draft-ietf-dane-protocol-19.txt   draft-ietf-dane-protocol-20.txt 
Network Working Group P. Hoffman Network Working Group P. Hoffman
Internet-Draft VPN Consortium Internet-Draft VPN Consortium
Intended status: Standards Track J. Schlyter Intended status: Standards Track J. Schlyter
Expires: October 13, 2012 Kirei AB Expires: October 31, 2012 Kirei AB
April 11, 2012 April 29, 2012
The DNS-Based Authentication of Named Entities (DANE) Protocol for The DNS-Based Authentication of Named Entities (DANE) Transport Layer
Transport Layer Security (TLS) Security (TLS) Protocol: TLSA
draft-ietf-dane-protocol-19 draft-ietf-dane-protocol-20
Abstract Abstract
Encrypted communication on the Internet often uses Transport Level Encrypted communication on the Internet often uses Transport Level
Security (TLS), which depends on third parties to certify the keys Security (TLS), which depends on third parties to certify the keys
used. This document improves on that situation by enabling the used. This document improves on that situation by enabling the
administrators of domain names to specify the keys used in that administrators of domain names to specify the keys used in that
domain's TLS servers. This requires matching improvements in TLS domain's TLS servers. This requires matching improvements in TLS
client software, but no change in TLS server software. client software, but no change in TLS server software.
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 13, 2012. This Internet-Draft will expire on October 31, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Background of the Problem . . . . . . . . . . . . . . . . 4 1.1. Background and Motivation . . . . . . . . . . . . . . . . 4
1.2. Securing the Association with a Server's Certificate . . . 5 1.2. Securing the Association of a Domain Name with a
Server's Certificate . . . . . . . . . . . . . . . . . . . 5
1.3. Method For Securing Certificate Associations . . . . . . . 6 1.3. Method For Securing Certificate Associations . . . . . . . 6
1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 7 1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 7
2. The TLSA Resource Record . . . . . . . . . . . . . . . . . . . 7 2. The TLSA Resource Record . . . . . . . . . . . . . . . . . . . 7
2.1. TLSA RDATA Wire Format . . . . . . . . . . . . . . . . . . 7 2.1. TLSA RDATA Wire Format . . . . . . . . . . . . . . . . . . 8
2.1.1. The Certificate Usage Field . . . . . . . . . . . . . 8 2.1.1. The Certificate Usage Field . . . . . . . . . . . . . 8
2.1.2. The Selector Field . . . . . . . . . . . . . . . . . . 9 2.1.2. The Selector Field . . . . . . . . . . . . . . . . . . 9
2.1.3. The Matching Type Field . . . . . . . . . . . . . . . 9 2.1.3. The Matching Type Field . . . . . . . . . . . . . . . 10
2.1.4. The Certificate Association Data Field . . . . . . . . 10 2.1.4. The Certificate Association Data Field . . . . . . . . 10
2.2. TLSA RR Presentation Format . . . . . . . . . . . . . . . 10 2.2. TLSA RR Presentation Format . . . . . . . . . . . . . . . 10
2.3. TLSA RR Examples . . . . . . . . . . . . . . . . . . . . . 10 2.3. TLSA RR Examples . . . . . . . . . . . . . . . . . . . . . 11
3. Domain Names for TLS Certificate Associations . . . . . . . . 11 3. Domain Names for TLSA Certificate Associations . . . . . . . . 11
4. Use of TLSA Records in TLS . . . . . . . . . . . . . . . . . . 11 4. Use of TLSA Records in TLS . . . . . . . . . . . . . . . . . . 12
4.1. Usable Certificate Associations . . . . . . . . . . . . . 12
5. TLSA and DANE Use Cases and Requirements . . . . . . . . . . . 13 5. TLSA and DANE Use Cases and Requirements . . . . . . . . . . . 13
6. Mandatory-to-Implement Features . . . . . . . . . . . . . . . 15 6. Mandatory-to-Implement Features . . . . . . . . . . . . . . . 15
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
7.1. TLSA RRtype . . . . . . . . . . . . . . . . . . . . . . . 15 7.1. TLSA RRtype . . . . . . . . . . . . . . . . . . . . . . . 16
7.2. TLSA Usages . . . . . . . . . . . . . . . . . . . . . . . 15 7.2. TLSA Certificate Usages . . . . . . . . . . . . . . . . . 16
7.3. TLSA Selectors . . . . . . . . . . . . . . . . . . . . . . 16 7.3. TLSA Selectors . . . . . . . . . . . . . . . . . . . . . . 16
7.4. TLSA Matching Types . . . . . . . . . . . . . . . . . . . 16 7.4. TLSA Matching Types . . . . . . . . . . . . . . . . . . . 17
8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 8. Security Considerations . . . . . . . . . . . . . . . . . . . 17
8.1. Comparing DANE to Public CAs . . . . . . . . . . . . . . . 18 8.1. Comparing DANE to Public CAs . . . . . . . . . . . . . . . 18
8.2. DNS Caching . . . . . . . . . . . . . . . . . . . . . . . 19 8.2. DNS Caching . . . . . . . . . . . . . . . . . . . . . . . 19
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 19 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 20
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
10.1. Normative References . . . . . . . . . . . . . . . . . . . 20 10.1. Normative References . . . . . . . . . . . . . . . . . . . 20
10.2. Informative References . . . . . . . . . . . . . . . . . . 20 10.2. Informative References . . . . . . . . . . . . . . . . . . 21
Appendix A. Operational Considerations for Deploying TLSA Appendix A. Operational Considerations for Deploying TLSA
Records . . . . . . . . . . . . . . . . . . . . . . . 21 Records . . . . . . . . . . . . . . . . . . . . . . . 22
A.1. Creating TLSA Records . . . . . . . . . . . . . . . . . . 21 A.1. Creating TLSA Records . . . . . . . . . . . . . . . . . . 22
A.1.1. Ambiguities and Corner Cases When TLS Clients A.1.1. Ambiguities and Corner Cases When TLS Clients
Build Trust Chains . . . . . . . . . . . . . . . . . . 22 Build Trust Chains . . . . . . . . . . . . . . . . . . 22
A.1.2. Choosing a Selector Type . . . . . . . . . . . . . . . 23 A.1.2. Choosing a Selector Type . . . . . . . . . . . . . . . 23
A.2. Provisioning TLSA Records in DNS . . . . . . . . . . . . . 24 A.2. Provisioning TLSA Records in DNS . . . . . . . . . . . . . 25
A.2.1. Provisioning TLSA Records with Aliases . . . . . . . . 24 A.2.1. Provisioning TLSA Records with Aliases . . . . . . . . 25
A.3. Securing the Last Hop . . . . . . . . . . . . . . . . . . 27 A.3. Securing the Last Hop . . . . . . . . . . . . . . . . . . 27
A.4. Handling Certificate Rollover . . . . . . . . . . . . . . 27 A.4. Handling Certificate Rollover . . . . . . . . . . . . . . 28
Appendix B. Pseudocode for Using TLSA . . . . . . . . . . . . . . 28 Appendix B. Pseudocode for Using TLSA . . . . . . . . . . . . . . 28
B.1. Helper Functions . . . . . . . . . . . . . . . . . . . . . 28 B.1. Helper Functions . . . . . . . . . . . . . . . . . . . . . 29
B.2. Main TLSA Pseudo Code . . . . . . . . . . . . . . . . . . 29 B.2. Main TLSA Pseudo Code . . . . . . . . . . . . . . . . . . 30
Appendix C. Examples . . . . . . . . . . . . . . . . . . . . . . 31 Appendix C. Examples . . . . . . . . . . . . . . . . . . . . . . 32
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 33 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 34
1. Introduction 1. Introduction
1.1. Background of the Problem 1.1. Background and Motivation
Applications that communicate over the Internet often need to prevent Applications that communicate over the Internet often need to prevent
eavesdropping, tampering, or forgery of their communications. The eavesdropping, tampering, or forgery of their communications. The
Transport Layer Security (TLS) protocol provides this kind of Transport Layer Security (TLS) protocol provides this kind of
communications security over the Internet, using encryption. communications security over the Internet, using channel encryption.
The security properties of encryption systems depend strongly on the The security properties of encryption systems depend strongly on the
keys that they use. If secret keys are revealed, or if public keys keys that they use. If secret keys are revealed, or if public keys
can be replaced by bogus keys, these systems provide little or no can be replaced by bogus keys, these systems provide little or no
security. security.
TLS uses certificates to bind keys and names. A certificate combines TLS uses certificates to bind keys and names. A certificate combines
a published key with other information such as the name of the a published key with other information such as the name of the
service that uses the key, and this combination is digitally signed service that uses the key, and this combination is digitally signed
by another key. Having a certificate for a key is only helpful if by another key. Having a certificate for a key is only helpful if
skipping to change at page 4, line 40 skipping to change at page 4, line 40
vendors who build TLS clients. They then sign certificates, and vendors who build TLS clients. They then sign certificates, and
supply those to TLS servers. TLS client software uses a set of these supply those to TLS servers. TLS client software uses a set of these
CA keys as "trust anchors" to validate the signatures on certificates CA keys as "trust anchors" to validate the signatures on certificates
that the client receives from TLS servers. Client software typically that the client receives from TLS servers. Client software typically
allows any CA to usefully sign any other certificate. allows any CA to usefully sign any other certificate.
The public CA model upon which TLS has depended is fundamentally The public CA model upon which TLS has depended is fundamentally
vulnerable because it allows any of these CAs to issue a certificate vulnerable because it allows any of these CAs to issue a certificate
for any domain name. A single trusted CA that betrays its trust, for any domain name. A single trusted CA that betrays its trust,
either voluntarily or by providing less-than-vigorous protection for either voluntarily or by providing less-than-vigorous protection for
its secrets and capabilities, can compromise any other certificate its secrets and capabilities, can undermine the security offered by
that TLS uses, by signing a replacement certificate that contains a any certificates employed with TLS. This problem arises because a
bogus key. Recent experiences with compromises of CAs or their compromised CA can issue a replacement certificate that contains a
trusted partners have lead to very serious security problems, such as bogus key (that is, a key not corresponding to the entity identified
the subversion of major web sites trusted by millions of users. in the certificate). Recent experiences with compromises of CAs or
their trusted partners have led to very serious security problems,
such as the governments of multiple countries attempting to wiretap
and/or subvert major TLS-protected web sites trusted by millions of
users.
The DNS Security Extensions (DNSSEC) provides a similar model that The DNS Security Extensions (DNSSEC) provides a similar model that
involves trusted keys signing the information for untrusted keys. involves trusted keys signing the information for untrusted keys.
However, DNSSEC provides three significant improvements. Keys are However, DNSSEC provides three significant improvements. Keys are
tied to names in the Domain Name System (DNS), rather than to tied to names in the Domain Name System (DNS), rather than to
arbitrary identifying strings; this is more convenient for Internet arbitrary identifying strings; this is more convenient for Internet
protocols. Signed keys for any domain are accessible online through protocols. Signed keys for any domain are accessible online through
a straightforward query using the standard DNSSEC protocol, so there a straightforward query using the standard DNSSEC protocol, so there
is no problem distributing the signed keys. Most significantly, the is no problem distributing the signed keys. Most significantly, the
keys associated with a domain name can only be signed by a key keys associated with a domain name can only be signed by a key
skipping to change at page 5, line 26 skipping to change at page 5, line 30
certificates that are used by TLS. DANE is envisioned as a certificates that are used by TLS. DANE is envisioned as a
preferable basis for binding public keys to DNS names, because the preferable basis for binding public keys to DNS names, because the
entities that vouch for the binding of public key data to DNS names entities that vouch for the binding of public key data to DNS names
are the same entities responsible for managing the DNS names in are the same entities responsible for managing the DNS names in
question. While the resulting system still has residual security question. While the resulting system still has residual security
vulnerabilities, it restricts the scope of assertions that can be vulnerabilities, it restricts the scope of assertions that can be
made by any entity, consistent with the naming scope imposed by the made by any entity, consistent with the naming scope imposed by the
DNS hierarchy. As a result, DANE embodies the security "principle of DNS hierarchy. As a result, DANE embodies the security "principle of
least privilege" that is lacking in the current public CA model. least privilege" that is lacking in the current public CA model.
1.2. Securing the Association with a Server's Certificate 1.2. Securing the Association of a Domain Name with a Server's
Certificate
A TLS client begins a connection by exchanging messages with a TLS A TLS client begins a connection by exchanging messages with a TLS
server. It looks up the server's name using the DNS to get an server. For many application protocols, it looks up the server's
Internet Protocol (IP) address associated with the name. It then name using the DNS to get an Internet Protocol (IP) address
begins a connection to a client-chosen port at that address, and associated with the name. It then begins a connection to a client-
sends an initial message there. However, the client does not yet define port at that address, and sends an initial message there.
know whether an adversary is intercepting and/or altering its However, the client does not yet know whether an adversary is
communication before it reaches the TLS server. It does not even intercepting and/or altering its communication before it reaches the
know whether the real TLS server associated with that domain name has TLS server. It does not even know whether the real TLS server
ever received its initial messages. associated with that domain name has ever received its initial
messages.
The first response from the server in TLS may contain a certificate. The first response from the server in TLS may contain a certificate.
In order for the TLS client to authenticate that it is talking to the In order for the TLS client to authenticate that it is talking to the
expected TLS server, the client must validate that this certificate expected TLS server, the client must validate that this certificate
is associated with the domain name used by the client to get to the is associated with the domain name used by the client to get to the
server. Currently, the client must extract the domain name from the server. Currently, the client must extract the domain name from the
certificate and must successfully validate the certificate, including certificate and must successfully validate the certificate, including
chaining to a trust anchor. chaining to a trust anchor.
There is a different way to authenticate the association of the There is a different way to authenticate the association of the
skipping to change at page 6, line 11 skipping to change at page 6, line 18
is authorized to give identifying information about the zone, it is authorized to give identifying information about the zone, it
makes sense to allow that administrator to also make an authoritative makes sense to allow that administrator to also make an authoritative
binding between the domain name and a certificate that might be used binding between the domain name and a certificate that might be used
by a host at that domain name. The easiest way to do this is to use by a host at that domain name. The easiest way to do this is to use
the DNS, securing the binding with DNSSEC. the DNS, securing the binding with DNSSEC.
There are many use cases for such functionality. [RFC6394] lists the There are many use cases for such functionality. [RFC6394] lists the
ones to which the DNS RRtype in this document apply. [RFC6394] also ones to which the DNS RRtype in this document apply. [RFC6394] also
lists many requirements, most of which this document is believed to lists many requirements, most of which this document is believed to
meet. Section 5 covers the applicability of this document to the use meet. Section 5 covers the applicability of this document to the use
cases in detail. cases in detail. The protocol in this document can generally be
referred to as the "DANE TLSA" protocol. ("TLSA" does not stand for
anything; it is just the name of the RRtype.)
This document applies to both TLS [RFC5246] and DTLS [RFC6347]. In This document applies to both TLS [RFC5246] and DTLS [RFC6347]. In
order to make the document more readable, it mostly only talks about order to make the document more readable, it mostly only talks about
"TLS", but in all cases, it means "TLS or DTLS". This document only "TLS", but in all cases, it means "TLS or DTLS". This document only
relates to securely associating certificates for TLS and DTLS with relates to securely associating certificates for TLS and DTLS with
host names; other security protocols and other forms of host names; other security protocols are handled in other documents.
identification of TLS servers (such as IP addresses) are handled in For example, keys for IPsec are covered in [RFC4025] and keys for SSH
other documents. For example, keys for IPsec are covered in are covered in [RFC4255]. Although the references in this paragraph
[RFC4025] and keys for SSH are covered in [RFC4255]. are to TLS and DTLS version 1.2, the DANE TLSA protocol can also be
used with earlier versions of TLS and DTLS.
1.3. Method For Securing Certificate Associations 1.3. Method For Securing Certificate Associations
A certificate association is formed from a piece of information A certificate association is formed from a piece of information
identifying a certificate and the domain name where the data is identifying a certificate and the domain name where the server
found. The combination of a trust anchor and a domain name can also application runs. The combination of a trust anchor and a domain
be a certificate association. name can also be a certificate association.
A DNS query can return multiple certificate associations, such as in A DNS query can return multiple certificate associations, such as in
the case of a server is changing from one certificate to another. the case of a server that is changing from one certificate to another
(described in more detail in Appendix A.4).
This document only applies to PKIX [RFC5280] certificates, not This document only applies to PKIX [RFC5280] certificates, not
certificates of other formats. certificates of other formats. Later updates to this document might
specify how to use certificates in other formats.
This document defines a secure method to associate the certificate This document defines a secure method to associate the certificate
that is obtained from the TLS server with a domain name using DNS; that is obtained from the TLS server with a domain name using DNS;
the DNS information needs to be be protected by DNSSEC. Because the the DNS information needs to be be protected by DNSSEC. Because the
certificate association was retrieved based on a DNS query, the certificate association was retrieved based on a DNS query, the
domain name in the query is by definition associated with the domain name in the query is by definition associated with the
certificate. certificate. Note that this document does not cover how to associate
certificates with domain names for application protocols that depend
on SRV, NAPTR, and similar DNS resource records; it is expected that
later updates to this document might cover methods for making those
associations.
DNSSEC, which is defined in [RFC4033], [RFC4034], and [RFC4035], uses DNSSEC, which is defined in [RFC4033], [RFC4034], and [RFC4035], uses
cryptographic keys and digital signatures to provide authentication cryptographic keys and digital signatures to provide authentication
of DNS data. Information that is retrieved from the DNS and that is of DNS data. Information that is retrieved from the DNS and that is
validated using DNSSEC is thereby proved to be the authoritative validated using DNSSEC is thereby proved to be the authoritative
data. The DNSSEC signature needs to be validated on all responses data. The DNSSEC signature needs to be validated on all responses
that use DNSSEC in order to assure the proof of origin of the data. that use DNSSEC in order to assure the proof of origin of the data.
This document does not specify how DNSSEC validation occurs because This document does not specify how DNSSEC validation occurs because
there are many different proposals for how a client might get there are many different proposals for how a client might get
skipping to change at page 7, line 28 skipping to change at page 7, line 43
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
This document also makes use of standard PKIX, DNSSEC, TLS, and DNS This document also makes use of standard PKIX, DNSSEC, TLS, and DNS
terminology. See [RFC5280], [RFC4033], [RFC5246], and [STD13] terminology. See [RFC5280], [RFC4033], [RFC5246], and [STD13]
respectively, for these terms. In addition, terms related to TLS- respectively, for these terms. In addition, terms related to TLS-
protected application services and DNS names are taken from protected application services and DNS names are taken from
[RFC6125]. [RFC6125].
2. The TLSA Resource Record 2. The TLSA Resource Record
The TLSA DNS resource record (RR) is used to associate a certificate The TLSA DNS resource record (RR) is used to associate a TLS server
with the domain name where the record is found. The semantics of how certificate or public key with the domain name where the record is
the TLSA RR is interpreted are given later in this document. found, thus forming a "TLS certificate association". The semantics
of how the TLSA RR is interpreted are given later in this document.
The type value for the TLSA RR type is defined in Section 7.1. The type value for the TLSA RR type is defined in Section 7.1.
The TLSA RR is class independent. The TLSA RR is class independent.
The TLSA RR has no special TTL requirements. The TLSA RR has no special TTL requirements.
2.1. TLSA RDATA Wire Format 2.1. TLSA RDATA Wire Format
The RDATA for a TLSA RR consists of a one octet usage type field, a The RDATA for a TLSA RR consists of a one octet certificate usage
one octet selector field, a one octet matching type field and the field, a one octet selector field, a one octet matching type field
certificate association data field. and the certificate association data field.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Usage | Selector | Matching Type | / | Cert. Usage | Selector | Matching Type | /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /
/ / / /
/ Certificate Association Data / / Certificate Association Data /
/ / / /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2.1.1. The Certificate Usage Field 2.1.1. The Certificate Usage Field
A one-octet value, called "certificate usage" or just "usage", A one-octet value, called "certificate usage", specifies the provided
specifies the provided association that will be used to match the association that will be used to match the certificate presented in
target certificate from the TLS handshake. This value is defined in the TLS handshake. This value is defined in a new IANA registry (see
a new IANA registry (see Section 7.2) in order to make it easier to Section 7.2) in order to make it easier to add additional certificate
add additional certificate usages in the future. The usages defined usages in the future. The certificate usages defined in this
in this document are: document are:
0 -- Certificate usage 0 is used to specify a CA certificate, or 0 -- Certificate usage 0 is used to specify a CA certificate, or
the public key of such a certificate, that MUST be found in any of the public key of such a certificate, that MUST be found in any of
the PKIX certification paths for the end entity certificate given the PKIX certification paths for the end entity certificate given
by the server in TLS. This usage is sometimes referred to as "CA by the server in TLS. This certifcate usage is sometimes referred
constraint" because it limits which CA can be used to issue to as "CA constraint" because it limits which CA can be used to
certificates for a given service on a host. The target issue certificates for a given service on a host. The presented
certificate MUST pass PKIX certification path validation and a CA certificate MUST pass PKIX certification path validation and a CA
certificate that matches the TLSA record MUST be included as part certificate that matches the TLSA record MUST be included as part
of a valid certification path. Because this usage allows both of a valid certification path. Because this certifcate usage
trust anchors and CA certificates, the certificate might or might allows both trust anchors and CA certificates, the certificate
not have the basicConstraints extension present. might or might not have the basicConstraints extension present.
1 -- Certificate usage 1 is used to specify an end entity 1 -- Certificate usage 1 is used to specify an end entity
certificate, or the public key of such a certificate, that must be certificate, or the public key of such a certificate, that must be
matched with the end entity certificate given by the server in matched with the end entity certificate given by the server in
TLS. This usage is sometimes referred to as "service certificate TLS. This certifcate usage is sometimes referred to as "service
constraint" because it limits which end entity certificate can be certificate constraint" because it limits which end entity
used by a given service on a host. The target certificate MUST certificate can be used by a given service on a host. The target
pass PKIX certification path validation and MUST match the TLSA certificate MUST pass PKIX certification path validation and MUST
record. match the TLSA record.
2 -- Certificate usage 2 is used to specify a certificate, or the 2 -- Certificate usage 2 is used to specify a certificate, or the
public key of such a certificate, that must be used as the trust public key of such a certificate, that must be used as the trust
anchor when validating the end entity certificate given by the anchor when validating the end entity certificate given by the
server in TLS. This usage is sometimes referred to as "trust server in TLS. This certifcate usage is sometimes referred to as
anchor assertion" and allows a domain name administrator to "trust anchor assertion" and allows a domain name administrator to
specify a new trust anchor. For example, if the domain issues its specify a new trust anchor. For example, if the domain issues its
own certificates under its own CA that is not expected to be in own certificates under its own CA that is not expected to be in
the end users' collection of trust anchors. The target the end users' collection of trust anchors. The target
certificate MUST pass PKIX certification path validation, with any certificate MUST pass PKIX certification path validation, with any
certificate matching the TLSA record considered to be a trust certificate matching the TLSA record considered to be a trust
anchor for this certification path validation. anchor for this certification path validation.
3 -- Certificate usage 3 is used to specify a certificate, or the 3 -- Certificate usage 3 is used to specify a certificate, or the
public key of such a certificate, that must match the end entity public key of such a certificate, that must match the end entity
certificate given by the server in TLS. This usage is sometimes certificate given by the server in TLS. This certifcate usage is
referred to as "domain-issued certificate" because it allows for a sometimes referred to as "domain-issued certificate" because it
domain name administrator to issue certificates for a domain allows for a domain name administrator to issue certificates for a
without involving a third-party CA. The target certificate MUST domain without involving a third-party CA. The target certificate
match the TLSA record. The difference between certificate usage 1 MUST match the TLSA record. The difference between certificate
and certificate usage 3 is that certificate usage 1 requires that usage 1 and certificate usage 3 is that certificate usage 1
the certificate pass PKIX validation, but PKIX validation is not requires that the certificate pass PKIX validation, but PKIX
tested for certificate usage 3. validation is not tested for certificate usage 3.
The certificate usages defined in this document explicitly only apply The certificate usages defined in this document explicitly only apply
to PKIX-formatted certificates in DER encoding. If TLS allows other to PKIX-formatted certificates in DER encoding [X.690]. If TLS
formats later, or if extensions to this RRtype are made that accept allows other formats later, or if extensions to this RRtype are made
other formats for certificates, those certificates will need their that accept other formats for certificates, those certificates will
own certificate usage values. need their own certificate usage values.
2.1.2. The Selector Field 2.1.2. The Selector Field
A one-octet value, called "selector", specifies which part of the TLS A one-octet value, called "selector", specifies which part of the TLS
certificate presented by the server will be matched against the certificate presented by the server will be matched against the
association data. This value is defined in a new IANA registry (see association data. This value is defined in a new IANA registry (see
Section 7.3. The selectors defined in this document are: Section 7.3. The selectors defined in this document are:
0 -- Full certificate 0 -- Full certificate
skipping to change at page 10, line 4 skipping to change at page 10, line 15
2.1.3. The Matching Type Field 2.1.3. The Matching Type Field
A one-octet value, called "matching type", specifies how the A one-octet value, called "matching type", specifies how the
certificate association is presented. This value is defined in a new certificate association is presented. This value is defined in a new
IANA registry (see Section 7.4). The types defined in this document IANA registry (see Section 7.4). The types defined in this document
are: are:
0 -- Exact match on selected content 0 -- Exact match on selected content
1 -- SHA-256 hash of selected content [RFC6234] 1 -- SHA-256 hash of selected content [RFC6234]
2 -- SHA-512 hash of selected content [RFC6234] 2 -- SHA-512 hash of selected content [RFC6234]
If the TLSA record's matching type is a hash, having the record use If the TLSA record's matching type is a hash, having the record use
the same hash algorithm that was used in the signature in the the same hash algorithm that was used in the signature in the
certificate (if possible) will assist clients that support a small certificate (if possible) will assist clients that support a small
number of hash algorithms. number of hash algorithms.
2.1.4. The Certificate Association Data Field 2.1.4. The Certificate Association Data Field
The "certificate association data" to be matched. This field The "certificate association data" to be matched. These bytes are
contains the data to be matched. These bytes are either raw data either raw data (that is, the full certificate or its
(that is, the full certificate or its SubjectPublicKeyInfo, depending SubjectPublicKeyInfo, depending on the selector) for matching type 0,
on the selector) for matching type 0, or the hash of the raw data for or the hash of the raw data for matching types 1 and 2. The data
matching types 1 and 2. The data refers to the certificate in the refers to the certificate in the association, not to the TLS ASN.1
association, not to the TLS ASN.1 Certificate object. Certificate object.
2.2. TLSA RR Presentation Format 2.2. TLSA RR Presentation Format
The presentation format of the RDATA portion is as follows: The presentation format of the RDATA portion (as defined in
[RFC1035]) is as follows:
o The certificate usage field MUST be represented as an 8-bit o The certificate usage field MUST be represented as an 8-bit
unsigned decimal integer. unsigned decimal integer.
o The selector field MUST be represented as an 8-bit unsigned o The selector field MUST be represented as an 8-bit unsigned
decimal integer. decimal integer.
o The matching type field MUST be represented as an 8-bit unsigned o The matching type field MUST be represented as an 8-bit unsigned
decimal integer. decimal integer.
skipping to change at page 11, line 17 skipping to change at page 11, line 32
a5a520e7f2e06bb944f4dca346baf63c a5a520e7f2e06bb944f4dca346baf63c
1b177615d466f6c4b71c216a50292bd5 1b177615d466f6c4b71c216a50292bd5
8c9ebdd2f74e38fe51ffd48c43326cbc ) 8c9ebdd2f74e38fe51ffd48c43326cbc )
An example of a full certificate association of a PKIX end entity An example of a full certificate association of a PKIX end entity
certificate: certificate:
_443._tcp.www.example.com. IN TLSA ( _443._tcp.www.example.com. IN TLSA (
3 0 0 30820307308201efa003020102020... ) 3 0 0 30820307308201efa003020102020... )
3. Domain Names for TLS Certificate Associations 3. Domain Names for TLSA Certificate Associations
Unless there is a protocol-specific specification that is different Unless there is a protocol-specific specification that is different
than this one, TLSA resource records are stored at a prefixed DNS than this one, TLSA resource records are stored at a prefixed DNS
domain name. The prefix is prepared in the following manner: domain name. The prefix is prepared in the following manner:
1. The decimal representation of the port number on which a TLS- 1. The decimal representation of the port number on which a TLS-
based service is assumed to exist is prepended with an underscore based service is assumed to exist is prepended with an underscore
character ("_") to become the left-most label in the prepared character ("_") to become the left-most label in the prepared
domain name. This number has no leading zeros. domain name. This number has no leading zeros.
skipping to change at page 12, line 12 skipping to change at page 12, line 27
The TLS session that is to be set up MUST be for the specific port The TLS session that is to be set up MUST be for the specific port
number and transport name that was given in the TLSA query. number and transport name that was given in the TLSA query.
Some specifications for applications that run over TLS, such as Some specifications for applications that run over TLS, such as
[RFC2818] for HTTP, require the server's certificate to have a domain [RFC2818] for HTTP, require the server's certificate to have a domain
name that matches the host name expected by the client. Some name that matches the host name expected by the client. Some
specifications such as [RFC6125] detail how to match the identity specifications such as [RFC6125] detail how to match the identity
given in a PKIX certificate with those expected by the user. given in a PKIX certificate with those expected by the user.
If a TLSA record has certificate usage 2, the corresponding TLS
server SHOULD send the certificate that is referenced just like it
currently sends intermediate certificates.
4.1. Usable Certificate Associations
An implementation of this protocol makes a DNS query for TLSA An implementation of this protocol makes a DNS query for TLSA
records, validates these records using DNSSEC, and uses the resulting records, validates these records using DNSSEC, and uses the resulting
TLSA records and validation status to modify its responses to the TLS TLSA records and validation status to modify its responses to the TLS
server. server.
If a TLSA record has usage type 2 for the certifcate, the
corresponding TLS server SHOULD send the certificate that is
referenced just like it currently sends intermediate certificates.
Determining whether a TLSA RRset can be used MUST be based on the Determining whether a TLSA RRset can be used MUST be based on the
DNSSEC validation state (as defined in [RFC4033]). DNSSEC validation state (as defined in [RFC4033]).
o A TLSA RRset whose DNSSEC validation state is secure MUST be used o A TLSA RRset whose DNSSEC validation state is secure MUST be used
as a certificate association for TLS unless a local policy would as a certificate association for TLS unless a local policy would
prohibit the use of the specific certificate association in the prohibit the use of the specific certificate association in the
secure TLSA RRset. secure TLSA RRset.
o If the DNSSEC validation state on the response to the request for o If the DNSSEC validation state on the response to the request for
the TLSA RRset is bogus, this MUST cause TLS not to be started or, the TLSA RRset is bogus, this MUST cause TLS not to be started or,
skipping to change at page 13, line 20 skipping to change at page 13, line 38
If an application receives zero usable certificate associations from If an application receives zero usable certificate associations from
a DNS request or from its cache, it processes TLS in the normal a DNS request or from its cache, it processes TLS in the normal
fashion without any input from the TLSA records. If an application fashion without any input from the TLSA records. If an application
receives one or more usable certificate associations, it attempts to receives one or more usable certificate associations, it attempts to
match each certificate association with the TLS server's end entity match each certificate association with the TLS server's end entity
certificate until a successful match is found. During the TLS certificate until a successful match is found. During the TLS
handshake, if none of the certificate associations matches the handshake, if none of the certificate associations matches the
certificate given by the TLS server, the TLS client MUST abort the certificate given by the TLS server, the TLS client MUST abort the
handshake. handshake.
The application can perform the TLSA lookup before initiating the TLS
handshake, or do it during the TLS handshake: the choice is up to the
client.
5. TLSA and DANE Use Cases and Requirements 5. TLSA and DANE Use Cases and Requirements
The different types of certificate associations defined in TLSA are The different types of certificate associations defined in TLSA are
matched with various sections of [RFC6394]. The use cases from matched with various sections of [RFC6394]. The use cases from
Section 3 of [RFC6394] are covered in this document as follows: Section 3 of [RFC6394] are covered in this document as follows:
3.1 CA Constraints -- Implemented using certificate usage 0. 3.1 CA Constraints -- Implemented using certificate usage 0.
3.2 Certificate Constraints -- Implemented using certificate usage 3.2 Certificate Constraints -- Implemented using certificate usage
1. 1.
skipping to change at page 14, line 8 skipping to change at page 14, line 31
No Downgrade -- Section 4 specifies the conditions under which a No Downgrade -- Section 4 specifies the conditions under which a
client can process and act upon TLSA records. Specifically, if client can process and act upon TLSA records. Specifically, if
the DNSSEC status for the TLSA resource record set is determined the DNSSEC status for the TLSA resource record set is determined
to be bogus, the TLS connection (if started) will fail. to be bogus, the TLS connection (if started) will fail.
Encapsulation -- Covered in the TLSA response semantics. Encapsulation -- Covered in the TLSA response semantics.
Predictability -- The appendices of this specification provide Predictability -- The appendices of this specification provide
operational considerations and implementation guidance in order to operational considerations and implementation guidance in order to
enable application developers to form a consistent interpretation enable application developers to form a consistent interpretation
of the recommended DANE client behavior. of the recommended client behavior.
Opportunistic Security -- If a client conformant to this Opportunistic Security -- If a client conformant to this
specification can reliably determine the presence of a TLSA specification can reliably determine the presence of a TLSA
record, it will attempt to use this information. Conversely, if a record, it will attempt to use this information. Conversely, if a
client can reliably determine the absence of any TLSA record, it client can reliably determine the absence of any TLSA record, it
will fall back to processing TLS in the normal fashion. This is will fall back to processing TLS in the normal fashion. This is
discussed in Section 4. discussed in Section 4.
Combination -- Multiple TLSA records can be published for a given Combination -- Multiple TLSA records can be published for a given
host name, thus enabling the client to construct multiple TLSA host name, thus enabling the client to construct multiple TLSA
certificate associations that reflect different DANE assertions. certificate associations that reflect different assertions. No
No support is provided to combine two TLSA certificate support is provided to combine two TLSA certificate associations
associations in a single operation. in a single operation.
Roll-over -- TLSA records are processed in the normal manner within Roll-over -- TLSA records are processed in the normal manner within
the scope of DNS protocol, including the TTL expiration of the the scope of DNS protocol, including the TTL expiration of the
records. This ensures that clients will not latch onto assertions records. This ensures that clients will not latch onto assertions
made by expired TLSA records, and will be able to transition from made by expired TLSA records, and will be able to transition from
using one DANE public key or certificate usage type to another. using one public key or certificate usage to another.
Simple Key Management -- The SubjectPublicKeyInfo selector in the Simple Key Management -- The SubjectPublicKeyInfo selector in the
TLSA record provides a mode that enables a domain holder to only TLSA record provides a mode that enables a domain holder to only
have to maintain a single long-lived public/private key pair have to maintain a single long-lived public/private key pair
without the need to manage certificates. Appendix A outlines the without the need to manage certificates. Appendix A outlines the
usefulness and the potential downsides to using this mode. usefulness and the potential downsides to using this mode.
Minimal Dependencies -- This specification relies on DNSSEC to Minimal Dependencies -- This specification relies on DNSSEC to
protect the origin authenticity and integrity of the TLSA resource protect the origin authenticity and integrity of the TLSA resource
record set. Additionally, if DNSSEC validation is not performed record set. Additionally, if DNSSEC validation is not performed
skipping to change at page 15, line 30 skipping to change at page 16, line 5
and/or recommended for TLSA records after the algorithms are fully and/or recommended for TLSA records after the algorithms are fully
defined. At that time, this specification will be updated. defined. At that time, this specification will be updated.
7. IANA Considerations 7. IANA Considerations
IANA is requested to make the assignments in this section. IANA IANA is requested to make the assignments in this section. IANA
might also consider making a "DANE" section in the main IANA registry might also consider making a "DANE" section in the main IANA registry
to help developers find related registries that might be created in to help developers find related registries that might be created in
the future. the future.
In the following sections, "RFC Required" was chosen for TLSA usages In the following sections, "RFC Required" was chosen for TLSA
and "Specification Required" for selectors and matching types because certficate usages and "Specification Required" for selectors and
of the amount of detail that is likely to be needed for implementers matching types because of the amount of detail that is likely to be
to correctly implement new usages as compared to new selectors and needed for implementers to correctly implement new certificate usages
matching types. as compared to new selectors and matching types.
7.1. TLSA RRtype 7.1. TLSA RRtype
This document uses a new DNS RR type, TLSA, whose value is TBD. A This document uses a new DNS RR type, TLSA, whose value (52) was
separate request for the RR type will be submitted to the expert allocated by IANA from the Resource Record (RR) TYPEs subregistry of
reviewer, and future versions of this document will have that value the Domain Name System (DNS) Parameters registry.
instead of TBD.
7.2. TLSA Usages 7.2. TLSA Certificate Usages
This document creates a new registry, "Certificate Usages for TLSA This document creates a new registry, "Certificate Usages for TLSA
Resource Records". The registry policy is "RFC Required". The Resource Records". The registry policy is "RFC Required". The
initial entries in the registry are: initial entries in the registry are:
Value Short description Reference Value Short description Reference
---------------------------------------------------------- ----------------------------------------------------------
0 CA constraint [This] 0 CA constraint [This]
1 Service certificate constraint [This] 1 Service certificate constraint [This]
2 Trust anchor assertion [This] 2 Trust anchor assertion [This]
3 Domain-issued certificate [This] 3 Domain-issued certificate [This]
4-254 Unassigned 4-254 Unassigned
255 Private use 255 Private use
Applications to the registry can request specific values that have Applications to the registry can request specific values that have
yet to be assigned. yet to be assigned.
7.3. TLSA Selectors 7.3. TLSA Selectors
This document creates a new registry, "Selectors for TLSA Resource This document creates a new registry, "Selectors for TLSA Resource
Records". The registry policy is "Specification Required". The Records". The registry policy is "Specification Required". The
skipping to change at page 17, line 8 skipping to change at page 17, line 25
2 SHA-512 RFC 6234 2 SHA-512 RFC 6234
3-254 Unassigned 3-254 Unassigned
255 Private use 255 Private use
Applications to the registry can request specific values that have Applications to the registry can request specific values that have
yet to be assigned. yet to be assigned.
8. Security Considerations 8. Security Considerations
The security of the DNS RRtype described in this document relies on The security of the DNS RRtype described in this document relies on
the security of DNSSEC as used by the client requesting A/AAAA and the security of DNSSEC to verify that the TLSA record has not been
TLSA records. altered.
A DNS administrator who goes rogue and changes both the A/AAAA and A DNS administrator who goes rogue and changes both the A, AAAA,
TLSA records for a domain name can cause the user to go to an and/or TLSA records for a domain name can cause the user to go to an
unauthorized server that will appear authorized, unless the client unauthorized server that will appear authorized, unless the client
performs PKIX certification path validation and rejects the performs PKIX certification path validation and rejects the
certificate. That administrator could probably get a certificate certificate. That administrator could probably get a certificate
issued by some CA anyway, so this is not an additional threat. issued by some CA anyway, so this is not an additional threat.
If the authentication mechanism for adding or changing TLSA data in a If the authentication mechanism for adding or changing TLSA data in a
zone is weaker than the authentication mechanism for changing the zone is weaker than the authentication mechanism for changing the A
A/AAAA records, a man-in-the-middle who can redirect traffic to their and/or AAAA records, a man-in-the-middle who can redirect traffic to
site may be able to impersonate the attacked host in TLS if they can their site may be able to impersonate the attacked host in TLS if
use the weaker authentication mechanism. A better design for they can use the weaker authentication mechanism. A better design
authenticating DNS would be to have the same level of authentication for authenticating DNS would be to have the same level of
used for all DNS additions and changes for a particular domain name. authentication used for all DNS additions and changes for a
particular domain name.
SSL proxies can sometimes act as a man-in-the-middle for TLS clients. SSL proxies can sometimes act as a man-in-the-middle for TLS clients.
In these scenarios, the clients add a new trust anchor whose private In these scenarios, the clients add a new trust anchor whose private
key is kept on the SSL proxy; the proxy intercepts TLS requests, key is kept on the SSL proxy; the proxy intercepts TLS requests,
creates a new TLS session with the intended host, and sets up a TLS creates a new TLS session with the intended host, and sets up a TLS
session with the client using a certificate that chains to the trust session with the client using a certificate that chains to the trust
anchor installed in the client by the proxy. In such environments, anchor installed in the client by the proxy. In such environments,
using TLSA records will prevent the SSL proxy from functioning as using TLSA records will prevent the SSL proxy from functioning as
expected because the TLS client will get a certificate association expected because the TLS client will get a certificate association
from the DNS that will not match the certificate that the SSL proxy from the DNS that will not match the certificate that the SSL proxy
skipping to change at page 18, line 5 skipping to change at page 18, line 23
If a server's certificate is revoked, or if an intermediate CA in a If a server's certificate is revoked, or if an intermediate CA in a
chain between the end entity and a trust anchor has its certificate chain between the end entity and a trust anchor has its certificate
revoked, a TLSA record with a certificate type of 2 that matches the revoked, a TLSA record with a certificate type of 2 that matches the
revoked certificate would in essence override the revocation because revoked certificate would in essence override the revocation because
the client would treat that revoked certificate as a trust anchor and the client would treat that revoked certificate as a trust anchor and
thus not check its revocation status. Because of this, domain thus not check its revocation status. Because of this, domain
administrators need to be responsible for being sure that the key or administrators need to be responsible for being sure that the key or
certificate used in TLSA records with a certificate type of 2 are in certificate used in TLSA records with a certificate type of 2 are in
fact able to be used as reliable trust anchors. fact able to be used as reliable trust anchors.
Certificates that are delivered in TLSA with usage type 2 Certificates that are delivered in TLSA with certificate usage 2
fundamentally change the way the TLS server's end entity certificate fundamentally change the way the TLS server's end entity certificate
is evaluated. For example, the server's certificate might chain to is evaluated. For example, the server's certificate might chain to
an existing CA through an intermediate CA that has certain policy an existing CA through an intermediate CA that has certain policy
restrictions, and the certificate would not pass those restrictions restrictions, and the certificate would not pass those restrictions
and thus normally be rejected. That intermediate CA could issue and thus normally be rejected. That intermediate CA could issue
itself a new certificate without the policy restrictions and tell its itself a new certificate without the policy restrictions and tell its
customers to use that certificate with usage type 2. This in essence customers to use that certificate with certificate usage 2. This in
allows an intermediate CA to be come a trust anchor for certificates essence allows an intermediate CA to be come a trust anchor for
that the end user might have expected to chain to an existing trust certificates that the end user might have expected to chain to an
anchor. existing trust anchor.
If an administrator wishes to stop using a TLSA record, the If an administrator wishes to stop using a TLSA record, the
administrator can simply remove it from the DNS. Normal clients will administrator can simply remove it from the DNS. Normal clients will
stop using the TLSA record after the TTL has expired. Replay attacks stop using the TLSA record after the TTL has expired. Replay attacks
against the TLSA record are not possible after the expiration date on against the TLSA record are not possible after the expiration date on
the RRsig of the TLSA record that was removed. the RRsig of the TLSA record that was removed.
The client's full trust of a certificate retrieved from a TLSA record The client's full trust of a certificate retrieved from a TLSA record
with a certificate usage type of 2 or 3 may be a matter of local with a certificate usage of 2 or 3 may be a matter of local policy.
policy. While such trust is limited to the specific domain name for While such trust is limited to the specific domain name for which the
which the TLSA query was made, local policy may deny the trust or TLSA query was made, local policy may deny the trust or further
further restrict the conditions under which that trust is permitted. restrict the conditions under which that trust is permitted.
8.1. Comparing DANE to Public CAs 8.1. Comparing DANE to Public CAs
Comparing the risk for current common TLS clients against the risk Comparing the risk for current common TLS clients against the risk
for DANE clients using external DNSSEC validators is difficult. The for DANE clients using external DNSSEC validators is difficult. The
common model for TLS clients is that they trust a large number of common model for TLS clients is that they trust a large number of
commercial CAs who can issue certificates for any domain name. A commercial CAs who can issue certificates for any domain name. A
DANE client trusting an external DNSSEC validator is as vulnerable as DANE-aware TLS client that that is trusting an external DNSSEC
such a TLS client in that any CA or any external validator can assert validator is as vulnerable as a DANE-unaware TLS client because any
any key for any domain. CA or any external validator can assert any key for any domain.
If it is less likely that a user will hear about its trusted DNSSEC If it is less likely that a user will hear about its trusted DNSSEC
validators being hacked that it is of a public CA being compromised, validators being compromised that it is of a public CA being
a DANE client with an external validator could be worse off than a compromised, a client with an external validator could be worse off
current TLS client that is depending on the current public CAs. A than a current TLS client that is depending on the current public
counter-argument to this is a single external DNSSEC validator is a CAs. A counter-argument to this is a single external DNSSEC
much less interesting target than a public CA, particularly if many validator is a much less interesting target than a public CA,
DANE clients use their own DNSSEC validators or validators that particularly if many clients use their own DNSSEC validators or
reside on the computer on which they are running. validators that reside on the computer on which they are running.
Current public CAs are assumed to have better defenses than current Current public CAs are assumed to have better defenses than current
DNSSEC validators, but that perception cannot be proven one way or DNSSEC validators, but that perception cannot be proven one way or
another. Similarly, if DNSSEC validation becomes more common after another. Similarly, if DNSSEC validation becomes more common after
the release of this document, it cannot be predicted whether or not the release of this document, it cannot be predicted whether or not
that will increase the level of security of DNSSEC validators more or that will increase the level of security of DNSSEC validators more or
less than the security of public CAs. Thus, it is difficult to less than the security of public CAs. Thus, it is difficult to
foresee which system has a higher risk. foresee which system has a higher risk.
8.2. DNS Caching 8.2. DNS Caching
skipping to change at page 20, line 43 skipping to change at page 21, line 13
Security (TLS)", RFC 6125, March 2011. Security (TLS)", RFC 6125, March 2011.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, January 2012. Security Version 1.2", RFC 6347, January 2012.
[STD13] Mockapetris, P., "Domain Name System", STD 13, [STD13] Mockapetris, P., "Domain Name System", STD 13,
November 1987. November 1987.
10.2. Informative References 10.2. Informative References
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782, specifying the location of services (DNS SRV)", RFC 2782,
February 2000. February 2000.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B. [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B.
Wellington, "Secret Key Transaction Authentication for DNS Wellington, "Secret Key Transaction Authentication for DNS
(TSIG)", RFC 2845, May 2000. (TSIG)", RFC 2845, May 2000.
skipping to change at page 21, line 36 skipping to change at page 22, line 9
(SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011. (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.
[RFC6376] Crocker, D., Hansen, T., and M. Kucherawy, "DomainKeys [RFC6376] Crocker, D., Hansen, T., and M. Kucherawy, "DomainKeys
Identified Mail (DKIM) Signatures", RFC 6376, Identified Mail (DKIM) Signatures", RFC 6376,
September 2011. September 2011.
[RFC6394] Barnes, R., "Use Cases and Requirements for DNS-Based [RFC6394] Barnes, R., "Use Cases and Requirements for DNS-Based
Authentication of Named Entities (DANE)", RFC 6394, Authentication of Named Entities (DANE)", RFC 6394,
October 2011. October 2011.
[X.690] "Recommendation ITU-T X.690 (2002) | ISO/IEC 8825-1:2002,
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER), Canonical
Encoding Rules (CER) and Distinguished Encoding Rules
(DER)", 2002.
Appendix A. Operational Considerations for Deploying TLSA Records Appendix A. Operational Considerations for Deploying TLSA Records
A.1. Creating TLSA Records A.1. Creating TLSA Records
When creating TLSA records, care must be taken to avoid When creating TLSA records, care must be taken to avoid
misconfigurations. Section 4 of this document states that a TLSA misconfigurations. Section 4 of this document states that a TLSA
RRset whose validation state is secure MUST be used. This means that RRset whose validation state is secure MUST be used. This means that
the existence of such a RRset effectively disables other forms of the existence of such a RRset effectively disables other forms of
name and path validation. A misconfigured TLSA RRset will name and path validation. A misconfigured TLSA RRset will
effectively disable access to the TLS server for all conforming effectively disable access to the TLS server for all conforming
clients, and this document does not provide any means of making a clients, and this document does not provide any means of making a
gradual transition to using TLSA. gradual transition to using TLSA.
When creating TLSA records with certificate usage type 0 (CA When creating TLSA records with certificate usage 0 (CA Certificate)
Certificate) or type 2 (Trust Anchor), one needs to understand the or usage 2 (Trust Anchor), one needs to understand the implications
implications when choosing between selector type 0 (full certificate) when choosing between selector type 0 (full certificate) and 1
and 1 (SubjectPublicKeyInfo). A careful choice is required because (SubjectPublicKeyInfo). A careful choice is required because
different methods for building trust chains are used by different TLS different methods for building trust chains are used by different TLS
clients. The following outlines the cases that one ought to be aware clients. The following outlines the cases that one ought to be aware
of and discusses the implications of the choice of selector type. of and discusses the implications of the choice of selector type.
Certificate usage 2 is not affected by the different types of chain Certificate usage 2 is not affected by the different types of chain
building when the end entity certificate is the same as the trust building when the end entity certificate is the same as the trust
anchor certificate. anchor certificate.
A.1.1. Ambiguities and Corner Cases When TLS Clients Build Trust Chains A.1.1. Ambiguities and Corner Cases When TLS Clients Build Trust Chains
skipping to change at page 22, line 39 skipping to change at page 23, line 20
Information Access X.509v3 extension Information Access X.509v3 extension
CAs frequently reissue certificates with different validity periods, CAs frequently reissue certificates with different validity periods,
signature algorithms (such as an different hash algorithm in the signature algorithms (such as an different hash algorithm in the
signature algorithm), CA key pairs (such as for a cross-certificate), signature algorithm), CA key pairs (such as for a cross-certificate),
or PKIX extensions where the public key and subject remain the same. or PKIX extensions where the public key and subject remain the same.
These reissued certificates are the certificates TLS client can use These reissued certificates are the certificates TLS client can use
in place of an original certificate. in place of an original certificate.
Clients are known to exchange or remove certificates that could cause Clients are known to exchange or remove certificates that could cause
TLSA associations that rely on the full certificate to fail. For TLSA certificate associations that rely on the full certificate to
example: fail. For example:
o The client considers the signature algorithm of a certificate to o The client considers the signature algorithm of a certificate to
no longer be sufficiently secure no longer be sufficiently secure
o The client might not have an associated root certificate in its o The client might not have an associated root certificate in its
trust store and instead uses a cross-certificate with an identical trust store and instead uses a cross-certificate with an identical
subject and public key. subject and public key.
A.1.2. Choosing a Selector Type A.1.2. Choosing a Selector Type
In this section, "false-negative failure" means that a client will In this section, "false-negative failure" means that a client will
not accept the TLSA association for a certificate designated by DNS not accept the TLSA certificate association for a certificate
administrator. Also, "false-positive acceptance" means that the designated by DNS administrator. Also, "false-positive acceptance"
client accepts a TLSA association for a certificate that is not means that the client accepts a TLSA association for a certificate
designated by the DNS administrator. that is not designated by the DNS administrator.
A.1.2.1. Selector Type 0 (Full Certificate) A.1.2.1. Selector Type 0 (Full Certificate)
The "Full certificate" selector provides the most precise The "Full certificate" selector provides the most precise
specification of a TLS certificate association, capturing all fields specification of a TLSA certificate association, capturing all fields
of the PKIX certificate. For a DNS administrator, the best course to of the PKIX certificate. For a DNS administrator, the best course to
avoid false-negative failures in the client when using this selector avoid false-negative failures in the client when using this selector
is: is:
1. If a CA issued a replacement certificate, don't associate to CA 1. If a CA issued a replacement certificate, don't associate to CA
certificates that have a signature algorithm with a hash that is certificates that have a signature algorithm with a hash that is
considered weak by local policy. considered weak by local policy.
2. Determine how common client applications process the TLSA 2. Determine how common client applications process the TLSA
association using a fresh client installation, that is, with the certificate association using a fresh client installation, that
local certificate cache empty. is, with the local certificate cache empty.
A.1.2.2. Selector Type 1 (SubjectPublicKeyInfo) A.1.2.2. Selector Type 1 (SubjectPublicKeyInfo)
A SubjectPublicKeyInfo selector gives greater flexibility in avoiding A SubjectPublicKeyInfo selector gives greater flexibility in avoiding
some false-negative failures caused by trust-chain-building some false-negative failures caused by trust-chain-building
algorithms used in clients. algorithms used in clients.
One specific use-case ought to be noted: creating a TLSA association One specific use-case ought to be noted: creating a TLSA certificate
to CA certificate I1 that directly signed end entity certificate S1 association to CA certificate I1 that directly signed end entity
of the server. The case can be illustrated by following graph: certificate S1 of the server. The case can be illustrated by
following graph:
+----+ +----+ +----+ +----+
| I1 | | I2 | | I1 | | I2 |
+----+ +----+ +----+ +----+
| | | |
v v v v
+----+ +----+ +----+ +----+
| S1 | | S1 | | S1 | | S1 |
+----+ +----+ +----+ +----+
Certificate chain sent by A different validation path Certificate chain sent by A different validation path
 End of changes. 66 change blocks. 
165 lines changed or deleted 201 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/