draft-ietf-dane-protocol-14.txt   draft-ietf-dane-protocol-15.txt 
Network Working Group P. Hoffman Network Working Group P. Hoffman
Internet-Draft VPN Consortium Internet-Draft VPN Consortium
Intended status: Standards Track J. Schlyter Intended status: Standards Track J. Schlyter
Expires: July 7, 2012 Kirei AB Expires: August 7, 2012 Kirei AB
January 4, 2012 February 4, 2012
Using Secure DNS to Associate Certificates with Domain Names For TLS Using Secure DNS to Associate Certificates with Domain Names For TLS
draft-ietf-dane-protocol-14 draft-ietf-dane-protocol-15
Abstract Abstract
TLS and DTLS use PKIX certificates for authenticating the server. TLS and DTLS use PKIX certificates for authenticating the server.
Users want their applications to verify that the certificate provided Users want their applications to verify that the certificate provided
by the TLS server is in fact associated with the domain name they by the TLS server is in fact associated with the domain name they
expect. TLSA provides bindings of keys to domains that are asserted expect. TLSA provides bindings of keys to domains that are asserted
not by external entities, but by the entities that operate the DNS. not by external entities, but by the entities that operate the DNS.
This document describes how to use secure DNS to associate the TLS This document describes how to use secure DNS to associate the TLS
server's certificate with the intended domain name. server's certificate with the intended domain name.
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 7, 2012. This Internet-Draft will expire on August 7, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 14 skipping to change at page 3, line 14
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Certificate Associations . . . . . . . . . . . . . . . . . 4 1.1. Certificate Associations . . . . . . . . . . . . . . . . . 4
1.2. Securing Certificate Associations . . . . . . . . . . . . 5 1.2. Securing Certificate Associations . . . . . . . . . . . . 5
1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. The TLSA Resource Record . . . . . . . . . . . . . . . . . . . 5 2. The TLSA Resource Record . . . . . . . . . . . . . . . . . . . 5
2.1. TLSA RDATA Wire Format . . . . . . . . . . . . . . . . . . 6 2.1. TLSA RDATA Wire Format . . . . . . . . . . . . . . . . . . 6
2.1.1. The Certificate Usage Field . . . . . . . . . . . . . 6 2.1.1. The Certificate Usage Field . . . . . . . . . . . . . 6
2.1.2. The Selector Field . . . . . . . . . . . . . . . . . . 6 2.1.2. The Selector Field . . . . . . . . . . . . . . . . . . 7
2.1.3. The Matching Type Field . . . . . . . . . . . . . . . 7 2.1.3. The Matching Type Field . . . . . . . . . . . . . . . 7
2.1.4. The Certificate for Association Field . . . . . . . . 7 2.1.4. The Certificate Association Data Field . . . . . . . . 7
2.2. TLSA RR Presentation Format . . . . . . . . . . . . . . . 7 2.2. TLSA RR Presentation Format . . . . . . . . . . . . . . . 7
2.3. TLSA RR Examples . . . . . . . . . . . . . . . . . . . . . 8 2.3. TLSA RR Examples . . . . . . . . . . . . . . . . . . . . . 8
3. Domain Names for TLS Certificate Associations . . . . . . . . 8 3. Domain Names for TLS Certificate Associations . . . . . . . . 8
4. Semantics and Features of TLSA Certificate Usages . . . . . . 9 4. Semantics and Features of TLSA Certificate Usages . . . . . . 9
4.1. Pass PKIX Validation and Chain Through CA . . . . . . . . 9 4.1. Pass PKIX Validation and Chain Through CA . . . . . . . . 9
4.2. Pass PKIX Validation and Match End Entity Certificate . . 9 4.2. Pass PKIX Validation and Match End Entity Certificate . . 9
4.3. Pass PKIX Validation and Use Trust Anchor . . . . . . . . 9 4.3. Pass PKIX Validation and Use Trust Anchor . . . . . . . . 9
4.4. Use of TLS Certificate Associations in TLS . . . . . . . . 9 4.4. Match Certificate . . . . . . . . . . . . . . . . . . . . 9
5. TLSA and DANE Use Cases and Requirements . . . . . . . . . . . 10 5. Use of TLS Certificate Associations in TLS . . . . . . . . . . 10
6. Mandatory-to-Implement Algorithms . . . . . . . . . . . . . . 11 6. TLSA and DANE Use Cases and Requirements . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 7. Mandatory-to-Implement Algorithms . . . . . . . . . . . . . . 13
7.1. TLSA RRtype . . . . . . . . . . . . . . . . . . . . . . . 12 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
7.2. TLSA Usages . . . . . . . . . . . . . . . . . . . . . . . 12 8.1. TLSA RRtype . . . . . . . . . . . . . . . . . . . . . . . 13
7.3. TLSA Selectors . . . . . . . . . . . . . . . . . . . . . . 13 8.2. TLSA Usages . . . . . . . . . . . . . . . . . . . . . . . 14
7.4. TLSA Matching Types . . . . . . . . . . . . . . . . . . . 13 8.3. TLSA Selectors . . . . . . . . . . . . . . . . . . . . . . 14
8. Security Considerations . . . . . . . . . . . . . . . . . . . 13 8.4. TLSA Matching Types . . . . . . . . . . . . . . . . . . . 14
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14 9. Security Considerations . . . . . . . . . . . . . . . . . . . 15
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16
10.1. Normative References . . . . . . . . . . . . . . . . . . . 15 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
10.2. Informative References . . . . . . . . . . . . . . . . . . 15 11.1. Normative References . . . . . . . . . . . . . . . . . . . 16
11.2. Informative References . . . . . . . . . . . . . . . . . . 17
Appendix A. Operational Considerations for Deploying TLSA Appendix A. Operational Considerations for Deploying TLSA
Records . . . . . . . . . . . . . . . . . . . . . . . 16 Records . . . . . . . . . . . . . . . . . . . . . . . 18
A.1. Creating TLSA Records . . . . . . . . . . . . . . . . . . 16 A.1. Creating TLSA Records . . . . . . . . . . . . . . . . . . 18
A.1.1. Ambiguities and Corner Cases When TLS Clients A.1.1. Ambiguities and Corner Cases When TLS Clients
Build Trust Chains . . . . . . . . . . . . . . . . . . 16 Build Trust Chains . . . . . . . . . . . . . . . . . . 18
A.1.2. Choosing a Selector Type . . . . . . . . . . . . . . . 17 A.1.2. Choosing a Selector Type . . . . . . . . . . . . . . . 19
A.2. Provisioning TLSA Records in DNS . . . . . . . . . . . . . 18 A.2. Provisioning TLSA Records in DNS . . . . . . . . . . . . . 20
A.2.1. Provisioning TLSA Records with Aliases . . . . . . . . 18 A.2.1. Provisioning TLSA Records with Aliases . . . . . . . . 20
A.2.2. Provisioning with NS Records . . . . . . . . . . . . . 21 A.2.2. Provisioning with NS Records . . . . . . . . . . . . . 23
A.3. Securing the Last Hop . . . . . . . . . . . . . . . . . . 21 A.3. Securing the Last Hop . . . . . . . . . . . . . . . . . . 23
A.4. Handling Certificate Rollover . . . . . . . . . . . . . . 21 A.4. Handling Certificate Rollover . . . . . . . . . . . . . . 23
Appendix B. Pseudocode for Using TLSA . . . . . . . . . . . . . . 21 Appendix B. Pseudocode for Using TLSA . . . . . . . . . . . . . . 24
B.1. Helper Functions . . . . . . . . . . . . . . . . . . . . . 21 B.1. Helper Functions . . . . . . . . . . . . . . . . . . . . . 24
B.2. Main TLSA Pseudo Code . . . . . . . . . . . . . . . . . . 22 B.2. Main TLSA Pseudo Code . . . . . . . . . . . . . . . . . . 25
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 27
1. Introduction 1. Introduction
The first response from the server in TLS may contain a certificate. The first response from the server in TLS may contain a certificate.
In order for the TLS client to authenticate that it is talking to the In order for the TLS client to authenticate that it is talking to the
expected TLS server, the client must validate that this certificate expected TLS server, the client must validate that this certificate
is associated with the domain name used by the client to get to the is associated with the domain name used by the client to get to the
server. Currently, the client must extract the domain name from the server. Currently, the client must extract the domain name from the
certificate, must trust a trust anchor upon which the server's certificate, must trust a trust anchor upon which the server's
certificate is rooted, and must successfully validate the certificate is rooted, and must successfully validate the
skipping to change at page 4, line 28 skipping to change at page 4, line 28
trusting an external certificate authority (CA). Given that the DNS trusting an external certificate authority (CA). Given that the DNS
administrator for a domain name is authorized to give identifying administrator for a domain name is authorized to give identifying
information about the zone, it makes sense to allow that information about the zone, it makes sense to allow that
administrator to also make an authoritative binding between the administrator to also make an authoritative binding between the
domain name and a certificate that might be used by a host at that domain name and a certificate that might be used by a host at that
domain name. The easiest way to do this is to use the DNS. domain name. The easiest way to do this is to use the DNS.
There are many use cases for such functionality. [DANEUSECASES] There are many use cases for such functionality. [DANEUSECASES]
lists the ones that the protocol in this document is meant to apply lists the ones that the protocol in this document is meant to apply
to. [DANEUSECASES] also lists many requirements, most of which the to. [DANEUSECASES] also lists many requirements, most of which the
protocol in this document is believed to meet. Section 5 covers the protocol in this document is believed to meet. Section 6 covers the
applicability of this document to the use cases in detail. applicability of this document to the use cases in detail.
This document applies to both TLS [RFC5246] and DTLS [RFC4347bis]. This document applies to both TLS [RFC5246] and DTLS [RFC4347bis].
In order to make the document more readable, it mostly only talks In order to make the document more readable, it mostly only talks
about "TLS", but in all cases, it means "TLS or DTLS". This document about "TLS", but in all cases, it means "TLS or DTLS". This document
only relates to securely associating certificates for TLS and DTLS only relates to securely associating certificates for TLS and DTLS
with host names; other security protocols and other forms of with host names; other security protocols and other forms of
identification of TLS servers (such as IP addresses) are handled in identification of TLS servers (such as IP addresses) are handled in
other documents. For example, keys for IPsec are covered in other documents. For example, keys for IPsec are covered in
[RFC4025] and keys for SSH are covered in [RFC4255]. [RFC4025] and keys for SSH are covered in [RFC4255].
skipping to change at page 5, line 17 skipping to change at page 5, line 17
This document defines a secure method to associate the certificate This document defines a secure method to associate the certificate
that is obtained from the TLS server with a domain name using DNS; that is obtained from the TLS server with a domain name using DNS;
the DNS information needs to be be protected by DNSSEC. Because the the DNS information needs to be be protected by DNSSEC. Because the
certificate association was retrieved based on a DNS query, the certificate association was retrieved based on a DNS query, the
domain name in the query is by definition associated with the domain name in the query is by definition associated with the
certificate. certificate.
DNSSEC, which is defined in RFCs 4033, 4034, and 4035 ([RFC4033], DNSSEC, which is defined in RFCs 4033, 4034, and 4035 ([RFC4033],
[RFC4034], and [RFC4035]), uses cryptographic keys and digital [RFC4034], and [RFC4035]), uses cryptographic keys and digital
signatures to provide authentication of DNS data. Information signatures to provide authentication of DNS data. Information that
retrieved from the DNS and that is validated using DNSSEC is thereby is retrieved from the DNS and that is validated using DNSSEC is
proved to be the authoritative data. The DNSSEC signature MUST be thereby proved to be the authoritative data. The DNSSEC signature
validated on all responses that use DNSSEC in order to assure the MUST be validated on all responses that use DNSSEC in order to assure
proof of origin of the data. This document does not specify how the proof of origin of the data. This document does not specify how
DNSSEC validation occurs because there are many different proposals DNSSEC validation occurs because there are many different proposals
for how a client might get validated DNSSEC results. for how a client might get validated DNSSEC results.
This document only relates to securely getting the DNS information This document only relates to securely getting the DNS information
for the certificate association using DNSSEC; other secure DNS for the certificate association using DNSSEC; other secure DNS
mechanisms are out of scope. mechanisms are out of scope.
1.3. Terminology 1.3. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
skipping to change at page 6, line 9 skipping to change at page 6, line 9
The type value for the TLSA RR type is TBD. The type value for the TLSA RR type is TBD.
The TLSA RR is class independent. The TLSA RR is class independent.
The TLSA RR has no special TTL requirements. The TLSA RR has no special TTL requirements.
2.1. TLSA RDATA Wire Format 2.1. TLSA RDATA Wire Format
The RDATA for a TLSA RR consists of a one octet usage type field, a The RDATA for a TLSA RR consists of a one octet usage type field, a
one octet selector field, a one octet matching type field and the one octet selector field, a one octet matching type field and the
certificate for association field. certificate association data field.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Usage | Selector | Matching Type | / | Usage | Selector | Matching Type | /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /
/ / / /
/ Certificate for Association / / Certificate Association Data /
/ / / /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2.1.1. The Certificate Usage Field 2.1.1. The Certificate Usage Field
A one-octet value, called "certificate usage" or just "usage", A one-octet value, called "certificate usage" or just "usage",
specifying the provided association that will be used to match the specifying the provided association that will be used to match the
target certificate from TLS. This will be an IANA registry in order target certificate from the TLS handshake. This value is defined in
to make it easier to add additional certificate usages in the future. a new IANA registry (see Section 8.2) in order to make it easier to
The usages defined in this document are: add additional certificate usages in the future. The usages defined
in this document are:
0 -- The target certificate MUST pass PKIX validation and MUST 0 -- The target certificate MUST pass PKIX validation and MUST
chain through a CA certificate matching the TLSA record chain through a CA certificate matching the TLSA record
1 -- The target certificate MUST pass PKIX validation and MUST 1 -- The target certificate MUST pass PKIX validation and MUST
match the TLSA record match the TLSA record
2 -- The target certificate MUST pass PKIX validation, with any 2 -- The target certificate MUST pass PKIX validation, with any
certificate matching the TLSA record considered to be a trust certificate matching the TLSA record considered to be a trust
anchor for this validation anchor for this validation
The three certificate usages defined in this document explicitly only 3 -- The target certificate MUST match the TLSA record
apply to PKIX-formatted certificates. If TLS allows other formats
later, or if extensions to this protocol are made that accept other The certificate usages defined in this document explicitly only apply
formats for certificates, those certificates will need their own to PKIX-formatted certificates in DER encoding. If TLS allows other
certificate types. formats later, or if extensions to this protocol are made that accept
other formats for certificates, those certificates will need their
own certificate usage values.
The use of this field is described in greater detail in Section 4. The use of this field is described in greater detail in Section 4.
2.1.2. The Selector Field 2.1.2. The Selector Field
A one-octet value, called "selector", specifying what will be A one-octet value, called "selector", specifying what the association
matched. This value is defined in a new IANA registry. The data will be matched against from the TLS certificate presented by
selectors defined in this document are: the server. This value is defined in a new IANA registry (see
Section 8.3. The selectors defined in this document are:
0 -- Full certificate 0 -- Full certificate
1 -- SubjectPublicKeyInfo 1 -- SubjectPublicKeyInfo
2.1.3. The Matching Type Field 2.1.3. The Matching Type Field
A one-octet value, called "matching type", specifying how the A one-octet value, called "matching type", specifying how the
certificate association is presented. This value is defined in a new certificate association is presented. This value is defined in a new
IANA registry. The types defined in this document are: IANA registry (see Section 8.4). The types defined in this document
are:
0 -- Exact match on selected content 0 -- Exact match on selected content
1 -- SHA-256 hash of selected content 1 -- SHA-256 hash of selected content
2 -- SHA-512 hash of selected content 2 -- SHA-512 hash of selected content
Using the same hash algorithm as is used in the signature in the Because a client support for multiple hash algorithms might be
certificate will make it more likely that the TLS client will limited, it is advisable to use the same hash algorithm for the
understand this TLSA data. matching type as is used for the signature in the certificate. Doing
so will increase the likelihood of interoperability.
2.1.4. The Certificate for Association Field 2.1.4. The Certificate Association Data Field
The "association data" to be matched. The field contains the bytes The "certificate association data" to be matched. The field contains
to be matched or the hash of the bytes to be matched. The source of the bytes to be matched or the hash of the bytes to be matched. The
the data to be matched is controlled by the Matching Type field. The field contains the bytes to be matched: the raw data, for matching
type 0, or the hash of the raw data, for matching types 1 and 2. The
data refers to the certificate in the association, not to the TLS data refers to the certificate in the association, not to the TLS
ASN.1 Certificate object. ASN.1 Certificate object.
2.2. TLSA RR Presentation Format 2.2. TLSA RR Presentation Format
The presentation format of the RDATA portion is as follows: The presentation format of the RDATA portion is as follows:
o The certificate usage field MUST be represented as an unsigned o The certificate usage field MUST be represented as an unsigned
decimal integer. decimal integer.
o The selector field MUST be represented as an unsigned decimal o The selector field MUST be represented as an unsigned decimal
integer. integer.
o The matching type field MUST be represented as an unsigned decimal o The matching type field MUST be represented as an unsigned decimal
integer. integer.
o The certificate for association field MUST be represented as a o The certificate association data field MUST be represented as a
string of hexadecimal characters. Whitespace is allowed within string of hexadecimal characters. Whitespace is allowed within
the string of hexadecimal characters. the string of hexadecimal characters.
2.3. TLSA RR Examples 2.3. TLSA RR Examples
An example of a hashed (SHA-256) association of a PKIX CA An example of a hashed (SHA-256) association of a PKIX CA
certificate: certificate:
_443._tcp.www.example.com. IN TLSA ( _443._tcp.www.example.com. IN TLSA (
0 0 1 d2abde240d7cd3ee6b4b28c54df034b9 0 0 1 d2abde240d7cd3ee6b4b28c54df034b9
7983a1d16e8a410e4561cb106618e971 ) 7983a1d16e8a410e4561cb106618e971 )
An example of a hashed (SHA-512) subject public key association of a An example of a hashed (SHA-512) subject public key association of a
PKIX end entity certificate: PKIX end entity certificate:
_443._tcp.www.example.com. IN TLSA _443._tcp.www.example.com. IN TLSA (
1 1 2 92003ba34942dc74152e2f2c408d29ec 1 1 2 92003ba34942dc74152e2f2c408d29ec
a5a520e7f2e06bb944f4dca346baf63c a5a520e7f2e06bb944f4dca346baf63c
1b177615d466f6c4b71c216a50292bd5 1b177615d466f6c4b71c216a50292bd5
8c9ebdd2f74e38fe51ffd48c43326cbc ) 8c9ebdd2f74e38fe51ffd48c43326cbc )
An example of a full certificate association of a PKIX trust anchor: An example of a full certificate association of a PKIX end entity
certificate:
_443._tcp.www.example.com. IN TLSA _443._tcp.www.example.com. IN TLSA (
2 0 0 30820307308201efa003020102020... ) 3 0 0 30820307308201efa003020102020... )
3. Domain Names for TLS Certificate Associations 3. Domain Names for TLS Certificate Associations
TLSA resource records are stored at a prefixed DNS domain name. The Unless there is an protocol-specific specification that is different
prefix is prepared in the following manner: than this one, TLSA resource records are stored at a prefixed DNS
domain name. The prefix is prepared in the following manner:
1. The decimal representation of the port number on which a TLS- 1. The decimal representation of the port number on which a TLS-
based service is assumed to exist is prepended with an underscore based service is assumed to exist is prepended with an underscore
character ("_") to become the left-most label in the prepared character ("_") to become the left-most label in the prepared
domain name. This number has no leading zeros. domain name. This number has no leading zeros.
2. The protocol name of the transport on which a TLS-based service 2. The protocol name of the transport on which a TLS-based service
is assumed to exist is prepended with an underscore character is assumed to exist is prepended with an underscore character
("_") to become the second left-most label in the prepared domain ("_") to become the second left-most label in the prepared domain
name. The transport names defined for this protocol are "tcp", name. The transport names defined for this protocol are "tcp",
skipping to change at page 9, line 8 skipping to change at page 9, line 17
For example, to request a TLSA resource record for an HTTP server For example, to request a TLSA resource record for an HTTP server
running TLS on port 443 at "www.example.com", you would use running TLS on port 443 at "www.example.com", you would use
"_443._tcp.www.example.com" in the request. To request a TLSA "_443._tcp.www.example.com" in the request. To request a TLSA
resource record for an SMTP server running the STARTTLS protocol on resource record for an SMTP server running the STARTTLS protocol on
port 25 at "mail.example.com", you would use port 25 at "mail.example.com", you would use
"_25._tcp.mail.example.com". "_25._tcp.mail.example.com".
4. Semantics and Features of TLSA Certificate Usages 4. Semantics and Features of TLSA Certificate Usages
The three certificate usages have very different semantics, but also The certificate usages have very different semantics, but also have
have features common to all three types. features common to all the types.
4.1. Pass PKIX Validation and Chain Through CA 4.1. Pass PKIX Validation and Chain Through CA
Certificate usage 0 is used to specify a CA certificate, or the Certificate usage 0 is used to specify a CA certificate, or the
public key of such a certificate, that the must be found in any of public key of such a certificate, that must be found in any of the
the PKIX validation chains for the end entity certificate given by PKIX validation chains for the end entity certificate given by the
the server in TLS. This usage is sometimes referred to as "CA server in TLS. This usage is sometimes referred to as "CA
constraint" because it limits which CA can be used to issue constraint" because it limits which CA can be used to issue
certificates for a given host name. certificates for a given host name.
4.2. Pass PKIX Validation and Match End Entity Certificate 4.2. Pass PKIX Validation and Match End Entity Certificate
Certificate usage 1 is used to specify an end entity certificate, or Certificate usage 1 is used to specify an end entity certificate, or
the public key of such a certificate, that must be matched with the the public key of such a certificate, that must be matched with the
end entity certificate given by the server in TLS. This usage is end entity certificate given by the server in TLS. This usage is
sometimes referred to as "service certificate constraints" because it sometimes referred to as "service certificate constraints" because it
limits which end entity certificate may be used by a given host name. limits which end entity certificate may be used by a given host name.
4.3. Pass PKIX Validation and Use Trust Anchor 4.3. Pass PKIX Validation and Use Trust Anchor
Certificate usage 2 is used to specify a certificate, or the public Certificate usage 2 is used to specify a certificate, or the public
key of such a certificate, that must be used as a trust anchor when key of such a certificate, that must be used as a trust anchor when
validating the end entity certificate given by the server in TLS. validating the end entity certificate given by the server in TLS.
This usage is sometimes referred to as "domain-issued certificate" This usage allows a domain name administrator to specify a new trust
because it allows for a domain name administrator to issue anchor, such as if the domain issues its own certificates under its
certificates for a domain without involving a third-party CA. own CA that is not expected to be in the end users collection of
trust anchors.
4.4. Use of TLS Certificate Associations in TLS 4.4. Match Certificate
Certificate usage 3 is used to specify a certificate, or the public
key of such a certificate, that must match the end entity certificate
given by the server in TLS. This usage is sometimes referred to as
"domain-issued certificate" because it allows for a domain name
administrator to issue certificates for a domain without involving a
third-party CA.
5. Use of TLS Certificate Associations in TLS
Section 2.1 of this document defines the mandatory matching rules for Section 2.1 of this document defines the mandatory matching rules for
the data from the TLS certificate associations and the certificates the data from the TLS certificate associations and the certificates
received from the TLS server. received from the TLS server.
The TLS session that is to be set up MUST be for the specific port The TLS session that is to be set up MUST be for the specific port
number and transport name that was given in the TLSA query. The number and transport name that was given in the TLSA query. The
matching or chaining MUST be done within the life of the TTL on the matching or chaining MUST be done within the life of the TTL on the
TLSA record. TLSA record; using a TLSA record past the lifetime specified in the
TTL can expose the the TLS client to many types of attacks.
Some specifications for applications that run under TLS, such as Some specifications for applications that run under TLS, such as
[RFC2818] for HTTP, require the server's certificate to have a domain [RFC2818] for HTTP, require the server's certificate to have a domain
name that matches the host name expected by the client. Some name that matches the host name expected by the client. Some
specifications such at [RFC6125] detail how to match the identify specifications such as [RFC6125] detail how to match the identity
given in a PKIX certificate with those expected by the user. given in a PKIX certificate with those expected by the user.
An application that complies with this document first requests TLSA An application that complies with this document first requests TLSA
records in order to make certificate associations. records in order to make certificate associations.
Determining whether a TLSA RRset can be used depends on the DNSSEC Determining whether a TLSA RRset can be used depends on the DNSSEC
validation state (as defined in [RFC4033]). validation state (as defined in [RFC4033]).
o A TLSA RRset whose DNSSEC validation state is secure MUST be used o A TLSA RRset whose DNSSEC validation state is secure MUST be used
as a certificate association for TLS unless a local policy would as a certificate association for TLS unless a local policy would
prohibit the use of the specific certificate association in the prohibit the use of the specific certificate association in the
secure TLSA RRset. secure TLSA RRset.
o If the DNSSEC validation state on the response to the request for o If the DNSSEC validation state on the response to the request for
the TLSA RRset is bogus, this MUST cause TLS not to be started or, the TLSA RRset is bogus, this MUST cause TLS not to be started or,
if the TLS negotiation is already in progress, to cause the if the TLS negotiation is already in progress, MUST cause the
connection to be aborted. connection to be aborted.
o A TLSA RRset whose DNSSEC validation state is indeterminate or o A TLSA RRset whose DNSSEC validation state is indeterminate or
insecure cannot be used for TLS and MUST be marked as unusable. insecure cannot be used for TLS and MUST be marked as unusable.
If an application receives zero usable certificate associations, it If an application receives zero usable certificate associations, it
processes TLS in the normal fashion without any input from the TLSA processes TLS in the normal fashion without any input from the TLSA
records; otherwise, that application attempts to match each records; otherwise, that application attempts to match each
certificate association with the TLS server's end entity certificate. certificate association with the TLS server's end entity certificate.
Clients that validate the DNSSEC signatures themselves MUST either Clients that validate the DNSSEC signatures themselves MUST use
use standard DNSSEC validation procedures or a secure transport (such standard DNSSEC validation procedures. Clients that rely on another
as TSIG [RFC2845], SIG(0) [RFC2931], or IPsec [RFC6071]) between entity to perform the DNSSEC signature validation MUST use a secure
themselves and the entity performing the DNSSEC signature validation. transport between themselves and the validator. Examples of secure
Note that it is not sufficient to use secure transport to a DNS transports include TSIG [RFC2845], SIG(0) [RFC2931], and IPsec
resolver that does not do DNSSEC signature validation. [RFC6071]. Note that it is not sufficient to use secure transport to
a DNS resolver that does not do DNSSEC signature validation.
If a certificate association contains a certificate usage, selector, If a certificate association contains a certificate usage, selector,
or matching type that is not understood by the TLS client, that or matching type that is not understood by the TLS client, that
certificate association MUST be marked as unusable. If the certificate association MUST be marked as unusable. If the
comparison data for a certificate is malformed, the certificate comparison data for a certificate is malformed, the certificate
association MUST be marked as unusable. association MUST be marked as unusable. If a certificate association
contains a matching type or certificate association data that uses a
cryptographic algorithm that is considered too weak for the TLS
client's policy, the certificate association MUST be marked as
unusable.
5. TLSA and DANE Use Cases and Requirements 6. TLSA and DANE Use Cases and Requirements
The different types of certificates for association defined in TLSA The different types of certificates associations defined in TLSA are
are matched with various sections of [DANEUSECASES]. The three use matched with various sections of [DANEUSECASES]. Three use cases
cases from section 3 of [DANEUSECASES] are covered in this protocol from Section 3 of [DANEUSECASES] are covered in this protocol as
as follows: follows:
3.1 CA Constraints -- Implemented using certificate usage 0. 3.1 CA Constraints -- Implemented using certificate usage 0.
3.2 Certificate Constraints -- Implemented using certificate usage 3.2 Certificate Constraints -- Implemented using certificate usage
1. 1.
3.3 Domain-Issued Certificates -- Implemented using certificate 3.3 Domain-Issued Certificates -- Implemented using certificate
usage 2. usage 3.
The requirements from section 4 of [DANEUSECASES] are covered in this The requirements from Section 4 of [DANEUSECASES] are covered in this
protocol as follows (note that some of these might be excessively protocol as follows:
glib):
Multiple Ports -- Covered in the TLSA request syntax. Multiple Ports -- The TLSA records for different application
services running on a single host can be distinguished through the
service name and port number prefixed to the host name (see
Section 3).
No Downgrade -- Covered by DNSSEC itself. No Downgrade -- Section 5 specifies the conditions under which a
client can process and act upon TLSA records. Specifically, if
the DNSSEC status for the TLSA resource record set is determined
to be bogus, TLS is not attempted at all.
Encapsulation -- Covered in the TLSA response semantics. Encapsulation -- Covered in the TLSA response semantics.
Predictability -- Covered by this spec. Predictability -- The appendixes of this specification provide
operational considerations and implementation guidance in order to
enable application developers to form a consistent interpretation
of the recommended DANE client behavior.
Opportunistic Security -- Covered in the TLSA request syntax. Opportunistic Security -- If a client conformant to this
specification can reliably determine the presence of a TLSA
record, it will attempt to use this information. Conversely, if a
client can reliably determine the absence of any TLSA record, it
will fall back to processing TLS in the normal fashion. This is
discussed in Section 5.
Combination -- Covered in the TLSA response semantics. No support Combination -- Multiple TLSA records can be published for a given
is provided to combine two TLSA certificate associations in a host name, thus enabling the client to construct multiple TLSA
single operation. Support exists for having multiple TLSA certificate associations that reflect different DANE assertions.
certificate associations that are treated independently. No support is provided to combine two TLSA certificate
associations in a single operation.
Roll-over -- Covered by the TTLs on the TLSA records. Roll-over -- Section 5 states that applications must not cache TLSA
records beyond their TTL expiration. This ensures that clients
will not latch onto assertions made by expired TLSA records, and
will be able to transition between using one DANE mechanism to
another.
Simple Key Management -- Implemented using the SubjectPublicKeyInfo Simple Key Management -- The SubjectPublicKeyInfo selector in the
selector. TLSA record provides a mode that enables a domain holder to only
have to maintain a single long-lived public/private key pair
without the need to manage certificates. Appendix A outlines the
usefulness and the potential downsides to using this mode.
Minimal Dependencies -- Covered in the TLSA response semantics. Minimal Dependencies -- This specification relies on DNSSEC to
protect the origin authenticity and integrity of the TLSA resource
record set. Additionally, if DNSSEC validation is not performed
on the system that wishes to use TLSA certificate bindings, this
specification requires that the "last mile" be over a secure
transport. There are no other deployment dependencies for this
approach.
Minimal Options -- Covered in the TLSA response semantics. Minimal Options -- The operating modes map precisely to the DANE use
cases and requirements. DNSSEC use is mandatory in that this
specification encourages applications to use TLSA records that are
only shown to be validated.
Wild Cards -- Covered in a limited manner in the TLSA request Wild Cards -- Covered in a limited manner in the TLSA request
syntax; see Appendix A. syntax; see Appendix A.
Redirection -- Covered in the TLSA request syntax; see Appendix A. Redirection -- Covered in the TLSA request syntax; see Appendix A.
6. Mandatory-to-Implement Algorithms 7. Mandatory-to-Implement Algorithms
A system creating TLSA records that conforms to this specification A system creating TLSA records that conforms to this specification
MUST be able to create TLSA records containing certificate usages 0, MUST be able to create TLSA records containing certificate usages 0,
1 and 2. A system creating TLSA records that conforms to this 1, 2, and 3. A system creating TLSA records that conforms to this
specification MUST be able to create TLSA records with selectors 0 specification MUST be able to create TLSA records with selectors 0
(full certificate) and 1 (SubjectPublicKeyInfo). A system creating (full certificate) and 1 (SubjectPublicKeyInfo). A system creating
TLSA records that conforms to this specification MUST be able to TLSA records that conforms to this specification MUST be able to
create TLSA records using matching type 0 (no hash used) and matching create TLSA records using matching type 0 (no hash used) and matching
type 1 (SHA-256), and SHOULD be able to create TLSA records using type 1 (SHA-256), and SHOULD be able to create TLSA records using
matching type 2 (SHA-512). matching type 2 (SHA-512).
TLS clients conforming to this specification MUST be able to TLS clients conforming to this specification MUST be able to
correctly interpret TLSA records with certificate usages 0, 1 and 2. correctly interpret TLSA records with certificate usages 0, 1, 2, and
TLS clients conforming to this specification MUST be able to compare 3. TLS clients conforming to this specification MUST be able to
a certificate for association with a certificate from TLS using compare a certificate association with a certificate from the TLS
selectors type 0 and 1, and matching type 0 (no hash used) and handshake using selectors type 0 and 1, and matching type 0 (no hash
matching type 1 (SHA-256), and SHOULD be able to make such used) and matching type 1 (SHA-256), and SHOULD be able to make such
comparisons with matching type 2 (SHA-512). comparisons with matching type 2 (SHA-512).
At the time this is written, it is expected that there will be a new At the time this is written, it is expected that there will be a new
family of hash algorithms called SHA-3 within the next few years. It family of hash algorithms called SHA-3 within the next few years. It
is expected that some of the SHA-3 algorithms will be mandatory is expected that some of the SHA-3 algorithms will be mandatory
and/or recommended for TLSA records after the algorithms are fully and/or recommended for TLSA records after the algorithms are fully
defined. At that time, this specification will be updated. defined. At that time, this specification will be updated.
7. IANA Considerations 8. IANA Considerations
7.1. TLSA RRtype 8.1. TLSA RRtype
This document uses a new DNS RR type, TLSA, whose value is TBD. A This document uses a new DNS RR type, TLSA, whose value is TBD. A
separate request for the RR type will be submitted to the expert separate request for the RR type will be submitted to the expert
reviewer, and future versions of this document will have that value reviewer, and future versions of this document will have that value
instead of TBD. instead of TBD.
7.2. TLSA Usages In the following sections, "RFC Required" was chosen TLSA usages, and
"Specification Required" for selectors and hashes, because of the
amount of detail that is likely to be needed for implementers to
correctly implement new usages as compared to new matching types and
hash types.
8.2. TLSA Usages
This document creates a new registry, "Certificate Usages for TLSA This document creates a new registry, "Certificate Usages for TLSA
Resource Records". The registry policy is "RFC Required". The Resource Records". The registry policy is "RFC Required". The
initial entries in the registry are: initial entries in the registry are:
Value Short description Reference Value Short description Reference
---------------------------------------------------------- ----------------------------------------------------------
0 Pass PKIX and chain through CA [This] 0 Pass PKIX and chain through CA [This]
1 Pass PKIX and match EE [This] 1 Pass PKIX and match EE [This]
2 Pass PKIX and trusted via certificate [This] 2 Pass PKIX and trusted via certificate [This]
3 Match certificate [This]
4-254 Unassigned 4-254 Unassigned
255 Private use 255 Private use
Applications to the registry can request specific values that have Applications to the registry can request specific values that have
yet to be assigned. yet to be assigned.
7.3. TLSA Selectors 8.3. TLSA Selectors
This document creates a new registry, "Selectors for TLSA Resource This document creates a new registry, "Selectors for TLSA Resource
Records". The registry policy is "Specification Required". The Records". The registry policy is "Specification Required". The
initial entries in the registry are: initial entries in the registry are:
Value Short description Reference Value Short description Reference
---------------------------------------------------------- ----------------------------------------------------------
0 Full Certificate [This] 0 Full Certificate [This]
1 SubjectPublickeyInfo [This] 1 SubjectPublicKeyInfo [This]
2-254 Unassigned 2-254 Unassigned
255 Private use 255 Private use
7.4. TLSA Matching Types Applications to the registry can request specific values that have
yet to be assigned.
8.4. TLSA Matching Types
This document creates a new registry, "Matching Types for TLSA This document creates a new registry, "Matching Types for TLSA
Resource Records". The registry policy is "Specification Required". Resource Records". The registry policy is "Specification Required".
The initial entries in the registry are: The initial entries in the registry are:
Value Short description Reference Value Short description Reference
--------------------------------------------- ---------------------------------------------
0 No hash used [This] 0 No hash used [This]
1 SHA-256 NIST FIPS 180-3 1 SHA-256 NIST FIPS 180-3
2 SHA-512 NIST FIPS 180-3 2 SHA-512 NIST FIPS 180-3
skipping to change at page 13, line 31 skipping to change at page 15, line 4
Resource Records". The registry policy is "Specification Required". Resource Records". The registry policy is "Specification Required".
The initial entries in the registry are: The initial entries in the registry are:
Value Short description Reference Value Short description Reference
--------------------------------------------- ---------------------------------------------
0 No hash used [This] 0 No hash used [This]
1 SHA-256 NIST FIPS 180-3 1 SHA-256 NIST FIPS 180-3
2 SHA-512 NIST FIPS 180-3 2 SHA-512 NIST FIPS 180-3
3-254 Unassigned 3-254 Unassigned
255 Private use 255 Private use
Applications to the registry can request specific values that have Applications to the registry can request specific values that have
yet to be assigned. yet to be assigned.
8. Security Considerations 9. Security Considerations
The security of the protocols described in this document relies on The security of the protocols described in this document relies on
the security of DNSSEC as used by the client requesting A/AAAA and the security of DNSSEC as used by the client requesting A/AAAA and
TLSA records. TLSA records.
A DNS administrator who goes rogue and changes both the A/AAAA and A DNS administrator who goes rogue and changes both the A/AAAA and
TLSA records for a domain name can cause the user to go to an TLSA records for a domain name can cause the user to go to an
unauthorized server that will appear authorized, unless the client unauthorized server that will appear authorized, unless the client
performs certificate validation and rejects the certificate. That performs certificate validation and rejects the certificate. That
administrator could probably get a certificate issued anyway, so this administrator could probably get a certificate issued anyway, so this
skipping to change at page 14, line 20 skipping to change at page 15, line 40
key is kept on the SSL proxy; the proxy intercepts TLS requests, key is kept on the SSL proxy; the proxy intercepts TLS requests,
creates a new TLS session with the intended host, and sets up a TLS creates a new TLS session with the intended host, and sets up a TLS
session with the client using a certificate that chains to the trust session with the client using a certificate that chains to the trust
anchor installed in the client by the proxy. In such environments, anchor installed in the client by the proxy. In such environments,
the TLSA protocol will prevent the SSL proxy from functioning as the TLSA protocol will prevent the SSL proxy from functioning as
expected because the TLS client will get a certificate association expected because the TLS client will get a certificate association
from the DNS that will not match the certificate that the SSL proxy from the DNS that will not match the certificate that the SSL proxy
uses with the client. The client, seeing the proxy's new certificate uses with the client. The client, seeing the proxy's new certificate
for the supposed destination will not set up a TLS session. Thus, for the supposed destination will not set up a TLS session. Thus,
such proxies might choose to aggressively block TLSA requests and/or such proxies might choose to aggressively block TLSA requests and/or
responses. responses, even though this is not a recommended practice.
Client treatment of any information included in the trust anchor is a Client treatment of any information included in the trust anchor is a
matter of local policy. This specification does not mandate that matter of local policy. This specification does not mandate that
such information be inspected or validated by the domain name such information be inspected or validated by the domain name
administrator. administrator.
If a server's certificate is revoked, or if an intermediate CA in a If a server's certificate is revoked, or if an intermediate CA in a
chain between the end entity and a trust anchor has its certificate chain between the end entity and a trust anchor has its certificate
revoked, a TLSA record with a certificate type of 2 that matches the revoked, a TLSA record with a certificate type of 2 that matches the
revoked certificate would in essence override the revocation because revoked certificate would in essence override the revocation because
the client would treat that revoked certificate as a trust anchor and the client would treat that revoked certificate as a trust anchor and
thus not check its revocation status. Because of this, domain thus not check its revocation status. Because of this, domain
administrators need to be responsible for being sure that the key or administrators need to be responsible for being sure that the key or
certificate used in TLSA records with a certificate type of 2 are in certificate used in TLSA records with a certificate type of 2 are in
fact able to be used as reliable trust anchors. fact able to be used as reliable trust anchors.
9. Acknowledgements Certificates that are delivered in TLSA with usage type 2
fundamentally change the way the TLS server's end entity certificate
is evaluated. For example, the server's certificate might chain to
an existing CA through an intermediate CA that has certain policy
restrictions, and the certificate would not pass those restrictions
and thus normally be rejected. That intermediate CA could issue
itself a new certificate without the policy restrictions and tell its
customers to use that certificate with usage type 2. This in essence
allows an intermediate CA to be come a trust anchor for certificates
that the end user might have expected to chain to an existing trust
anchor.
10. Acknowledgements
Many of the ideas in this document have been discussed over many Many of the ideas in this document have been discussed over many
years. More recently, the ideas have been discussed by the authors years. More recently, the ideas have been discussed by the authors
and others in a more focused fashion. In particular, some of the and others in a more focused fashion. In particular, some of the
ideas here originated with Paul Vixie, Dan Kaminsky, Jeff Hodges, ideas here originated with Paul Vixie, Dan Kaminsky, Jeff Hodges,
Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam Langley, Ben Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam Langley, Ben
Laurie, Ilari Liusvaara, Ondrej Mikle, Scott Schmit, Ondrej Sury, Laurie, Ilari Liusvaara, Ondrej Mikle, Scott Schmit, Ondrej Sury,
Richard Barnes, Jim Schaad, and Stephen Farrell. Richard Barnes, Jim Schaad, Stephen Farrell and Suresh Krishnaswamy.
This document has also been greatly helped by many active This document has also been greatly helped by many active
participants of the DANE Working Group. participants of the DANE Working Group.
10. References 11. References
10.1. Normative References 11.1. Normative References
[DANEUSECASES] [DANEUSECASES]
Barnes, R., "Use Cases and Requirements for DNS-based Barnes, R., "Use Cases and Requirements for DNS-based
Authentication of Named Entities (DANE)", Authentication of Named Entities (DANE)",
draft-ietf-dane-use-cases (work in progress), 2011. draft-ietf-dane-use-cases (work in progress), 2011.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
skipping to change at page 15, line 48 skipping to change at page 17, line 32
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008. (CRL) Profile", RFC 5280, May 2008.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509 within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer (PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011. Security (TLS)", RFC 6125, March 2011.
10.2. Informative References 11.2. Informative References
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782, specifying the location of services (DNS SRV)", RFC 2782,
February 2000. February 2000.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B. [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B.
Wellington, "Secret Key Transaction Authentication for DNS Wellington, "Secret Key Transaction Authentication for DNS
(TSIG)", RFC 2845, May 2000. (TSIG)", RFC 2845, May 2000.
skipping to change at page 16, line 21 skipping to change at page 18, line 5
[RFC2931] Eastlake, D., "DNS Request and Transaction Signatures ( [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures (
SIG(0)s)", RFC 2931, September 2000. SIG(0)s)", RFC 2931, September 2000.
[RFC4025] Richardson, M., "A Method for Storing IPsec Keying [RFC4025] Richardson, M., "A Method for Storing IPsec Keying
Material in DNS", RFC 4025, March 2005. Material in DNS", RFC 4025, March 2005.
[RFC4255] Schlyter, J. and W. Griffin, "Using DNS to Securely [RFC4255] Schlyter, J. and W. Griffin, "Using DNS to Securely
Publish Secure Shell (SSH) Key Fingerprints", RFC 4255, Publish Secure Shell (SSH) Key Fingerprints", RFC 4255,
January 2006. January 2006.
[RFC4641] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
RFC 4641, September 2006.
[RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions:
Extension Definitions", RFC 6066, January 2011.
[RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and [RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and
Internet Key Exchange (IKE) Document Roadmap", RFC 6071, Internet Key Exchange (IKE) Document Roadmap", RFC 6071,
February 2011. February 2011.
Appendix A. Operational Considerations for Deploying TLSA Records Appendix A. Operational Considerations for Deploying TLSA Records
A.1. Creating TLSA Records A.1. Creating TLSA Records
When creating TLSA records with certificate usage type 0 or 2, care When creating TLSA record with certificate usage type 0 (CA
needs to be taken when choosing between selector type 0 (full Certificate) or type 2 (Trust Anchor), one needs to understand the
certificate) and 1 (SubjectPublicKeyInfo) because of the algorithms implications when choosing between selector type 0 (full certificate)
that various TLS clients employ to build their trust-chain. The and 1 (SubjectPublicKeyInfo). A careful choice is required because
following outlines some important cases and discusses implications of the different methods for building trust chains are used by different
the choice of selector type. TLS clients. The following outlines the cases that one should be
aware of and discusses the implications of the choice of selector
type.
Note that certificate usage 2 is not affected by this discussion if Certificate usage 2 is not affected by the different types of chain
the association is made to an end entity certificate. building when the end entity certificate is the same as the trust
anchor certificate.
A.1.1. Ambiguities and Corner Cases When TLS Clients Build Trust Chains A.1.1. Ambiguities and Corner Cases When TLS Clients Build Trust Chains
TLS clients are known to implement methods that may cause any TLS clients may implement their own chain-building code rather than
certificate (except the end entity certificate in the original rely on the chain presented by the TLS server. This means that,
certificate chain sent by server) to be exchanged or removed from the except for the end entity certificate, any certificate presented in
trust chain when client builds trust chain. the suggested chain may or may not be present in the final chain
built by the client.
Certificates the client can use to replace certificates from original Certificates that the client can use to replace certificates from
chain include: original chain include:
o Client's trust anchors o Client's trust anchors
o Certificates cached locally o Certificates cached locally
o Certificates retrieved from a URI listed in an Authority o Certificates retrieved from a URI listed in an Authority
Information Access X.509v3 extension Information Access X.509v3 extension
CAs frequently reissue certificates with a different validity period, CAs frequently reissue certificates with different validity period,
a hash in the signature algorithm or PKIX extensions; only the public signature algorithm (such as an different hash algorithm in the
key, issuer and subject remain intact. Thes reissued certificates signature algorithm), CA key pair (such as for a cross-certificate),
are certificates that the TLS client can use in place of original or PKIX extensions where the public key and subject remain the same.
certificate. These reissued certificates are the certificates TLS client can use
in place of an original certificate.
Clients are known to exchange or remove certificates that could cause Clients are known to exchange or remove certificates that could cause
TLSA association that rely on the full certificate to fail. For TLSA association that rely on the full certificate to fail. For
example: example:
o The client considers the hash in signature algorithm of a o The client considers the signature algorithm of a certificate to
certificate no longer sufficiently secure no longer be sufficiently secure
o A cross-certificate issued to CA2 by CA1 is represented by a self-
signed root certificate of CA2 as a trust anchor in client's trust
store
o A CA certificate above the cross-certificate in original chain may o The client may not have an associated root certificate in trust
be removed from the chain because the client found a trust anchor store and instead uses a cross-certificate with an identical
below that CA certificate subject and public key.
A.1.2. Choosing a Selector Type A.1.2. Choosing a Selector Type
A.1.2.1. Selector Type 0 In this section, "false-negative failure" means that a client will
not accept the TLSA association for certificate designated by DNS
administrator. Also, "false-positive acceptance" means that the
client accepts a TLSA association for a certificate that is not
designated by the DNS administrator.
The "Full certificate" selector provides most precise specification A.1.2.1. Selector Type 0 (Full Certificate)
of a trust anchor. Such non-ambiguity foils a class of hypothetical
future attacks on a CA where the CA issues new certificate with an
identical SubjectPublicKeyInfo, but a different issuer, subject, or
extensions that would allow redirection of a trust chain. This "Full
certificate" selector would also foil bad practices or negligence of
a CA if the CA uses the same key for unrelated CA certificates.
For a DNS administrator, the best course to avoid false-positive The "Full certificate" selector provides the most precise
failures at client's side when using this selector is: specification of a TLS certificate association, capturing all fields
of the PKIX certificate. For a DNS administrator, the best course to
avoid false-negative failures in the client when using this selector
are:
o Do not associate to CA certificates that have a signature o If a CA issued a replacement certificate, don't associate to CA
algorithm with hash that is considered weak if that CA has issued certificates that have a signature algorithm with a hash that is
a replacement certificate. considered weak (such as MD2 and MD5).
o Determine how common client applications process the TLSA o Determine how common client applications process the TLSA
association using a fresh client installation, that is, with the association using a fresh client installation, that is, with the
local certificate cache empty. local certificate cache empty.
A.1.2.2. Selector Type 1 A.1.2.2. Selector Type 1 (SubjectPublicKeyInfo)
A SubjectPublicKeyInfo selector gives greater flexibility in avoiding A SubjectPublicKeyInfo selector gives greater flexibility in avoiding
many false-positive failures caused by trust-chain-building some false-negative failures caused by trust-chain-building
algorithms used in many clients. algorithms used in clients.
One specific use-case should be noted: creating a TLSA association to One specific use-case should be noted: creating a TLSA association to
certificate I1 that directly signed end entity certificate S1 of the certificate I1 that directly signed end entity certificate S1 of
server. Because the key used to sign S1 is fixed, the association to server. Since the key used to sign S1 is fixed, association to I1
I1 must succeed: if the client swaps I1 for I2 (a different must succeed: if a client swaps I1 for I2 (a different certificate),
certificate), I2's SubjectPublicKeyInfo must match the its SPKI must match SPKI of I1. Such association would not suffer
SubjectPublicKeyInfo of I1. Such association would not suffer from from a false-negative failure on client's side if the client uses a
false-positive failure on the client if the client uses a reissued CA reissued CA certificate I2 in place of I1.
certificate I2 in place of I1.
The attack surface is a bit broader compared to "full certificate" The attack surface is a bit broader compared to "full certificate"
selector: selector: the DNS administrator might unintentionally specify an
association that would lead to false-positive acceptance.
o The administrator must know or trust the CA not to engage in bad o The administrator must know or trust the CA not to engage in bad
practices, such as not sharing key of I1 for unrelated CA practices, such as not sharing key of I1 for unrelated CA
certificates leading to trust-chain redirect certificates leading to trust-chain redirect. If possible, the
administrator should review all CA certificates that have the same
SPKI.
o The administrator should understand whether some PKIX extension o The administrator should understand whether some PKIX extension
may adversely affect security of the association. If possible, may adversely affect security of the association. If possible,
administrators should review all CA certificates that share the administrators should review all CA certificates that share the
SubjectPublicKeyInfo. SubjectPublicKeyInfo.
Using the SubjectPublicKeyInfo selector for association with a Using the SubjectPublicKeyInfo selector for association with a
certificate in a chain above I1 needs to be decided on a case-by-case certificate in a chain above I1 needs to be decided on a case-by-case
basis: there are too many possibilities based on the issuing CA's basis: there are too many possibilities based on the issuing CA's
practices. Unless the full implications of such an association are practices. Unless the full implications of such an association are
understood by the administrator, using selector type 0 is a better understood by the administrator, using selector type 0 is a better
option from a security perspective. option from a security perspective.
In practice, sharing keys in differently-purposed CA certificates is
rare, but certainly happens sometimes. An attack on an association
by SubjectPublicKeyInfo would require either gross negligence on the
part of the CA or an attacker gaining control of CA.
A.2. Provisioning TLSA Records in DNS A.2. Provisioning TLSA Records in DNS
A.2.1. Provisioning TLSA Records with Aliases A.2.1. Provisioning TLSA Records with Aliases
The TLSA resource record is not special in the DNS; it acts exactly The TLSA resource record is not special in the DNS; it acts exactly
like any other RRtype where the queried name has one or more labels like any other RRtype where the queried name has one or more labels
prefixed to the base name, such as the SRV RRtype [RFC2782]. This prefixed to the base name, such as the SRV RRtype [RFC2782]. This
affects the way that the TLSA resource record is used when aliasing affects the way that the TLSA resource record is used when aliasing
in the DNS. in the DNS.
skipping to change at page 19, line 38 skipping to change at page 21, line 28
Application implementations and full-service resolvers request DNS Application implementations and full-service resolvers request DNS
records using libraries that automatically follow CNAME (and DNAME) records using libraries that automatically follow CNAME (and DNAME)
aliasing. This allows hosts to put TLSA records in their own zones aliasing. This allows hosts to put TLSA records in their own zones
or to use CNAME to do redirection. or to use CNAME to do redirection.
If the owner of the original domain wants a TLSA record for the same, If the owner of the original domain wants a TLSA record for the same,
they simply enter it under the defined prefix: they simply enter it under the defined prefix:
; No TLSA record in target domain ; No TLSA record in target domain
; ;
sub5.example.com. IN CNAME sub6.example.com. sub5.example.com. IN CNAME sub6.example.com.
_443._tcp.sub5.example.com. IN TLSA 1 1 1 308202c5308201ab... _443._tcp.sub5.example.com. IN TLSA 1 1 1 308202c5308201ab...
sub6.example.com. IN A 10.0.0.0 sub6.example.com. IN A 192.0.2.1
sub6.example.com. IN AAAA 2001:db8::1/32
If the owner of the orginal domain wants to have the target domain If the owner of the original domain wants to have the target domain
host the TLSA record, the original domain uses a CNAME record: host the TLSA record, the original domain uses a CNAME record:
; TLSA record for original domain has CNAME to target domain ; TLSA record for original domain has CNAME to target domain
; ;
sub5.example.com. IN CNAME sub6.example.com. sub5.example.com. IN CNAME sub6.example.com.
_443._tcp.sub5.example.com. IN CNAME _443._tcp.sub6.example.com. _443._tcp.sub5.example.com. IN CNAME _443._tcp.sub6.example.com.
sub6.example.com. IN A 10.0.0.0 sub6.example.com. IN A 192.0.2.1
_443._tcp.sub6.example.com. IN TLSA 1 1 1 536a570ac49d9ba4... sub6.example.com. IN AAAA 2001:db8::1/32
_443._tcp.sub6.example.com. IN TLSA 1 1 1 536a570ac49d9ba4...
Note that it is acceptable for both the original domain and the Note that it is acceptable for both the original domain and the
target domain to have TLSA records, but the two records are target domain to have TLSA records, but the two records are
unrelated. Consider the following: unrelated. Consider the following:
; TLSA record in both the original and target domain ; TLSA record in both the original and target domain
; ;
sub5.example.com. IN CNAME sub6.example.com. sub5.example.com. IN CNAME sub6.example.com.
_443._tcp.sub5.example.com. IN TLSA 1 1 1 308202c5308201ab... _443._tcp.sub5.example.com. IN TLSA 1 1 1 308202c5308201ab...
sub6.example.com. IN A 10.0.0.0 sub6.example.com. IN A 192.0.2.1
_443._tcp.sub6.example.com. IN TLSA 1 1 1 ac49d9ba4570ac49... sub6.example.com. IN AAAA 2001:db8::1/32
_443._tcp.sub6.example.com. IN TLSA 1 1 1 ac49d9ba4570ac49...
In this example, someone looking for the TLSA record for In this example, someone looking for the TLSA record for
sub5.example.com would always get the record whose value starts sub5.example.com would always get the record whose value starts
"308202c5308201ab"; the TLSA record whose value starts "308202c5308201ab"; the TLSA record whose value starts
"ac49d9ba4570ac49" would only be sought by someone who is looking for "ac49d9ba4570ac49" would only be sought by someone who is looking for
the TLSA record for sub6.example.com, and never for sub5.example.com. the TLSA record for sub6.example.com, and never for sub5.example.com.
One should note that deploying different certificates for multiple
services located at a shared TLS listener often requires the use of
TLS SNI (Server Name Indication) [RFC6066].
Note that these methods use the normal method for DNS aliasing using Note that these methods use the normal method for DNS aliasing using
CNAME: the DNS client requests the record type that they actually CNAME: the DNS client requests the record type that they actually
want. want.
A.2.1.2. Provisioning TLSA Records with DNAME Records A.2.1.2. Provisioning TLSA Records with DNAME Records
Using DNAME records allows a zone owner to alias an entire subtree of Using DNAME records allows a zone owner to alias an entire subtree of
names below the name that has the DNAME. This allows the wholesale names below the name that has the DNAME. This allows the wholesale
aliasing of prefixed records such as those used by TLSA, SRV, and so aliasing of prefixed records such as those used by TLSA, SRV, and so
on without aliasing the name itself. However, because DNAME can only on without aliasing the name itself. However, because DNAME can only
be used for subtrees of a base name, it is rarely used to alias be used for subtrees of a base name, it is rarely used to alias
individual hosts that might also be running TLS. individual hosts that might also be running TLS.
; TLSA record in target domain, visible in original domain via DNAME ; TLSA record in target domain, visible in original domain via DNAME
; ;
sub5.example.com. IN CNAME sub6.example.com. sub5.example.com. IN CNAME sub6.example.com.
_tcp.sub5.example.com. IN DNAME _tcp.sub6.example.com. _tcp.sub5.example.com. IN DNAME _tcp.sub6.example.com.
sub6.example.com. IN A 10.0.0.0 sub6.example.com. IN A 192.0.2.1
sub6.example.com. IN AAAA 2001:db8::1/32
_443._tcp.sub6.example.com. IN TLSA 1 1 1 536a570ac49d9ba4... _443._tcp.sub6.example.com. IN TLSA 1 1 1 536a570ac49d9ba4...
A.2.1.3. Provisioning TLSA Records with Wildcards A.2.1.3. Provisioning TLSA Records with Wildcards
Wildcards are generally not terribly useful for RRtypes that require Wildcards are generally not terribly useful for RRtypes that require
prefixing because you can only wildcard at a layer below the host prefixing because you can only wildcard at a layer below the host
name. For example, if you want to have the same TLSA record for name. For example, if you want to have the same TLSA record for
every TCP port for www.example.com, you might have every TCP port for www.example.com, you might have
*._tcp.www.example.com. IN TLSA 1 1 1 5c1502a6549c423b... *._tcp.www.example.com. IN TLSA 1 1 1 5c1502a6549c423b...
This is possibly useful in some scenarios where the same service is This is possibly useful in some scenarios where the same service is
offered on many ports. offered on many ports.
A.2.2. Provisioning with NS Records A.2.2. Provisioning with NS Records
[[ This was proposed, and questioned, and not yet followed through [[ THIS SECTION NEEDS TO BE WRITTEN OR REMOVED. This was proposed,
on. ]] and questioned, and not yet followed through on. This section will
be removed in the next draft if no one volunteers to write it. ]]
A.3. Securing the Last Hop A.3. Securing the Last Hop
[[ Need to add text here about the various ways that a client who is As described in Section 5, an application processing TLSA records
pulling in TLSA records can be sure that they are protected by must know the DNSSEC validity of those records. There are many ways
DNSSEC. ]] for the application to securely find this out, and this specification
does not mandate any single method.
Some common methods for an application to know the DNSSEC validity of
TLSA records include:
o The application can have its own DNS resolver and DNSSEC
validation stack.
o The application can communicate through a trusted channel (such as
requests to the operating system under which the application is
running) to a local DNS resolver that does DNSSEC validation.
o The application can communicate through a secured channel (such as
requests running over TLS, IPsec, TSIG or SIG(0)) to a non-local
DNS resolver that does DNSSEC validation.
o The application can communicate through a secured channel (such as
requests running over TLS, IPsec, TSIG or SIG(0)) to a non-local
DNS resolver that does not do DNSSEC validation, but gets
responses through a secured channel from a different DNS resolver
that does DNSSEC validation.
A.4. Handling Certificate Rollover A.4. Handling Certificate Rollover
[[ Need to add text here about how to handle a change in certificate. Certificate rollover is handled in much the same was as for rolling
It would cover using two TLSA records at the same time, the TTL on DNSSEC zone signing keys using the pre-publish key rollover method
the RRset, and coordinating that with the use of the certificates in [RFC4641]. Suppose example.com has a single TLSA record for a TLS
the TLS server. ]] service on TCP port 990:
_990._tcp.example.com IN TLSA 1 1 1 1CFC98A706BCF3683015...
To start the rollover process, obtain or generate the new certificate
or SubjectPublicKeyInfo to be used after the rollover and generate
the new TLSA record. Add that record alongside the old one:
_990._tcp.example.com IN TLSA 1 1 1 1CFC98A706BCF3683015...
_990._tcp.example.com IN TLSA 1 1 1 62D5414CD1CC657E3D30...
After the new records have propagated to the authoritative
nameservers and the TTL of the old record has expired, switch to the
new certificate on the TLS server. Once this has occurred, the old
TLSA record can be removed:
_990._tcp.example.com IN TLSA 1 1 1 62D5414CD1CC657E3D30...
This completes the certificate rollover.
Appendix B. Pseudocode for Using TLSA Appendix B. Pseudocode for Using TLSA
This appendix describes the interactions given earlier in this This appendix describes the interactions given earlier in this
specification in pseudocode format. This appendix is non-normative. specification in pseudocode format. This appendix is non-normative.
If the steps below disagree with the text earlier in the document, If the steps below disagree with the text earlier in the document,
the steps earlier in the document should be considered correct and the steps earlier in the document should be considered correct and
this text incorrect. this text incorrect.
Note that this pseudocode is more strict than the normative text.
For instance, it forces an order on the evaluation of criteria which
is not mandatory from the normative text.
B.1. Helper Functions B.1. Helper Functions
// implement the function for exiting // implement the function for exiting
function Finish (F) = { function Finish (F) = {
if (F == 0) { if (F == ABORT_TLS) {
abort the TLS handshake or prevent TLS from starting abort the TLS handshake or prevent TLS from starting
exit exit
} }
if (F == 1) { if (F == NO_TLSA) {
fall back to non-TLSA certificate validation fall back to non-TLSA certificate validation
exit exit
} }
if (F == 2) { if (F == ACCEPT) {
accept the TLS connection accept the TLS connection
exit exit
} }
// unreachable // unreachable
} }
// implement the selector function // implement the selector function
function Select (S, X) = { function Select (S, X) = {
// Full certificate // Full certificate
if (S == 0) { if (S == 0) {
return X return X
} }
// SubjectPublicKeyInfo // SubjectPublicKeyInfo
if (S == 1) { if (S == 1) {
return X.SubjectPublicKeyInfo return X.SubjectPublicKeyInfo
skipping to change at page 22, line 19 skipping to change at page 25, line 16
// Full certificate // Full certificate
if (S == 0) { if (S == 0) {
return X return X
} }
// SubjectPublicKeyInfo // SubjectPublicKeyInfo
if (S == 1) { if (S == 1) {
return X.SubjectPublicKeyInfo return X.SubjectPublicKeyInfo
} }
return undef // unreachable
} }
// implement the matching function // implement the matching function
function Match (M, X, Y) { function Match (M, X, Y) {
// Exact match on selected content // Exact match on selected content
if (M == 0) { if (M == 0) {
return (X == Y) return (X == Y)
} }
// SHA-256 hash of selected content // SHA-256 hash of selected content
if (M == 1) { if (M == 1) {
return (SHA-256(X) == Y) return (SHA-256(X) == Y)
} }
// SHA-512 hash of selected content // SHA-512 hash of selected content
if (M == 2) { if (M == 2) {
return (SHA-512(X) == Y) return (SHA-512(X) == Y)
} }
return undef // unreachable
} }
B.2. Main TLSA Pseudo Code B.2. Main TLSA Pseudo Code
TLS connect using [transport] to [name] on [port] and receiving end TLS connect using [transport] to [name] on [port] and receiving end
entity cert C for the TLS server: entity cert C for the TLS server:
(TLSArecords, ValState) = DNSSECValidatedLookup( (TLSArecords, ValState) = DNSSECValidatedLookup(
domainname=_[port]._[transport].[name], RRtype=TLSA, class=IN) domainname=_[port]._[transport].[name], RRtype=TLSA, class=IN)
// check for states that would change processing // check for states that would change processing
if (ValState == BOGUS) { if (ValState == BOGUS) {
Finish(0) Finish(ABORT_TLS)
} }
if ((ValState == INDETERMINATE) or (ValState == INSECURE)) { if ((ValState == INDETERMINATE) or (ValState == INSECURE)) {
Finish(1) Finish(NO_TLSA)
} }
// if here, ValState must be SECURE // if here, ValState must be SECURE
for each R in TLSArecords { for each R in TLSArecords {
// unusable records include unknown certUsage, unknown // unusable records include unknown certUsage, unknown
// selectorType, unknown matchingType, and erroneous RDATA // selectorType, unknown matchingType, erroneous RDATA, and
if (R is unusable) remove it from TLSArecords // prohibited by local policy
if (R is unusable) {
remove R from TLSArecords
}
} }
if (length(TLSArecords) == 0) { if (length(TLSArecords) == 0) {
Finish(1) Finish(NO_TLSA)
} }
// A TLS client might have multiple trust anchors that it might use // A TLS client might have multiple trust anchors that it might use
// when validating the TLS server's end entity certificate. Also, // when validating the TLS server's end entity certificate. Also,
// there can be multiple PKIX validation chains for the // there can be multiple PKIX validation chains for the
// certificates given by the server in TLS. Thus, there are // certificates given by the server in TLS. Thus, there are
// possibly many chains that might need to be tested during // possibly many chains that might need to be tested during
// PKIX validation. // PKIX validation.
for each R in TLSArecords { for each R in TLSArecords {
// pass PKIX validation and chain through CA cert from TLSA // pass PKIX validation and chain through CA cert from TLSA
if (R.certUsage == 0) { if (R.certUsage == 0) {
for each PKIX validation chain H { for each PKIX validation chain H {
if (C passes PKIX validation in H) { if (C passes PKIX validation in H) {
for each D in H { for each D in H {
if (D is a CA certificate) and if ((D is a CA certificate) and
Match(matchingType, Select(selectorType, D), R) { Match(R.matchingType, Select(R.selectorType, D),
Finish(2) R.cert)) {
Finish(ACCEPT)
}
} }
} }
} }
} }
// pass PKIX validation and match EE cert from TLSA // pass PKIX validation and match EE cert from TLSA
if (R.certUsage == 1) { if (R.certUsage == 1) {
for each PKIX validation chain H { for each PKIX validation chain H {
if (C passes PKIX validation in H) { if ((C passes PKIX validation in H) and
if (Match(matchingType, Select(selectorType, C), R)) { Match(R.matchingType, Select(R.selectorType, C),
Finish(2) R.cert)) {
} Finish(ACCEPT)
} }
} }
} }
// pass PKIX validation using TLSA record as trust anchor // pass PKIX validation using TLSA record as trust anchor
if (R.certUsage == 2) { if (R.certUsage == 2) {
for each PKIX validation chain H that has R as the trust anchor { for each PKIX validation chain H that has R as the trust anchor {
if (C passes PKIX validation in H) { if (C passes PKIX validation in H) and
Finish(2) Match(R.matchingType, Select(R.selectorType, C),
R.cert)) {
Finish(ACCEPT)
} }
} }
} }
// match the TLSA record and the TLS certificate
if (R.certUsage == 3) {
if Match(R.matchingType, Select(R.selectorType, C), R.cert)
Finish(ACCEPT)
}
}
} }
// if here, the none of the TLSA records was sufficient for TLS // if here, then none of the TLSA records ended in "Finish(ACCEPT)"
Finish(0) // so abort TLS
Finish(ABORT_TLS)
Authors' Addresses Authors' Addresses
Paul Hoffman Paul Hoffman
VPN Consortium VPN Consortium
Email: paul.hoffman@vpnc.org Email: paul.hoffman@vpnc.org
Jakob Schlyter Jakob Schlyter
Kirei AB Kirei AB
 End of changes. 109 change blocks. 
232 lines changed or deleted 378 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/