draft-ietf-dane-protocol-23.txt   rfc6698.txt 
Network Working Group P. Hoffman Internet Engineering Task Force (IETF) P. Hoffman
Internet-Draft VPN Consortium Request for Comments: 6698 VPN Consortium
Intended status: Standards Track J. Schlyter Category: Standards Track J. Schlyter
Expires: December 16, 2012 Kirei AB ISSN: 2070-1721 Kirei AB
June 14, 2012 August 2012
The DNS-Based Authentication of Named Entities (DANE) Transport Layer The DNS-Based Authentication of Named Entities (DANE)
Security (TLS) Protocol: TLSA Transport Layer Security (TLS) Protocol: TLSA
draft-ietf-dane-protocol-23
Abstract Abstract
Encrypted communication on the Internet often uses Transport Level Encrypted communication on the Internet often uses Transport Layer
Security (TLS), which depends on third parties to certify the keys Security (TLS), which depends on third parties to certify the keys
used. This document improves on that situation by enabling the used. This document improves on that situation by enabling the
administrators of domain names to specify the keys used in that administrators of domain names to specify the keys used in that
domain's TLS servers. This requires matching improvements in TLS domain's TLS servers. This requires matching improvements in TLS
client software, but no change in TLS server software. client software, but no change in TLS server software.
Status of this Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering This is an Internet Standards Track document.
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
This Internet-Draft will expire on December 16, 2012. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6698.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction ....................................................3
1.1. Background and Motivation . . . . . . . . . . . . . . . . 4 1.1. Background and Motivation ..................................3
1.2. Securing the Association of a Domain Name with a 1.2. Securing the Association of a Domain Name with a
Server's Certificate . . . . . . . . . . . . . . . . . . . 5 Server's Certificate .......................................4
1.3. Method For Securing Certificate Associations . . . . . . . 6 1.3. Method for Securing Certificate Associations ...............5
1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 7 1.4. Terminology ................................................6
2. The TLSA Resource Record . . . . . . . . . . . . . . . . . . . 7 2. The TLSA Resource Record ........................................7
2.1. TLSA RDATA Wire Format . . . . . . . . . . . . . . . . . . 8 2.1. TLSA RDATA Wire Format .....................................7
2.1.1. The Certificate Usage Field . . . . . . . . . . . . . 8 2.1.1. The Certificate Usage Field .........................7
2.1.2. The Selector Field . . . . . . . . . . . . . . . . . . 9 2.1.2. The Selector Field ..................................8
2.1.3. The Matching Type Field . . . . . . . . . . . . . . . 10 2.1.3. The Matching Type Field .............................9
2.1.4. The Certificate Association Data Field . . . . . . . . 10 2.1.4. The Certificate Association Data Field ..............9
2.2. TLSA RR Presentation Format . . . . . . . . . . . . . . . 10 2.2. TLSA RR Presentation Format ................................9
2.3. TLSA RR Examples . . . . . . . . . . . . . . . . . . . . . 11 2.3. TLSA RR Examples ..........................................10
3. Domain Names for TLSA Certificate Associations . . . . . . . . 11 3. Domain Names for TLSA Certificate Associations .................10
4. Use of TLSA Records in TLS . . . . . . . . . . . . . . . . . . 12 4. Use of TLSA Records in TLS .....................................11
4.1. Usable Certificate Associations . . . . . . . . . . . . . 12 4.1. Usable Certificate Associations ...........................11
5. TLSA and DANE Use Cases and Requirements . . . . . . . . . . . 14 5. TLSA and DANE Use Cases and Requirements .......................13
6. Mandatory-to-Implement Features . . . . . . . . . . . . . . . 15 6. Mandatory-to-Implement Features ................................15
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 7. IANA Considerations ............................................15
7.1. TLSA RRtype . . . . . . . . . . . . . . . . . . . . . . . 16 7.1. TLSA RRtype ...............................................15
7.2. TLSA Certificate Usages . . . . . . . . . . . . . . . . . 16 7.2. TLSA Certificate Usages ...................................15
7.3. TLSA Selectors . . . . . . . . . . . . . . . . . . . . . . 16 7.3. TLSA Selectors ............................................16
7.4. TLSA Matching Types . . . . . . . . . . . . . . . . . . . 17 7.4. TLSA Matching Types .......................................16
8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 8. Security Considerations ........................................16
8.1. Comparing DANE to Public CAs . . . . . . . . . . . . . . . 19 8.1. Comparing DANE to Public CAs ..............................18
8.1.1. Risk of Key Compromise . . . . . . . . . . . . . . . . 19 8.1.1. Risk of Key Compromise .............................19
8.1.2. Impact of Key Compromise . . . . . . . . . . . . . . . 20 8.1.2. Impact of Key Compromise ...........................20
8.1.3. Detection of Key Compromise . . . . . . . . . . . . . 21 8.1.3. Detection of Key Compromise ........................20
8.1.4. Spoofing Hostnames . . . . . . . . . . . . . . . . . . 21 8.1.4. Spoofing Hostnames .................................20
8.2. DNS Caching . . . . . . . . . . . . . . . . . . . . . . . 21 8.2. DNS Caching ...............................................21
8.3. External DNSSEC Validators . . . . . . . . . . . . . . . . 22 8.3. External DNSSEC Validators ................................21
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22 9. Acknowledgements ...............................................22
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23 10. References ....................................................22
10.1. Normative References . . . . . . . . . . . . . . . . . . . 23 10.1. Normative References .....................................22
10.2. Informative References . . . . . . . . . . . . . . . . . . 23 10.2. Informative References ...................................23
Appendix A. Operational Considerations for Deploying TLSA Appendix A. Operational Considerations for Deploying TLSA
Records . . . . . . . . . . . . . . . . . . . . . . . 25 Records ...............................................25
A.1. Creating TLSA Records . . . . . . . . . . . . . . . . . . 25 A.1. Creating TLSA Records ......................................25
A.1.1. Ambiguities and Corner Cases When TLS Clients A.1.1. Ambiguities and Corner Cases When TLS Clients
Build Trust Chains . . . . . . . . . . . . . . . . . . 25 Build Trust Chains .....................................26
A.1.2. Choosing a Selector Type ...............................26
A.2. Provisioning TLSA Records in DNS ...........................28
A.2.1. Provisioning TLSA Records with Aliases .................28
A.3. Securing the Last Hop ......................................30
A.4. Handling Certificate Rollover ..............................31
A.1.2. Choosing a Selector Type . . . . . . . . . . . . . . . 26 Appendix B. Pseudocode for Using TLSA .............................32
A.2. Provisioning TLSA Records in DNS . . . . . . . . . . . . . 28 B.1. Helper Functions ...........................................32
A.2.1. Provisioning TLSA Records with Aliases . . . . . . . . 28 B.2. Main TLSA Pseudocode .......................................33
A.3. Securing the Last Hop . . . . . . . . . . . . . . . . . . 30 Appendix C. Examples ..............................................35
A.4. Handling Certificate Rollover . . . . . . . . . . . . . . 31
Appendix B. Pseudocode for Using TLSA . . . . . . . . . . . . . . 31
B.1. Helper Functions . . . . . . . . . . . . . . . . . . . . . 32
B.2. Main TLSA Pseudo Code . . . . . . . . . . . . . . . . . . 33
Appendix C. Examples . . . . . . . . . . . . . . . . . . . . . . 35
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 37
1. Introduction 1. Introduction
1.1. Background and Motivation 1.1. Background and Motivation
Applications that communicate over the Internet often need to prevent Applications that communicate over the Internet often need to prevent
eavesdropping, tampering, or forgery of their communications. The eavesdropping, tampering, or forgery of their communications. The
Transport Layer Security (TLS) protocol provides this kind of Transport Layer Security (TLS) protocol provides this kind of
communications security over the Internet, using channel encryption. communications security over the Internet, using channel encryption.
skipping to change at page 4, line 49 skipping to change at page 4, line 5
for any domain name. A single trusted CA that betrays its trust, for any domain name. A single trusted CA that betrays its trust,
either voluntarily or by providing less-than-vigorous protection for either voluntarily or by providing less-than-vigorous protection for
its secrets and capabilities, can undermine the security offered by its secrets and capabilities, can undermine the security offered by
any certificates employed with TLS. This problem arises because a any certificates employed with TLS. This problem arises because a
compromised CA can issue a replacement certificate that contains a compromised CA can issue a replacement certificate that contains a
fake key. Recent experiences with compromises of CAs or their fake key. Recent experiences with compromises of CAs or their
trusted partners have led to very serious security problems, such as trusted partners have led to very serious security problems, such as
the governments of multiple countries attempting to wiretap and/or the governments of multiple countries attempting to wiretap and/or
subvert major TLS-protected web sites trusted by millions of users. subvert major TLS-protected web sites trusted by millions of users.
The DNS Security Extensions (DNSSEC) provides a similar model that The DNS Security Extensions (DNSSEC) provide a similar model that
involves trusted keys signing the information for untrusted keys. involves trusted keys signing the information for untrusted keys.
However, DNSSEC provides three significant improvements. Keys are However, DNSSEC provides three significant improvements. Keys are
tied to names in the Domain Name System (DNS), rather than to tied to names in the Domain Name System (DNS), rather than to
arbitrary identifying strings; this is more convenient for Internet arbitrary identifying strings; this is more convenient for Internet
protocols. Signed keys for any domain are accessible online through protocols. Signed keys for any domain are accessible online through
a straightforward query using the standard DNSSEC protocol, so there a straightforward query using the standard DNSSEC protocol, so there
is no problem distributing the signed keys. Most significantly, the is no problem distributing the signed keys. Most significantly, the
keys associated with a domain name can only be signed by a key keys associated with a domain name can only be signed by a key
associated with the parent of that domain name; for example, the keys associated with the parent of that domain name; for example, the keys
for "example.com" can only be signed by the keys for "com", and the for "example.com" can only be signed by the keys for "com", and the
skipping to change at page 6, line 20 skipping to change at page 5, line 24
the DNS, securing the binding with DNSSEC. the DNS, securing the binding with DNSSEC.
There are many use cases for such functionality. [RFC6394] lists the There are many use cases for such functionality. [RFC6394] lists the
ones to which the DNS RRtype in this document apply. [RFC6394] also ones to which the DNS RRtype in this document apply. [RFC6394] also
lists many requirements, most of which this document is believed to lists many requirements, most of which this document is believed to
meet. Section 5 covers the applicability of this document to the use meet. Section 5 covers the applicability of this document to the use
cases in detail. The protocol in this document can generally be cases in detail. The protocol in this document can generally be
referred to as the "DANE TLSA" protocol. ("TLSA" does not stand for referred to as the "DANE TLSA" protocol. ("TLSA" does not stand for
anything; it is just the name of the RRtype.) anything; it is just the name of the RRtype.)
This document applies to both TLS [RFC5246] and DTLS [RFC6347]. In This document applies to both TLS [RFC5246] and Datagram TLS (DTLS)
order to make the document more readable, it mostly only talks about [RFC6347]. In order to make the document more readable, it mostly
"TLS", but in all cases, it means "TLS or DTLS". Although the only talks about "TLS", but in all cases, it means "TLS or DTLS".
references in this paragraph are to TLS and DTLS version 1.2, the Although the references in this paragraph are to TLS and DTLS
DANE TLSA protocol can also be used with earlier versions of TLS and version 1.2, the DANE TLSA protocol can also be used with earlier
DTLS. versions of TLS and DTLS.
This document only relates to securely associating certificates for This document only relates to securely associating certificates for
TLS and DTLS with host names; retrieving certificates from DNS for TLS and DTLS with host names; retrieving certificates from DNS for
other protocols is handled in other documents. For example, keys for other protocols is handled in other documents. For example, keys for
IPsec are covered in [RFC4025] and keys for SSH are covered in IPsec are covered in [RFC4025], and keys for Secure SHell (SSH) are
[RFC4255]. covered in [RFC4255].
1.3. Method For Securing Certificate Associations 1.3. Method for Securing Certificate Associations
A certificate association is formed from a piece of information A certificate association is formed from a piece of information
identifying a certificate and the domain name where the server identifying a certificate and the domain name where the server
application runs. The combination of a trust anchor and a domain application runs. The combination of a trust anchor and a domain
name can also be a certificate association. name can also be a certificate association.
A DNS query can return multiple certificate associations, such as in A DNS query can return multiple certificate associations, such as in
the case of a server that is changing from one certificate to another the case of a server that is changing from one certificate to another
(described in more detail in Appendix A.4). (described in more detail in Appendix A.4).
This document only applies to PKIX [RFC5280] certificates, not This document only applies to PKIX [RFC5280] certificates, not
certificates of other formats. certificates of other formats.
This document defines a secure method to associate the certificate This document defines a secure method to associate the certificate
that is obtained from the TLS server with a domain name using DNS; that is obtained from the TLS server with a domain name using DNS;
the DNS information needs to be be protected by DNSSEC. Because the the DNS information needs to be protected by DNSSEC. Because the
certificate association was retrieved based on a DNS query, the certificate association was retrieved based on a DNS query, the
domain name in the query is by definition associated with the domain name in the query is by definition associated with the
certificate. Note that this document does not cover how to associate certificate. Note that this document does not cover how to associate
certificates with domain names for application protocols that depend certificates with domain names for application protocols that depend
on SRV, NAPTR, and similar DNS resource records. It is expected that on SRV, NAPTR, and similar DNS resource records. It is expected that
future documents will cover methods for making those associations, future documents will cover methods for making those associations,
and those documents may or may not need to update this one. and those documents may or may not need to update this one.
DNSSEC, which is defined in [RFC4033], [RFC4034], and [RFC4035], uses DNSSEC, which is defined in [RFC4033], [RFC4034], and [RFC4035], uses
cryptographic keys and digital signatures to provide authentication cryptographic keys and digital signatures to provide authentication
skipping to change at page 7, line 37 skipping to change at page 6, line 43
certificate association securely using DNSSEC; other secure DNS certificate association securely using DNSSEC; other secure DNS
mechanisms are out of scope. mechanisms are out of scope.
1.4. Terminology 1.4. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
This document also makes use of standard PKIX, DNSSEC, TLS, and DNS This document also makes use of standard PKIX, DNSSEC, TLS, and DNS
terminology. See [RFC5280], [RFC4033], [RFC5246], and [STD13] terminology. See [RFC5280], [RFC4033], [RFC5246], and STD 13
respectively, for these terms. In addition, terms related to TLS- [RFC1034] [RFC1035], respectively, for these terms. In addition,
protected application services and DNS names are taken from terms related to TLS-protected application services and DNS names are
[RFC6125]. taken from [RFC6125].
2. The TLSA Resource Record 2. The TLSA Resource Record
The TLSA DNS resource record (RR) is used to associate a TLS server The TLSA DNS resource record (RR) is used to associate a TLS server
certificate or public key with the domain name where the record is certificate or public key with the domain name where the record is
found, thus forming a "TLSA certificate association". The semantics found, thus forming a "TLSA certificate association". The semantics
of how the TLSA RR is interpreted are given later in this document. of how the TLSA RR is interpreted are given later in this document.
The type value for the TLSA RR type is defined in Section 7.1. The type value for the TLSA RR type is defined in Section 7.1.
The TLSA RR is class independent. The TLSA RR is class independent.
The TLSA RR has no special TTL requirements. The TLSA RR has no special Time to Live (TTL) requirements.
2.1. TLSA RDATA Wire Format 2.1. TLSA RDATA Wire Format
The RDATA for a TLSA RR consists of a one octet certificate usage The RDATA for a TLSA RR consists of a one-octet certificate usage
field, a one octet selector field, a one octet matching type field field, a one-octet selector field, a one-octet matching type field,
and the certificate association data field. and the certificate association data field.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cert. Usage | Selector | Matching Type | / | Cert. Usage | Selector | Matching Type | /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /
/ / / /
/ Certificate Association Data / / Certificate Association Data /
/ / / /
skipping to change at page 8, line 40 skipping to change at page 7, line 49
Section 7.2) in order to make it easier to add additional certificate Section 7.2) in order to make it easier to add additional certificate
usages in the future. The certificate usages defined in this usages in the future. The certificate usages defined in this
document are: document are:
0 -- Certificate usage 0 is used to specify a CA certificate, or 0 -- Certificate usage 0 is used to specify a CA certificate, or
the public key of such a certificate, that MUST be found in any of the public key of such a certificate, that MUST be found in any of
the PKIX certification paths for the end entity certificate given the PKIX certification paths for the end entity certificate given
by the server in TLS. This certificate usage is sometimes by the server in TLS. This certificate usage is sometimes
referred to as "CA constraint" because it limits which CA can be referred to as "CA constraint" because it limits which CA can be
used to issue certificates for a given service on a host. The used to issue certificates for a given service on a host. The
presented certificate MUST pass PKIX certification path validation presented certificate MUST pass PKIX certification path
and a CA certificate that matches the TLSA record MUST be included validation, and a CA certificate that matches the TLSA record MUST
as part of a valid certification path. Because this certificate be included as part of a valid certification path. Because this
usage allows both trust anchors and CA certificates, the certificate usage allows both trust anchors and CA certificates,
certificate might or might not have the basicConstraints extension the certificate might or might not have the basicConstraints
present. extension present.
1 -- Certificate usage 1 is used to specify an end entity 1 -- Certificate usage 1 is used to specify an end entity
certificate, or the public key of such a certificate, that MUST be certificate, or the public key of such a certificate, that MUST be
matched with the end entity certificate given by the server in matched with the end entity certificate given by the server in
TLS. This certificate usage is sometimes referred to as "service TLS. This certificate usage is sometimes referred to as "service
certificate constraint" because it limits which end entity certificate constraint" because it limits which end entity
certificate can be used by a given service on a host. The target certificate can be used by a given service on a host. The target
certificate MUST pass PKIX certification path validation and MUST certificate MUST pass PKIX certification path validation and MUST
match the TLSA record. match the TLSA record.
2 -- Certificate usage 2 is used to specify a certificate, or the 2 -- Certificate usage 2 is used to specify a certificate, or the
public key of such a certificate, that MUST be used as the trust public key of such a certificate, that MUST be used as the trust
anchor when validating the end entity certificate given by the anchor when validating the end entity certificate given by the
server in TLS. This certificate usage is sometimes referred to as server in TLS. This certificate usage is sometimes referred to as
"trust anchor assertion" and allows a domain name administrator to "trust anchor assertion" and allows a domain name administrator to
specify a new trust anchor. For example, if the domain issues its specify a new trust anchor -- for example, if the domain issues
own certificates under its own CA that is not expected to be in its own certificates under its own CA that is not expected to be
the end users' collection of trust anchors. The target in the end users' collection of trust anchors. The target
certificate MUST pass PKIX certification path validation, with any certificate MUST pass PKIX certification path validation, with any
certificate matching the TLSA record considered to be a trust certificate matching the TLSA record considered to be a trust
anchor for this certification path validation. anchor for this certification path validation.
3 -- Certificate usage 3 is used to specify a certificate, or the 3 -- Certificate usage 3 is used to specify a certificate, or the
public key of such a certificate, that MUST match the end entity public key of such a certificate, that MUST match the end entity
certificate given by the server in TLS. This certificate usage is certificate given by the server in TLS. This certificate usage is
sometimes referred to as "domain-issued certificate" because it sometimes referred to as "domain-issued certificate" because it
allows for a domain name administrator to issue certificates for a allows for a domain name administrator to issue certificates for a
domain without involving a third-party CA. The target certificate domain without involving a third-party CA. The target certificate
skipping to change at page 9, line 41 skipping to change at page 8, line 50
to PKIX-formatted certificates in DER encoding [X.690]. If TLS to PKIX-formatted certificates in DER encoding [X.690]. If TLS
allows other formats later, or if extensions to this RRtype are made allows other formats later, or if extensions to this RRtype are made
that accept other formats for certificates, those certificates will that accept other formats for certificates, those certificates will
need their own certificate usage values. need their own certificate usage values.
2.1.2. The Selector Field 2.1.2. The Selector Field
A one-octet value, called "selector", specifies which part of the TLS A one-octet value, called "selector", specifies which part of the TLS
certificate presented by the server will be matched against the certificate presented by the server will be matched against the
association data. This value is defined in a new IANA registry (see association data. This value is defined in a new IANA registry (see
Section 7.3. The selectors defined in this document are: Section 7.3). The selectors defined in this document are:
0 -- Full certificate; the Certificate binary structure defined in 0 -- Full certificate: the Certificate binary structure as defined
[RFC5280] in [RFC5280]
1 -- SubjectPublicKeyInfo; DER-encoded binary structure defined in 1 -- SubjectPublicKeyInfo: DER-encoded binary structure as defined
[RFC5280] in [RFC5280]
(Note that the use of "selector" in this document is completely (Note that the use of "selector" in this document is completely
unrelated to the use of "selector" in DKIM [RFC6376].) unrelated to the use of "selector" in DomainKeys Identified Mail
(DKIM) [RFC6376].)
2.1.3. The Matching Type Field 2.1.3. The Matching Type Field
A one-octet value, called "matching type", specifies how the A one-octet value, called "matching type", specifies how the
certificate association is presented. This value is defined in a new certificate association is presented. This value is defined in a new
IANA registry (see Section 7.4). The types defined in this document IANA registry (see Section 7.4). The types defined in this document
are: are:
0 -- Exact match on selected content 0 -- Exact match on selected content
skipping to change at page 10, line 25 skipping to change at page 9, line 35
2 -- SHA-512 hash of selected content [RFC6234] 2 -- SHA-512 hash of selected content [RFC6234]
If the TLSA record's matching type is a hash, having the record use If the TLSA record's matching type is a hash, having the record use
the same hash algorithm that was used in the signature in the the same hash algorithm that was used in the signature in the
certificate (if possible) will assist clients that support a small certificate (if possible) will assist clients that support a small
number of hash algorithms. number of hash algorithms.
2.1.4. The Certificate Association Data Field 2.1.4. The Certificate Association Data Field
The "certificate association data" to be matched. These bytes are This field specifies the "certificate association data" to be
either raw data (that is, the full certificate or its matched. These bytes are either raw data (that is, the full
SubjectPublicKeyInfo, depending on the selector) for matching type 0, certificate or its SubjectPublicKeyInfo, depending on the selector)
or the hash of the raw data for matching types 1 and 2. The data for matching type 0, or the hash of the raw data for matching types 1
refers to the certificate in the association, not to the TLS ASN.1 and 2. The data refers to the certificate in the association, not to
Certificate object. the TLS ASN.1 Certificate object.
2.2. TLSA RR Presentation Format 2.2. TLSA RR Presentation Format
The presentation format of the RDATA portion (as defined in The presentation format of the RDATA portion (as defined in
[RFC1035]) is as follows: [RFC1035]) is as follows:
o The certificate usage field MUST be represented as an 8-bit o The certificate usage field MUST be represented as an 8-bit
unsigned integer. unsigned integer.
o The selector field MUST be represented as an 8-bit unsigned o The selector field MUST be represented as an 8-bit unsigned
skipping to change at page 11, line 47 skipping to change at page 11, line 9
1. The decimal representation of the port number on which a TLS- 1. The decimal representation of the port number on which a TLS-
based service is assumed to exist is prepended with an underscore based service is assumed to exist is prepended with an underscore
character ("_") to become the left-most label in the prepared character ("_") to become the left-most label in the prepared
domain name. This number has no leading zeros. domain name. This number has no leading zeros.
2. The protocol name of the transport on which a TLS-based service 2. The protocol name of the transport on which a TLS-based service
is assumed to exist is prepended with an underscore character is assumed to exist is prepended with an underscore character
("_") to become the second left-most label in the prepared domain ("_") to become the second left-most label in the prepared domain
name. The transport names defined for this protocol are "tcp", name. The transport names defined for this protocol are "tcp",
"udp" and "sctp". "udp", and "sctp".
3. The base domain name is appended to the result of step 2 to 3. The base domain name is appended to the result of step 2 to
complete the prepared domain name. The base domain name is the complete the prepared domain name. The base domain name is the
fully-qualified DNS domain name [RFC1035] of the TLS server, with fully qualified DNS domain name [RFC1035] of the TLS server, with
the additional restriction that every label MUST meet the rules the additional restriction that every label MUST meet the rules
of [RFC0952]. The latter restriction means that, if the query is of [RFC0952]. The latter restriction means that, if the query is
for an internationalized domain name, it MUST use the A-label for an internationalized domain name, it MUST use the A-label
form as defined in [RFC5890]. form as defined in [RFC5890].
For example, to request a TLSA resource record for an HTTP server For example, to request a TLSA resource record for an HTTP server
running TLS on port 443 at "www.example.com", running TLS on port 443 at "www.example.com",
"_443._tcp.www.example.com" is used in the request. To request a "_443._tcp.www.example.com" is used in the request. To request a
TLSA resource record for an SMTP server running the STARTTLS protocol TLSA resource record for an SMTP server running the STARTTLS protocol
on port 25 at "mail.example.com", "_25._tcp.mail.example.com" is on port 25 at "mail.example.com", "_25._tcp.mail.example.com" is
skipping to change at page 12, line 26 skipping to change at page 11, line 36
4. Use of TLSA Records in TLS 4. Use of TLSA Records in TLS
Section 2.1 of this document defines the mandatory matching rules for Section 2.1 of this document defines the mandatory matching rules for
the data from the TLSA certificate associations and the certificates the data from the TLSA certificate associations and the certificates
received from the TLS server. received from the TLS server.
The TLS session that is to be set up MUST be for the specific port The TLS session that is to be set up MUST be for the specific port
number and transport name that was given in the TLSA query. number and transport name that was given in the TLSA query.
Some specifications for applications that run over TLS, such as Some specifications for applications that run over TLS, such as
[RFC2818] for HTTP, require the server's certificate to have a domain [RFC2818] for HTTP, require that the server's certificate have a
name that matches the host name expected by the client. Some domain name that matches the host name expected by the client. Some
specifications such as [RFC6125] detail how to match the identity specifications, such as [RFC6125], detail how to match the identity
given in a PKIX certificate with those expected by the user. given in a PKIX certificate with those expected by the user.
If a TLSA record has certificate usage 2, the corresponding TLS If a TLSA record has certificate usage 2, the corresponding TLS
server SHOULD send the certificate that is referenced just like it server SHOULD send the certificate that is referenced just like it
currently sends intermediate certificates. currently sends intermediate certificates.
4.1. Usable Certificate Associations 4.1. Usable Certificate Associations
An implementation of this protocol makes a DNS query for TLSA An implementation of this protocol makes a DNS query for TLSA
records, validates these records using DNSSEC, and uses the resulting records, validates these records using DNSSEC, and uses the resulting
TLSA records and validation status to modify its responses to the TLS TLSA records and validation status to modify its responses to the TLS
server. server.
Determining whether a TLSA RRset can be used MUST be based on the Determining whether a TLSA RRSet can be used MUST be based on the
DNSSEC validation state (as defined in [RFC4033]). DNSSEC validation state (as defined in [RFC4033]).
o A TLSA RRset whose DNSSEC validation state is secure MUST be used o A TLSA RRSet whose DNSSEC validation state is secure MUST be used
as a certificate association for TLS unless a local policy would as a certificate association for TLS unless a local policy would
prohibit the use of the specific certificate association in the prohibit the use of the specific certificate association in the
secure TLSA RRset. secure TLSA RRSet.
o If the DNSSEC validation state on the response to the request for o If the DNSSEC validation state on the response to the request for
the TLSA RRset is bogus, this MUST cause TLS not to be started or, the TLSA RRSet is bogus, this MUST cause TLS not to be started or,
if the TLS negotiation is already in progress, MUST cause the if the TLS negotiation is already in progress, MUST cause the
connection to be aborted. connection to be aborted.
o A TLSA RRset whose DNSSEC validation state is indeterminate or o A TLSA RRSet whose DNSSEC validation state is indeterminate or
insecure cannot be used for TLS and MUST be considered unusable. insecure cannot be used for TLS and MUST be considered unusable.
Clients which validate the DNSSEC signatures themselves MUST use Clients that validate the DNSSEC signatures themselves MUST use
standard DNSSEC validation procedures. Clients that rely on another standard DNSSEC validation procedures. Clients that rely on another
entity to perform the DNSSEC signature validation MUST use a secure entity to perform the DNSSEC signature validation MUST use a secure
mechanism between themselves and the validator. Examples of secure mechanism between themselves and the validator. Examples of secure
transports to other hosts include TSIG [RFC2845], SIG(0) [RFC2931], transports to other hosts include TSIG [RFC2845], SIG(0) [RFC2931],
and IPsec [RFC6071]. Note that it is not sufficient to use secure and IPsec [RFC6071]. Note that it is not sufficient to use secure
transport to a DNS resolver that does not do DNSSEC signature transport to a DNS resolver that does not do DNSSEC signature
validation. See Section 8.3 for more security considerations related validation. See Section 8.3 for more security considerations related
to external validators. to external validators.
If a certificate association contains a certificate usage, selector, If a certificate association contains a certificate usage, selector,
skipping to change at page 14, line 21 skipping to change at page 13, line 31
The application can perform the TLSA lookup before initiating the TLS The application can perform the TLSA lookup before initiating the TLS
handshake, or do it during the TLS handshake: the choice is up to the handshake, or do it during the TLS handshake: the choice is up to the
client. client.
5. TLSA and DANE Use Cases and Requirements 5. TLSA and DANE Use Cases and Requirements
The different types of certificate associations defined in TLSA are The different types of certificate associations defined in TLSA are
matched with various sections of [RFC6394]. The use cases from matched with various sections of [RFC6394]. The use cases from
Section 3 of [RFC6394] are covered in this document as follows: Section 3 of [RFC6394] are covered in this document as follows:
3.1 CA Constraints -- Implemented using certificate usage 0. 3.1 CA Constraints -- Implemented using certificate usage 0.
3.2 Certificate Constraints -- Implemented using certificate usage 3.2 Certificate Constraints -- Implemented using certificate usage 1.
1.
3.3 Trust Anchor Assertion and Domain-Issued Certificates -- 3.3 Trust Anchor Assertion and Domain-Issued Certificates --
Implemented using certificate usages 2 and 3, respectively. Implemented using certificate usages 2 and 3, respectively.
The requirements from Section 4 of [RFC6394] are covered in this The requirements from Section 4 of [RFC6394] are covered in this
document as follows: document as follows:
Multiple Ports -- The TLSA records for different application Multiple Ports -- The TLSA records for different application services
services running on a single host can be distinguished through the running on a single host can be distinguished through the service
service name and port number prefixed to the host name (see name and port number prefixed to the host name (see Section 3).
Section 3).
No Downgrade -- Section 4 specifies the conditions under which a No Downgrade -- Section 4 specifies the conditions under which a
client can process and act upon TLSA records. Specifically, if client can process and act upon TLSA records. Specifically, if
the DNSSEC status for the TLSA resource record set is determined the DNSSEC status for the TLSA resource record set is determined
to be bogus, the TLS connection (if started) will fail. to be bogus, the TLS connection (if started) will fail.
Encapsulation -- Covered in the TLSA response semantics. Encapsulation -- Encapsulation is covered in the TLSA response
semantics.
Predictability -- The appendices of this specification provide Predictability -- The appendices of this specification provide
operational considerations and implementation guidance in order to operational considerations and implementation guidance in order to
enable application developers to form a consistent interpretation enable application developers to form a consistent interpretation
of the recommended client behavior. of the recommended client behavior.
Opportunistic Security -- If a client conformant to this Opportunistic Security -- If a client conformant to this
specification can reliably determine the presence of a TLSA specification can reliably determine the presence of a TLSA
record, it will attempt to use this information. Conversely, if a record, it will attempt to use this information. Conversely, if a
client can reliably determine the absence of any TLSA record, it client can reliably determine the absence of any TLSA record, it
will fall back to processing TLS in the normal fashion. This is will fall back to processing TLS in the normal fashion. This is
discussed in Section 4. discussed in Section 4.
Combination -- Multiple TLSA records can be published for a given Combination -- Multiple TLSA records can be published for a given
host name, thus enabling the client to construct multiple TLSA host name, thus enabling the client to construct multiple TLSA
certificate associations that reflect different assertions. No certificate associations that reflect different assertions. No
support is provided to combine two TLSA certificate associations support is provided to combine two TLSA certificate associations
in a single operation. in a single operation.
Roll-over -- TLSA records are processed in the normal manner within Roll-over -- TLSA records are processed in the normal manner within
the scope of DNS protocol, including the TTL expiration of the the scope of the DNS protocol, including the TTL expiration of the
records. This ensures that clients will not latch onto assertions records. This ensures that clients will not latch onto assertions
made by expired TLSA records, and will be able to transition from made by expired TLSA records, and will be able to transition from
using one public key or certificate usage to another. using one public key or certificate usage to another.
Simple Key Management -- The SubjectPublicKeyInfo selector in the Simple Key Management -- The SubjectPublicKeyInfo selector in the
TLSA record provides a mode that enables a domain holder to only TLSA record provides a mode that enables a domain holder to only
have to maintain a single long-lived public/private key pair have to maintain a single long-lived public/private key pair
without the need to manage certificates. Appendix A outlines the without the need to manage certificates. Appendix A outlines the
usefulness and the potential downsides to using this mode. usefulness and the potential downsides to using this mode.
Minimal Dependencies -- This specification relies on DNSSEC to Minimal Dependencies -- This specification relies on DNSSEC to
protect the origin authenticity and integrity of the TLSA resource protect the origin authenticity and integrity of the TLSA resource
record set. Additionally, if DNSSEC validation is not performed record set. Additionally, if DNSSEC validation is not performed
on the system that wishes to use TLSA certificate bindings, this on the system that wishes to use TLSA certificate bindings, this
specification requires that the "last mile" be over a secure specification requires that the "last mile" be over a secure
transport. There are no other deployment dependencies for this transport. There are no other deployment dependencies for this
approach. approach.
Minimal Options -- The operating modes map precisely to the DANE use Minimal Options -- The operating modes map precisely to the DANE use
cases and requirements. DNSSEC use is mandatory in that this cases and requirements. DNSSEC use is mandatory in that this
specification encourages applications to use only those TLSA specification encourages applications to use only those TLSA
records that are shown to be validated. records that are shown to be validated.
Wild Cards -- Covered in a limited manner in the TLSA request Wildcards -- Wildcards are covered in a limited manner in the TLSA
syntax; see Appendix A. request syntax; see Appendix A.
Redirection -- Covered in the TLSA request syntax; see Appendix A. Redirection -- Redirection is covered in the TLSA request syntax; see
Appendix A.
6. Mandatory-to-Implement Features 6. Mandatory-to-Implement Features
TLS clients conforming to this specification MUST be able to TLS clients conforming to this specification MUST be able to
correctly interpret TLSA records with certificate usages 0, 1, 2, and correctly interpret TLSA records with certificate usages 0, 1, 2,
3. TLS clients conforming to this specification MUST be able to and 3. TLS clients conforming to this specification MUST be able to
compare a certificate association with a certificate from the TLS compare a certificate association with a certificate from the TLS
handshake using selector types 0 and 1, and matching type 0 (no hash handshake using selector types 0 and 1, and matching type 0 (no hash
used) and matching type 1 (SHA-256), and SHOULD be able to make such used) and matching type 1 (SHA-256), and SHOULD be able to make such
comparisons with matching type 2 (SHA-512). comparisons with matching type 2 (SHA-512).
7. IANA Considerations 7. IANA Considerations
IANA is requested to make the assignments in this section. IANA IANA has made the assignments in this section.
might also consider making a "DANE" section in the main IANA registry
to help developers find related registries that might be created in
the future.
In the following sections, "RFC Required" was chosen for TLSA In the following sections, "RFC Required" was chosen for TLSA
certificate usages and "Specification Required" for selectors and certificate usages and "Specification Required" for selectors and
matching types because of the amount of detail that is likely to be matching types because of the amount of detail that is likely to be
needed for implementers to correctly implement new certificate usages needed for implementers to correctly implement new certificate usages
as compared to new selectors and matching types. as compared to new selectors and matching types.
7.1. TLSA RRtype 7.1. TLSA RRtype
This document uses a new DNS RR type, TLSA, whose value (52) was This document uses a new DNS RR type, TLSA, whose value (52) was
allocated by IANA from the Resource Record (RR) TYPEs subregistry of allocated by IANA from the Resource Record (RR) TYPEs subregistry of
the Domain Name System (DNS) Parameters registry. the Domain Name System (DNS) Parameters registry.
7.2. TLSA Certificate Usages 7.2. TLSA Certificate Usages
This document creates a new registry, "Certificate Usages for TLSA This document creates a new registry, "TLSA Certificate Usages". The
Resource Records". The registry policy is "RFC Required". The registry policy is "RFC Required". The initial entries in the
initial entries in the registry are: registry are:
Value Short description Reference Value Short description Reference
---------------------------------------------------------- ----------------------------------------------------------
0 CA constraint [This] 0 CA constraint RFC 6698
1 Service certificate constraint [This] 1 Service certificate constraint RFC 6698
2 Trust anchor assertion [This] 2 Trust anchor assertion RFC 6698
3 Domain-issued certificate [This] 3 Domain-issued certificate RFC 6698
4-254 Unassigned 4-254 Unassigned
255 Private use 255 Private use
Applications to the registry can request specific values that have Applications to the registry can request specific values that have
yet to be assigned. yet to be assigned.
7.3. TLSA Selectors 7.3. TLSA Selectors
This document creates a new registry, "Selectors for TLSA Resource This document creates a new registry, "TLSA Selectors". The registry
Records". The registry policy is "Specification Required". The policy is "Specification Required". The initial entries in the
initial entries in the registry are: registry are:
Value Short description Reference Value Short description Reference
---------------------------------------------------------- ----------------------------------------------------------
0 Full Certificate [This] 0 Full certificate RFC 6698
1 SubjectPublicKeyInfo [This] 1 SubjectPublicKeyInfo RFC 6698
2-254 Unassigned 2-254 Unassigned
255 Private use 255 Private use
Applications to the registry can request specific values that have Applications to the registry can request specific values that have
yet to be assigned. yet to be assigned.
7.4. TLSA Matching Types 7.4. TLSA Matching Types
This document creates a new registry, "Matching Types for TLSA This document creates a new registry, "TLSA Matching Types". The
Resource Records". The registry policy is "Specification Required". registry policy is "Specification Required". The initial entries in
The initial entries in the registry are: the registry are:
Value Short description Reference Value Short description Reference
-------------------------------------------------------- ----------------------------------------------------------
0 No hash used [This] 0 No hash used RFC 6698
1 SHA-256 RFC 6234 1 SHA-256 RFC 6234
2 SHA-512 RFC 6234 2 SHA-512 RFC 6234
3-254 Unassigned 3-254 Unassigned
255 Private use 255 Private use
Applications to the registry can request specific values that have Applications to the registry can request specific values that have
yet to be assigned. yet to be assigned.
8. Security Considerations 8. Security Considerations
The security of the DNS RRtype described in this document relies on The security of the DNS RRtype described in this document relies on
the security of DNSSEC to verify that the TLSA record has not been the security of DNSSEC to verify that the TLSA record has not been
altered. altered.
A DNS administrator who goes rogue and changes both the A, AAAA, A rogue DNS administrator who changes the A, AAAA, and/or TLSA
and/or TLSA records for a domain name can cause the client to go to records for a domain name can cause the client to go to an
an unauthorized server that will appear authorized, unless the client unauthorized server that will appear authorized, unless the client
performs PKIX certification path validation and rejects the performs PKIX certification path validation and rejects the
certificate. That administrator could probably get a certificate certificate. That administrator could probably get a certificate
issued by some CA anyway, so this is not an additional threat. issued by some CA anyway, so this is not an additional threat.
If the authentication mechanism for adding or changing TLSA data in a If the authentication mechanism for adding or changing TLSA data in a
zone is weaker than the authentication mechanism for changing the A zone is weaker than the authentication mechanism for changing the A
and/or AAAA records, a man-in-the-middle who can redirect traffic to and/or AAAA records, a man-in-the-middle who can redirect traffic to
their site may be able to impersonate the attacked host in TLS if his site may be able to impersonate the attacked host in TLS if he
they can use the weaker authentication mechanism. A better design can use the weaker authentication mechanism. A better design for
for authenticating DNS would be to have the same level of authenticating DNS would be to have the same level of authentication
authentication used for all DNS additions and changes for a used for all DNS additions and changes for a particular domain name.
particular domain name.
SSL proxies can sometimes act as a man-in-the-middle for TLS clients. Secure Socket Layer (SSL) proxies can sometimes act as a man-in-the-
In these scenarios, the clients add a new trust anchor whose private middle for TLS clients. In these scenarios, the clients add a new
key is kept on the SSL proxy; the proxy intercepts TLS requests, trust anchor whose private key is kept on the SSL proxy; the proxy
creates a new TLS session with the intended host, and sets up a TLS intercepts TLS requests, creates a new TLS session with the intended
session with the client using a certificate that chains to the trust host, and sets up a TLS session with the client using a certificate
anchor installed in the client by the proxy. In such environments, that chains to the trust anchor installed in the client by the proxy.
using TLSA records will prevent the SSL proxy from functioning as In such environments, using TLSA records will prevent the SSL proxy
expected because the TLS client will get a certificate association from functioning as expected because the TLS client will get a
from the DNS that will not match the certificate that the SSL proxy certificate association from the DNS that will not match the
uses with the client. The client, seeing the proxy's new certificate certificate that the SSL proxy uses with the client. The client,
for the supposed destination will not set up a TLS session. seeing the proxy's new certificate for the supposed destination, will
not set up a TLS session.
Client treatment of any information included in the trust anchor is a Client treatment of any information included in the trust anchor is a
matter of local policy. This specification does not mandate that matter of local policy. This specification does not mandate that
such information be inspected or validated by the server's domain such information be inspected or validated by the server's domain
name administrator. name administrator.
If a server's certificate is revoked, or if an intermediate CA in a If a server's certificate is revoked, or if an intermediate CA in a
chain between the server and a trust anchor has its certificate chain between the server and a trust anchor has its certificate
revoked, a TLSA record with a certificate usage of 2 that matches the revoked, a TLSA record with a certificate usage of 2 that matches the
revoked certificate would in essence override the revocation because revoked certificate would in essence override the revocation because
the client would treat that revoked certificate as a trust anchor and the client would treat that revoked certificate as a trust anchor and
thus not check its revocation status. Because of this, domain thus not check its revocation status. Because of this, domain
administrators need to be responsible for being sure that the key or administrators need to be responsible for being sure that the keys or
certificate used in TLSA records with a certificate usage of 2 are in certificates used in TLSA records with a certificate usage of 2 are
fact able to be used as reliable trust anchors. in fact able to be used as reliable trust anchors.
Certificates that are delivered in TLSA with certificate usage 2 Certificates that are delivered in TLSA with certificate usage 2
fundamentally change the way the TLS server's end entity certificate fundamentally change the way the TLS server's end entity certificate
is evaluated. For example, the server's certificate might chain to is evaluated. For example, the server's certificate might chain to
an existing CA through an intermediate CA that has certain policy an existing CA through an intermediate CA that has certain policy
restrictions, and the certificate would not pass those restrictions restrictions, and the certificate would not pass those restrictions
and thus normally be rejected. That intermediate CA could issue and thus normally be rejected. That intermediate CA could issue
itself a new certificate without the policy restrictions and tell its itself a new certificate without the policy restrictions and tell its
customers to use that certificate with certificate usage 2. This in customers to use that certificate with certificate usage 2. This in
essence allows an intermediate CA to become a trust anchor for essence allows an intermediate CA to become a trust anchor for
skipping to change at page 20, line 4 skipping to change at page 19, line 14
8.1.1. Risk of Key Compromise 8.1.1. Risk of Key Compromise
The risk that a given certificate that has a valid signing chain is The risk that a given certificate that has a valid signing chain is
fake is related to the number of keys that can contribute to the fake is related to the number of keys that can contribute to the
validation of the certificate, the quality of protection each private validation of the certificate, the quality of protection each private
key receives, the value of each key to an attacker, and the value of key receives, the value of each key to an attacker, and the value of
falsifying the certificate. falsifying the certificate.
DNSSEC allows any set of domains to be configured as trust anchors DNSSEC allows any set of domains to be configured as trust anchors
and/or DLVs, but most clients are likely to use the root zone as its and/or DLVs, but most clients are likely to use the root zone as
only trust anchor. Also, because a given DNSKEY can only sign their only trust anchor. Also, because a given DNSKEY can only sign
resource records for that zone, the number of private keys capable of resource records for that zone, the number of private keys capable of
compromising a given TLSA resource record is limited to the number of compromising a given TLSA resource record is limited to the number of
zones between the TLSA resource record and the nearest trust anchor, zones between the TLSA resource record and the nearest trust anchor,
plus any configured DLV domains. Typically, this will be six keys, plus any configured DLV domains. Typically, this will be six keys,
half of which will be KSKs. half of which will be KSKs.
PKIX only describes how to validate a certificate based on a client- PKIX only describes how to validate a certificate based on a client-
chosen set of trust anchors, but says nothing about how many trust chosen set of trust anchors, but says nothing about how many trust
anchors to use or how they should be constrained. As currently anchors to use or how they should be constrained. As currently
deployed, most PKIX clients use a large number of trust anchors deployed, most PKIX clients use a large number of trust anchors
skipping to change at page 20, line 31 skipping to change at page 19, line 41
A combination of technical protections, process controls, and A combination of technical protections, process controls, and
personnel experience contribute to the quality of security that keys personnel experience contribute to the quality of security that keys
receive. receive.
o The security surrounding DNSSEC DNSKEYs varies significantly. The o The security surrounding DNSSEC DNSKEYs varies significantly. The
KSK/ZSK split allows the KSK to be stored offline and protected KSK/ZSK split allows the KSK to be stored offline and protected
more carefully than the ZSK, but not all domains do so. The more carefully than the ZSK, but not all domains do so. The
security applied to a zone's DNSKEYs should be proportional to the security applied to a zone's DNSKEYs should be proportional to the
value of the domain, but that is difficult to estimate. For value of the domain, but that is difficult to estimate. For
example, the root DNSKEY has protections and controls comparable example, the root DNSKEY has protections and controls comparable
to or exceeding that of public CAs. On the other end of the to or exceeding those of public CAs. On the other end of the
spectrum, small domains might provide no more protection to their spectrum, small domains might provide no more protection to their
keys than they do to their other data. keys than they do to their other data.
o The security surrounding public CAs also varies. However, due to o The security surrounding public CAs also varies. However, due to
financial incentives and standards imposed by clients for financial incentives and standards imposed by clients for
acceptance into their trust anchor stores, CAs generally employ acceptance into their trust anchor stores, CAs generally employ
security experts and protect their keys carefully, though highly- security experts and protect their keys carefully, though highly
public compromises have occurred. public compromises have occurred.
8.1.2. Impact of Key Compromise 8.1.2. Impact of Key Compromise
The impact of a key compromise differs significantly between the two The impact of a key compromise differs significantly between the two
models. models.
o DNSKEYs are inherently limited in what they can sign, so a o DNSKEYs are inherently limited in what they can sign, so a
compromise of the DNSKEY for "example.com" provides no avenue of compromise of the DNSKEY for "example.com" provides no avenue of
attack against "example.org". Even the impact of a compromise of attack against "example.org". Even the impact of a compromise of
skipping to change at page 21, line 26 skipping to change at page 20, line 38
(if any) are not. (if any) are not.
8.1.3. Detection of Key Compromise 8.1.3. Detection of Key Compromise
If a key is compromised, rapid and reliable detection is important in If a key is compromised, rapid and reliable detection is important in
order to limit the impact of the compromise. In this regard, neither order to limit the impact of the compromise. In this regard, neither
model prevents an attacker from near-invisibly attacking their model prevents an attacker from near-invisibly attacking their
victim, provided that the necessary keys are compromised. victim, provided that the necessary keys are compromised.
If a public CA is compromised, only the victim will see the If a public CA is compromised, only the victim will see the
fraudulent certificate, as there is typically no publicly-accessible fraudulent certificate, as there is typically no publicly accessible
directory of all the certificates issued by a CA that can be directory of all the certificates issued by a CA that can be
inspected. DNS resource records are typically published publicly. inspected. DNS resource records are typically published publicly.
However, the attacker could also allow the uncompromised records to However, the attacker could also allow the uncompromised records to
be published to the Internet as usual but provide a compromised DNS be published to the Internet as usual but provide a compromised DNS
view to the victim to achieve the same effect. view to the victim to achieve the same effect.
8.1.4. Spoofing Hostnames 8.1.4. Spoofing Hostnames
Some CAs implement technical controls to ensure that certificates are Some CAs implement technical controls to ensure that certificates are
not issued to domains with names similar to popular & prone-to-attack not issued to domains with names similar to domains that are popular
domains. Of course, an attacker can attempt to circumvent this and prone to attack. Of course, an attacker can attempt to
restriction by finding a CA willing to issue the certificate anyway. circumvent this restriction by finding a CA willing to issue the
However, by using DNSSEC and TLSA, the attacker can circumvent this certificate anyway. However, by using DNSSEC and TLSA, the attacker
check completely. can circumvent this check completely.
8.2. DNS Caching 8.2. DNS Caching
Implementations of this protocol rely heavily on the DNS, and are Implementations of this protocol rely heavily on the DNS, and are
thus prone to security attacks based on the deliberate mis- thus prone to security attacks based on the deliberate
association of TLSA records and DNS names. Implementations need to mis-association of TLSA records and DNS names. Implementations need
be cautious in assuming the continuing validity of an association to be cautious in assuming the continuing validity of an association
between a TLSA record and a DNS name. between a TLSA record and a DNS name.
In particular, implementations SHOULD rely on their DNS resolver for In particular, implementations SHOULD rely on their DNS resolver for
confirmation of an association between a TLSA record and a DNS name, confirmation of an association between a TLSA record and a DNS name,
rather than caching the result of previous domain name lookups. Many rather than caching the result of previous domain name lookups. Many
platforms already can cache domain name lookups locally when platforms already can cache domain name lookups locally when
appropriate, and they SHOULD be configured to do so. It is proper appropriate, and they SHOULD be configured to do so. It is proper
for these lookups to be cached, however, only when the TTL (Time To for these lookups to be cached, however, only when the TTL (Time To
Live) information reported by the DNS makes it likely that the cached Live) information reported by the DNS makes it likely that the cached
information will remain useful. information will remain useful.
If implementations cache the results of domain name lookups in order If implementations cache the results of domain name lookups in order
to achieve a performance improvement, they MUST observe the TTL to achieve a performance improvement, they MUST observe the TTL
information reported by DNS. Implementations that fail to follow information reported by DNS. Implementations that fail to follow
this rule could be spoofed or have access denied when a previously- this rule could be spoofed or have access denied when a previously
accessed server's TLSA record changes, such as during a certificate accessed server's TLSA record changes, such as during a certificate
rollover. rollover.
8.3. External DNSSEC Validators 8.3. External DNSSEC Validators
Due to a lack of DNSSEC support in the most commonly-deployed stub Due to a lack of DNSSEC support in the most commonly deployed stub
resolvers today, some ISPs have begun checking DNSSEC in the resolvers today, some ISPs have begun checking DNSSEC in the
recursive resolvers they provide to their customers, setting the AD recursive resolvers they provide to their customers, setting the
flag as appropriate. DNSSEC-aware clients could use that data, Authentic Data (AD) flag as appropriate. DNSSEC-aware clients could
ignoring the fact that the DNSSEC data has been validated externally. use that data, ignoring the fact that the DNSSEC data has been
Because there is typically no authentication of the recursive validated externally. Because there is typically no authentication
resolver or integrity protection of the the data and AD flag between of the recursive resolver or integrity protection of the data and AD
the client and the recursive resolver, this can be trivially spoofed flag between the client and the recursive resolver, this can be
by an attacker. trivially spoofed by an attacker.
However, even with secure communications between a host and the However, even with secure communications between a host and the
external validating resolver, there is a risk that the external external validating resolver, there is a risk that the external
validator could become compromised. Nothing prevents a compromised validator could become compromised. Nothing prevents a compromised
external DNSSEC validator from claiming that all the records it external DNSSEC validator from claiming that all the records it
provides are secure, even if the data is falsified, unless the client provides are secure, even if the data is falsified, unless the client
checks the DNSSEC data itself (rendering the the external validator checks the DNSSEC data itself (rendering the external validator
unnecessary). unnecessary).
For this reason, DNSSEC validation is best performed on-host, even For this reason, DNSSEC validation is best performed on-host, even
when a secure path to an external validator is available. when a secure path to an external validator is available.
9. Acknowledgements 9. Acknowledgements
Many of the ideas in this document have been discussed over many Many of the ideas in this document have been discussed over many
years. More recently, the ideas have been discussed by the authors years. More recently, the ideas have been discussed by the authors
and others in a more focused fashion. In particular, some of the and others in a more focused fashion. In particular, some of the
ideas and words here originated with Paul Vixie, Dan Kaminsky, Jeff ideas and words here originated with Paul Vixie, Dan Kaminsky, Jeff
Hodges, Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam Hodges, Phillip Hallam-Baker, Simon Josefsson, Warren Kumari, Adam
Langley, Ben Laurie, Ilari Liusvaara, Ondrej Mikle, Scott Schmit, Langley, Ben Laurie, Ilari Liusvaara, Ondrej Mikle, Scott Schmit,
Ondrej Sury, Richard Barnes, Jim Schaad, Stephen Farrell, Suresh Ondrej Sury, Richard Barnes, Jim Schaad, Stephen Farrell, Suresh
Krishnaswamy, Peter Palfrader, Pieter Lexis, Wouter Wijngaards, John Krishnaswamy, Peter Palfrader, Pieter Lexis, Wouter Wijngaards, John
Gilmore, and Murray Kucherawy. Gilmore, and Murray Kucherawy.
This document has also been greatly helped by many active This document has also been greatly helped by many active
participants of the DANE Working Group. participants of the DANE Working Group.
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", Rose, "DNS Security Introduction and Requirements",
RFC 4033, March 2005. RFC 4033, March 2005.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions", Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005. RFC 4034, March 2005.
skipping to change at page 23, line 44 skipping to change at page 23, line 14
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509 within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer (PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011. Security (TLS)", RFC 6125, March 2011.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, January 2012. Security Version 1.2", RFC 6347, January 2012.
[STD13] Mockapetris, P., "Domain Name System", STD 13,
November 1987.
10.2. Informative References 10.2. Informative References
[RFC0952] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet [RFC0952] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet
host table specification", RFC 952, October 1985. host table specification", RFC 952, October 1985.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782, specifying the location of services (DNS SRV)", RFC 2782,
February 2000. February 2000.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B. [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
Wellington, "Secret Key Transaction Authentication for DNS Wellington, "Secret Key Transaction Authentication for DNS
(TSIG)", RFC 2845, May 2000. (TSIG)", RFC 2845, May 2000.
[RFC2931] Eastlake, D., "DNS Request and Transaction Signatures ( [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures
SIG(0)s)", RFC 2931, September 2000. ( SIG(0)s)", RFC 2931, September 2000.
[RFC4025] Richardson, M., "A Method for Storing IPsec Keying [RFC4025] Richardson, M., "A Method for Storing IPsec Keying
Material in DNS", RFC 4025, March 2005. Material in DNS", RFC 4025, March 2005.
[RFC4255] Schlyter, J. and W. Griffin, "Using DNS to Securely [RFC4255] Schlyter, J. and W. Griffin, "Using DNS to Securely
Publish Secure Shell (SSH) Key Fingerprints", RFC 4255, Publish Secure Shell (SSH) Key Fingerprints", RFC 4255,
January 2006. January 2006.
[RFC4641] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices", [RFC4641] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
RFC 4641, September 2006. RFC 4641, September 2006.
[RFC5074] Weiler, S., "DNSSEC Lookaside Validation (DLV)", RFC 5074, [RFC5074] Weiler, S., "DNSSEC Lookaside Validation (DLV)", RFC 5074,
November 2007. November 2007.
[RFC5890] Klensin, J., "Internationalized Domain Names for [RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework", Applications (IDNA): Definitions and Document Framework",
RFC 5890, August 2010. RFC 5890, August 2010.
[RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS)
Extension Definitions", RFC 6066, January 2011. Extensions: Extension Definitions", RFC 6066,
January 2011.
[RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and [RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and
Internet Key Exchange (IKE) Document Roadmap", RFC 6071, Internet Key Exchange (IKE) Document Roadmap", RFC 6071,
February 2011. February 2011.
[RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011. (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.
[RFC6376] Crocker, D., Hansen, T., and M. Kucherawy, "DomainKeys [RFC6376] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
Identified Mail (DKIM) Signatures", RFC 6376, "DomainKeys Identified Mail (DKIM) Signatures", RFC 6376,
September 2011. September 2011.
[RFC6394] Barnes, R., "Use Cases and Requirements for DNS-Based [RFC6394] Barnes, R., "Use Cases and Requirements for DNS-Based
Authentication of Named Entities (DANE)", RFC 6394, Authentication of Named Entities (DANE)", RFC 6394,
October 2011. October 2011.
[X.690] "Recommendation ITU-T X.690 (2002) | ISO/IEC 8825-1:2002, [X.690] "Recommendation ITU-T X.690 (2002) | ISO/IEC 8825-1:2002,
Information technology - ASN.1 encoding rules: Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER), Canonical Specification of Basic Encoding Rules (BER), Canonical
Encoding Rules (CER) and Distinguished Encoding Rules Encoding Rules (CER) and Distinguished Encoding Rules
(DER)", 2002. (DER)", July 2002.
Appendix A. Operational Considerations for Deploying TLSA Records Appendix A. Operational Considerations for Deploying TLSA Records
A.1. Creating TLSA Records A.1. Creating TLSA Records
When creating TLSA records, care must be taken to avoid When creating TLSA records, care must be taken to avoid
misconfigurations. Section 4 of this document states that a TLSA misconfigurations. Section 4 of this document states that a TLSA
RRset whose validation state is secure MUST be used. This means that RRSet whose validation state is secure MUST be used. This means that
the existence of such a RRset effectively disables other forms of the existence of such a RRSet effectively disables other forms of
name and path validation. A misconfigured TLSA RRset will name and path validation. A misconfigured TLSA RRSet will
effectively disable access to the TLS server for all conforming effectively disable access to the TLS server for all conforming
clients, and this document does not provide any means of making a clients, and this document does not provide any means of making a
gradual transition to using TLSA. gradual transition to using TLSA.
When creating TLSA records with certificate usage 0 (CA Certificate) When creating TLSA records with certificate usage 0 (CA certificate)
or usage 2 (Trust Anchor), one needs to understand the implications or usage 2 (trust anchor), one needs to understand the implications
when choosing between selector type 0 (full certificate) and 1 when choosing between selector type 0 (Full certificate) and 1
(SubjectPublicKeyInfo). A careful choice is required because (SubjectPublicKeyInfo). A careful choice is required because
different methods for building trust chains are used by different TLS different methods for building trust chains are used by different TLS
clients. The following outlines the cases that one ought to be aware clients. The following outlines the cases that one ought to be aware
of and discusses the implications of the choice of selector type. of and discusses the implications of the choice of selector type.
Certificate usage 2 is not affected by the different types of chain Certificate usage 2 is not affected by the different types of chain
building when the end entity certificate is the same as the trust building when the end entity certificate is the same as the trust
anchor certificate. anchor certificate.
A.1.1. Ambiguities and Corner Cases When TLS Clients Build Trust Chains A.1.1. Ambiguities and Corner Cases When TLS Clients Build Trust Chains
skipping to change at page 26, line 4 skipping to change at page 25, line 42
TLS clients can implement their own chain-building code rather than TLS clients can implement their own chain-building code rather than
rely on the chain presented by the TLS server. This means that, rely on the chain presented by the TLS server. This means that,
except for the end entity certificate, any certificate presented in except for the end entity certificate, any certificate presented in
the suggested chain might or might not be present in the final chain the suggested chain might or might not be present in the final chain
built by the client. built by the client.
Certificates that the client can use to replace certificates from the Certificates that the client can use to replace certificates from the
original chain include: original chain include:
o Client's trust anchors o Client's trust anchors
o Certificates cached locally o Certificates cached locally
o Certificates retrieved from a URI listed in an Authority o Certificates retrieved from a URI listed in an Authority
Information Access X.509v3 extension Information Access X.509v3 extension
CAs frequently reissue certificates with different validity periods, CAs frequently reissue certificates with different validity periods,
signature algorithms (such as an different hash algorithm in the signature algorithms (such as a different hash algorithm in the
signature algorithm), CA key pairs (such as for a cross-certificate), signature algorithm), CA key pairs (such as for a cross-certificate),
or PKIX extensions where the public key and subject remain the same. or PKIX extensions where the public key and subject remain the same.
These reissued certificates are the certificates TLS client can use These reissued certificates are the certificates that the TLS client
in place of an original certificate. can use in place of an original certificate.
Clients are known to exchange or remove certificates that could cause Clients are known to exchange or remove certificates that could cause
TLSA certificate associations that rely on the full certificate to TLSA certificate associations that rely on the full certificate to
fail. For example: fail. For example:
o The client considers the signature algorithm of a certificate to o The client considers the signature algorithm of a certificate to
no longer be sufficiently secure no longer be sufficiently secure.
o The client might not have an associated root certificate in its o The client might not have an associated root certificate in its
trust store and instead uses a cross-certificate with an identical trust store and instead uses a cross-certificate with an identical
subject and public key. subject and public key.
A.1.2. Choosing a Selector Type A.1.2. Choosing a Selector Type
In this section, "false-negative failure" means that a client will In this section, "false-negative failure" means that a client will
not accept the TLSA certificate association for a certificate not accept the TLSA certificate association for a certificate
designated by DNS administrator. Also, "false-positive acceptance" designated by the DNS administrator. Also, "false-positive
means that the client accepts a TLSA association for a certificate acceptance" means that the client accepts a TLSA association for a
that is not designated by the DNS administrator. certificate that is not designated by the DNS administrator.
A.1.2.1. Selector Type 0 (Full Certificate) A.1.2.1. Selector Type 0 (Full Certificate)
The "Full certificate" selector provides the most precise The "Full certificate" selector provides the most precise
specification of a TLSA certificate association, capturing all fields specification of a TLSA certificate association, capturing all
of the PKIX certificate. For a DNS administrator, the best course to fields of the PKIX certificate. For a DNS administrator, the best
avoid false-negative failures in the client when using this selector course to avoid false-negative failures in the client when using this
is: selector is:
1. If a CA issued a replacement certificate, don't associate to CA 1. If a CA issued a replacement certificate, don't associate to CA
certificates that have a signature algorithm with a hash that is certificates that have a signature algorithm with a hash that is
considered weak by local policy. considered weak by local policy.
2. Determine how common client applications process the TLSA 2. Determine how common client applications process the TLSA
certificate association using a fresh client installation, that certificate association using a fresh client installation -- that
is, with the local certificate cache empty. is, with the local certificate cache empty.
A.1.2.2. Selector Type 1 (SubjectPublicKeyInfo) A.1.2.2. Selector Type 1 (SubjectPublicKeyInfo)
A SubjectPublicKeyInfo selector gives greater flexibility in avoiding A SubjectPublicKeyInfo selector gives greater flexibility in avoiding
some false-negative failures caused by trust-chain-building some false-negative failures caused by trust-chain-building
algorithms used in clients. algorithms used in clients.
One specific use-case ought to be noted: creating a TLSA certificate One specific use case ought to be noted: creating a TLSA certificate
association to CA certificate I1 that directly signed end entity association to CA certificate I1 that directly signed end entity
certificate S1 of the server. The case can be illustrated by certificate S1 of the server. The case can be illustrated by the
following graph: following graph:
+----+ +----+ +----+ +----+
| I1 | | I2 | | I1 | | I2 |
+----+ +----+ +----+ +----+
| | | |
v v v v
+----+ +----+ +----+ +----+
| S1 | | S1 | | S1 | | S1 |
+----+ +----+ +----+ +----+
Certificate chain sent by A different validation path Certificate chain sent by A different validation path
server in TLS handshake built by the TLS client server in TLS handshake built by the TLS client
I2 is a reissued version of CA certificate I1 (that is, it has a I2 is a reissued version of CA certificate I1 (that is, it has a
different hash in its signature algorithm). different hash in its signature algorithm).
In the above scenario, both certificates I1 and I2 that sign S1 need In the above scenario, both certificates I1 and I2 that sign S1 need
to have identical SubjectPublicKeyInfos because the key used to sign to have identical SubjectPublicKeyInfo fields because the key used to
S1 is fixed. An association to SubjectPublicKeyInfo (selector type sign S1 is fixed. An association to SubjectPublicKeyInfo (selector
1) will always succeed in such a case, but an association with a full type 1) will always succeed in such a case, but an association with a
certificate (selector type 0) might not work due to a false-negative full certificate (selector type 0) might not work due to a false-
failure. negative failure.
The attack surface is a bit broader compared to "full certificate" The attack surface is a bit broader compared to the "Full
selector: the DNS administrator might unintentionally specify an certificate" selector: the DNS administrator might unintentionally
association that would lead to false-positive acceptance. specify an association that would lead to false-positive acceptance.
o The administrator must know or trust that the CA does not engage o The administrator must know or trust that the CA does not engage
in bad practices, such as not sharing the key of I1 for unrelated in bad practices, such as not sharing the key of I1 for unrelated
CA certificates leading to trust-chain redirect. If possible, the CA certificates (which would lead to trust-chain redirection). If
administrator ought to review all CA certificates that have the possible, the administrator ought to review all CA certificates
same SPKI. that have the same SubjectPublicKeyInfo field.
o The administrator ought to understand whether some PKIX extension o The administrator ought to understand whether some PKIX extension
may adversely affect security of the association. If possible, may adversely affect security of the association. If possible,
administrators ought to review all CA certificates that share the administrators ought to review all CA certificates that share the
SubjectPublicKeyInfo. SubjectPublicKeyInfo.
o The administrator ought to understand that any CA could, in the o The administrator ought to understand that any CA could, in the
future, issue a certificate that contains the same future, issue a certificate that contains the same
SubjectPublicKeyInfo. Therefore, new chains can crop up in the SubjectPublicKeyInfo. Therefore, new chains can crop up in the
future without any warning. future without any warning.
skipping to change at page 29, line 40 skipping to change at page 29, line 44
; TLSA record in both the original and target domain ; TLSA record in both the original and target domain
; ;
sub5.example.com. IN CNAME sub6.example.com. sub5.example.com. IN CNAME sub6.example.com.
_443._tcp.sub5.example.com. IN TLSA 1 1 1 308202c5308201ab... _443._tcp.sub5.example.com. IN TLSA 1 1 1 308202c5308201ab...
sub6.example.com. IN A 192.0.2.1 sub6.example.com. IN A 192.0.2.1
sub6.example.com. IN AAAA 2001:db8::1 sub6.example.com. IN AAAA 2001:db8::1
_443._tcp.sub6.example.com. IN TLSA 1 1 1 ac49d9ba4570ac49... _443._tcp.sub6.example.com. IN TLSA 1 1 1 ac49d9ba4570ac49...
In this example, someone looking for the TLSA record for In this example, someone looking for the TLSA record for
sub5.example.com would always get the record whose value starts sub5.example.com would always get the record whose value starts with
"308202c5308201ab"; the TLSA record whose value starts "308202c5308201ab"; the TLSA record whose value starts with
"ac49d9ba4570ac49" would only be sought by someone who is looking for "ac49d9ba4570ac49" would only be sought by someone who is looking for
the TLSA record for sub6.example.com, and never for sub5.example.com. the TLSA record for sub6.example.com, and never for sub5.example.com.
Note that deploying different certificates for multiple services Note that deploying different certificates for multiple services
located at a shared TLS listener often requires the use of TLS SNI located at a shared TLS listener often requires the use of TLS SNI
(Server Name Indication) [RFC6066]. (Server Name Indication) [RFC6066].
Note that these methods use the normal method for DNS aliasing using Note that these methods use the normal method for DNS aliasing using
CNAME: the DNS client requests the record type that they actually CNAME: the DNS client requests the record type that they actually
want. want.
skipping to change at page 31, line 7 skipping to change at page 31, line 16
TLSA records include: TLSA records include:
o The application can have its own DNS resolver and DNSSEC o The application can have its own DNS resolver and DNSSEC
validation stack. validation stack.
o The application can communicate through a trusted channel (such as o The application can communicate through a trusted channel (such as
requests to the operating system under which the application is requests to the operating system under which the application is
running) to a local DNS resolver that does DNSSEC validation. running) to a local DNS resolver that does DNSSEC validation.
o The application can communicate through a secured channel (such as o The application can communicate through a secured channel (such as
requests running over TLS, IPsec, TSIG or SIG(0)) to a non-local requests running over TLS, IPsec, TSIG, or SIG(0)) to a non-local
DNS resolver that does DNSSEC validation. DNS resolver that does DNSSEC validation.
o The application can communicate through a secured channel (such as o The application can communicate through a secured channel (such as
requests running over TLS, IPsec, TSIG or SIG(0)) to a non-local requests running over TLS, IPsec, TSIG, or SIG(0)) to a non-local
DNS resolver that does not do DNSSEC validation, but gets DNS resolver that does not do DNSSEC validation, but gets
responses through a secured channel from a different DNS resolver responses through a secured channel from a different DNS resolver
that does DNSSEC validation. that does DNSSEC validation.
A.4. Handling Certificate Rollover A.4. Handling Certificate Rollover
Certificate rollover is handled in much the same was as for rolling Certificate rollover is handled in much the same way as for rolling
DNSSEC zone signing keys using the pre-publish key rollover method DNSSEC zone signing keys using the pre-publish key rollover method
[RFC4641]. Suppose example.com has a single TLSA record for a TLS [RFC4641]. Suppose example.com has a single TLSA record for a TLS
service on TCP port 990: service on TCP port 990:
_990._tcp.example.com IN TLSA 1 1 1 1CFC98A706BCF3683015... _990._tcp.example.com IN TLSA 1 1 1 1CFC98A706BCF3683015...
To start the rollover process, obtain or generate the new certificate To start the rollover process, obtain or generate the new certificate
or SubjectPublicKeyInfo to be used after the rollover and generate or SubjectPublicKeyInfo to be used after the rollover and generate
the new TLSA record. Add that record alongside the old one: the new TLSA record. Add that record alongside the old one:
skipping to change at page 31, line 43 skipping to change at page 32, line 7
nameservers and the TTL of the old record has expired, switch to the nameservers and the TTL of the old record has expired, switch to the
new certificate on the TLS server. Once this has occurred, the old new certificate on the TLS server. Once this has occurred, the old
TLSA record can be removed: TLSA record can be removed:
_990._tcp.example.com IN TLSA 1 1 1 62D5414CD1CC657E3D30... _990._tcp.example.com IN TLSA 1 1 1 62D5414CD1CC657E3D30...
This completes the certificate rollover. This completes the certificate rollover.
Appendix B. Pseudocode for Using TLSA Appendix B. Pseudocode for Using TLSA
This appendix describes the interactions given earlier in this This appendix describes, in pseudocode format, the interactions given
specification in pseudocode format. If the steps below disagree with earlier in this specification. If the steps below disagree with the
the text earlier in the document, the steps earlier in the document text earlier in the document, the steps earlier in the document ought
ought to be considered correct and this text incorrect. to be considered correct and this text incorrect.
Note that this pseudocode is more strict than the normative text. Note that this pseudocode is more strict than the normative text.
For instance, it forces an order on the evaluation of criteria which For instance, it forces an order on the evaluation of criteria, which
is not mandatory from the normative text. is not mandatory from the normative text.
B.1. Helper Functions B.1. Helper Functions
// implement the function for exiting // implement the function for exiting
function Finish (F) = { function Finish (F) = {
if (F == ABORT_TLS) { if (F == ABORT_TLS) {
abort the TLS handshake or prevent TLS from starting abort the TLS handshake or prevent TLS from starting
exit exit
} }
skipping to change at page 33, line 15 skipping to change at page 33, line 24
} }
// SHA-512 hash of selected content // SHA-512 hash of selected content
if (M == 2) { if (M == 2) {
return (SHA-512(X) == Y) return (SHA-512(X) == Y)
} }
// unreachable // unreachable
} }
B.2. Main TLSA Pseudo Code B.2. Main TLSA Pseudocode
TLS connect using [transport] to [name] on [port] and receiving end TLS connect using [transport] to [name] on [port] and receiving end
entity cert C for the TLS server: entity cert C for the TLS server:
(TLSArecords, ValState) = DNSSECValidatedLookup( (TLSArecords, ValState) = DNSSECValidatedLookup(
domainname=_[port]._[transport].[name], RRtype=TLSA) domainname=_[port]._[transport].[name], RRtype=TLSA)
// check for states that would change processing // check for states that would change processing
if (ValState == BOGUS) { if (ValState == BOGUS) {
Finish(ABORT_TLS) Finish(ABORT_TLS)
skipping to change at page 33, line 43 skipping to change at page 34, line 4
// unusable records include unknown certUsage, unknown // unusable records include unknown certUsage, unknown
// selectorType, unknown matchingType, erroneous RDATA, and // selectorType, unknown matchingType, erroneous RDATA, and
// prohibited by local policy // prohibited by local policy
if (R is unusable) { if (R is unusable) {
remove R from TLSArecords remove R from TLSArecords
} }
} }
if (length(TLSArecords) == 0) { if (length(TLSArecords) == 0) {
Finish(NO_TLSA) Finish(NO_TLSA)
} }
// A TLS client might have multiple trust anchors that it might use // A TLS client might have multiple trust anchors that it might use
// when validating the TLS server's end entity certificate. Also, // when validating the TLS server's end entity (EE) certificate.
// there can be multiple PKIX certification paths for the // Also, there can be multiple PKIX certification paths for the
// certificates given by the server in TLS. Thus, there are // certificates given by the server in TLS. Thus, there are
// possibly many chains that might need to be tested during // possibly many chains that might need to be tested during
// PKIX path validation. // PKIX path validation.
for each R in TLSArecords { for each R in TLSArecords {
// pass PKIX certificate validation and chain through a CA cert // pass PKIX certificate validation and chain through a CA cert
// that comes from TLSA // that comes from TLSA
if (R.certUsage == 0) { if (R.certUsage == 0) {
for each PKIX certification path H { for each PKIX certification path H {
if (C passes PKIX certification path validation in H) { if (C passes PKIX certification path validation in H) {
skipping to change at page 35, line 17 skipping to change at page 35, line 28
} }
// if here, then none of the TLSA records ended in "Finish(ACCEPT)" // if here, then none of the TLSA records ended in "Finish(ACCEPT)"
// so abort TLS // so abort TLS
Finish(ABORT_TLS) Finish(ABORT_TLS)
Appendix C. Examples Appendix C. Examples
The following are examples of self-signed certificates that have been The following are examples of self-signed certificates that have been
been generated with various selectors and matching types. They were generated with various selectors and matching types. They were
generated with one piece of software, and validated by an individual generated with one piece of software, and validated by an individual
using other tools. using other tools.
S = Selector S = Selector
M = Matching Type M = Matching Type
S M Association Data S M Association Data
0 0 30820454308202BC020900AB58D24E77AD2AF6300D06092A86 0 0 30820454308202BC020900AB58D24E77AD2AF6300D06092A86
4886F70D0101050500306C310B3009060355040613024E4C31163014 4886F70D0101050500306C310B3009060355040613024E4C31163014
0603550408130D4E6F6F72642D486F6C6C616E643112301006035504 0603550408130D4E6F6F72642D486F6C6C616E643112301006035504
skipping to change at page 37, line 10 skipping to change at page 37, line 17
1 2 D43165B4CDF8F8660AECCCC5344D9D9AE45FFD7E6AAB7AB9EE 1 2 D43165B4CDF8F8660AECCCC5344D9D9AE45FFD7E6AAB7AB9EE
C169B58E11F227ED90C17330CC17B5CCEF0390066008C720CEC6AAE5 C169B58E11F227ED90C17330CC17B5CCEF0390066008C720CEC6AAE5
33A934B3A2D7E232C94AB4 33A934B3A2D7E232C94AB4
Authors' Addresses Authors' Addresses
Paul Hoffman Paul Hoffman
VPN Consortium VPN Consortium
Email: paul.hoffman@vpnc.org EMail: paul.hoffman@vpnc.org
Jakob Schlyter Jakob Schlyter
Kirei AB Kirei AB
Email: jakob@kirei.se EMail: jakob@kirei.se
 End of changes. 106 change blocks. 
279 lines changed or deleted 273 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/