draft-ietf-dane-srv-09.txt   draft-ietf-dane-srv-10.txt 
DNS-Based Authentication of Named Entities (DANE) T. Finch DNS-Based Authentication of Named Entities (DANE) T. Finch
Internet-Draft University of Cambridge Internet-Draft University of Cambridge
Intended status: Standards Track M. Miller Intended status: Standards Track M. Miller
Expires: August 17, 2015 Cisco Systems, Inc. Expires: August 20, 2015 Cisco Systems, Inc.
P. Saint-Andre P. Saint-Andre
&yet &yet
February 13, 2015 February 16, 2015
Using DNS-Based Authentication of Named Entities (DANE) TLSA Records Using DNS-Based Authentication of Named Entities (DANE) TLSA Records
with SRV Records with SRV Records
draft-ietf-dane-srv-09 draft-ietf-dane-srv-10
Abstract Abstract
The DANE specification (RFC 6698) describes how to use TLSA resource The DANE specification (RFC 6698) describes how to use TLSA resource
records secured by DNSSEC (RFC 4033) to associate a server's records secured by DNSSEC (RFC 4033) to associate a server's
connection endpoint with its TLS certificate. However, application connection endpoint with its TLS certificate. However, application
protocols that use SRV records (RFC 2782) to indirectly name the protocols that use SRV records (RFC 2782) to indirectly name the
target server connection endpoints for a service domain cannot apply target server connection endpoints for a service domain cannot apply
the rules from RFC 6698. Therefore this document provides guidelines the rules from RFC 6698. Therefore this document provides guidelines
that enable such protocols to locate and use TLSA records. that enable such protocols to locate and use TLSA records.
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 17, 2015. This Internet-Draft will expire on August 20, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 39 skipping to change at page 3, line 39
server host name, as detailed in [I-D.ietf-dane-ops]. server host name, as detailed in [I-D.ietf-dane-ops].
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this memo are to be interpreted as described in "OPTIONAL" in this memo are to be interpreted as described in
[RFC2119]. [RFC2119].
This draft uses the definitions for "secure", "insecure", "bogus", This draft uses the definitions for "secure", "insecure", "bogus",
and "indeterminate" from [RFC4035]. This draft uses the acronyms and "indeterminate" from Section 4.3 of [RFC4035]. This draft uses
from [RFC7218] for the values of TLSA fields where appropriate. the acronyms from [RFC7218] for the values of TLSA fields where
appropriate.
Additionally, this document uses the following terms: Additionally, this document uses the following terms:
connection endpoint: A tuple of a fully qualified DNS host name, connection endpoint: A tuple of a fully qualified DNS host name,
transport protocol, and port number that a client uses to transport protocol, and port number that a client uses to
establish a connection to the target server. establish a connection to the target server.
service domain: The fully qualified DNS domain name that identifies service domain: The fully qualified DNS domain name that identifies
an application service; corresponds to the term "source domain" an application service; corresponds to the term "source domain"
from [RFC6125]. from [RFC6125].
skipping to change at page 4, line 27 skipping to change at page 4, line 27
occur because of various DNS-related errors; guidance on avoiding occur because of various DNS-related errors; guidance on avoiding
downgrade attacks can be found in Section 2.1 of downgrade attacks can be found in Section 2.1 of
[I-D.ietf-dane-smtp-with-dane]. [I-D.ietf-dane-smtp-with-dane].
For this specification to apply, the entire DNS RRset that is For this specification to apply, the entire DNS RRset that is
returned MUST be "secure" according to DNSSEC validation (Section 5 returned MUST be "secure" according to DNSSEC validation (Section 5
of [RFC4035]). In the case where the answer is obtained via a chain of [RFC4035]). In the case where the answer is obtained via a chain
of CNAME and/or DNAME aliases, the whole chain of CNAME and DNAME of CNAME and/or DNAME aliases, the whole chain of CNAME and DNAME
RRsets MUST also be secure. RRsets MUST also be secure.
If the lookup result is "insecure" (or no SRV records are located), If the SRV lookup fails because the RRset is "bogus" (or the lookup
this protocol does not apply and the client SHOULD fall back to its fails for reasons other than no records), the client MUST abort its
non-DNSSEC, non-DANE (and possibly non-SRV) behavior. If the SRV attempt to connect to the desired service. If the lookup result is
lookup fails because the RRset is "bogus", the client MUST abort its "insecure" (or no SRV records exist), this protocol does not apply
attempt to connect to the desired service. and the client SHOULD fall back to its non-DNSSEC, non-DANE (and
possibly non-SRV) behavior.
When the lookup returns a "secure" RRset (possibly via a chain of When the lookup returns a "secure" RRset (possibly via a chain of
"secure" CNAME/DNAME records), the client now has an authentic list "secure" CNAME/DNAME records), the client now has an authentic list
of target server connection endpoints with weight and priority of target server connection endpoints with weight and priority
values. It performs server ordering and selection using the weight values. It performs server ordering and selection using the weight
and priority values without regard to the presence or absence of and priority values without regard to the presence or absence of
DNSSEC or TLSA records. It also takes note of the DNSSEC validation DNSSEC or TLSA records. It also takes note of the DNSSEC validation
status of the SRV response for use when checking certificate names status of the SRV response for use when checking certificate names
(see Section 4). The client can then proceed to making address (see Section 4). The client can then proceed to making address
queries on the target server host names as described in the following queries on the target server host names as described in the following
skipping to change at page 5, line 41 skipping to change at page 5, line 45
The client SHALL determine if the TLSA records returned in the The client SHALL determine if the TLSA records returned in the
previous step are usable according to Section 4.1 of [RFC6698]. This previous step are usable according to Section 4.1 of [RFC6698]. This
affects the use TLS as follows: affects the use TLS as follows:
o If the TLSA response is "secure" and usable, then the client MUST o If the TLSA response is "secure" and usable, then the client MUST
use TLS when connecting to the target server. The TLSA records use TLS when connecting to the target server. The TLSA records
are used when validating the server's certificate as described in are used when validating the server's certificate as described in
Section 4. Section 4.
o If the TLSA lookup fails, then the client SHALL proceed as if the o If the TLSA response is "bogus" or "indeterminate" (or the lookup
target server had no TLSA records. It MAY connect to the target fails for reasons other than no records), then the client MUST NOT
server with or without TLS, subject to the policies of the connect to the target server (the client can still use other SRV
application protocol or client implementation. targets).
o If the TLSA response is "bogus" or "indeterminate", then the o If the TLSA response is "insecure" (or no TLSA records exist),
client MUST NOT connect to the target server (the client can still then the client SHALL proceed as if the target server had no TLSA
use other SRV targets). records. It MAY connect to the target server with or without TLS,
subject to the policies of the application protocol or client
implementation.
4. TLS Checks 4. TLS Checks
When connecting to a server, the client MUST use TLS if the responses When connecting to a server, the client MUST use TLS if the responses
to the SRV and TLSA queries were "secure" as described above. The to the SRV and TLSA queries were "secure" as described above. The
rules described in the next two sections apply to such secure rules described in the next two sections apply to such secure
responses; Section 4.2 where there is at least one usable TLSA responses; Section 4.2 where there is at least one usable TLSA
record, and Section 4.1 otherwise. record, and Section 4.1 otherwise.
4.1. SRV Records Only 4.1. SRV Records Only
skipping to change at page 10, line 50 skipping to change at page 10, line 50
Protocol: TLSA", RFC 6698, August 2012. Protocol: TLSA", RFC 6698, August 2012.
[RFC7218] Gudmundsson, O., "Adding Acronyms to Simplify [RFC7218] Gudmundsson, O., "Adding Acronyms to Simplify
Conversations about DNS-Based Authentication of Named Conversations about DNS-Based Authentication of Named
Entities (DANE)", RFC 7218, April 2014. Entities (DANE)", RFC 7218, April 2014.
11.2. Informative References 11.2. Informative References
[I-D.ietf-dane-smtp-with-dane] [I-D.ietf-dane-smtp-with-dane]
Dukhovni, V. and W. Hardaker, "SMTP security via Dukhovni, V. and W. Hardaker, "SMTP security via
opportunistic DANE TLS", draft-ietf-dane-smtp-with-dane-10 opportunistic DANE TLS", draft-ietf-dane-smtp-with-dane-13
(work in progress), May 2014. (work in progress), October 2014.
[I-D.ietf-xmpp-dna] [I-D.ietf-xmpp-dna]
Saint-Andre, P. and M. Miller, "Domain Name Associations Saint-Andre, P. and M. Miller, "Domain Name Associations
(DNA) in the Extensible Messaging and Presence Protocol (DNA) in the Extensible Messaging and Presence Protocol
(XMPP)", draft-ietf-xmpp-dna-05 (work in progress), (XMPP)", draft-ietf-xmpp-dna-08 (work in progress),
February 2014. October 2014.
[RFC3403] Mealling, M., "Dynamic Delegation Discovery System (DDDS) [RFC3403] Mealling, M., "Dynamic Delegation Discovery System (DDDS)
Part Three: The Domain Name System (DNS) Database", RFC Part Three: The Domain Name System (DNS) Database", RFC
3403, October 2002. 3403, October 2002.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
October 2008. October 2008.
[RFC6120] Saint-Andre, P., "Extensible Messaging and Presence [RFC6120] Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Core", RFC 6120, March 2011. Protocol (XMPP): Core", RFC 6120, March 2011.
 End of changes. 10 change blocks. 
22 lines changed or deleted 26 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/