draft-ietf-dane-protocol-16.txt   draft-ietf-dane-protocol-17.txt 
Network Working Group P. Hoffman Network Working Group P. Hoffman
Internet-Draft VPN Consortium Internet-Draft VPN Consortium
Intended status: Standards Track J. Schlyter Intended status: Standards Track J. Schlyter
Expires: August 11, 2012 Kirei AB Expires: September 1, 2012 Kirei AB
February 8, 2012 February 29, 2012
Using Secure DNS to Associate Certificates with Domain Names For TLS The DNS-Based Authentication of Named Entities (DANE) Protocol for
draft-ietf-dane-protocol-16 Transport Layer Security (TLS)
draft-ietf-dane-protocol-17
Abstract Abstract
TLS and DTLS use PKIX certificates for authenticating the server. Encrypted communication on the Internet often uses Transport Level
Users want their applications to verify that the certificate provided Security (TLS), which depends on third parties to certify the keys
by the TLS server is in fact associated with the domain name they used. This document improves on that situation by enabling the
expect. TLSA provides bindings of keys to domains that are asserted administrator of a domain name to certify the keys used in that
not by external entities, but by the entities that operate the DNS. domain's TLS servers. This requires matching improvements in TLS
This document describes how to use secure DNS to associate the TLS client software, but no change in TLS server software.
server's certificate with the intended domain name.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 11, 2012. This Internet-Draft will expire on September 1, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Certificate Associations . . . . . . . . . . . . . . . . . 4 1.1. Background of the Problem . . . . . . . . . . . . . . . . 4
1.2. Securing Certificate Associations . . . . . . . . . . . . 5 1.2. Securing the Association with a Server's Certificate . . . 5
1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.3. Method For Securing Certificate Associations . . . . . . . 6
2. The TLSA Resource Record . . . . . . . . . . . . . . . . . . . 5 1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
2.1. TLSA RDATA Wire Format . . . . . . . . . . . . . . . . . . 6 2. The TLSA Resource Record . . . . . . . . . . . . . . . . . . . 7
2.1.1. The Certificate Usage Field . . . . . . . . . . . . . 6 2.1. TLSA RDATA Wire Format . . . . . . . . . . . . . . . . . . 7
2.1.2. The Selector Field . . . . . . . . . . . . . . . . . . 7 2.1.1. The Certificate Usage Field . . . . . . . . . . . . . 7
2.1.3. The Matching Type Field . . . . . . . . . . . . . . . 7 2.1.2. The Selector Field . . . . . . . . . . . . . . . . . . 8
2.1.4. The Certificate Association Data Field . . . . . . . . 7 2.1.3. The Matching Type Field . . . . . . . . . . . . . . . 9
2.2. TLSA RR Presentation Format . . . . . . . . . . . . . . . 7 2.1.4. The Certificate Association Data Field . . . . . . . . 9
2.3. TLSA RR Examples . . . . . . . . . . . . . . . . . . . . . 8 2.2. TLSA RR Presentation Format . . . . . . . . . . . . . . . 9
3. Domain Names for TLS Certificate Associations . . . . . . . . 8 2.3. TLSA RR Examples . . . . . . . . . . . . . . . . . . . . . 10
4. Semantics and Features of TLSA Certificate Usages . . . . . . 9 3. Domain Names for TLS Certificate Associations . . . . . . . . 10
4.1. Pass PKIX Validation and Chain Through CA . . . . . . . . 9 4. Use of TLSA Records in TLS . . . . . . . . . . . . . . . . . . 11
4.2. Pass PKIX Validation and Match End Entity Certificate . . 9 5. TLSA and DANE Use Cases and Requirements . . . . . . . . . . . 12
4.3. Pass PKIX Validation and Use Trust Anchor . . . . . . . . 9 6. Mandatory-to-Implement Features . . . . . . . . . . . . . . . 14
4.4. Match Certificate . . . . . . . . . . . . . . . . . . . . 9 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
5. Use of TLS Certificate Associations in TLS . . . . . . . . . . 10 7.1. TLSA RRtype . . . . . . . . . . . . . . . . . . . . . . . 14
6. TLSA and DANE Use Cases and Requirements . . . . . . . . . . . 11 7.2. TLSA Usages . . . . . . . . . . . . . . . . . . . . . . . 15
7. Mandatory-to-Implement Algorithms . . . . . . . . . . . . . . 13 7.3. TLSA Selectors . . . . . . . . . . . . . . . . . . . . . . 15
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 7.4. TLSA Matching Types . . . . . . . . . . . . . . . . . . . 15
8.1. TLSA RRtype . . . . . . . . . . . . . . . . . . . . . . . 13 8. Security Considerations . . . . . . . . . . . . . . . . . . . 16
8.2. TLSA Usages . . . . . . . . . . . . . . . . . . . . . . . 14 8.1. DNS Caching . . . . . . . . . . . . . . . . . . . . . . . 17
8.3. TLSA Selectors . . . . . . . . . . . . . . . . . . . . . . 14 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18
8.4. TLSA Matching Types . . . . . . . . . . . . . . . . . . . 14 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18
9. Security Considerations . . . . . . . . . . . . . . . . . . . 15 10.1. Normative References . . . . . . . . . . . . . . . . . . . 18
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16 10.2. Informative References . . . . . . . . . . . . . . . . . . 19
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
11.1. Normative References . . . . . . . . . . . . . . . . . . . 16
11.2. Informative References . . . . . . . . . . . . . . . . . . 17
Appendix A. Operational Considerations for Deploying TLSA Appendix A. Operational Considerations for Deploying TLSA
Records . . . . . . . . . . . . . . . . . . . . . . . 18 Records . . . . . . . . . . . . . . . . . . . . . . . 20
A.1. Creating TLSA Records . . . . . . . . . . . . . . . . . . 18 A.1. Creating TLSA Records . . . . . . . . . . . . . . . . . . 20
A.1.1. Ambiguities and Corner Cases When TLS Clients A.1.1. Ambiguities and Corner Cases When TLS Clients
Build Trust Chains . . . . . . . . . . . . . . . . . . 18 Build Trust Chains . . . . . . . . . . . . . . . . . . 20
A.1.2. Choosing a Selector Type . . . . . . . . . . . . . . . 19 A.1.2. Choosing a Selector Type . . . . . . . . . . . . . . . 21
A.2. Provisioning TLSA Records in DNS . . . . . . . . . . . . . 20 A.2. Provisioning TLSA Records in DNS . . . . . . . . . . . . . 22
A.2.1. Provisioning TLSA Records with Aliases . . . . . . . . 20 A.2.1. Provisioning TLSA Records with Aliases . . . . . . . . 22
A.2.2. Provisioning with NS Records . . . . . . . . . . . . . 22 A.3. Securing the Last Hop . . . . . . . . . . . . . . . . . . 24
A.3. Securing the Last Hop . . . . . . . . . . . . . . . . . . 23 A.4. Handling Certificate Rollover . . . . . . . . . . . . . . 25
A.4. Handling Certificate Rollover . . . . . . . . . . . . . . 23 Appendix B. Pseudocode for Using TLSA . . . . . . . . . . . . . . 26
Appendix B. Pseudocode for Using TLSA . . . . . . . . . . . . . . 24 B.1. Helper Functions . . . . . . . . . . . . . . . . . . . . . 26
B.1. Helper Functions . . . . . . . . . . . . . . . . . . . . . 24 B.2. Main TLSA Pseudo Code . . . . . . . . . . . . . . . . . . 27
B.2. Main TLSA Pseudo Code . . . . . . . . . . . . . . . . . . 25
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 27 Appendix C. Examples . . . . . . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 31
1. Introduction 1. Introduction
1.1. Background of the Problem
Applications that communicate over the Internet often need to prevent
eavesdropping, tampering, or forgery of their communications. The
Transport Layer Security (TLS) protocol provides this kind of
communications privacy over the Internet, using encryption.
The security properties of encryption systems depend strongly on the
keys that they use. If secret keys are revealed, or if published
keys can be replaced by bogus keys, these systems provide little or
no security.
TLS uses certificates to protect keys. A certificate combines a
published key with other information such as the name of the service
that the key is used by, and this combination is digitally signed by
another key. Having a certificate for a key is only helpful if you
trust the other key that signed the certificate. If that other key
was itself revealed or substituted, then its signature is worthless
in proving anything about the first key.
On the Internet, this problem has been solved for years by entities
called "Certification Authorities" (CAs). CAs protect their secret
key vigorously, while supplying their public key to the software
vendors who build TLS clients. They then sign certificates, and
supply those to TLS servers. TLS client software uses a set of these
CA keys as "trust anchors" to validate the signatures on certificates
that the client receives from TLS servers. Client software typically
allows any CA to usefully sign any other certificate.
This solution has gradually broken down because some CAs have become
untrustworthy. A single trusted CA that betrays its trust, either
voluntarily or by providing less-than-vigorous protection for its
secrets and capabilities, can compromise any other certificate that
TLS uses by signing a replacement certificate that contains a bogus
key. Several real-world occurrances that have exploited such CAs for
subversion of major web sites (presumably to abet wiretapping and
large-scale fraud) have brought TLS's CA model into disrepute.
The DNS Security Extensions (DNSSEC) provides a similar model that
involves trusted keys signing the information for untrusted keys.
However, DNSSEC provides three significant improvements. Keys are
tied to names in the Domain Name System (DNS), rather than to
arbitrary identifying strings; this is more convenient for Internet
protocols. Signed keys for any domain are accessible online through
a straightforward query using the standard DNSSEC protocol, so there
is no problem distributing the signed keys. Most significantly, the
keys associated with a domain name can only be signed by a key
associated with the parent of that domain name; for example, the keys
for "example.com" can only be signed by the keys for "com", and the
keys for "com" can only be signed by the DNS root. This prevents an
untrustworthy signer from compromising anyone's keys except those in
their own subdomains. Like TLS, DNSSEC relies on public keys that
come built into the DNSSEC client software, but these keys come only
from a single root domain rather than from a multiplicity of CAs.
1.2. Securing the Association with a Server's Certificate
A TLS client begins a connection by exchanging messages with a TLS
server. It looks up the server's name using the DNS to get Internet
Protocol (IP) address associated with the name. It then begins a
connection to a client-chosen port at that address, and sends an
initial message there. However, the client does not yet know whether
an adversary is intercepting and/or altering its communication before
it reaches the TLS server. It does not even know whether the real
TLS server associated with that domain name has ever received its
initial messages.
The first response from the server in TLS may contain a certificate. The first response from the server in TLS may contain a certificate.
In order for the TLS client to authenticate that it is talking to the In order for the TLS client to authenticate that it is talking to the
expected TLS server, the client must validate that this certificate expected TLS server, the client must validate that this certificate
is associated with the domain name used by the client to get to the is associated with the domain name used by the client to get to the
server. Currently, the client must extract the domain name from the server. Currently, the client must extract the domain name from the
certificate, must trust a trust anchor upon which the server's certificate and must successfully validate the certificate, including
certificate is rooted, and must successfully validate the chaining to a trust anchor.
certificate.
Some people want a different way to authenticate the association of There is a different way to authenticate the association of the
the server's certificate with the intended domain name without server's certificate with the intended domain name without trusting
trusting an external certificate authority (CA). Given that the DNS an external CA. Given that the DNS administrator for a domain name
administrator for a domain name is authorized to give identifying is authorized to give identifying information about the zone, it
information about the zone, it makes sense to allow that makes sense to allow that administrator to also make an authoritative
administrator to also make an authoritative binding between the binding between the domain name and a certificate that might be used
domain name and a certificate that might be used by a host at that by a host at that domain name. The easiest way to do this is to use
domain name. The easiest way to do this is to use the DNS. the DNS, securing the binding with DNSSEC.
There are many use cases for such functionality. [RFC6394] lists the There are many use cases for such functionality. [RFC6394] lists the
ones that the protocol in this document is meant to apply to. ones that the DNS RRtype in this document are meant to apply.
[RFC6394] also lists many requirements, most of which the protocol in [RFC6394] also lists many requirements, most of which this document
this document is believed to meet. Section 6 covers the is believed to meet. Section 5 covers the applicability of this
applicability of this document to the use cases in detail. document to the use cases in detail.
This document applies to both TLS [RFC5246] and DTLS [RFC6347]. In This document applies to both TLS [RFC5246] and DTLS [RFC6347]. In
order to make the document more readable, it mostly only talks about order to make the document more readable, it mostly only talks about
"TLS", but in all cases, it means "TLS or DTLS". This document only "TLS", but in all cases, it means "TLS or DTLS". This document only
relates to securely associating certificates for TLS and DTLS with relates to securely associating certificates for TLS and DTLS with
host names; other security protocols and other forms of host names; other security protocols and other forms of
identification of TLS servers (such as IP addresses) are handled in identification of TLS servers (such as IP addresses) are handled in
other documents. For example, keys for IPsec are covered in other documents. For example, keys for IPsec are covered in
[RFC4025] and keys for SSH are covered in [RFC4255]. [RFC4025] and keys for SSH are covered in [RFC4255].
1.1. Certificate Associations 1.3. Method For Securing Certificate Associations
A certificate association is formed from a piece of information A certificate association is formed from a piece of information
identifying a certificate with the domain name where the data is identifying a certificate (such as the contents of the certificate or
found. The data used to identify the certificate consists of either a trust anchor to which the certificate chains) and the domain name
a PKIX certificate or a hash of a PKIX certificate. When using the where the data is found. This document only applies to PKIX
certificate itself in the certificate association, the entire [RFC5280] certificates, not certificates of other formats.
certificate in the normal format is used. This document only applies
to PKIX [RFC5280] certificates, not certificates of other formats.
A DNS query can return multiple certificate associations, such as in A DNS query can return multiple certificate associations, such as in
the case of different server software on a single host using the case of different server software on a single host using
different certificates, or in the case that a server is changing from different certificates, or in the case that a server is changing from
one certificate to another. one certificate to another.
1.2. Securing Certificate Associations
This document defines a secure method to associate the certificate This document defines a secure method to associate the certificate
that is obtained from the TLS server with a domain name using DNS; that is obtained from the TLS server with a domain name using DNS;
the DNS information needs to be be protected by DNSSEC. Because the the DNS information needs to be be protected by DNSSEC. Because the
certificate association was retrieved based on a DNS query, the certificate association was retrieved based on a DNS query, the
domain name in the query is by definition associated with the domain name in the query is by definition associated with the
certificate. certificate.
DNSSEC, which is defined in RFCs 4033, 4034, and 4035 ([RFC4033], DNSSEC, which is defined in RFCs 4033, 4034, and 4035 ([RFC4033],
[RFC4034], and [RFC4035]), uses cryptographic keys and digital [RFC4034], and [RFC4035]), uses cryptographic keys and digital
signatures to provide authentication of DNS data. Information that signatures to provide authentication of DNS data. Information that
skipping to change at page 5, line 29 skipping to change at page 6, line 43
thereby proved to be the authoritative data. The DNSSEC signature thereby proved to be the authoritative data. The DNSSEC signature
MUST be validated on all responses that use DNSSEC in order to assure MUST be validated on all responses that use DNSSEC in order to assure
the proof of origin of the data. This document does not specify how the proof of origin of the data. This document does not specify how
DNSSEC validation occurs because there are many different proposals DNSSEC validation occurs because there are many different proposals
for how a client might get validated DNSSEC results. for how a client might get validated DNSSEC results.
This document only relates to securely getting the DNS information This document only relates to securely getting the DNS information
for the certificate association using DNSSEC; other secure DNS for the certificate association using DNSSEC; other secure DNS
mechanisms are out of scope. mechanisms are out of scope.
1.3. Terminology 1.4. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
This document also makes use of standard PKIX, DNSSEC, and TLS This document also makes use of standard PKIX, DNSSEC, and TLS
terminology. See [RFC5280], [RFC4033], and [RFC5246] respectively, terminology. See [RFC5280], [RFC4033], and [RFC5246] respectively,
for these terms. In addition, terms related to TLS-protected for these terms. In addition, terms related to TLS-protected
application services and DNS names are taken from [RFC6125]. application services and DNS names are taken from [RFC6125].
skipping to change at page 6, line 26 skipping to change at page 7, line 39
/ / / /
/ Certificate Association Data / / Certificate Association Data /
/ / / /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2.1.1. The Certificate Usage Field 2.1.1. The Certificate Usage Field
A one-octet value, called "certificate usage" or just "usage", A one-octet value, called "certificate usage" or just "usage",
specifying the provided association that will be used to match the specifying the provided association that will be used to match the
target certificate from the TLS handshake. This value is defined in target certificate from the TLS handshake. This value is defined in
a new IANA registry (see Section 8.2) in order to make it easier to a new IANA registry (see Section 7.2) in order to make it easier to
add additional certificate usages in the future. The usages defined add additional certificate usages in the future. The usages defined
in this document are: in this document are:
0 -- The target certificate MUST pass PKIX validation and MUST 0 -- Certificate usage 0 is used to specify a CA certificate, or
chain through a CA certificate matching the TLSA record the public key of such a certificate, that must be found in any of
the PKIX certification paths for the end entity certificate given
by the server in TLS. This usage is sometimes referred to as "CA
constraint" because it limits which CA can be used to issue
certificates for a given host name, port, and protocol. The
target certificate MUST pass PKIX certification path validation
and a CA certificate that matches the TLSA record MUST be included
as part of a valid certification path.
1 -- The target certificate MUST pass PKIX validation and MUST 1 -- Certificate usage 1 is used to specify an end entity
match the TLSA record certificate, or the public key of such a certificate, that must be
matched with the end entity certificate given by the server in
TLS. This usage is sometimes referred to as "service certificate
constraint" because it limits which end entity certificate may be
used by a given host name, port, and protocol. The target
certificate MUST pass PKIX certification path validation and MUST
match the TLSA record.
2 -- The target certificate MUST pass PKIX validation, with any 2 -- Certificate usage 2 is used to specify a certificate, or the
public key of such a certificate, that must be used as a trust
anchor when validating the end entity certificate given by the
server in TLS. This usage is sometimes referred to as "trust
anchor assertion" and allows a domain name administrator to
specify a new trust anchor, for example if the domain issues its
own certificates under its own CA that is not expected to be in
the end users' collection of trust anchors. The target
certificate MUST pass PKIX certification path validation, with any
certificate matching the TLSA record considered to be a trust certificate matching the TLSA record considered to be a trust
anchor for this validation anchor for this certification path validation.
3 -- The target certificate MUST match the TLSA record 3 -- Certificate usage 3 is used to specify a certificate, or the
public key of such a certificate, that must match the end entity
certificate given by the server in TLS. This usage is sometimes
referred to as "domain-issued certificate" because it allows for a
domain name administrator to issue certificates for a domain
without involving a third-party CA. The target certificate MUST
match the TLSA record.
The certificate usages defined in this document explicitly only apply The certificate usages defined in this document explicitly only apply
to PKIX-formatted certificates in DER encoding. If TLS allows other to PKIX-formatted certificates in DER encoding. If TLS allows other
formats later, or if extensions to this protocol are made that accept formats later, or if extensions to this RRtype are made that accept
other formats for certificates, those certificates will need their other formats for certificates, those certificates will need their
own certificate usage values. own certificate usage values.
The use of this field is described in greater detail in Section 4.
2.1.2. The Selector Field 2.1.2. The Selector Field
A one-octet value, called "selector", specifying which part of the A one-octet value, called "selector", specifying which part of the
TLS certificate presented by the server will be matched against the TLS certificate presented by the server will be matched against the
association data. This value is defined in a new IANA registry (see association data. This value is defined in a new IANA registry (see
Section 8.3. The selectors defined in this document are: Section 7.3. The selectors defined in this document are:
0 -- Full certificate 0 -- Full certificate
1 -- SubjectPublicKeyInfo 1 -- SubjectPublicKeyInfo
2.1.3. The Matching Type Field 2.1.3. The Matching Type Field
A one-octet value, called "matching type", specifying how the A one-octet value, called "matching type", specifying how the
certificate association is presented. This value is defined in a new certificate association is presented. This value is defined in a new
IANA registry (see Section 8.4). The types defined in this document IANA registry (see Section 7.4). The types defined in this document
are: are:
0 -- Exact match on selected content 0 -- Exact match on selected content
1 -- SHA-256 hash of selected content 1 -- SHA-256 hash of selected content
2 -- SHA-512 hash of selected content 2 -- SHA-512 hash of selected content
Because clients' support for multiple hash algorithms might be If the TLSA record's matching type is a hash, the record SHOULD use
limited, it is advisable to use the same hash algorithm for the the same hash algorithm that was used in the signature in the
matching type as is used for the signature in the certificate. Doing certificate. This will assist clients that support a small number of
so will increase the likelihood of interoperability. hash algorithms.
2.1.4. The Certificate Association Data Field 2.1.4. The Certificate Association Data Field
The "certificate association data" to be matched. This field The "certificate association data" to be matched. This field
contains the data to be matched. These bytes are either raw data contains the data to be matched. These bytes are either raw data
(that is, the full certificate or its SubjectPublicKeyInfo, depending (that is, the full certificate or its SubjectPublicKeyInfo, depending
on the selector) for matching type 0, or the hash of the raw data for on the selector) for matching type 0, or the hash of the raw data for
matching types 1 and 2. The data refers to the certificate in the matching types 1 and 2. The data refers to the certificate in the
association, not to the TLS ASN.1 Certificate object. association, not to the TLS ASN.1 Certificate object.
skipping to change at page 9, line 15 skipping to change at page 11, line 8
3. The domain name is appended to the result of step 2 to complete 3. The domain name is appended to the result of step 2 to complete
the prepared domain name. the prepared domain name.
For example, to request a TLSA resource record for an HTTP server For example, to request a TLSA resource record for an HTTP server
running TLS on port 443 at "www.example.com", you would use running TLS on port 443 at "www.example.com", you would use
"_443._tcp.www.example.com" in the request. To request a TLSA "_443._tcp.www.example.com" in the request. To request a TLSA
resource record for an SMTP server running the STARTTLS protocol on resource record for an SMTP server running the STARTTLS protocol on
port 25 at "mail.example.com", you would use port 25 at "mail.example.com", you would use
"_25._tcp.mail.example.com". "_25._tcp.mail.example.com".
4. Semantics and Features of TLSA Certificate Usages 4. Use of TLSA Records in TLS
The certificate usages have very different semantics, but also have
features common to all the types.
4.1. Pass PKIX Validation and Chain Through CA
Certificate usage 0 is used to specify a CA certificate, or the
public key of such a certificate, that must be found in any of the
PKIX validation chains for the end entity certificate given by the
server in TLS. This usage is sometimes referred to as "CA
constraint" because it limits which CA can be used to issue
certificates for a given host name.
4.2. Pass PKIX Validation and Match End Entity Certificate
Certificate usage 1 is used to specify an end entity certificate, or
the public key of such a certificate, that must be matched with the
end entity certificate given by the server in TLS. This usage is
sometimes referred to as "service certificate constraints" because it
limits which end entity certificate may be used by a given host name.
4.3. Pass PKIX Validation and Use Trust Anchor
Certificate usage 2 is used to specify a certificate, or the public
key of such a certificate, that must be used as a trust anchor when
validating the end entity certificate given by the server in TLS.
This usage is sometimes referred to as "trust anchor assertion" and
allows a domain name administrator to specify a new trust anchor,
such as if the domain issues its own certificates under its own CA
that is not expected to be in the end users collection of trust
anchors.
4.4. Match Certificate
Certificate usage 3 is used to specify a certificate, or the public
key of such a certificate, that must match the end entity certificate
given by the server in TLS. This usage is sometimes referred to as
"domain-issued certificate" because it allows for a domain name
administrator to issue certificates for a domain without involving a
third-party CA.
5. Use of TLS Certificate Associations in TLS
Section 2.1 of this document defines the mandatory matching rules for Section 2.1 of this document defines the mandatory matching rules for
the data from the TLS certificate associations and the certificates the data from the TLSA certificate associations and the certificates
received from the TLS server. received from the TLS server.
The TLS session that is to be set up MUST be for the specific port The TLS session that is to be set up MUST be for the specific port
number and transport name that was given in the TLSA query. The number and transport name that was given in the TLSA query.
matching or chaining MUST be done within the life of the TTL on the
TLSA record; using a TLSA record past the lifetime specified in the
TTL can expose the the TLS client to many types of attacks.
Some specifications for applications that run under TLS, such as Some specifications for applications that run under TLS, such as
[RFC2818] for HTTP, require the server's certificate to have a domain [RFC2818] for HTTP, require the server's certificate to have a domain
name that matches the host name expected by the client. Some name that matches the host name expected by the client. Some
specifications such as [RFC6125] detail how to match the identity specifications such as [RFC6125] detail how to match the identity
given in a PKIX certificate with those expected by the user. given in a PKIX certificate with those expected by the user.
An application that complies with this document first requests TLSA An implementation of this protocol makes a DNS query for TLSA records
records in order to make certificate associations. (or uses already-retrieved TLSA records if they are cached within
their time to live value), validates these records using DNSSEC, and
uses the resulting TLSA records and validation status to modify its
responses to the TLS server.
If a host is using TLSA usage type 2 for its certifcate, the
corresponding TLS server SHOULD send the certificate that is
referenced just like it currently sends intermediate certificates.
Determining whether a TLSA RRset can be used depends on the DNSSEC Determining whether a TLSA RRset can be used depends on the DNSSEC
validation state (as defined in [RFC4033]). validation state (as defined in [RFC4033]).
o A TLSA RRset whose DNSSEC validation state is secure MUST be used o A TLSA RRset whose DNSSEC validation state is secure MUST be used
as a certificate association for TLS unless a local policy would as a certificate association for TLS unless a local policy would
prohibit the use of the specific certificate association in the prohibit the use of the specific certificate association in the
secure TLSA RRset. secure TLSA RRset.
o If the DNSSEC validation state on the response to the request for o If the DNSSEC validation state on the response to the request for
the TLSA RRset is bogus, this MUST cause TLS not to be started or, the TLSA RRset is bogus, this MUST cause TLS not to be started or,
if the TLS negotiation is already in progress, MUST cause the if the TLS negotiation is already in progress, MUST cause the
connection to be aborted. connection to be aborted.
o A TLSA RRset whose DNSSEC validation state is indeterminate or o A TLSA RRset whose DNSSEC validation state is indeterminate or
insecure cannot be used for TLS and MUST be marked as unusable. insecure cannot be used for TLS and MUST be considered unusable.
If an application receives zero usable certificate associations, it
processes TLS in the normal fashion without any input from the TLSA
records; otherwise, that application attempts to match each
certificate association with the TLS server's end entity certificate.
Clients that validate the DNSSEC signatures themselves MUST use Clients which validate the DNSSEC signatures themselves MUST use
standard DNSSEC validation procedures. Clients that rely on another standard DNSSEC validation procedures. Clients that rely on another
entity to perform the DNSSEC signature validation MUST use a secure entity to perform the DNSSEC signature validation MUST use a secure
mechanism between themselves and the validator. Examples of secure mechanism between themselves and the validator. Examples of secure
transports to other hosts include TSIG [RFC2845], SIG(0) [RFC2931], transports to other hosts include TSIG [RFC2845], SIG(0) [RFC2931],
and IPsec [RFC6071]. Note that it is not sufficient to use secure and IPsec [RFC6071]. Note that it is not sufficient to use secure
transport to a DNS resolver that does not do DNSSEC signature transport to a DNS resolver that does not do DNSSEC signature
validation. validation.
If a certificate association contains a certificate usage, selector, If a certificate association contains a certificate usage, selector,
or matching type that is not understood by the TLS client, that or matching type that is not understood by the TLS client, that
certificate association MUST be marked as unusable. If the certificate association MUST be considered unusable. If the
comparison data for a certificate is malformed, the certificate comparison data for a certificate is malformed, the certificate
association MUST be marked as unusable. If a certificate association association MUST be considered unusable.
contains a matching type or certificate association data that uses a
cryptographic algorithm that is considered too weak for the TLS
client's policy, the certificate association MUST be marked as
unusable.
6. TLSA and DANE Use Cases and Requirements If a certificate association contains a matching type or certificate
association data that uses a cryptographic algorithm that is
considered too weak for the TLS client's policy, the certificate
association MUST be marked as unusable.
If an application receives zero usable certificate associations, it
processes TLS in the normal fashion without any input from the TLSA
records. If an application receives one or more usable certificate
associations, it attempts to match each certificate association with
the TLS server's end entity certificate until a successful match is
found.
5. TLSA and DANE Use Cases and Requirements
The different types of certificate associations defined in TLSA are The different types of certificate associations defined in TLSA are
matched with various sections of [RFC6394]. The use cases from matched with various sections of [RFC6394]. The use cases from
Section 3 of [RFC6394] are covered in this protocol as follows: Section 3 of [RFC6394] are covered in this document as follows:
3.1 CA Constraints -- Implemented using certificate usage 0. 3.1 CA Constraints -- Implemented using certificate usage 0.
3.2 Certificate Constraints -- Implemented using certificate usage 3.2 Certificate Constraints -- Implemented using certificate usage
1. 1.
3.3 Trust Anchor Assertion and Domain-Issued Certificates -- 3.3 Trust Anchor Assertion and Domain-Issued Certificates --
Implemented using certificate usages 2 and 3, respectively. Implemented using certificate usages 2 and 3, respectively.
The requirements from Section 4 of [RFC6394] are covered in this The requirements from Section 4 of [RFC6394] are covered in this
protocol as follows: document as follows:
Multiple Ports -- The TLSA records for different application Multiple Ports -- The TLSA records for different application
services running on a single host can be distinguished through the services running on a single host can be distinguished through the
service name and port number prefixed to the host name (see service name and port number prefixed to the host name (see
Section 3). Section 3).
No Downgrade -- Section 5 specifies the conditions under which a No Downgrade -- Section 4 specifies the conditions under which a
client can process and act upon TLSA records. Specifically, if client can process and act upon TLSA records. Specifically, if
the DNSSEC status for the TLSA resource record set is determined the DNSSEC status for the TLSA resource record set is determined
to be bogus, TLS is not attempted at all. to be bogus, TLS is not attempted at all.
Encapsulation -- Covered in the TLSA response semantics. Encapsulation -- Covered in the TLSA response semantics.
Predictability -- The appendixes of this specification provide Predictability -- The appendixes of this specification provide
operational considerations and implementation guidance in order to operational considerations and implementation guidance in order to
enable application developers to form a consistent interpretation enable application developers to form a consistent interpretation
of the recommended DANE client behavior. of the recommended DANE client behavior.
Opportunistic Security -- If a client conformant to this Opportunistic Security -- If a client conformant to this
specification can reliably determine the presence of a TLSA specification can reliably determine the presence of a TLSA
record, it will attempt to use this information. Conversely, if a record, it will attempt to use this information. Conversely, if a
client can reliably determine the absence of any TLSA record, it client can reliably determine the absence of any TLSA record, it
will fall back to processing TLS in the normal fashion. This is will fall back to processing TLS in the normal fashion. This is
discussed in Section 5. discussed in Section 4.
Combination -- Multiple TLSA records can be published for a given Combination -- Multiple TLSA records can be published for a given
host name, thus enabling the client to construct multiple TLSA host name, thus enabling the client to construct multiple TLSA
certificate associations that reflect different DANE assertions. certificate associations that reflect different DANE assertions.
No support is provided to combine two TLSA certificate No support is provided to combine two TLSA certificate
associations in a single operation. associations in a single operation.
Roll-over -- Section 5 states that applications must not cache TLSA Roll-over -- Section 4 states that applications must not cache TLSA
records beyond their TTL expiration. This ensures that clients records beyond their TTL expiration. This ensures that clients
will not latch onto assertions made by expired TLSA records, and will not latch onto assertions made by expired TLSA records, and
will be able to transition between using one DANE mechanism to will be able to transition between using one DANE mechanism to
another. another.
Simple Key Management -- The SubjectPublicKeyInfo selector in the Simple Key Management -- The SubjectPublicKeyInfo selector in the
TLSA record provides a mode that enables a domain holder to only TLSA record provides a mode that enables a domain holder to only
have to maintain a single long-lived public/private key pair have to maintain a single long-lived public/private key pair
without the need to manage certificates. Appendix A outlines the without the need to manage certificates. Appendix A outlines the
usefulness and the potential downsides to using this mode. usefulness and the potential downsides to using this mode.
skipping to change at page 13, line 10 skipping to change at page 14, line 15
Minimal Options -- The operating modes map precisely to the DANE use Minimal Options -- The operating modes map precisely to the DANE use
cases and requirements. DNSSEC use is mandatory in that this cases and requirements. DNSSEC use is mandatory in that this
specification encourages applications to use TLSA records that are specification encourages applications to use TLSA records that are
only shown to be validated. only shown to be validated.
Wild Cards -- Covered in a limited manner in the TLSA request Wild Cards -- Covered in a limited manner in the TLSA request
syntax; see Appendix A. syntax; see Appendix A.
Redirection -- Covered in the TLSA request syntax; see Appendix A. Redirection -- Covered in the TLSA request syntax; see Appendix A.
7. Mandatory-to-Implement Algorithms 6. Mandatory-to-Implement Features
A system creating TLSA records that conforms to this specification A system creating TLSA records that conforms to this specification
MUST be able to create TLSA records containing certificate usages 0, MUST be able to create TLSA records containing certificate usages 0,
1, 2, and 3. A system creating TLSA records that conforms to this 1, 2, and 3. A system creating TLSA records that conforms to this
specification MUST be able to create TLSA records with selectors 0 specification MUST be able to create TLSA records with selectors 0
(full certificate) and 1 (SubjectPublicKeyInfo). A system creating (full certificate) and 1 (SubjectPublicKeyInfo). A system creating
TLSA records that conforms to this specification MUST be able to TLSA records that conforms to this specification MUST be able to
create TLSA records using matching type 0 (no hash used) and matching create TLSA records using matching type 0 (no hash used) and matching
type 1 (SHA-256), and SHOULD be able to create TLSA records using type 1 (SHA-256), and SHOULD be able to create TLSA records using
matching type 2 (SHA-512). matching type 2 (SHA-512).
skipping to change at page 13, line 36 skipping to change at page 14, line 41
handshake using selectors type 0 and 1, and matching type 0 (no hash handshake using selectors type 0 and 1, and matching type 0 (no hash
used) and matching type 1 (SHA-256), and SHOULD be able to make such used) and matching type 1 (SHA-256), and SHOULD be able to make such
comparisons with matching type 2 (SHA-512). comparisons with matching type 2 (SHA-512).
At the time this is written, it is expected that there will be a new At the time this is written, it is expected that there will be a new
family of hash algorithms called SHA-3 within the next few years. It family of hash algorithms called SHA-3 within the next few years. It
is expected that some of the SHA-3 algorithms will be mandatory is expected that some of the SHA-3 algorithms will be mandatory
and/or recommended for TLSA records after the algorithms are fully and/or recommended for TLSA records after the algorithms are fully
defined. At that time, this specification will be updated. defined. At that time, this specification will be updated.
8. IANA Considerations 7. IANA Considerations
8.1. TLSA RRtype 7.1. TLSA RRtype
This document uses a new DNS RR type, TLSA, whose value is TBD. A This document uses a new DNS RR type, TLSA, whose value is TBD. A
separate request for the RR type will be submitted to the expert separate request for the RR type will be submitted to the expert
reviewer, and future versions of this document will have that value reviewer, and future versions of this document will have that value
instead of TBD. instead of TBD.
In the following sections, "RFC Required" was chosen for TLSA usages In the following sections, "RFC Required" was chosen for TLSA usages
and "Specification Required" for selectors and matching types because and "Specification Required" for selectors and matching types because
of the amount of detail that is likely to be needed for implementers of the amount of detail that is likely to be needed for implementers
to correctly implement new usages as compared to new selectors and to correctly implement new usages as compared to new selectors and
matching types. matching types.
8.2. TLSA Usages 7.2. TLSA Usages
This document creates a new registry, "Certificate Usages for TLSA This document creates a new registry, "Certificate Usages for TLSA
Resource Records". The registry policy is "RFC Required". The Resource Records". The registry policy is "RFC Required". The
initial entries in the registry are: initial entries in the registry are:
Value Short description Reference Value Short description Reference
---------------------------------------------------------- ----------------------------------------------------------
0 Pass PKIX and chain through CA [This] 0 CA constraint [This]
1 Pass PKIX and match EE [This] 1 Service certificate constraint [This]
2 Pass PKIX and trusted via certificate [This] 2 Trust anchor assertion [This]
3 Match certificate [This] 3 Domain-issued certificate [This]
4-254 Unassigned 4-254 Unassigned
255 Private use 255 Private use
Applications to the registry can request specific values that have Applications to the registry can request specific values that have
yet to be assigned. yet to be assigned.
8.3. TLSA Selectors 7.3. TLSA Selectors
This document creates a new registry, "Selectors for TLSA Resource This document creates a new registry, "Selectors for TLSA Resource
Records". The registry policy is "Specification Required". The Records". The registry policy is "Specification Required". The
initial entries in the registry are: initial entries in the registry are:
Value Short description Reference Value Short description Reference
---------------------------------------------------------- ----------------------------------------------------------
0 Full Certificate [This] 0 Full Certificate [This]
1 SubjectPublicKeyInfo [This] 1 SubjectPublicKeyInfo [This]
2-254 Unassigned 2-254 Unassigned
255 Private use 255 Private use
Applications to the registry can request specific values that have Applications to the registry can request specific values that have
yet to be assigned. yet to be assigned.
8.4. TLSA Matching Types 7.4. TLSA Matching Types
This document creates a new registry, "Matching Types for TLSA This document creates a new registry, "Matching Types for TLSA
Resource Records". The registry policy is "Specification Required". Resource Records". The registry policy is "Specification Required".
The initial entries in the registry are: The initial entries in the registry are:
Value Short description Reference Value Short description Reference
--------------------------------------------- ---------------------------------------------
0 No hash used [This] 0 No hash used [This]
1 SHA-256 NIST FIPS 180-3 1 SHA-256 NIST FIPS 180-3
2 SHA-512 NIST FIPS 180-3 2 SHA-512 NIST FIPS 180-3
skipping to change at page 15, line 4 skipping to change at page 16, line 12
Resource Records". The registry policy is "Specification Required". Resource Records". The registry policy is "Specification Required".
The initial entries in the registry are: The initial entries in the registry are:
Value Short description Reference Value Short description Reference
--------------------------------------------- ---------------------------------------------
0 No hash used [This] 0 No hash used [This]
1 SHA-256 NIST FIPS 180-3 1 SHA-256 NIST FIPS 180-3
2 SHA-512 NIST FIPS 180-3 2 SHA-512 NIST FIPS 180-3
3-254 Unassigned 3-254 Unassigned
255 Private use 255 Private use
Applications to the registry can request specific values that have Applications to the registry can request specific values that have
yet to be assigned. yet to be assigned.
9. Security Considerations 8. Security Considerations
The security of the protocols described in this document relies on The security of the DNS RRtype described in this document relies on
the security of DNSSEC as used by the client requesting A/AAAA and the security of DNSSEC as used by the client requesting A/AAAA and
TLSA records. TLSA records.
A DNS administrator who goes rogue and changes both the A/AAAA and A DNS administrator who goes rogue and changes both the A/AAAA and
TLSA records for a domain name can cause the user to go to an TLSA records for a domain name can cause the user to go to an
unauthorized server that will appear authorized, unless the client unauthorized server that will appear authorized, unless the client
performs certificate validation and rejects the certificate. That performs PKIX certification path validation and rejects the
administrator could probably get a certificate issued anyway, so this certificate. That administrator could probably get a certificate
is not an additional threat. issued anyway, so this is not an additional threat.
If the authentication mechanism for adding or changing TLSA data in a If the authentication mechanism for adding or changing TLSA data in a
zone is weaker than the authentication mechanism for changing the zone is weaker than the authentication mechanism for changing the
A/AAAA records, a man-in-the-middle who can redirect traffic to their A/AAAA records, a man-in-the-middle who can redirect traffic to their
site may be able to impersonate the attacked host in TLS if they can site may be able to impersonate the attacked host in TLS if they can
use the weaker authentication mechanism. A better design for use the weaker authentication mechanism. A better design for
authenticating DNS would be to have the same level of authentication authenticating DNS would be to have the same level of authentication
used for all DNS additions and changes for a particular host. used for all DNS additions and changes for a particular owner name.
SSL proxies can sometimes act as a man-in-the-middle for TLS clients. SSL proxies can sometimes act as a man-in-the-middle for TLS clients.
In these scenarios, the clients add a new trust anchor whose private In these scenarios, the clients add a new trust anchor whose private
key is kept on the SSL proxy; the proxy intercepts TLS requests, key is kept on the SSL proxy; the proxy intercepts TLS requests,
creates a new TLS session with the intended host, and sets up a TLS creates a new TLS session with the intended host, and sets up a TLS
session with the client using a certificate that chains to the trust session with the client using a certificate that chains to the trust
anchor installed in the client by the proxy. In such environments, anchor installed in the client by the proxy. In such environments,
the TLSA protocol will prevent the SSL proxy from functioning as the using TLSA records will prevent the SSL proxy from functioning as
expected because the TLS client will get a certificate association expected because the TLS client will get a certificate association
from the DNS that will not match the certificate that the SSL proxy from the DNS that will not match the certificate that the SSL proxy
uses with the client. The client, seeing the proxy's new certificate uses with the client. The client, seeing the proxy's new certificate
for the supposed destination will not set up a TLS session. Thus, for the supposed destination will not set up a TLS session.
such proxies might choose to aggressively block TLSA requests and/or
responses, even though this is not a recommended practice.
Client treatment of any information included in the trust anchor is a Client treatment of any information included in the certificate trust
matter of local policy. This specification does not mandate that anchor is a matter of local policy. This specification does not
such information be inspected or validated by the domain name mandate that such information be inspected or validated by the domain
administrator. name administrator.
If a server's certificate is revoked, or if an intermediate CA in a If a server's certificate is revoked, or if an intermediate CA in a
chain between the end entity and a trust anchor has its certificate chain between the end entity and a trust anchor has its certificate
revoked, a TLSA record with a certificate type of 2 that matches the revoked, a TLSA record with a certificate type of 2 that matches the
revoked certificate would in essence override the revocation because revoked certificate would in essence override the revocation because
the client would treat that revoked certificate as a trust anchor and the client would treat that revoked certificate as a trust anchor and
thus not check its revocation status. Because of this, domain thus not check its revocation status. Because of this, domain
administrators need to be responsible for being sure that the key or administrators need to be responsible for being sure that the key or
certificate used in TLSA records with a certificate type of 2 are in certificate used in TLSA records with a certificate type of 2 are in
fact able to be used as reliable trust anchors. fact able to be used as reliable trust anchors.
skipping to change at page 16, line 22 skipping to change at page 17, line 28
is evaluated. For example, the server's certificate might chain to is evaluated. For example, the server's certificate might chain to
an existing CA through an intermediate CA that has certain policy an existing CA through an intermediate CA that has certain policy
restrictions, and the certificate would not pass those restrictions restrictions, and the certificate would not pass those restrictions
and thus normally be rejected. That intermediate CA could issue and thus normally be rejected. That intermediate CA could issue
itself a new certificate without the policy restrictions and tell its itself a new certificate without the policy restrictions and tell its
customers to use that certificate with usage type 2. This in essence customers to use that certificate with usage type 2. This in essence
allows an intermediate CA to be come a trust anchor for certificates allows an intermediate CA to be come a trust anchor for certificates
that the end user might have expected to chain to an existing trust that the end user might have expected to chain to an existing trust
anchor. anchor.
10. Acknowledgements If an administrator wishes to stop using a TLSA record, the
administrator can simply remove it from the DNS. Normal clients will
stop using the TLSA record after the TTL has expired. Replay attacks
against the TLSA record are not possible after the expiration date on
the RRsig of the TLSA record that was removed.
8.1. DNS Caching
Implementations of this protocol rely heavily on the DNS, and are
thus prone to security attacks based on the deliberate mis-
association of TLSA records and DNS names. Implementations need to
be cautious in assuming the continuing validity of an TLSA records/
DNS name association.
In particular, implementations SHOULD rely on their DNS resolver for
confirmation of an association between a TLSA record and a DNS name,
rather than caching the result of previous domain name lookups. Many
platforms already can cache domain name lookups locally when
appropriate, and they SHOULD be configured to do so. It is proper
for these lookups to be cached, however, only when the TTL (Time To
Live) information reported by the DNS makes it likely that the cached
information will remain useful.
If implementations cache the results of domain name lookups in order
to achieve a performance improvement, they MUST observe the TTL
information reported by DNS. Implementations that fail to follow
this rule this rule could be spoofed when a previously-accessed
server's TLSA record changes, such as during a certificate rollover.
9. Acknowledgements
Many of the ideas in this document have been discussed over many Many of the ideas in this document have been discussed over many
years. More recently, the ideas have been discussed by the authors years. More recently, the ideas have been discussed by the authors
and others in a more focused fashion. In particular, some of the and others in a more focused fashion. In particular, some of the
ideas and words here originated with Paul Vixie, Dan Kaminsky, Jeff ideas and words here originated with Paul Vixie, Dan Kaminsky, Jeff
Hodges, Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam Hodges, Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam
Langley, Ben Laurie, Ilari Liusvaara, Ondrej Mikle, Scott Schmit, Langley, Ben Laurie, Ilari Liusvaara, Ondrej Mikle, Scott Schmit,
Ondrej Sury, Richard Barnes, Jim Schaad, Stephen Farrell, Suresh Ondrej Sury, Richard Barnes, Jim Schaad, Stephen Farrell, Suresh
Krishnaswamy, Peter Palfrader, and Pieter Lexis. Krishnaswamy, Peter Palfrader, Pieter Lexis, Wouter Wijngaards and
John Gilmore.
This document has also been greatly helped by many active This document has also been greatly helped by many active
participants of the DANE Working Group. participants of the DANE Working Group.
11. References 10. References
11.1. Normative References 10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", Rose, "DNS Security Introduction and Requirements",
RFC 4033, March 2005. RFC 4033, March 2005.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions", Rose, "Resource Records for the DNS Security Extensions",
skipping to change at page 17, line 26 skipping to change at page 19, line 14
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509 within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer (PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011. Security (TLS)", RFC 6125, March 2011.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, January 2012. Security Version 1.2", RFC 6347, January 2012.
11.2. Informative References 10.2. Informative References
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782, specifying the location of services (DNS SRV)", RFC 2782,
February 2000. February 2000.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B. [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B.
Wellington, "Secret Key Transaction Authentication for DNS Wellington, "Secret Key Transaction Authentication for DNS
(TSIG)", RFC 2845, May 2000. (TSIG)", RFC 2845, May 2000.
skipping to change at page 18, line 17 skipping to change at page 20, line 9
February 2011. February 2011.
[RFC6394] Barnes, R., "Use Cases and Requirements for DNS-Based [RFC6394] Barnes, R., "Use Cases and Requirements for DNS-Based
Authentication of Named Entities (DANE)", RFC 6394, Authentication of Named Entities (DANE)", RFC 6394,
October 2011. October 2011.
Appendix A. Operational Considerations for Deploying TLSA Records Appendix A. Operational Considerations for Deploying TLSA Records
A.1. Creating TLSA Records A.1. Creating TLSA Records
When creating TLSA records care must be taken to avoid
misconfigurations. Section 4 of this document states that a TLSA
RRset whose validation state is secure MUST be used. This means that
the existence of such a RRset effectively disables other forms of
name and path validation. A misconfigured TLSA RRset will
effectively disable access to the TLS server for all conforming
clients, and this document does not provide any means of making a
gradual transition to using TLSA.
When creating TLSA records with certificate usage type 0 (CA When creating TLSA records with certificate usage type 0 (CA
Certificate) or type 2 (Trust Anchor), one needs to understand the Certificate) or type 2 (Trust Anchor), one needs to understand the
implications when choosing between selector type 0 (full certificate) implications when choosing between selector type 0 (full certificate)
and 1 (SubjectPublicKeyInfo). A careful choice is required because and 1 (SubjectPublicKeyInfo). A careful choice is required because
different methods for building trust chains are used by different TLS different methods for building trust chains are used by different TLS
clients. The following outlines the cases that one should be aware clients. The following outlines the cases that one should be aware
of and discusses the implications of the choice of selector type. of and discusses the implications of the choice of selector type.
Certificate usage 2 is not affected by the different types of chain Certificate usage 2 is not affected by the different types of chain
building when the end entity certificate is the same as the trust building when the end entity certificate is the same as the trust
anchor certificate. anchor certificate.
A.1.1. Ambiguities and Corner Cases When TLS Clients Build Trust Chains A.1.1. Ambiguities and Corner Cases When TLS Clients Build Trust Chains
TLS clients may implement their own chain-building code rather than TLS clients may implement their own chain-building code rather than
rely on the chain presented by the TLS server. This means that, rely on the chain presented by the TLS server. This means that,
except for the end entity certificate, any certificate presented in except for the end entity certificate, any certificate presented in
the suggested chain may or may not be present in the final chain the suggested chain might or might not be present in the final chain
built by the client. built by the client.
Certificates that the client can use to replace certificates from Certificates that the client can use to replace certificates from
original chain include: original chain include:
o Client's trust anchors o Client's trust anchors
o Certificates cached locally o Certificates cached locally
o Certificates retrieved from a URI listed in an Authority o Certificates retrieved from a URI listed in an Authority
skipping to change at page 19, line 13 skipping to change at page 21, line 13
These reissued certificates are the certificates TLS client can use These reissued certificates are the certificates TLS client can use
in place of an original certificate. in place of an original certificate.
Clients are known to exchange or remove certificates that could cause Clients are known to exchange or remove certificates that could cause
TLSA association that rely on the full certificate to fail. For TLSA association that rely on the full certificate to fail. For
example: example:
o The client considers the signature algorithm of a certificate to o The client considers the signature algorithm of a certificate to
no longer be sufficiently secure no longer be sufficiently secure
o The client may not have an associated root certificate in its o The client might not have an associated root certificate in its
trust store and instead uses a cross-certificate with an identical trust store and instead uses a cross-certificate with an identical
subject and public key. subject and public key.
A.1.2. Choosing a Selector Type A.1.2. Choosing a Selector Type
In this section, "false-negative failure" means that a client will In this section, "false-negative failure" means that a client will
not accept the TLSA association for certificate designated by DNS not accept the TLSA association for certificate designated by DNS
administrator. Also, "false-positive acceptance" means that the administrator. Also, "false-positive acceptance" means that the
client accepts a TLSA association for a certificate that is not client accepts a TLSA association for a certificate that is not
designated by the DNS administrator. designated by the DNS administrator.
skipping to change at page 19, line 48 skipping to change at page 21, line 48
association using a fresh client installation, that is, with the association using a fresh client installation, that is, with the
local certificate cache empty. local certificate cache empty.
A.1.2.2. Selector Type 1 (SubjectPublicKeyInfo) A.1.2.2. Selector Type 1 (SubjectPublicKeyInfo)
A SubjectPublicKeyInfo selector gives greater flexibility in avoiding A SubjectPublicKeyInfo selector gives greater flexibility in avoiding
some false-negative failures caused by trust-chain-building some false-negative failures caused by trust-chain-building
algorithms used in clients. algorithms used in clients.
One specific use-case should be noted: creating a TLSA association to One specific use-case should be noted: creating a TLSA association to
certificate I1 that directly signed end entity certificate S1 of certificate I1 that directly signed end entity certificate S1 of the
server. Since the key used to sign S1 is fixed, association to I1 server. Since the key used to sign S1 is fixed, association to I1
must succeed: if a client swaps I1 for I2 (a different certificate), must succeed: if a client swaps I1 for I2 (a different certificate),
its SPKI must match SPKI of I1. Such association would not suffer its SPKI must match SPKI of I1. Such and association would not
from a false-negative failure on client's side if the client uses a suffer from a false-negative failure on client's side if the client
reissued CA certificate I2 in place of I1. uses a reissued CA certificate I2 in place of I1.
The attack surface is a bit broader compared to "full certificate" The attack surface is a bit broader compared to "full certificate"
selector: the DNS administrator might unintentionally specify an selector: the DNS administrator might unintentionally specify an
association that would lead to false-positive acceptance. association that would lead to false-positive acceptance.
o The administrator must know or trust the CA not to engage in bad o The administrator must know or trust the CA not to engage in bad
practices, such as not sharing key of I1 for unrelated CA practices, such as not sharing key of I1 for unrelated CA
certificates leading to trust-chain redirect. If possible, the certificates leading to trust-chain redirect. If possible, the
administrator should review all CA certificates that have the same administrator should review all CA certificates that have the same
SPKI. SPKI.
skipping to change at page 22, line 47 skipping to change at page 24, line 47
Wildcards are generally not terribly useful for RRtypes that require Wildcards are generally not terribly useful for RRtypes that require
prefixing because you can only wildcard at a layer below the host prefixing because you can only wildcard at a layer below the host
name. For example, if you want to have the same TLSA record for name. For example, if you want to have the same TLSA record for
every TCP port for www.example.com, you might have every TCP port for www.example.com, you might have
*._tcp.www.example.com. IN TLSA 1 1 1 5c1502a6549c423b... *._tcp.www.example.com. IN TLSA 1 1 1 5c1502a6549c423b...
This is possibly useful in some scenarios where the same service is This is possibly useful in some scenarios where the same service is
offered on many ports. offered on many ports.
A.2.2. Provisioning with NS Records
[[ THIS SECTION NEEDS TO BE WRITTEN OR REMOVED. This was proposed,
and questioned, and not yet followed through on. This section will
be removed in the next draft if no one volunteers to write it. ]]
A.3. Securing the Last Hop A.3. Securing the Last Hop
As described in Section 5, an application processing TLSA records As described in Section 4, an application processing TLSA records
must know the DNSSEC validity of those records. There are many ways must know the DNSSEC validity of those records. There are many ways
for the application to securely find this out, and this specification for the application to securely find this out, and this specification
does not mandate any single method. does not mandate any single method.
Some common methods for an application to know the DNSSEC validity of Some common methods for an application to know the DNSSEC validity of
TLSA records include: TLSA records include:
o The application can have its own DNS resolver and DNSSEC o The application can have its own DNS resolver and DNSSEC
validation stack. validation stack.
skipping to change at page 25, line 37 skipping to change at page 27, line 33
// unreachable // unreachable
} }
B.2. Main TLSA Pseudo Code B.2. Main TLSA Pseudo Code
TLS connect using [transport] to [name] on [port] and receiving end TLS connect using [transport] to [name] on [port] and receiving end
entity cert C for the TLS server: entity cert C for the TLS server:
(TLSArecords, ValState) = DNSSECValidatedLookup( (TLSArecords, ValState) = DNSSECValidatedLookup(
domainname=_[port]._[transport].[name], RRtype=TLSA, class=IN) domainname=_[port]._[transport].[name], RRtype=TLSA)
// check for states that would change processing // check for states that would change processing
if (ValState == BOGUS) { if (ValState == BOGUS) {
Finish(ABORT_TLS) Finish(ABORT_TLS)
} }
if ((ValState == INDETERMINATE) or (ValState == INSECURE)) { if ((ValState == INDETERMINATE) or (ValState == INSECURE)) {
Finish(NO_TLSA) Finish(NO_TLSA)
} }
// if here, ValState must be SECURE // if here, ValState must be SECURE
skipping to change at page 26, line 10 skipping to change at page 28, line 4
} }
// if here, ValState must be SECURE // if here, ValState must be SECURE
for each R in TLSArecords { for each R in TLSArecords {
// unusable records include unknown certUsage, unknown // unusable records include unknown certUsage, unknown
// selectorType, unknown matchingType, erroneous RDATA, and // selectorType, unknown matchingType, erroneous RDATA, and
// prohibited by local policy // prohibited by local policy
if (R is unusable) { if (R is unusable) {
remove R from TLSArecords remove R from TLSArecords
} }
} }
if (length(TLSArecords) == 0) { if (length(TLSArecords) == 0) {
Finish(NO_TLSA) Finish(NO_TLSA)
} }
// A TLS client might have multiple trust anchors that it might use // A TLS client might have multiple trust anchors that it might use
// when validating the TLS server's end entity certificate. Also, // when validating the TLS server's end entity certificate. Also,
// there can be multiple PKIX validation chains for the // there can be multiple PKIX certification paths for the
// certificates given by the server in TLS. Thus, there are // certificates given by the server in TLS. Thus, there are
// possibly many chains that might need to be tested during // possibly many chains that might need to be tested during
// PKIX validation. // PKIX path validation.
for each R in TLSArecords { for each R in TLSArecords {
// pass PKIX validation and chain through CA cert from TLSA // pass PKIX certificate validation and chain through a CA cert
// that comes from TLSA
if (R.certUsage == 0) { if (R.certUsage == 0) {
for each PKIX validation chain H { for each PKIX certification path H {
if (C passes PKIX validation in H) { if (C passes PKIX certification path validation in H) {
for each D in H { for each D in H {
if ((D is a CA certificate) and if ((D is a CA certificate) and
Match(R.matchingType, Select(R.selectorType, D), Match(R.matchingType, Select(R.selectorType, D),
R.cert)) { R.cert)) {
Finish(ACCEPT) Finish(ACCEPT)
} }
} }
} }
} }
} }
// pass PKIX validation and match EE cert from TLSA // pass PKIX certificate validation and match EE cert from TLSA
if (R.certUsage == 1) { if (R.certUsage == 1) {
for each PKIX validation chain H { for each PKIX certification path H {
if ((C passes PKIX validation in H) and if ((C passes PKIX certificate validation in H) and
Match(R.matchingType, Select(R.selectorType, C), Match(R.matchingType, Select(R.selectorType, C),
R.cert)) { R.cert)) {
Finish(ACCEPT) Finish(ACCEPT)
} }
} }
} }
// pass PKIX validation using TLSA record as trust anchor // pass PKIX certificaten validation using TLSA record as the
// trust anchor
if (R.certUsage == 2) { if (R.certUsage == 2) {
for each PKIX validation chain H that has R as the trust anchor { for each PKIX certification path H that has R as the
if (C passes PKIX validation in H) and trust anchor {
if (C passes PKIX certification validation in H) and
Match(R.matchingType, Select(R.selectorType, C), Match(R.matchingType, Select(R.selectorType, C),
R.cert)) { R.cert)) {
Finish(ACCEPT) Finish(ACCEPT)
} }
} }
} }
// match the TLSA record and the TLS certificate // match the TLSA record and the TLS certificate
if (R.certUsage == 3) { if (R.certUsage == 3) {
if Match(R.matchingType, Select(R.selectorType, C), R.cert) if Match(R.matchingType, Select(R.selectorType, C), R.cert)
Finish(ACCEPT) Finish(ACCEPT)
} }
} }
} }
// if here, then none of the TLSA records ended in "Finish(ACCEPT)" // if here, then none of the TLSA records ended in "Finish(ACCEPT)"
// so abort TLS // so abort TLS
Finish(ABORT_TLS) Finish(ABORT_TLS)
Appendix C. Examples
The following are examples of self-signed certificates that have been
been generated with various selectors and matching types. They were
generated with one piece of software, and validated by an individual
using other tools.
S = Selector
M = Matching Type
S M Association Data
0 0 30820454308202BC020900AB58D24E77AD2AF6300D06092A86
4886F70D0101050500306C310B3009060355040613024E4C31163014
0603550408130D4E6F6F72642D486F6C6C616E643112301006035504
071309416D7374657264616D310C300A060355040A13034F53333123
30210603550403131A64616E652E6B6965762E70726163746963756D
2E6F73332E6E6C301E170D3132303131363136353730335A170D3232
303131333136353730335A306C310B3009060355040613024E4C3116
30140603550408130D4E6F6F72642D486F6C6C616E64311230100603
5504071309416D7374657264616D310C300A060355040A13034F5333
312330210603550403131A64616E652E6B6965762E70726163746963
756D2E6F73332E6E6C308201A2300D06092A864886F70D0101010500
0382018F003082018A0282018100E62C84A5AFE59F0A2A6B250DEE68
7AC8C5C604F57D26CEB2119140FFAC38C4B9CBBE8923082E7F81626B
6AD5DEA0C8771C74E3CAA7F613054AEFA3673E48FFE47B3F7AF987DE
281A68230B24B9DA1A98DCBE51195B60E42FD7517C328D983E26A827
C877AB914EE4C1BFDEAD48BD25BE5F2C473BA9C1CBBDDDA0C374D0D5
8C389CC3D6D8C20662E19CF768F32441B7F7D14AEA8966CE7C32A172
2AB38623D008029A9E4702883F8B977A1A1E5292BF8AD72239D40393
37B86A3AC60FA001290452177BF1798609A05A130F033457A5212629
FBDDB8E70E2A9E6556873C4F7CA46AE4A8B178F05FB319005E1C1C7D
4BD77DFA34035563C126AA2C3328B900E7990AC9787F01DA82F74C3D
4B6674CCECE1FD4C6EF9E6644F4635EDEDA39D8B0E2F7C8E06DAE775
6213BD3D60831175BE290442B4AFC5AE6F46B769855A067C1097E617
962529E166F22AEE10DDB981B8CD6FF17D3D70723169038DBFBC1A44
9C8D0D31BC683C5F3CE26148E42EC9BBD4D9F261569B25B53C1D7FC2
DDFF6B4CAC050203010001300D06092A864886F70D01010505000382
0181002B2ABE063E9C86AC4A1F7835372091079C8276A9C2C5D1EC57
64DE523FDDABDEAB3FD34E6FE6CBA054580A6785A663595D90132B93
D473929E81FA0887D2FFF78A81C7D014B97778AB6AC9E5E690F6F5A9
E92BB5FBAB71B857AE69B6E18BDCCB0BA6FCD9D4B084A34F3635148C
495D48FE635903B888EC1DEB2610548EDD48D63F86513A4562469831
48C0D5DB82D73A4C350A42BB661D763430FC6C8E5F9D13EA1B76AA52
A4C358E5EA04000F794618303AB6CEEA4E9A8E9C74D73C1B0B7BAF16
DEDE7696B5E2F206F777100F5727E1684D4132F5E692F47AF6756EA8
B421000BE031B5D8F0220E436B51FB154FE9595333C13A2403F9DE08
E5DDC5A22FD6182E339593E26374450220BC14F3E40FF33F084526B0
9C34250702E8A352B332CCCB0F9DE2CF2B338823B92AFC61C0B6B8AB
DB5AF718ED8DDA97C298E46B82A01B14814868CFA4F2C36268BFFF4A
591F42658BF75918902D3E426DFE1D5FF0FC6A212071F6DA8BD833FE
2E560D87775E8EE9333C05B6FB8EB56589D910DB5EA903
0 1 EFDDF0D915C7BDC5782C0881E1B2A95AD099FBDD06D7B1F779
82D9364338D955
0 2 81EE7F6C0ECC6B09B7785A9418F54432DE630DD54DC6EE9E3C
49DE547708D236D4C413C3E97E44F969E635958AA410495844127C04
883503E5B024CF7A8F6A94
1 0 308201A2300D06092A864886F70D01010105000382018F0030
82018A0282018100E62C84A5AFE59F0A2A6B250DEE687AC8C5C604F5
7D26CEB2119140FFAC38C4B9CBBE8923082E7F81626B6AD5DEA0C877
1C74E3CAA7F613054AEFA3673E48FFE47B3F7AF987DE281A68230B24
B9DA1A98DCBE51195B60E42FD7517C328D983E26A827C877AB914EE4
C1BFDEAD48BD25BE5F2C473BA9C1CBBDDDA0C374D0D58C389CC3D6D8
C20662E19CF768F32441B7F7D14AEA8966CE7C32A1722AB38623D008
029A9E4702883F8B977A1A1E5292BF8AD72239D4039337B86A3AC60F
A001290452177BF1798609A05A130F033457A5212629FBDDB8E70E2A
9E6556873C4F7CA46AE4A8B178F05FB319005E1C1C7D4BD77DFA3403
5563C126AA2C3328B900E7990AC9787F01DA82F74C3D4B6674CCECE1
FD4C6EF9E6644F4635EDEDA39D8B0E2F7C8E06DAE7756213BD3D6083
1175BE290442B4AFC5AE6F46B769855A067C1097E617962529E166F2
2AEE10DDB981B8CD6FF17D3D70723169038DBFBC1A449C8D0D31BC68
3C5F3CE26148E42EC9BBD4D9F261569B25B53C1D7FC2DDFF6B4CAC05
0203010001
1 1 8755CDAA8FE24EF16CC0F2C918063185E433FAAF1415664911
D9E30A924138C4
1 2 D43165B4CDF8F8660AECCCC5344D9D9AE45FFD7E6AAB7AB9EE
C169B58E11F227ED90C17330CC17B5CCEF0390066008C720CEC6AAE5
33A934B3A2D7E232C94AB4
Authors' Addresses Authors' Addresses
Paul Hoffman Paul Hoffman
VPN Consortium VPN Consortium
Email: paul.hoffman@vpnc.org Email: paul.hoffman@vpnc.org
Jakob Schlyter Jakob Schlyter
Kirei AB Kirei AB
 End of changes. 78 change blocks. 
220 lines changed or deleted 389 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/