draft-ietf-dane-srv-11.txt vs. draft-ietf-dane-srv-12.txt
(rfcdiff output; text common to both drafts appears once, and where the
drafts differ the old text is prefixed "-11:" and the new text "-12:")
DNS-Based Authentication of Named Entities (DANE)              T. Finch
Internet-Draft                                   University of Cambridge
Intended status: Standards Track                               M. Miller
-11: Expires: August 21, 2015                        Cisco Systems, Inc.
-12: Expires: September 24, 2015                     Cisco Systems, Inc.
                                                          P. Saint-Andre
                                                                    &yet
-11:                                                   February 17, 2015
-12:                                                      March 23, 2015

   Using DNS-Based Authentication of Named Entities (DANE) TLSA Records
                            with SRV Records
-11:                       draft-ietf-dane-srv-11
-12:                       draft-ietf-dane-srv-12
Abstract

   The DANE specification (RFC 6698) describes how to use TLSA resource
   records secured by DNSSEC (RFC 4033) to associate a server's
   connection endpoint with its TLS certificate.  However, application
   protocols that use SRV records (RFC 2782) to indirectly name the
   target server connection endpoints for a service domain cannot apply
   the rules from RFC 6698.  Therefore this document provides guidelines
   that enable such protocols to locate and use TLSA records.
[skipping to change at page 1, line 40]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-11:   This Internet-Draft will expire on August 21, 2015.
-12:   This Internet-Draft will expire on September 24, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
[skipping to change at page 5, line 38]

   _imap._tcp.example.com. 86400 IN SRV 10 0 9143 imap.example.net.

   leads to the TLSA query shown below:

   _9143._tcp.imap.example.net. IN TLSA ?

3.4.  Impact on TLS Usage

   The client SHALL determine if the TLSA records returned in the
   previous step are usable according to Section 4.1 of [RFC6698].  This
-11:   affects the use TLS as follows:
-12:   affects the use of TLS as follows:

   o  If the TLSA response is "secure" and usable, then the client MUST
      use TLS when connecting to the target server.  The TLSA records
      are used when validating the server's certificate as described in
      Section 4.

   o  If the TLSA response is "bogus" or "indeterminate" (or the lookup
      fails for reasons other than no records), then the client MUST NOT
      connect to the target server (the client can still use other SRV
      targets).
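As an added illustration (not part of the draft), the following Python derives the TLSA owner name for each SRV target in the form shown above (_port._tcp.target) and applies the Section 3.4 rules to constructed resolver results; it also rejects an SRV owner name that lacks the _Proto label, the defect corrected in the XMPP example of -12. The resolver map, the "backup" target, the mapping of a failed lookup to the "error" status, and the fallback for outcomes this excerpt does not cover are assumptions.

```python
import re

# Presentation-format SRV record; TTL and class optional, as in the draft.
SRV_RE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
                    r"(?P<prio>\d+)\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)$")
# RFC 2782 owner names are _Service._Proto.Name: two leading underscore labels.
OWNER_RE = re.compile(r"^_[^.]+\._[^.]+\..+\.$")

def parse_srv(line):
    """Parse one SRV record; reject owner names that lack the _Proto label."""
    m = SRV_RE.match(line.strip())
    if not m:
        raise ValueError("not an SRV record: " + line)
    if not OWNER_RE.match(m["owner"]):
        raise ValueError("SRV owner lacks _Service._Proto labels: " + m["owner"])
    return {"owner": m["owner"], "priority": int(m["prio"]),
            "port": int(m["port"]), "target": m["target"]}

def tlsa_name(srv):
    """TLSA owner name for an SRV target: _<port>.<_proto>.<target>."""
    proto = srv["owner"].split(".")[1]  # e.g. "_tcp"
    return f"_{srv['port']}.{proto}.{srv['target']}"

def tls_policy(status, usable):
    """Section 3.4 rule for one TLSA answer (DNSSEC status, RFC 6698 usability)."""
    if status == "secure" and usable:
        return "MUST use TLS; validate the certificate with the TLSA records"
    if status in ("bogus", "indeterminate", "error"):
        return "MUST NOT connect to this target; other SRV targets may be tried"
    # Insecure answers, no records and secure-but-unusable records are not
    # covered by the excerpt above; this fallback is an assumption.
    return "no DANE: apply the application protocol's default TLS policy"

def plan_connections(srv_lines, resolver):
    """(target, port, tlsa_name, decision) per SRV target, in priority order.
    resolver: constructed map tlsa_name -> (dnssec_status, usable)."""
    plan = []
    for srv in sorted(map(parse_srv, srv_lines), key=lambda s: s["priority"]):
        name = tlsa_name(srv)
        status, usable = resolver.get(name, ("nodata", False))
        plan.append((srv["target"], srv["port"], name, tls_policy(status, usable)))
    return plan

# Constructed sample: the draft's IMAP record plus a hypothetical backup
# target whose TLSA RRset fails DNSSEC validation ("bogus").
SRV_LINES = ["_imap._tcp.example.com. 86400 IN SRV 10 0 9143 imap.example.net.",
             "_imap._tcp.example.com. 86400 IN SRV 20 0 993 backup.example.net."]
RESOLVER = {"_9143._tcp.imap.example.net.": ("secure", True),
            "_993._tcp.backup.example.net.": ("bogus", False)}
```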
[skipping to change at page 10, line 50]

              Protocol: TLSA", RFC 6698, August 2012.

   [RFC7218]  Gudmundsson, O., "Adding Acronyms to Simplify
              Conversations about DNS-Based Authentication of Named
              Entities (DANE)", RFC 7218, April 2014.

11.2.  Informative References

   [I-D.ietf-dane-smtp-with-dane]
-11:          Dukhovni, V. and W. Hardaker, "SMTP security via
-11:          opportunistic DANE TLS", draft-ietf-dane-smtp-with-dane-13
-11:          (work in progress), October 2014.
-12:          Dukhovni, V. and W. Hardaker, "SMTP security via
-12:          opportunistic DANE TLS", draft-ietf-dane-smtp-with-dane-15
-12:          (work in progress), March 2015.

   [I-D.ietf-xmpp-dna]
-11:          Saint-Andre, P. and M. Miller, "Domain Name Associations
-11:          (DNA) in the Extensible Messaging and Presence Protocol
-11:          (XMPP)", draft-ietf-xmpp-dna-08 (work in progress),
-11:          October 2014.
-12:          Saint-Andre, P., Miller, M., and P. Hancke, "Domain Name
-12:          Associations (DNA) in the Extensible Messaging and
-12:          Presence Protocol (XMPP)", draft-ietf-xmpp-dna-09 (work in
-12:          progress), February 2015.

   [RFC3403]  Mealling, M., "Dynamic Delegation Discovery System (DDDS)
              Part Three: The Domain Name System (DNS) Database", RFC
              3403, October 2002.

   [RFC5321]  Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
              October 2008.

   [RFC6120]  Saint-Andre, P., "Extensible Messaging and Presence
              Protocol (XMPP): Core", RFC 6120, March 2011.
[skipping to change at page 12, line 8]

   _9143._tcp.imap.example.net. RRSIG TLSA ...

   Mail messages received for addresses at example.com are retrieved via
   IMAP at imap.example.net.  Connections to imap.example.net port 9143
   that use STARTTLS will get a server certificate that authenticates
   the name imap.example.net.

A.2.  XMPP

   ; XMPP domain
-11:   _xmpp-client.example.com. SRV 1 0 5222 im.example.net.
-11:   _xmpp-client.example.com. RRSIG SRV ...
-12:   _xmpp-client._tcp.example.com. SRV 1 0 5222 im.example.net.
-12:   _xmpp-client._tcp.example.com. RRSIG SRV ...

   ; target server host name
   im.example.net. A 192.0.2.3
   im.example.net. RRSIG A ...
   im.example.net. AAAA 2001:db8:212:8::e:4
   im.example.net. RRSIG AAAA ...

   ; TLSA resource record
   _5222._tcp.im.example.net. TLSA ...
End of changes.  8 change blocks.
13 lines changed or deleted; 13 lines changed or added.

This html diff was produced by rfcdiff 1.42.  The latest version is
available from http://tools.ietf.org/tools/rfcdiff/