draft-ietf-dane-srv-10.txt   draft-ietf-dane-srv-11.txt 
DNS-Based Authentication of Named Entities (DANE) T. Finch DNS-Based Authentication of Named Entities (DANE) T. Finch
Internet-Draft University of Cambridge Internet-Draft University of Cambridge
Intended status: Standards Track M. Miller Intended status: Standards Track M. Miller
Expires: August 20, 2015 Cisco Systems, Inc. Expires: August 21, 2015 Cisco Systems, Inc.
P. Saint-Andre P. Saint-Andre
&yet &yet
February 16, 2015 February 17, 2015
Using DNS-Based Authentication of Named Entities (DANE) TLSA Records Using DNS-Based Authentication of Named Entities (DANE) TLSA Records
with SRV Records with SRV Records
draft-ietf-dane-srv-10 draft-ietf-dane-srv-11
Abstract Abstract
The DANE specification (RFC 6698) describes how to use TLSA resource The DANE specification (RFC 6698) describes how to use TLSA resource
records secured by DNSSEC (RFC 4033) to associate a server's records secured by DNSSEC (RFC 4033) to associate a server's
connection endpoint with its TLS certificate. However, application connection endpoint with its TLS certificate. However, application
protocols that use SRV records (RFC 2782) to indirectly name the protocols that use SRV records (RFC 2782) to indirectly name the
target server connection endpoints for a service domain cannot apply target server connection endpoints for a service domain cannot apply
the rules from RFC 6698. Therefore this document provides guidelines the rules from RFC 6698. Therefore this document provides guidelines
that enable such protocols to locate and use TLSA records. that enable such protocols to locate and use TLSA records.
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 20, 2015. This Internet-Draft will expire on August 21, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 4, line 21 skipping to change at page 4, line 21
When the client makes an SRV query, a successful result will When the client makes an SRV query, a successful result will
typically be a list of one or more SRV records (or possibly a chain typically be a list of one or more SRV records (or possibly a chain
of CNAME / DNAME aliases leading to such a list). of CNAME / DNAME aliases leading to such a list).
NOTE: Implementers need to be aware that unsuccessful results can NOTE: Implementers need to be aware that unsuccessful results can
occur because of various DNS-related errors; guidance on avoiding occur because of various DNS-related errors; guidance on avoiding
downgrade attacks can be found in Section 2.1 of downgrade attacks can be found in Section 2.1 of
[I-D.ietf-dane-smtp-with-dane]. [I-D.ietf-dane-smtp-with-dane].
For this specification to apply, the entire DNS RRset that is For this specification to apply, the entire chain of DNS RRset(s)
returned MUST be "secure" according to DNSSEC validation (Section 5 returned MUST be "secure" according to DNSSEC validation (Section 5
of [RFC4035]). In the case where the answer is obtained via a chain of [RFC4035]). In the case where the answer is obtained via a chain
of CNAME and/or DNAME aliases, the whole chain of CNAME and DNAME of CNAME and/or DNAME aliases, the whole chain of CNAME and DNAME
RRsets MUST also be secure. RRsets MUST also be secure.
If the SRV lookup fails because the RRset is "bogus" (or the lookup If the SRV lookup fails because the RRset is "bogus" (or the lookup
fails for reasons other than no records), the client MUST abort its fails for reasons other than no records), the client MUST abort its
attempt to connect to the desired service. If the lookup result is attempt to connect to the desired service. If the lookup result is
"insecure" (or no SRV records exist), this protocol does not apply "insecure" (or no SRV records exist), this protocol does not apply
and the client SHOULD fall back to its non-DNSSEC, non-DANE (and and the client SHOULD fall back to its non-DNSSEC, non-DANE (and
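Review bot: The revised first sentence ("the entire chain of DNS RRset(s) returned MUST be 'secure'") now overlaps with the sentence that follows it, which separately requires that "the whole chain of CNAME and DNAME RRsets MUST also be secure"; once the first sentence already covers the chain, the "also" in the second reads as redundant and it is unclear whether "chain of DNS RRset(s)" means only the alias RRsets or the SRV RRset plus the alias RRsets. Consider either keeping the first sentence narrow ("the SRV RRset that is returned MUST be 'secure'") and letting the second sentence cover the alias case, or folding the two into one requirement such as "the SRV RRset, and every CNAME or DNAME RRset traversed to reach it, MUST be 'secure' according to DNSSEC validation". The "(s)" also sits awkwardly next to "entire chain"; "every RRset in the chain" would avoid it. The rest of the region is consistent: "bogus" (or any failure other than an empty answer) leads to a hard abort, and only "insecure" or an empty answer falls through to the non-DANE path, which matches the downgrade guidance the NOTE points to in [I-D.ietf-dane-smtp-with-dane].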
 End of changes. 5 change blocks. 
5 lines changed or deleted 5 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/