1 Internet Engineering Task Force (IETF) P. Hoffman
2 Request for Comments: 6698 VPN Consortium
3 Category: Standards Track J. Schlyter
4 ISSN: 2070-1721 Kirei AB
5 August 2012
6
7
8 The DNS-Based Authentication of Named Entities (DANE)
9 Transport Layer Security (TLS) Protocol: TLSA
10
11 Abstract
12
13 Encrypted communication on the Internet often uses Transport Layer
14 Security (TLS), which depends on third parties to certify the keys
15 used. This document improves on that situation by enabling the
16 administrators of domain names to specify the keys used in that
17 domain's TLS servers. This requires matching improvements in TLS
18 client software, but no change in TLS server software.
19
20 Status of This Memo
21
22 This is an Internet Standards Track document.
23
24 This document is a product of the Internet Engineering Task Force
25 (IETF). It represents the consensus of the IETF community. It has
26 received public review and has been approved for publication by the
27 Internet Engineering Steering Group (IESG). Further information on
28 Internet Standards is available in Section 2 of RFC 5741.
29
30 Information about the current status of this document, any errata,
31 and how to provide feedback on it may be obtained at
32 http://www.rfc-editor.org/info/rfc6698.
33
34 Copyright Notice
35
36 Copyright (c) 2012 IETF Trust and the persons identified as the
37 document authors. All rights reserved.
38
39 This document is subject to BCP 78 and the IETF Trust's Legal
40 Provisions Relating to IETF Documents
41 (http://trustee.ietf.org/license-info) in effect on the date of
42 publication of this document. Please review these documents
43 carefully, as they describe your rights and restrictions with respect
44 to this document. Code Components extracted from this document must
45 include Simplified BSD License text as described in Section 4.e of
46 the Trust Legal Provisions and are provided without warranty as
47 described in the Simplified BSD License.
48
49
50
51
52 Hoffman & Schlyter Standards Track [Page 1]
53 RFC 6698 DNS-Based Authentication for TLS August 2012
54
55
56 Table of Contents
57
58 1. Introduction ....................................................3
59 1.1. Background and Motivation ..................................3
60 1.2. Securing the Association of a Domain Name with a
61 Server's Certificate .......................................4
62 1.3. Method for Securing Certificate Associations ...............5
63 1.4. Terminology ................................................6
64 2. The TLSA Resource Record ........................................7
65 2.1. TLSA RDATA Wire Format .....................................7
66 2.1.1. The Certificate Usage Field .........................7
67 2.1.2. The Selector Field ..................................8
68 2.1.3. The Matching Type Field .............................9
69 2.1.4. The Certificate Association Data Field ..............9
70 2.2. TLSA RR Presentation Format ................................9
71 2.3. TLSA RR Examples ..........................................10
72 3. Domain Names for TLSA Certificate Associations .................10
73 4. Use of TLSA Records in TLS .....................................11
74 4.1. Usable Certificate Associations ...........................11
75 5. TLSA and DANE Use Cases and Requirements .......................13
76 6. Mandatory-to-Implement Features ................................15
77 7. IANA Considerations ............................................15
78 7.1. TLSA RRtype ...............................................15
79 7.2. TLSA Certificate Usages ...................................15
80 7.3. TLSA Selectors ............................................16
81 7.4. TLSA Matching Types .......................................16
82 8. Security Considerations ........................................16
83 8.1. Comparing DANE to Public CAs ..............................18
84 8.1.1. Risk of Key Compromise .............................19
85 8.1.2. Impact of Key Compromise ...........................20
86 8.1.3. Detection of Key Compromise ........................20
87 8.1.4. Spoofing Hostnames .................................20
88 8.2. DNS Caching ...............................................21
89 8.3. External DNSSEC Validators ................................21
90 9. Acknowledgements ...............................................22
91 10. References ....................................................22
92 10.1. Normative References .....................................22
93 10.2. Informative References ...................................23
94 Appendix A. Operational Considerations for Deploying TLSA
95 Records ...............................................25
96 A.1. Creating TLSA Records ......................................25
97 A.1.1. Ambiguities and Corner Cases When TLS Clients
98 Build Trust Chains .....................................26
99 A.1.2. Choosing a Selector Type ...............................26
100 A.2. Provisioning TLSA Records in DNS ...........................28
101 A.2.1. Provisioning TLSA Records with Aliases .................28
102 A.3. Securing the Last Hop ......................................30
103 A.4. Handling Certificate Rollover ..............................31
104
105
106
107 Hoffman & Schlyter Standards Track [Page 2]
108 RFC 6698 DNS-Based Authentication for TLS August 2012
109
110
111 Appendix B. Pseudocode for Using TLSA .............................32
112 B.1. Helper Functions ...........................................32
113 B.2. Main TLSA Pseudocode .......................................33
114 Appendix C. Examples ..............................................35
115
The IETF is responsible for the creation and maintenance of the DNS RFCs. The ICANN DNS RFC annotation project provides a forum for collecting community annotations on these RFCs as an aid to understanding for implementers and any interested parties. The annotations displayed here are not the result of the IETF consensus process.
This RFC is included in the DNS RFCs annotation project whose home page is here.
This RFC is implemented in BIND 9.18 (all versions).
116 1. Introduction
117
118 1.1. Background and Motivation
119
120 Applications that communicate over the Internet often need to prevent
121 eavesdropping, tampering, or forgery of their communications. The
122 Transport Layer Security (TLS) protocol provides this kind of
123 communications security over the Internet, using channel encryption.
124
125 The security properties of encryption systems depend strongly on the
126 keys that they use. If secret keys are revealed, or if public keys
127 can be replaced by fake keys (that is, a key not corresponding to the
128 entity identified in the certificate), these systems provide little
129 or no security.
130
131 TLS uses certificates to bind keys and names. A certificate combines
132 a published key with other information such as the name of the
133 service that uses the key, and this combination is digitally signed
134 by another key. Having a key in a certificate is only helpful if one
135 trusts the other key that signed the certificate. If that other key
136 was itself revealed or substituted, then its signature is worthless
137 in proving anything about the first key.
138
139 On the Internet, this problem has been solved for years by entities
140 called "Certification Authorities" (CAs). CAs protect their secret
141 key vigorously, while supplying their public key to the software
142 vendors who build TLS clients. They then sign certificates, and
143 supply those to TLS servers. TLS client software uses a set of these
144 CA keys as "trust anchors" to validate the signatures on certificates
145 that the client receives from TLS servers. Client software typically
146 allows any CA to usefully sign any other certificate.
147
148 The public CA model upon which TLS has depended is fundamentally
149 vulnerable because it allows any of these CAs to issue a certificate
150 for any domain name. A single trusted CA that betrays its trust,
151 either voluntarily or by providing less-than-vigorous protection for
152 its secrets and capabilities, can undermine the security offered by
153 any certificates employed with TLS. This problem arises because a
154 compromised CA can issue a replacement certificate that contains a
155 fake key. Recent experiences with compromises of CAs or their
156 trusted partners have led to very serious security problems, such as
157 the governments of multiple countries attempting to wiretap and/or
158 subvert major TLS-protected web sites trusted by millions of users.
159
160
161
162 Hoffman & Schlyter Standards Track [Page 3]
163 RFC 6698 DNS-Based Authentication for TLS August 2012
164
165
166 The DNS Security Extensions (DNSSEC) provide a similar model that
167 involves trusted keys signing the information for untrusted keys.
168 However, DNSSEC provides three significant improvements. Keys are
169 tied to names in the Domain Name System (DNS), rather than to
170 arbitrary identifying strings; this is more convenient for Internet
171 protocols. Signed keys for any domain are accessible online through
172 a straightforward query using the standard DNSSEC protocol, so there
173 is no problem distributing the signed keys. Most significantly, the
174 keys associated with a domain name can only be signed by a key
175 associated with the parent of that domain name; for example, the keys
176 for "example.com" can only be signed by the keys for "com", and the
177 keys for "com" can only be signed by the DNS root. This prevents an
178 untrustworthy signer from compromising anyone's keys except those in
179 their own subdomains. Like TLS, DNSSEC relies on public keys that
180 come built into the DNSSEC client software, but these keys come only
181 from a single root domain rather than from a multiplicity of CAs.
182
183 DNS-Based Authentication of Named Entities (DANE) offers the option
184 to use the DNSSEC infrastructure to store and sign keys and
185 certificates that are used by TLS. DANE is envisioned as a
186 preferable basis for binding public keys to DNS names, because the
187 entities that vouch for the binding of public key data to DNS names
188 are the same entities responsible for managing the DNS names in
189 question. While the resulting system still has residual security
190 vulnerabilities, it restricts the scope of assertions that can be
191 made by any entity, consistent with the naming scope imposed by the
192 DNS hierarchy. As a result, DANE embodies the security "principle of
193 least privilege" that is lacking in the current public CA model.
194
195 1.2. Securing the Association of a Domain Name with a Server's
196 Certificate
197
198 A TLS client begins a connection by exchanging messages with a TLS
199 server. For many application protocols, it looks up the server's
200 name using the DNS to get an Internet Protocol (IP) address
201 associated with the name. It then begins a connection to a
202 particular port at that address, and sends an initial message there.
203 However, the client does not yet know whether an adversary is
204 intercepting and/or altering its communication before it reaches the
205 TLS server. It does not even know whether the real TLS server
206 associated with that domain name has ever received its initial
207 messages.
208
209 The first response from the server in TLS may contain a certificate.
210 In order for the TLS client to authenticate that it is talking to the
211 expected TLS server, the client must validate that this certificate
212 is associated with the domain name used by the client to get to the
213 server. Currently, the client must extract the domain name from the
214
215
216
217 Hoffman & Schlyter Standards Track [Page 4]
218 RFC 6698 DNS-Based Authentication for TLS August 2012
219
220
221 certificate and must successfully validate the certificate, including
222 chaining to a trust anchor.
223
224 There is a different way to authenticate the association of the
225 server's certificate with the intended domain name without trusting
226 an external CA. Given that the DNS administrator for a domain name
227 is authorized to give identifying information about the zone, it
228 makes sense to allow that administrator to also make an authoritative
229 binding between the domain name and a certificate that might be used
230 by a host at that domain name. The easiest way to do this is to use
231 the DNS, securing the binding with DNSSEC.
232
233 There are many use cases for such functionality. [RFC6394] lists the
234 ones to which the DNS RRtype in this document apply. [RFC6394] also
235 lists many requirements, most of which this document is believed to
236 meet. Section 5 covers the applicability of this document to the use
237 cases in detail. The protocol in this document can generally be
238 referred to as the "DANE TLSA" protocol. ("TLSA" does not stand for
239 anything; it is just the name of the RRtype.)
240
241 This document applies to both TLS [RFC5246] and Datagram TLS (DTLS)
242 [RFC6347]. In order to make the document more readable, it mostly
243 only talks about "TLS", but in all cases, it means "TLS or DTLS".
244 Although the references in this paragraph are to TLS and DTLS
245 version 1.2, the DANE TLSA protocol can also be used with earlier
246 versions of TLS and DTLS.
247
248 This document only relates to securely associating certificates for
249 TLS and DTLS with host names; retrieving certificates from DNS for
250 other protocols is handled in other documents. For example, keys for
251 IPsec are covered in [RFC4025], and keys for Secure SHell (SSH) are
252 covered in [RFC4255].
253
254 1.3. Method for Securing Certificate Associations
255
256 A certificate association is formed from a piece of information
257 identifying a certificate and the domain name where the server
258 application runs. The combination of a trust anchor and a domain
259 name can also be a certificate association.
260
261 A DNS query can return multiple certificate associations, such as in
262 the case of a server that is changing from one certificate to another
263 (described in more detail in Appendix A.4).
264
265 This document only applies to PKIX [RFC5280] certificates, not
266 certificates of other formats.
267
268
269
270
271
272 Hoffman & Schlyter Standards Track [Page 5]
273 RFC 6698 DNS-Based Authentication for TLS August 2012
274
275
276 This document defines a secure method to associate the certificate
277 that is obtained from the TLS server with a domain name using DNS;
278 the DNS information needs to be protected by DNSSEC. Because the
279 certificate association was retrieved based on a DNS query, the
280 domain name in the query is by definition associated with the
281 certificate. Note that this document does not cover how to associate
282 certificates with domain names for application protocols that depend
283 on SRV, NAPTR, and similar DNS resource records. It is expected that
284 future documents will cover methods for making those associations,
285 and those documents may or may not need to update this one.
286
287 DNSSEC, which is defined in [RFC4033], [RFC4034], and [RFC4035], uses
288 cryptographic keys and digital signatures to provide authentication
289 of DNS data. Information that is retrieved from the DNS and that is
290 validated using DNSSEC is thereby proved to be the authoritative
291 data. The DNSSEC signature needs to be validated on all responses
292 that use DNSSEC in order to assure the proof of origin of the data.
293
294 This document does not specify how DNSSEC validation occurs because
295 there are many different proposals for how a client might get
296 validated DNSSEC results, such as from a DNSSEC-aware resolver that
297 is coded in the application, from a trusted DNSSEC resolver on the
298 machine on which the application is running, or from a trusted DNSSEC
299 resolver with which the application is communicating over an
300 authenticated and integrity-protected channel or network. This is
301 described in more detail in Section 7 of [RFC4033].
302
303 This document only relates to getting the DNS information for the
304 certificate association securely using DNSSEC; other secure DNS
305 mechanisms are out of scope.
306
307 1.4. Terminology
308
309 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
310 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
311 document are to be interpreted as described in RFC 2119 [RFC2119].
312
313 This document also makes use of standard PKIX, DNSSEC, TLS, and DNS
314 terminology. See [RFC5280], [RFC4033], [RFC5246], and STD 13
315 [RFC1034] [RFC1035], respectively, for these terms. In addition,
316 terms related to TLS-protected application services and DNS names are
317 taken from [RFC6125].
318
319
320
321
322
323
324
325
326
327 Hoffman & Schlyter Standards Track [Page 6]
328 RFC 6698 DNS-Based Authentication for TLS August 2012
329
330
331 2. The TLSA Resource Record
332
333 The TLSA DNS resource record (RR) is used to associate a TLS server
334 certificate or public key with the domain name where the record is
335 found, thus forming a "TLSA certificate association". The semantics
336 of how the TLSA RR is interpreted are given later in this document.
337
338 The type value for the TLSA RR type is defined in Section 7.1.
339
340 The TLSA RR is class independent.
341
342 The TLSA RR has no special Time to Live (TTL) requirements.
343
344 2.1. TLSA RDATA Wire Format
345
346 The RDATA for a TLSA RR consists of a one-octet certificate usage
347 field, a one-octet selector field, a one-octet matching type field,
348 and the certificate association data field.
349
350 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
351 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
352 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
353 | Cert. Usage | Selector | Matching Type | /
354 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /
355 / /
356 / Certificate Association Data /
357 / /
358 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
359
The introduction to RFC7671 says:
[RFC6698] defines three TLSA record fields: the first with four possible values, the second with two, and the third with three. These yield 24 distinct combinations of TLSA record types. This document recommends a smaller set of best-practice combinations of these fields to simplify protocol design, implementation, and deployment.
Section 12 of RFC7671 gives an extensive list of what it updates:
12. Summary of Updates to RFC 6698
o Section 3 updates [RFC6698] to specify a requirement for clients
to support at least TLS 1.0 and to support SNI.
o Section 4 explains that application support for all four
certificate usages is NOT RECOMMENDED. The recommended design is
to support just DANE-EE(3) and DANE-TA(2).
o Section 5.1 updates [RFC6698] to specify that peer identity
matching and validity period enforcement are based solely on the
TLSA RRset properties. It also specifies DANE authentication of
raw public keys [RFC7250] via TLSA records with certificate usage
DANE-EE(3) and selector SPKI(1).
o Section 5.2 updates [RFC6698] to require that servers publishing
digest TLSA records with a usage of DANE-TA(2) MUST include the
TA certificate in their TLS server certificate message. This
extends to the case of "2 1 0" TLSA records that publish a full
public key.
o Section 5.4 observes that with usage PKIX-TA(0), clients may need
to process extended trust chains beyond the first trusted issuer
when that issuer is not self-signed.
o Section 7 recommends that DANE application protocols specify that,
when possible, securely CNAME-expanded names be used to derive the
TLSA base domain.
o Section 8 specifies a strategy for managing TLSA records that
interoperates with DANE clients regardless of what subset of the
possible TLSA record types (combinations of TLSA parameters) is
supported by the client.
o Section 9 specifies a digest algorithm agility protocol.
o Section 10.1 recommends against the use of Full(0) TLSA records,
as digest records are generally much more compact.
360 2.1.1. The Certificate Usage Field
361
362 A one-octet value, called "certificate usage", specifies the provided
363 association that will be used to match the certificate presented in
364 the TLS handshake. This value is defined in a new IANA registry (see
365 Section 7.2) in order to make it easier to add additional certificate
366 usages in the future. The certificate usages defined in this
367 document are:
368
369 0 -- Certificate usage 0 is used to specify a CA certificate, or
370 the public key of such a certificate, that MUST be found in any of
371 the PKIX certification paths for the end entity certificate given
372 by the server in TLS. This certificate usage is sometimes
373 referred to as "CA constraint" because it limits which CA can be
374 used to issue certificates for a given service on a host. The
375 presented certificate MUST pass PKIX certification path
376 validation, and a CA certificate that matches the TLSA record MUST
377 be included as part of a valid certification path. Because this
378 certificate usage allows both trust anchors and CA certificates,
379
380
381
382 Hoffman & Schlyter Standards Track [Page 7]
383 RFC 6698 DNS-Based Authentication for TLS August 2012
384
385
386 the certificate might or might not have the basicConstraints
387 extension present.
388
389 1 -- Certificate usage 1 is used to specify an end entity
390 certificate, or the public key of such a certificate, that MUST be
391 matched with the end entity certificate given by the server in
392 TLS. This certificate usage is sometimes referred to as "service
393 certificate constraint" because it limits which end entity
394 certificate can be used by a given service on a host. The target
395 certificate MUST pass PKIX certification path validation and MUST
396 match the TLSA record.
397
398 2 -- Certificate usage 2 is used to specify a certificate, or the
399 public key of such a certificate, that MUST be used as the trust
400 anchor when validating the end entity certificate given by the
401 server in TLS. This certificate usage is sometimes referred to as
402 "trust anchor assertion" and allows a domain name administrator to
403 specify a new trust anchor -- for example, if the domain issues
404 its own certificates under its own CA that is not expected to be
405 in the end users' collection of trust anchors. The target
406 certificate MUST pass PKIX certification path validation, with any
407 certificate matching the TLSA record considered to be a trust
408 anchor for this certification path validation.
409
410 3 -- Certificate usage 3 is used to specify a certificate, or the
411 public key of such a certificate, that MUST match the end entity
412 certificate given by the server in TLS. This certificate usage is
413 sometimes referred to as "domain-issued certificate" because it
414 allows for a domain name administrator to issue certificates for a
415 domain without involving a third-party CA. The target certificate
416 MUST match the TLSA record. The difference between certificate
417 usage 1 and certificate usage 3 is that certificate usage 1
418 requires that the certificate pass PKIX validation, but PKIX
419 validation is not tested for certificate usage 3.
420
421 The certificate usages defined in this document explicitly only apply
422 to PKIX-formatted certificates in DER encoding [X.690]. If TLS
423 allows other formats later, or if extensions to this RRtype are made
424 that accept other formats for certificates, those certificates will
425 need their own certificate usage values.
426
2 -- Certificate usage 2 is used to specify a certificate, or the
public key of such a certificate, that MUST be used as the trust
anchor when validating the end entity certificate given by the
server in TLS. This certificate usage is sometimes referred to as
"trust anchor assertion" and allows a domain name administrator to
specify a new trust anchor -- for example, if the domain issues
its own certificates under its own CA that is not expected to be
in the end users' collection of trust anchors. The target
certificate MUST pass PKIX certification path validation, with any
certificate matching the TLSA record considered to be a trust
anchor for this certification path validation.
2 -- Certificate usage 2 is used to specify a certificate, or the
public key of such a certificate, that MUST be used as the trust
anchor when validating the end entity certificate given by the
server in TLS. This certificate usage is sometimes referred to as
"trust anchor assertion" and allows a domain name administrator to
specify a new trust anchor -- for example, if the domain issues
its own certificates under its own CA that is not expected to be
in the end users' collection of trust anchors. The target
certificate MUST pass PKIX certification path validation, with any
certificate matching the TLSA record considered to be a trust
anchor for this certification path validation. Since clients cannot
be presumed to have their own copy of the trust-anchor certificate,
when the TLSA association specifies a certificate digest, the TLS
server MUST be configured to provide the trust-anchor certificate in
its "certificate_list" TLS handshake message.
As per discussion on the DANE WG list, this was overtaken by events and so is rejected. This is critical for interoperability between clients and servers. A client that commits to verify TLSA RR certificate associations will fail if it can't obtain the required certificates. With usage "2" there is no presumption that these are available to the client. If servers are not obligated to provide them the protocol will consistently fail. With non-interactive protocols where there is no user to "click OK", such as SMTP, there is no good work-around and both client and server owners suffer. --VERIFIER NOTES-- As per discussion on the DANE WG list, this was overtaken by events and so is rejected.
Section 2.1 of RFC7218 adds menumonics for the Certificate Usage field.
427 2.1.2. The Selector Field
428
429 A one-octet value, called "selector", specifies which part of the TLS
430 certificate presented by the server will be matched against the
431 association data. This value is defined in a new IANA registry (see
432 Section 7.3). The selectors defined in this document are:
433
434
435
436
437 Hoffman & Schlyter Standards Track [Page 8]
438 RFC 6698 DNS-Based Authentication for TLS August 2012
439
440
441 0 -- Full certificate: the Certificate binary structure as defined
442 in [RFC5280]
443
444 1 -- SubjectPublicKeyInfo: DER-encoded binary structure as defined
445 in [RFC5280]
446
447 (Note that the use of "selector" in this document is completely
448 unrelated to the use of "selector" in DomainKeys Identified Mail
449 (DKIM) [RFC6376].)
450
Section 2.2 of RFC7218 adds menumonics for the Selector field.
451 2.1.3. The Matching Type Field
452
453 A one-octet value, called "matching type", specifies how the
454 certificate association is presented. This value is defined in a new
455 IANA registry (see Section 7.4). The types defined in this document
456 are:
457
458 0 -- Exact match on selected content
459
460 1 -- SHA-256 hash of selected content [RFC6234]
461
462 2 -- SHA-512 hash of selected content [RFC6234]
463
464 If the TLSA record's matching type is a hash, having the record use
465 the same hash algorithm that was used in the signature in the
466 certificate (if possible) will assist clients that support a small
467 number of hash algorithms.
468
469 2.1.4. The Certificate Association Data Field
470
471 This field specifies the "certificate association data" to be
472 matched. These bytes are either raw data (that is, the full
473 certificate or its SubjectPublicKeyInfo, depending on the selector)
474 for matching type 0, or the hash of the raw data for matching types 1
475 and 2. The data refers to the certificate in the association, not to
476 the TLS ASN.1 Certificate object.
477
478 2.2. TLSA RR Presentation Format
479
480 The presentation format of the RDATA portion (as defined in
481 [RFC1035]) is as follows:
482
483 o The certificate usage field MUST be represented as an 8-bit
484 unsigned integer.
485
486 o The selector field MUST be represented as an 8-bit unsigned
487 integer.
488
489
490
491
492 Hoffman & Schlyter Standards Track [Page 9]
493 RFC 6698 DNS-Based Authentication for TLS August 2012
494
495
496 o The matching type field MUST be represented as an 8-bit unsigned
497 integer.
498
499 o The certificate association data field MUST be represented as a
500 string of hexadecimal characters. Whitespace is allowed within
501 the string of hexadecimal characters, as described in [RFC1035].
502
503 2.3. TLSA RR Examples
504
505 In the following examples, the domain name is formed using the rules
506 in Section 3.
507
508 An example of a hashed (SHA-256) association of a PKIX CA
509 certificate:
510
511 _443._tcp.www.example.com. IN TLSA (
512 0 0 1 d2abde240d7cd3ee6b4b28c54df034b9
513 7983a1d16e8a410e4561cb106618e971 )
514
515 An example of a hashed (SHA-512) subject public key association of a
516 PKIX end entity certificate:
517
518 _443._tcp.www.example.com. IN TLSA (
519 1 1 2 92003ba34942dc74152e2f2c408d29ec
520 a5a520e7f2e06bb944f4dca346baf63c
521 1b177615d466f6c4b71c216a50292bd5
522 8c9ebdd2f74e38fe51ffd48c43326cbc )
523
524 An example of a full certificate association of a PKIX end entity
525 certificate:
526
527 _443._tcp.www.example.com. IN TLSA (
528 3 0 0 30820307308201efa003020102020... )
529
530 3. Domain Names for TLSA Certificate Associations
531
532 Unless there is a protocol-specific specification that is different
533 than this one, TLSA resource records are stored at a prefixed DNS
534 domain name. The prefix is prepared in the following manner:
535
536 1. The decimal representation of the port number on which a TLS-
537 based service is assumed to exist is prepended with an underscore
538 character ("_") to become the left-most label in the prepared
539 domain name. This number has no leading zeros.
540
541
542
543
544
545
546
547 Hoffman & Schlyter Standards Track [Page 10]
548 RFC 6698 DNS-Based Authentication for TLS August 2012
549
550
551 2. The protocol name of the transport on which a TLS-based service
552 is assumed to exist is prepended with an underscore character
553 ("_") to become the second left-most label in the prepared domain
554 name. The transport names defined for this protocol are "tcp",
555 "udp", and "sctp".
556
557 3. The base domain name is appended to the result of step 2 to
558 complete the prepared domain name. The base domain name is the
559 fully qualified DNS domain name [RFC1035] of the TLS server, with
560 the additional restriction that every label MUST meet the rules
561 of [RFC0952]. The latter restriction means that, if the query is
562 for an internationalized domain name, it MUST use the A-label
563 form as defined in [RFC5890].
564
565 For example, to request a TLSA resource record for an HTTP server
566 running TLS on port 443 at "www.example.com",
567 "_443._tcp.www.example.com" is used in the request. To request a
568 TLSA resource record for an SMTP server running the STARTTLS protocol
569 on port 25 at "mail.example.com", "_25._tcp.mail.example.com" is
570 used.
571
572 4. Use of TLSA Records in TLS
573
574 Section 2.1 of this document defines the mandatory matching rules for
575 the data from the TLSA certificate associations and the certificates
576 received from the TLS server.
577
578 The TLS session that is to be set up MUST be for the specific port
579 number and transport name that was given in the TLSA query.
580
581 Some specifications for applications that run over TLS, such as
582 [RFC2818] for HTTP, require that the server's certificate have a
583 domain name that matches the host name expected by the client. Some
584 specifications, such as [RFC6125], detail how to match the identity
585 given in a PKIX certificate with those expected by the user.
586
587 If a TLSA record has certificate usage 2, the corresponding TLS
588 server SHOULD send the certificate that is referenced just like it
589 currently sends intermediate certificates.
590
591 4.1. Usable Certificate Associations
592
593 An implementation of this protocol makes a DNS query for TLSA
594 records, validates these records using DNSSEC, and uses the resulting
595 TLSA records and validation status to modify its responses to the TLS
596 server.
597
598
599
600
601
602 Hoffman & Schlyter Standards Track [Page 11]
603 RFC 6698 DNS-Based Authentication for TLS August 2012
604
605
606 Determining whether a TLSA RRSet can be used MUST be based on the
607 DNSSEC validation state (as defined in [RFC4033]).
608
609 o A TLSA RRSet whose DNSSEC validation state is secure MUST be used
610 as a certificate association for TLS unless a local policy would
611 prohibit the use of the specific certificate association in the
612 secure TLSA RRSet.
613
614 o If the DNSSEC validation state on the response to the request for
615 the TLSA RRSet is bogus, this MUST cause TLS not to be started or,
616 if the TLS negotiation is already in progress, MUST cause the
617 connection to be aborted.
618
619 o A TLSA RRSet whose DNSSEC validation state is indeterminate or
620 insecure cannot be used for TLS and MUST be considered unusable.
621
622 Clients that validate the DNSSEC signatures themselves MUST use
623 standard DNSSEC validation procedures. Clients that rely on another
624 entity to perform the DNSSEC signature validation MUST use a secure
625 mechanism between themselves and the validator. Examples of secure
626 transports to other hosts include TSIG [RFC2845], SIG(0) [RFC2931],
627 and IPsec [RFC6071]. Note that it is not sufficient to use secure
628 transport to a DNS resolver that does not do DNSSEC signature
629 validation. See Section 8.3 for more security considerations related
630 to external validators.
631
632 If a certificate association contains a certificate usage, selector,
633 or matching type that is not understood by the TLS client, that
634 certificate association MUST be considered unusable. If the
635 comparison data for a certificate is malformed, the certificate
636 association MUST be considered unusable.
637
638 If a certificate association contains a matching type or certificate
639 association data that uses a cryptographic algorithm that is
640 considered too weak for the TLS client's policy, the certificate
641 association MUST be considered unusable.
642
643 If an application receives zero usable certificate associations from
644 a DNS request or from its cache, it processes TLS in the normal
645 fashion without any input from the TLSA records. If an application
646 receives one or more usable certificate associations, it attempts to
647 match each certificate association with the TLS server's end entity
648 certificate until a successful match is found. During the TLS
649 handshake, if none of the certificate associations matches the
650 certificate given by the TLS server, the TLS client MUST abort the
651 handshake.
652
653
654
655
656
657 Hoffman & Schlyter Standards Track [Page 12]
658 RFC 6698 DNS-Based Authentication for TLS August 2012
659
660
661 An attacker who is able to divert a user to a server under his
662 control is also likely to be able to block DNS requests from the user
663 or DNS responses being sent to the user. Thus, in order to achieve
664 any security benefit from certificate usage 0 or 1, an application
665 that sends a request for TLSA records needs to get either a valid
666 signed response containing TLSA records or verification that the
667 domain is insecure or indeterminate. If a request for a TLSA record
668 does not meet one of those two criteria but the application continues
669 with the TLS handshake anyway, the application has gotten no benefit
670 from TLSA and SHOULD NOT make any internal or external indication
671 that TLSA was applied. If an application has a configuration setting
672 that has turned on TLSA use, or has any indication that TLSA is in
673 use (regardless of whether or not this is configurable), that
674 application either MUST NOT start a TLS connection or it MUST abort a
675 TLS handshake if both of the two criteria above are not met.
676
677 The application can perform the TLSA lookup before initiating the TLS
678 handshake, or do it during the TLS handshake: the choice is up to the
679 client.
680
681 5. TLSA and DANE Use Cases and Requirements
682
683 The different types of certificate associations defined in TLSA are
684 matched with various sections of [RFC6394]. The use cases from
685 Section 3 of [RFC6394] are covered in this document as follows:
686
687 3.1 CA Constraints -- Implemented using certificate usage 0.
688
689 3.2 Certificate Constraints -- Implemented using certificate usage 1.
690
691 3.3 Trust Anchor Assertion and Domain-Issued Certificates --
692 Implemented using certificate usages 2 and 3, respectively.
693
694 The requirements from Section 4 of [RFC6394] are covered in this
695 document as follows:
696
697 Multiple Ports -- The TLSA records for different application services
698 running on a single host can be distinguished through the service
699 name and port number prefixed to the host name (see Section 3).
700
701 No Downgrade -- Section 4 specifies the conditions under which a
702 client can process and act upon TLSA records. Specifically, if
703 the DNSSEC status for the TLSA resource record set is determined
704 to be bogus, the TLS connection (if started) will fail.
705
706 Encapsulation -- Encapsulation is covered in the TLSA response
707 semantics.
708
709
710
711
712 Hoffman & Schlyter Standards Track [Page 13]
713 RFC 6698 DNS-Based Authentication for TLS August 2012
714
715
716 Predictability -- The appendices of this specification provide
717 operational considerations and implementation guidance in order to
718 enable application developers to form a consistent interpretation
719 of the recommended client behavior.
720
721 Opportunistic Security -- If a client conformant to this
722 specification can reliably determine the presence of a TLSA
723 record, it will attempt to use this information. Conversely, if a
724 client can reliably determine the absence of any TLSA record, it
725 will fall back to processing TLS in the normal fashion. This is
726 discussed in Section 4.
727
728 Combination -- Multiple TLSA records can be published for a given
729 host name, thus enabling the client to construct multiple TLSA
730 certificate associations that reflect different assertions. No
731 support is provided to combine two TLSA certificate associations
732 in a single operation.
733
734 Roll-over -- TLSA records are processed in the normal manner within
735 the scope of the DNS protocol, including the TTL expiration of the
736 records. This ensures that clients will not latch onto assertions
737 made by expired TLSA records, and will be able to transition from
738 using one public key or certificate usage to another.
739
740 Simple Key Management -- The SubjectPublicKeyInfo selector in the
741 TLSA record provides a mode that enables a domain holder to only
742 have to maintain a single long-lived public/private key pair
743 without the need to manage certificates. Appendix A outlines the
744 usefulness and the potential downsides to using this mode.
745
746 Minimal Dependencies -- This specification relies on DNSSEC to
747 protect the origin authenticity and integrity of the TLSA resource
748 record set. Additionally, if DNSSEC validation is not performed
749 on the system that wishes to use TLSA certificate bindings, this
750 specification requires that the "last mile" be over a secure
751 transport. There are no other deployment dependencies for this
752 approach.
753
754 Minimal Options -- The operating modes map precisely to the DANE use
755 cases and requirements. DNSSEC use is mandatory in that this
756 specification encourages applications to use only those TLSA
757 records that are shown to be validated.
758
759 Wildcards -- Wildcards are covered in a limited manner in the TLSA
760 request syntax; see Appendix A.
761
762 Redirection -- Redirection is covered in the TLSA request syntax; see
763 Appendix A.
764
765
766
767 Hoffman & Schlyter Standards Track [Page 14]
768 RFC 6698 DNS-Based Authentication for TLS August 2012
769
770
771 6. Mandatory-to-Implement Features
772
773 TLS clients conforming to this specification MUST be able to
774 correctly interpret TLSA records with certificate usages 0, 1, 2,
775 and 3. TLS clients conforming to this specification MUST be able to
776 compare a certificate association with a certificate from the TLS
777 handshake using selector types 0 and 1, and matching type 0 (no hash
778 used) and matching type 1 (SHA-256), and SHOULD be able to make such
779 comparisons with matching type 2 (SHA-512).
780
Section 2.3 of RFC7218 adds menumonics for the Matching Type field.
781 7. IANA Considerations
782
783 IANA has made the assignments in this section.
784
785 In the following sections, "RFC Required" was chosen for TLSA
786 certificate usages and "Specification Required" for selectors and
787 matching types because of the amount of detail that is likely to be
788 needed for implementers to correctly implement new certificate usages
789 as compared to new selectors and matching types.
790
The IANA registry is at https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml
791 7.1. TLSA RRtype
792
793 This document uses a new DNS RR type, TLSA, whose value (52) was
794 allocated by IANA from the Resource Record (RR) TYPEs subregistry of
795 the Domain Name System (DNS) Parameters registry.
796
Section 2.1 of RFC7218 adds menumonics for the Certificate Usage field.
797 7.2. TLSA Certificate Usages
798
799 This document creates a new registry, "TLSA Certificate Usages". The
800 registry policy is "RFC Required". The initial entries in the
801 registry are:
802
803 Value Short description Reference
804 ----------------------------------------------------------
805 0 CA constraint RFC 6698
806 1 Service certificate constraint RFC 6698
807 2 Trust anchor assertion RFC 6698
808 3 Domain-issued certificate RFC 6698
809 4-254 Unassigned
810 255 Private use
811
812 Applications to the registry can request specific values that have
813 yet to be assigned.
814
815
816
817
818
819
820
821
822 Hoffman & Schlyter Standards Track [Page 15]
823 RFC 6698 DNS-Based Authentication for TLS August 2012
824
825
Section 2.2 of RFC7218 adds menumonics for the Selector field.
826 7.3. TLSA Selectors
827
828 This document creates a new registry, "TLSA Selectors". The registry
829 policy is "Specification Required". The initial entries in the
830 registry are:
831
832 Value Short description Reference
833 ----------------------------------------------------------
834 0 Full certificate RFC 6698
835 1 SubjectPublicKeyInfo RFC 6698
836 2-254 Unassigned
837 255 Private use
838
839 Applications to the registry can request specific values that have
840 yet to be assigned.
841
842 7.4. TLSA Matching Types
843
844 This document creates a new registry, "TLSA Matching Types". The
845 registry policy is "Specification Required". The initial entries in
846 the registry are:
847
848 Value Short description Reference
849 ----------------------------------------------------------
850 0 No hash used RFC 6698
851 1 SHA-256 RFC 6234
852 2 SHA-512 RFC 6234
853 3-254 Unassigned
854 255 Private use
855
856 Applications to the registry can request specific values that have
857 yet to be assigned.
858
859 8. Security Considerations
860
861 The security of the DNS RRtype described in this document relies on
862 the security of DNSSEC to verify that the TLSA record has not been
863 altered.
864
865 A rogue DNS administrator who changes the A, AAAA, and/or TLSA
866 records for a domain name can cause the client to go to an
867 unauthorized server that will appear authorized, unless the client
868 performs PKIX certification path validation and rejects the
869 certificate. That administrator could probably get a certificate
870 issued by some CA anyway, so this is not an additional threat.
871
872
873
874
875
876
877 Hoffman & Schlyter Standards Track [Page 16]
878 RFC 6698 DNS-Based Authentication for TLS August 2012
879
880
881 If the authentication mechanism for adding or changing TLSA data in a
882 zone is weaker than the authentication mechanism for changing the A
883 and/or AAAA records, a man-in-the-middle who can redirect traffic to
884 his site may be able to impersonate the attacked host in TLS if he
885 can use the weaker authentication mechanism. A better design for
886 authenticating DNS would be to have the same level of authentication
887 used for all DNS additions and changes for a particular domain name.
888
889 Secure Socket Layer (SSL) proxies can sometimes act as a man-in-the-
890 middle for TLS clients. In these scenarios, the clients add a new
891 trust anchor whose private key is kept on the SSL proxy; the proxy
892 intercepts TLS requests, creates a new TLS session with the intended
893 host, and sets up a TLS session with the client using a certificate
894 that chains to the trust anchor installed in the client by the proxy.
895 In such environments, using TLSA records will prevent the SSL proxy
896 from functioning as expected because the TLS client will get a
897 certificate association from the DNS that will not match the
898 certificate that the SSL proxy uses with the client. The client,
899 seeing the proxy's new certificate for the supposed destination, will
900 not set up a TLS session.
901
902 Client treatment of any information included in the trust anchor is a
903 matter of local policy. This specification does not mandate that
904 such information be inspected or validated by the server's domain
905 name administrator.
906
907 If a server's certificate is revoked, or if an intermediate CA in a
908 chain between the server and a trust anchor has its certificate
909 revoked, a TLSA record with a certificate usage of 2 that matches the
910 revoked certificate would in essence override the revocation because
911 the client would treat that revoked certificate as a trust anchor and
912 thus not check its revocation status. Because of this, domain
913 administrators need to be responsible for being sure that the keys or
914 certificates used in TLSA records with a certificate usage of 2 are
915 in fact able to be used as reliable trust anchors.
916
917 Certificates that are delivered in TLSA with certificate usage 2
918 fundamentally change the way the TLS server's end entity certificate
919 is evaluated. For example, the server's certificate might chain to
920 an existing CA through an intermediate CA that has certain policy
921 restrictions, and the certificate would not pass those restrictions
922 and thus normally be rejected. That intermediate CA could issue
923 itself a new certificate without the policy restrictions and tell its
924 customers to use that certificate with certificate usage 2. This in
925 essence allows an intermediate CA to become a trust anchor for
926 certificates that the end user might have expected to chain to an
927 existing trust anchor.
928
929
930
931
932 Hoffman & Schlyter Standards Track [Page 17]
933 RFC 6698 DNS-Based Authentication for TLS August 2012
934
935
936 If an administrator wishes to stop using a TLSA record, the
937 administrator can simply remove it from the DNS. Normal clients will
938 stop using the TLSA record after the TTL has expired. Replay attacks
939 against the TLSA record are not possible after the expiration date on
940 the RRsig of the TLSA record that was removed.
941
942 Generators of TLSA records should be aware that the client's full
943 trust of a certificate association retrieved from a TLSA record may
944 be a matter of local policy. While such trust is limited to the
945 specific domain name, protocol, and port for which the TLSA query was
946 made, local policy may decline to accept the certificate (for reasons
947 such as weak cryptography), as is also the case with PKIX trust
948 anchors.
949
Section 2.3 of RFC7218 adds menumonics for the Matching Type field.
950 8.1. Comparing DANE to Public CAs
951
952 As stated above, the security of the DNS RRtype described in this
953 document relies on the security of DNSSEC to verify that the TLSA
954 record has not been altered. This section describes where the
955 security of public CAs and the security of TLSA are similar and
956 different. This section applies equally to other security-related
957 DNS RRtypes such as keys for IPsec and SSH.
958
959 DNSSEC forms certificates (the binding of an identity to a key) by
960 combining a DNSKEY, DS, or DLV resource record with an associated
961 RRSIG record. These records then form a signing chain extending from
962 the client's trust anchors to the RR of interest.
963
964 Although the DNSSEC protocol does not enforce it, DNSKEYs are often
965 marked with a SEP flag indicating whether the key is a Zone Signing
966 Key (ZSK) or a Key Signing Key (KSK). ZSKs protect records in the
967 zone (including DS and DLV records), and KSKs protect ZSK DNSKEY
968 records. This allows KSKs to be stored offline.
969
970 The TLSA RRtype allows keys from the DNSSEC PKI hierarchy to
971 authenticate keys wrapped in PKIX certificates for a particular host
972 name, protocol, and port.
973
974 With the exception of the DLV RRtype, all of these certificates
975 constrain the keys they identify to names that are within the zone
976 signing the certificate. In order for a domain's DLV resource
977 records to be honored, the domain must be configured as a DLV domain,
978 and the domain's DNSKEYs must be configured as trust anchors or be
979 authentic [RFC5074].
980
981
982
983
984
985
986
987 Hoffman & Schlyter Standards Track [Page 18]
988 RFC 6698 DNS-Based Authentication for TLS August 2012
989
990
991 8.1.1. Risk of Key Compromise
992
993 The risk that a given certificate that has a valid signing chain is
994 fake is related to the number of keys that can contribute to the
995 validation of the certificate, the quality of protection each private
996 key receives, the value of each key to an attacker, and the value of
997 falsifying the certificate.
998
999 DNSSEC allows any set of domains to be configured as trust anchors
1000 and/or DLVs, but most clients are likely to use the root zone as
1001 their only trust anchor. Also, because a given DNSKEY can only sign
1002 resource records for that zone, the number of private keys capable of
1003 compromising a given TLSA resource record is limited to the number of
1004 zones between the TLSA resource record and the nearest trust anchor,
1005 plus any configured DLV domains. Typically, this will be six keys,
1006 half of which will be KSKs.
1007
1008 PKIX only describes how to validate a certificate based on a client-
1009 chosen set of trust anchors, but says nothing about how many trust
1010 anchors to use or how they should be constrained. As currently
1011 deployed, most PKIX clients use a large number of trust anchors
1012 provided with the client or operating system software. These trust
1013 anchors are selected carefully, but with a desire for broad
1014 interoperability. The trust anchors and CA certificates for public
1015 CAs rarely have name constraints applied.
1016
1017 A combination of technical protections, process controls, and
1018 personnel experience contribute to the quality of security that keys
1019 receive.
1020
1021 o The security surrounding DNSSEC DNSKEYs varies significantly. The
1022 KSK/ZSK split allows the KSK to be stored offline and protected
1023 more carefully than the ZSK, but not all domains do so. The
1024 security applied to a zone's DNSKEYs should be proportional to the
1025 value of the domain, but that is difficult to estimate. For
1026 example, the root DNSKEY has protections and controls comparable
1027 to or exceeding those of public CAs. On the other end of the
1028 spectrum, small domains might provide no more protection to their
1029 keys than they do to their other data.
1030
1031 o The security surrounding public CAs also varies. However, due to
1032 financial incentives and standards imposed by clients for
1033 acceptance into their trust anchor stores, CAs generally employ
1034 security experts and protect their keys carefully, though highly
1035 public compromises have occurred.
1036
1037
1038
1039
1040
1041
1042 Hoffman & Schlyter Standards Track [Page 19]
1043 RFC 6698 DNS-Based Authentication for TLS August 2012
1044
1045
1046 8.1.2. Impact of Key Compromise
1047
1048 The impact of a key compromise differs significantly between the two
1049 models.
1050
1051 o DNSKEYs are inherently limited in what they can sign, so a
1052 compromise of the DNSKEY for "example.com" provides no avenue of
1053 attack against "example.org". Even the impact of a compromise of
1054 .com's DNSKEY, while considerable, would be limited to .com
1055 domains. Only the compromise of the root DNSKEY would have the
1056 equivalent impact of an unconstrained public CA.
1057
1058 o Public CAs are not typically constrained in what names they can
1059 sign, and therefore a compromise of even one CA allows the
1060 attacker to generate a certificate for any name in the DNS. A
1061 domain holder can get a certificate from any willing CA, or even
1062 multiple CAs simultaneously, making it impossible for a client to
1063 determine whether the certificate it is validating is legitimate
1064 or fraudulent.
1065
1066 Because a TLSA certificate association is constrained to its
1067 associated name, protocol, and port, the PKIX certificate is
1068 similarly constrained, even if its public CAs signing the certificate
1069 (if any) are not.
1070
1071 8.1.3. Detection of Key Compromise
1072
1073 If a key is compromised, rapid and reliable detection is important in
1074 order to limit the impact of the compromise. In this regard, neither
1075 model prevents an attacker from near-invisibly attacking their
1076 victim, provided that the necessary keys are compromised.
1077
1078 If a public CA is compromised, only the victim will see the
1079 fraudulent certificate, as there is typically no publicly accessible
1080 directory of all the certificates issued by a CA that can be
1081 inspected. DNS resource records are typically published publicly.
1082 However, the attacker could also allow the uncompromised records to
1083 be published to the Internet as usual but provide a compromised DNS
1084 view to the victim to achieve the same effect.
1085
1086 8.1.4. Spoofing Hostnames
1087
1088 Some CAs implement technical controls to ensure that certificates are
1089 not issued to domains with names similar to domains that are popular
1090 and prone to attack. Of course, an attacker can attempt to
1091 circumvent this restriction by finding a CA willing to issue the
1092 certificate anyway. However, by using DNSSEC and TLSA, the attacker
1093 can circumvent this check completely.
1094
1095
1096
1097 Hoffman & Schlyter Standards Track [Page 20]
1098 RFC 6698 DNS-Based Authentication for TLS August 2012
1099
1100
1101 8.2. DNS Caching
1102
1103 Implementations of this protocol rely heavily on the DNS, and are
1104 thus prone to security attacks based on the deliberate
1105 mis-association of TLSA records and DNS names. Implementations need
1106 to be cautious in assuming the continuing validity of an association
1107 between a TLSA record and a DNS name.
1108
1109 In particular, implementations SHOULD rely on their DNS resolver for
1110 confirmation of an association between a TLSA record and a DNS name,
1111 rather than caching the result of previous domain name lookups. Many
1112 platforms already can cache domain name lookups locally when
1113 appropriate, and they SHOULD be configured to do so. It is proper
1114 for these lookups to be cached, however, only when the TTL (Time To
1115 Live) information reported by the DNS makes it likely that the cached
1116 information will remain useful.
1117
1118 If implementations cache the results of domain name lookups in order
1119 to achieve a performance improvement, they MUST observe the TTL
1120 information reported by DNS. Implementations that fail to follow
1121 this rule could be spoofed or have access denied when a previously
1122 accessed server's TLSA record changes, such as during a certificate
1123 rollover.
1124
1125 8.3. External DNSSEC Validators
1126
1127 Due to a lack of DNSSEC support in the most commonly deployed stub
1128 resolvers today, some ISPs have begun checking DNSSEC in the
1129 recursive resolvers they provide to their customers, setting the
1130 Authentic Data (AD) flag as appropriate. DNSSEC-aware clients could
1131 use that data, ignoring the fact that the DNSSEC data has been
1132 validated externally. Because there is typically no authentication
1133 of the recursive resolver or integrity protection of the data and AD
1134 flag between the client and the recursive resolver, this can be
1135 trivially spoofed by an attacker.
1136
1137 However, even with secure communications between a host and the
1138 external validating resolver, there is a risk that the external
1139 validator could become compromised. Nothing prevents a compromised
1140 external DNSSEC validator from claiming that all the records it
1141 provides are secure, even if the data is falsified, unless the client
1142 checks the DNSSEC data itself (rendering the external validator
1143 unnecessary).
1144
1145 For this reason, DNSSEC validation is best performed on-host, even
1146 when a secure path to an external validator is available.
1147
1148
1149
1150
1151
1152 Hoffman & Schlyter Standards Track [Page 21]
1153 RFC 6698 DNS-Based Authentication for TLS August 2012
1154
1155
1156 9. Acknowledgements
1157
1158 Many of the ideas in this document have been discussed over many
1159 years. More recently, the ideas have been discussed by the authors
1160 and others in a more focused fashion. In particular, some of the
1161 ideas and words here originated with Paul Vixie, Dan Kaminsky, Jeff
1162 Hodges, Phillip Hallam-Baker, Simon Josefsson, Warren Kumari, Adam
1163 Langley, Ben Laurie, Ilari Liusvaara, Ondrej Mikle, Scott Schmit,
1164 Ondrej Sury, Richard Barnes, Jim Schaad, Stephen Farrell, Suresh
1165 Krishnaswamy, Peter Palfrader, Pieter Lexis, Wouter Wijngaards, John
1166 Gilmore, and Murray Kucherawy.
1167
1168 This document has also been greatly helped by many active
1169 participants of the DANE Working Group.
1170
1171 10. References
1172
1173 10.1. Normative References
1174
1175 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
1176 STD 13, RFC 1034, November 1987.
1177
1178 [RFC1035] Mockapetris, P., "Domain names - implementation and
1179 specification", STD 13, RFC 1035, November 1987.
1180
1181 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1182 Requirement Levels", BCP 14, RFC 2119, March 1997.
1183
1184 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1185 Rose, "DNS Security Introduction and Requirements",
1186 RFC 4033, March 2005.
1187
1188 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1189 Rose, "Resource Records for the DNS Security Extensions",
1190 RFC 4034, March 2005.
1191
1192 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1193 Rose, "Protocol Modifications for the DNS Security
1194 Extensions", RFC 4035, March 2005.
1195
1196 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
1197 (TLS) Protocol Version 1.2", RFC 5246, August 2008.
1198
1199 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
1200 Housley, R., and W. Polk, "Internet X.509 Public Key
1201 Infrastructure Certificate and Certificate Revocation List
1202 (CRL) Profile", RFC 5280, May 2008.
1203
1204
1205
1206
1207 Hoffman & Schlyter Standards Track [Page 22]
1208 RFC 6698 DNS-Based Authentication for TLS August 2012
1209
1210
1211 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
1212 Verification of Domain-Based Application Service Identity
1213 within Internet Public Key Infrastructure Using X.509
1214 (PKIX) Certificates in the Context of Transport Layer
1215 Security (TLS)", RFC 6125, March 2011.
1216
1217 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
1218 Security Version 1.2", RFC 6347, January 2012.
1219
1220 10.2. Informative References
1221
1222 [RFC0952] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet
1223 host table specification", RFC 952, October 1985.
1224
1225 [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
1226 specifying the location of services (DNS SRV)", RFC 2782,
1227 February 2000.
1228
1229 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
1230
1231 [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
1232 Wellington, "Secret Key Transaction Authentication for DNS
1233 (TSIG)", RFC 2845, May 2000.
1234
1235 [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures
1236 ( SIG(0)s)", RFC 2931, September 2000.
1237
1238 [RFC4025] Richardson, M., "A Method for Storing IPsec Keying
1239 Material in DNS", RFC 4025, March 2005.
1240
1241 [RFC4255] Schlyter, J. and W. Griffin, "Using DNS to Securely
1242 Publish Secure Shell (SSH) Key Fingerprints", RFC 4255,
1243 January 2006.
1244
1245 [RFC4641] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
1246 RFC 4641, September 2006.
1247
1248 [RFC5074] Weiler, S., "DNSSEC Lookaside Validation (DLV)", RFC 5074,
1249 November 2007.
1250
1251 [RFC5890] Klensin, J., "Internationalized Domain Names for
1252 Applications (IDNA): Definitions and Document Framework",
1253 RFC 5890, August 2010.
1254
1255 [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS)
1256 Extensions: Extension Definitions", RFC 6066,
1257 January 2011.
1258
1259
1260
1261
1262 Hoffman & Schlyter Standards Track [Page 23]
1263 RFC 6698 DNS-Based Authentication for TLS August 2012
1264
1265
1266 [RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and
1267 Internet Key Exchange (IKE) Document Roadmap", RFC 6071,
1268 February 2011.
1269
1270 [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
1271 (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.
1272
1273 [RFC6376] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
1274 "DomainKeys Identified Mail (DKIM) Signatures", RFC 6376,
1275 September 2011.
1276
1277 [RFC6394] Barnes, R., "Use Cases and Requirements for DNS-Based
1278 Authentication of Named Entities (DANE)", RFC 6394,
1279 October 2011.
1280
1281 [X.690] "Recommendation ITU-T X.690 (2002) | ISO/IEC 8825-1:2002,
1282 Information technology - ASN.1 encoding rules:
1283 Specification of Basic Encoding Rules (BER), Canonical
1284 Encoding Rules (CER) and Distinguished Encoding Rules
1285 (DER)", July 2002.
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317 Hoffman & Schlyter Standards Track [Page 24]
1318 RFC 6698 DNS-Based Authentication for TLS August 2012
1319
1320
1321 Appendix A. Operational Considerations for Deploying TLSA Records
1322
1323 A.1. Creating TLSA Records
1324
1325 When creating TLSA records, care must be taken to avoid
1326 misconfigurations. Section 4 of this document states that a TLSA
1327 RRSet whose validation state is secure MUST be used. This means that
1328 the existence of such a RRSet effectively disables other forms of
1329 name and path validation. A misconfigured TLSA RRSet will
1330 effectively disable access to the TLS server for all conforming
1331 clients, and this document does not provide any means of making a
1332 gradual transition to using TLSA.
1333
1334 When creating TLSA records with certificate usage 0 (CA certificate)
1335 or usage 2 (trust anchor), one needs to understand the implications
1336 when choosing between selector type 0 (Full certificate) and 1
1337 (SubjectPublicKeyInfo). A careful choice is required because
1338 different methods for building trust chains are used by different TLS
1339 clients. The following outlines the cases that one ought to be aware
1340 of and discusses the implications of the choice of selector type.
1341
1342 Certificate usage 2 is not affected by the different types of chain
1343 building when the end entity certificate is the same as the trust
1344 anchor certificate.
1345
1346 A.1.1. Ambiguities and Corner Cases When TLS Clients Build Trust Chains
1347
1348 TLS clients can implement their own chain-building code rather than
1349 rely on the chain presented by the TLS server. This means that,
1350 except for the end entity certificate, any certificate presented in
1351 the suggested chain might or might not be present in the final chain
1352 built by the client.
1353
1354 Certificates that the client can use to replace certificates from the
1355 original chain include:
1356
1357 o Client's trust anchors
1358
1359 o Certificates cached locally
1360
1361 o Certificates retrieved from a URI listed in an Authority
1362 Information Access X.509v3 extension
1363
1364 CAs frequently reissue certificates with different validity periods,
1365 signature algorithms (such as a different hash algorithm in the
1366 signature algorithm), CA key pairs (such as for a cross-certificate),
1367
1368
1369
1370
1371
1372 Hoffman & Schlyter Standards Track [Page 25]
1373 RFC 6698 DNS-Based Authentication for TLS August 2012
1374
1375
1376 or PKIX extensions where the public key and subject remain the same.
1377 These reissued certificates are the certificates that the TLS client
1378 can use in place of an original certificate.
1379
1380 Clients are known to exchange or remove certificates that could cause
1381 TLSA certificate associations that rely on the full certificate to
1382 fail. For example:
1383
1384 o The client considers the signature algorithm of a certificate to
1385 no longer be sufficiently secure.
1386
1387 o The client might not have an associated root certificate in its
1388 trust store and instead uses a cross-certificate with an identical
1389 subject and public key.
1390
1391 A.1.2. Choosing a Selector Type
1392
1393 In this section, "false-negative failure" means that a client will
1394 not accept the TLSA certificate association for a certificate
1395 designated by the DNS administrator. Also, "false-positive
1396 acceptance" means that the client accepts a TLSA association for a
1397 certificate that is not designated by the DNS administrator.
1398
1399 A.1.2.1. Selector Type 0 (Full Certificate)
1400
1401 The "Full certificate" selector provides the most precise
1402 specification of a TLSA certificate association, capturing all
1403 fields of the PKIX certificate. For a DNS administrator, the best
1404 course to avoid false-negative failures in the client when using this
1405 selector is:
1406
1407 1. If a CA issued a replacement certificate, don't associate to CA
1408 certificates that have a signature algorithm with a hash that is
1409 considered weak by local policy.
1410
1411 2. Determine how common client applications process the TLSA
1412 certificate association using a fresh client installation -- that
1413 is, with the local certificate cache empty.
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427 Hoffman & Schlyter Standards Track [Page 26]
1428 RFC 6698 DNS-Based Authentication for TLS August 2012
1429
1430
1431 A.1.2.2. Selector Type 1 (SubjectPublicKeyInfo)
1432
1433 A SubjectPublicKeyInfo selector gives greater flexibility in avoiding
1434 some false-negative failures caused by trust-chain-building
1435 algorithms used in clients.
1436
1437 One specific use case ought to be noted: creating a TLSA certificate
1438 association to CA certificate I1 that directly signed end entity
1439 certificate S1 of the server. The case can be illustrated by the
1440 following graph:
1441
1442 +----+ +----+
1443 | I1 | | I2 |
1444 +----+ +----+
1445 | |
1446 v v
1447 +----+ +----+
1448 | S1 | | S1 |
1449 +----+ +----+
1450 Certificate chain sent by A different validation path
1451 server in TLS handshake built by the TLS client
1452
1453 I2 is a reissued version of CA certificate I1 (that is, it has a
1454 different hash in its signature algorithm).
1455
1456 In the above scenario, both certificates I1 and I2 that sign S1 need
1457 to have identical SubjectPublicKeyInfo fields because the key used to
1458 sign S1 is fixed. An association to SubjectPublicKeyInfo (selector
1459 type 1) will always succeed in such a case, but an association with a
1460 full certificate (selector type 0) might not work due to a false-
1461 negative failure.
1462
1463 The attack surface is a bit broader compared to the "Full
1464 certificate" selector: the DNS administrator might unintentionally
1465 specify an association that would lead to false-positive acceptance.
1466
1467 o The administrator must know or trust that the CA does not engage
1468 in bad practices, such as not sharing the key of I1 for unrelated
1469 CA certificates (which would lead to trust-chain redirection). If
1470 possible, the administrator ought to review all CA certificates
1471 that have the same SubjectPublicKeyInfo field.
1472
1473 o The administrator ought to understand whether some PKIX extension
1474 may adversely affect security of the association. If possible,
1475 administrators ought to review all CA certificates that share the
1476 SubjectPublicKeyInfo.
1477
1478
1479
1480
1481
1482 Hoffman & Schlyter Standards Track [Page 27]
1483 RFC 6698 DNS-Based Authentication for TLS August 2012
1484
1485
1486 o The administrator ought to understand that any CA could, in the
1487 future, issue a certificate that contains the same
1488 SubjectPublicKeyInfo. Therefore, new chains can crop up in the
1489 future without any warning.
1490
1491 Using the SubjectPublicKeyInfo selector for association with a
1492 certificate in a chain above I1 needs to be decided on a case-by-case
1493 basis: there are too many possibilities based on the issuing CA's
1494 practices. Unless the full implications of such an association are
1495 understood by the administrator, using selector type 0 is a better
1496 option from a security perspective.
1497
1498 A.2. Provisioning TLSA Records in DNS
1499
1500 A.2.1. Provisioning TLSA Records with Aliases
1501
1502 The TLSA resource record is not special in the DNS; it acts exactly
1503 like any other RRtype where the queried name has one or more labels
1504 prefixed to the base name, such as the SRV RRtype [RFC2782]. This
1505 affects the way that the TLSA resource record is used when aliasing
1506 in the DNS.
1507
1508 Note that the IETF sometimes adds new types of aliasing in the DNS.
1509 If that happens in the future, those aliases might affect TLSA
1510 records, hopefully in a good way.
1511
1512 A.2.1.1. Provisioning TLSA Records with CNAME Records
1513
1514 Using CNAME to alias in DNS only aliases from the exact name given,
1515 not any zones below the given name. For example, assume that a zone
1516 file has only the following:
1517
1518 sub1.example.com. IN CNAME sub2.example.com.
1519
1520 In this case, a request for the A record at "bottom.sub1.example.com"
1521 would not return any records because the CNAME given only aliases the
1522 name given. Assume, instead, the zone file has the following:
1523
1524 sub3.example.com. IN CNAME sub4.example.com.
1525 bottom.sub3.example.com. IN CNAME bottom.sub4.example.com.
1526
1527 In this case, a request for the A record at bottom.sub3.example.com
1528 would in fact return whatever value for the A record exists at
1529 bottom.sub4.example.com.
1530
1531
1532
1533
1534
1535
1536
1537 Hoffman & Schlyter Standards Track [Page 28]
1538 RFC 6698 DNS-Based Authentication for TLS August 2012
1539
1540
1541 Application implementations and full-service resolvers request DNS
1542 records using libraries that automatically follow CNAME (and DNAME)
1543 aliasing. This allows hosts to put TLSA records in their own zones
1544 or to use CNAME to do redirection.
1545
1546 If the owner of the original domain wants a TLSA record for the same,
1547 they simply enter it under the defined prefix:
1548
1549 ; No TLSA record in target domain
1550 ;
1551 sub5.example.com. IN CNAME sub6.example.com.
1552 _443._tcp.sub5.example.com. IN TLSA 1 1 1 308202c5308201ab...
1553 sub6.example.com. IN A 192.0.2.1
1554 sub6.example.com. IN AAAA 2001:db8::1
1555
1556 If the owner of the original domain wants to have the target domain
1557 host the TLSA record, the original domain uses a CNAME record:
1558
1559 ; TLSA record for original domain has CNAME to target domain
1560 ;
1561 sub5.example.com. IN CNAME sub6.example.com.
1562 _443._tcp.sub5.example.com. IN CNAME _443._tcp.sub6.example.com.
1563 sub6.example.com. IN A 192.0.2.1
1564 sub6.example.com. IN AAAA 2001:db8::1
1565 _443._tcp.sub6.example.com. IN TLSA 1 1 1 536a570ac49d9ba4...
1566
1567 Note that it is acceptable for both the original domain and the
1568 target domain to have TLSA records, but the two records are
1569 unrelated. Consider the following:
1570
1571 ; TLSA record in both the original and target domain
1572 ;
1573 sub5.example.com. IN CNAME sub6.example.com.
1574 _443._tcp.sub5.example.com. IN TLSA 1 1 1 308202c5308201ab...
1575 sub6.example.com. IN A 192.0.2.1
1576 sub6.example.com. IN AAAA 2001:db8::1
1577 _443._tcp.sub6.example.com. IN TLSA 1 1 1 ac49d9ba4570ac49...
1578
1579 In this example, someone looking for the TLSA record for
1580 sub5.example.com would always get the record whose value starts with
1581 "308202c5308201ab"; the TLSA record whose value starts with
1582 "ac49d9ba4570ac49" would only be sought by someone who is looking for
1583 the TLSA record for sub6.example.com, and never for sub5.example.com.
1584 Note that deploying different certificates for multiple services
1585 located at a shared TLS listener often requires the use of TLS SNI
1586 (Server Name Indication) [RFC6066].
1587
1588
1589
1590
1591
1592 Hoffman & Schlyter Standards Track [Page 29]
1593 RFC 6698 DNS-Based Authentication for TLS August 2012
1594
1595
1596 Note that these methods use the normal method for DNS aliasing using
1597 CNAME: the DNS client requests the record type that they actually
1598 want.
1599
1600 A.2.1.2. Provisioning TLSA Records with DNAME Records
1601
1602 Using DNAME records allows a zone owner to alias an entire subtree of
1603 names below the name that has the DNAME. This allows the wholesale
1604 aliasing of prefixed records such as those used by TLSA, SRV, and so
1605 on without aliasing the name itself. However, because DNAME can only
1606 be used for subtrees of a base name, it is rarely used to alias
1607 individual hosts that might also be running TLS.
1608
1609 ; TLSA record in target domain, visible in original domain via DNAME
1610 ;
1611 sub5.example.com. IN CNAME sub6.example.com.
1612 _tcp.sub5.example.com. IN DNAME _tcp.sub6.example.com.
1613 sub6.example.com. IN A 192.0.2.1
1614 sub6.example.com. IN AAAA 2001:db8::1
1615 _443._tcp.sub6.example.com. IN TLSA 1 1 1 536a570ac49d9ba4...
1616
1617 A.2.1.3. Provisioning TLSA Records with Wildcards
1618
1619 Wildcards are generally not terribly useful for RRtypes that require
1620 prefixing because one can only wildcard at a layer below the host
1621 name. For example, if one wants to have the same TLSA record for
1622 every TCP port for www.example.com, the result might be:
1623
1624 *._tcp.www.example.com. IN TLSA 1 1 1 5c1502a6549c423b...
1625
1626 This is possibly useful in some scenarios where the same service is
1627 offered on many ports or the same certificate and/or key is used for
1628 all services on a host. Note that the domain being searched for is
1629 not necessarily related to the domain name found in the certificate,
1630 so a certificate with a wildcard in it is not searched for using a
1631 wildcard in the search request.
1632
1633 A.3. Securing the Last Hop
1634
1635 As described in Section 4, an application processing TLSA records
1636 must know the DNSSEC validity of those records. There are many ways
1637 for the application to determine this securely, and this
1638 specification does not mandate any single method.
1639
1640
1641
1642
1643
1644
1645
1646
1647 Hoffman & Schlyter Standards Track [Page 30]
1648 RFC 6698 DNS-Based Authentication for TLS August 2012
1649
1650
1651 Some common methods for an application to know the DNSSEC validity of
1652 TLSA records include:
1653
1654 o The application can have its own DNS resolver and DNSSEC
1655 validation stack.
1656
1657 o The application can communicate through a trusted channel (such as
1658 requests to the operating system under which the application is
1659 running) to a local DNS resolver that does DNSSEC validation.
1660
1661 o The application can communicate through a secured channel (such as
1662 requests running over TLS, IPsec, TSIG, or SIG(0)) to a non-local
1663 DNS resolver that does DNSSEC validation.
1664
1665 o The application can communicate through a secured channel (such as
1666 requests running over TLS, IPsec, TSIG, or SIG(0)) to a non-local
1667 DNS resolver that does not do DNSSEC validation, but gets
1668 responses through a secured channel from a different DNS resolver
1669 that does DNSSEC validation.
1670
1671 A.4. Handling Certificate Rollover
1672
1673 Certificate rollover is handled in much the same way as for rolling
1674 DNSSEC zone signing keys using the pre-publish key rollover method
1675 [RFC4641]. Suppose example.com has a single TLSA record for a TLS
1676 service on TCP port 990:
1677
1678 _990._tcp.example.com IN TLSA 1 1 1 1CFC98A706BCF3683015...
1679
1680 To start the rollover process, obtain or generate the new certificate
1681 or SubjectPublicKeyInfo to be used after the rollover and generate
1682 the new TLSA record. Add that record alongside the old one:
1683
1684 _990._tcp.example.com IN TLSA 1 1 1 1CFC98A706BCF3683015...
1685 _990._tcp.example.com IN TLSA 1 1 1 62D5414CD1CC657E3D30...
1686
1687 After the new records have propagated to the authoritative
1688 nameservers and the TTL of the old record has expired, switch to the
1689 new certificate on the TLS server. Once this has occurred, the old
1690 TLSA record can be removed:
1691
1692 _990._tcp.example.com IN TLSA 1 1 1 62D5414CD1CC657E3D30...
1693
1694 This completes the certificate rollover.
1695
1696
1697
1698
1699
1700
1701
1702 Hoffman & Schlyter Standards Track [Page 31]
1703 RFC 6698 DNS-Based Authentication for TLS August 2012
1704
1705
1706 Appendix B. Pseudocode for Using TLSA
1707
1708 This appendix describes, in pseudocode format, the interactions given
1709 earlier in this specification. If the steps below disagree with the
1710 text earlier in the document, the steps earlier in the document ought
1711 to be considered correct and this text incorrect.
1712
1713 Note that this pseudocode is more strict than the normative text.
1714 For instance, it forces an order on the evaluation of criteria, which
1715 is not mandatory from the normative text.
1716
1717 B.1. Helper Functions
1718
1719 // implement the function for exiting
1720 function Finish (F) = {
1721 if (F == ABORT_TLS) {
1722 abort the TLS handshake or prevent TLS from starting
1723 exit
1724 }
1725
1726 if (F == NO_TLSA) {
1727 fall back to non-TLSA certificate validation
1728 exit
1729 }
1730
1731 if (F == ACCEPT) {
1732 accept the TLS connection
1733 exit
1734 }
1735
1736 // unreachable
1737 }
1738
1739 // implement the selector function
1740 function Select (S, X) = {
1741 // Full certificate
1742 if (S == 0) {
1743 return X in DER encoding
1744 }
1745
1746 // SubjectPublicKeyInfo
1747 if (S == 1) {
1748 return X.SubjectPublicKeyInfo in DER encoding
1749 }
1750
1751 // unreachable
1752 }
1753
1754
1755
1756
1757 Hoffman & Schlyter Standards Track [Page 32]
1758 RFC 6698 DNS-Based Authentication for TLS August 2012
1759
1760
1761 // implement the matching function
1762 function Match (M, X, Y) {
1763 // Exact match on selected content
1764 if (M == 0) {
1765 return (X == Y)
1766 }
1767
1768 // SHA-256 hash of selected content
1769 if (M == 1) {
1770 return (SHA-256(X) == Y)
1771 }
1772
1773 // SHA-512 hash of selected content
1774 if (M == 2) {
1775 return (SHA-512(X) == Y)
1776 }
1777
1778 // unreachable
1779 }
1780
1781 B.2. Main TLSA Pseudocode
1782
1783 TLS connect using [transport] to [name] on [port] and receiving end
1784 entity cert C for the TLS server:
1785
1786 (TLSArecords, ValState) = DNSSECValidatedLookup(
1787 domainname=_[port]._[transport].[name], RRtype=TLSA)
1788
1789 // check for states that would change processing
1790 if (ValState == BOGUS) {
1791 Finish(ABORT_TLS)
1792 }
1793 if ((ValState == INDETERMINATE) or (ValState == INSECURE)) {
1794 Finish(NO_TLSA)
1795 }
1796 // if here, ValState must be SECURE
1797
1798 for each R in TLSArecords {
1799 // unusable records include unknown certUsage, unknown
1800 // selectorType, unknown matchingType, erroneous RDATA, and
1801 // prohibited by local policy
1802 if (R is unusable) {
1803 remove R from TLSArecords
1804 }
1805 }
1806 if (length(TLSArecords) == 0) {
1807 Finish(NO_TLSA)
1808 }
1809
1810
1811
1812 Hoffman & Schlyter Standards Track [Page 33]
1813 RFC 6698 DNS-Based Authentication for TLS August 2012
1814
1815
1816 // A TLS client might have multiple trust anchors that it might use
1817 // when validating the TLS server's end entity (EE) certificate.
1818 // Also, there can be multiple PKIX certification paths for the
1819 // certificates given by the server in TLS. Thus, there are
1820 // possibly many chains that might need to be tested during
1821 // PKIX path validation.
1822
1823 for each R in TLSArecords {
1824
1825 // pass PKIX certificate validation and chain through a CA cert
1826 // that comes from TLSA
1827 if (R.certUsage == 0) {
1828 for each PKIX certification path H {
1829 if (C passes PKIX certification path validation in H) {
1830 for each D in H {
1831 if ((D is a CA certificate) and
1832 Match(R.matchingType, Select(R.selectorType, D),
1833 R.cert)) {
1834 Finish(ACCEPT)
1835 }
1836 }
1837 }
1838 }
1839 }
1840
1841 // pass PKIX certificate validation and match EE cert from TLSA
1842 if (R.certUsage == 1) {
1843 for each PKIX certification path H {
1844 if ((C passes PKIX certificate validation in H) and
1845 Match(R.matchingType, Select(R.selectorType, C),
1846 R.cert)) {
1847 Finish(ACCEPT)
1848 }
1849 }
1850 }
1851
1852 // pass PKIX certification validation using TLSA record as the
1853 // trust anchor
1854 if (R.certUsage == 2) {
1855 // the following assert() is merely a formalization of the
1856 // "trust anchor" condition for a certificate D matching R
1857 assert(Match(R.matchingType, Select(R.selectorType, D), R.cert))
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867 Hoffman & Schlyter Standards Track [Page 34]
1868 RFC 6698 DNS-Based Authentication for TLS August 2012
1869
1870
1871 for each PKIX certification path H that has certificate D
1872 matching R as the trust anchor {
1873 if (C passes PKIX validation in H) {
1874 Finish(ACCEPT);
1875 }
1876 }
1877 }
1878
1879 // match the TLSA record and the TLS certificate
1880 if (R.certUsage == 3) {
1881 if Match(R.matchingType, Select(R.selectorType, C), R.cert)
1882 Finish(ACCEPT)
1883 }
1884 }
1885
1886 }
1887
1888 // if here, then none of the TLSA records ended in "Finish(ACCEPT)"
1889 // so abort TLS
1890 Finish(ABORT_TLS)
1891
1892 Appendix C. Examples
1893
1894 The following are examples of self-signed certificates that have been
1895 generated with various selectors and matching types. They were
1896 generated with one piece of software, and validated by an individual
1897 using other tools.
1898
1899 S = Selector
1900 M = Matching Type
1901
1902 S M Association Data
1903 0 0 30820454308202BC020900AB58D24E77AD2AF6300D06092A86
1904 4886F70D0101050500306C310B3009060355040613024E4C31163014
1905 0603550408130D4E6F6F72642D486F6C6C616E643112301006035504
1906 071309416D7374657264616D310C300A060355040A13034F53333123
1907 30210603550403131A64616E652E6B6965762E70726163746963756D
1908 2E6F73332E6E6C301E170D3132303131363136353730335A170D3232
1909 303131333136353730335A306C310B3009060355040613024E4C3116
1910 30140603550408130D4E6F6F72642D486F6C6C616E64311230100603
1911 5504071309416D7374657264616D310C300A060355040A13034F5333
1912 312330210603550403131A64616E652E6B6965762E70726163746963
1913 756D2E6F73332E6E6C308201A2300D06092A864886F70D0101010500
1914 0382018F003082018A0282018100E62C84A5AFE59F0A2A6B250DEE68
1915 7AC8C5C604F57D26CEB2119140FFAC38C4B9CBBE8923082E7F81626B
1916 6AD5DEA0C8771C74E3CAA7F613054AEFA3673E48FFE47B3F7AF987DE
1917 281A68230B24B9DA1A98DCBE51195B60E42FD7517C328D983E26A827
1918 C877AB914EE4C1BFDEAD48BD25BE5F2C473BA9C1CBBDDDA0C374D0D5
1919
1920
1921
1922 Hoffman & Schlyter Standards Track [Page 35]
1923 RFC 6698 DNS-Based Authentication for TLS August 2012
1924
1925
1926 8C389CC3D6D8C20662E19CF768F32441B7F7D14AEA8966CE7C32A172
1927 2AB38623D008029A9E4702883F8B977A1A1E5292BF8AD72239D40393
1928 37B86A3AC60FA001290452177BF1798609A05A130F033457A5212629
1929 FBDDB8E70E2A9E6556873C4F7CA46AE4A8B178F05FB319005E1C1C7D
1930 4BD77DFA34035563C126AA2C3328B900E7990AC9787F01DA82F74C3D
1931 4B6674CCECE1FD4C6EF9E6644F4635EDEDA39D8B0E2F7C8E06DAE775
1932 6213BD3D60831175BE290442B4AFC5AE6F46B769855A067C1097E617
1933 962529E166F22AEE10DDB981B8CD6FF17D3D70723169038DBFBC1A44
1934 9C8D0D31BC683C5F3CE26148E42EC9BBD4D9F261569B25B53C1D7FC2
1935 DDFF6B4CAC050203010001300D06092A864886F70D01010505000382
1936 0181002B2ABE063E9C86AC4A1F7835372091079C8276A9C2C5D1EC57
1937 64DE523FDDABDEAB3FD34E6FE6CBA054580A6785A663595D90132B93
1938 D473929E81FA0887D2FFF78A81C7D014B97778AB6AC9E5E690F6F5A9
1939 E92BB5FBAB71B857AE69B6E18BDCCB0BA6FCD9D4B084A34F3635148C
1940 495D48FE635903B888EC1DEB2610548EDD48D63F86513A4562469831
1941 48C0D5DB82D73A4C350A42BB661D763430FC6C8E5F9D13EA1B76AA52
1942 A4C358E5EA04000F794618303AB6CEEA4E9A8E9C74D73C1B0B7BAF16
1943 DEDE7696B5E2F206F777100F5727E1684D4132F5E692F47AF6756EA8
1944 B421000BE031B5D8F0220E436B51FB154FE9595333C13A2403F9DE08
1945 E5DDC5A22FD6182E339593E26374450220BC14F3E40FF33F084526B0
1946 9C34250702E8A352B332CCCB0F9DE2CF2B338823B92AFC61C0B6B8AB
1947 DB5AF718ED8DDA97C298E46B82A01B14814868CFA4F2C36268BFFF4A
1948 591F42658BF75918902D3E426DFE1D5FF0FC6A212071F6DA8BD833FE
1949 2E560D87775E8EE9333C05B6FB8EB56589D910DB5EA903
1950
1951 0 1 EFDDF0D915C7BDC5782C0881E1B2A95AD099FBDD06D7B1F779
1952 82D9364338D955
1953
1954 0 2 81EE7F6C0ECC6B09B7785A9418F54432DE630DD54DC6EE9E3C
1955 49DE547708D236D4C413C3E97E44F969E635958AA410495844127C04
1956 883503E5B024CF7A8F6A94
1957
1958 1 0 308201A2300D06092A864886F70D01010105000382018F0030
1959 82018A0282018100E62C84A5AFE59F0A2A6B250DEE687AC8C5C604F5
1960 7D26CEB2119140FFAC38C4B9CBBE8923082E7F81626B6AD5DEA0C877
1961 1C74E3CAA7F613054AEFA3673E48FFE47B3F7AF987DE281A68230B24
1962 B9DA1A98DCBE51195B60E42FD7517C328D983E26A827C877AB914EE4
1963 C1BFDEAD48BD25BE5F2C473BA9C1CBBDDDA0C374D0D58C389CC3D6D8
1964 C20662E19CF768F32441B7F7D14AEA8966CE7C32A1722AB38623D008
1965 029A9E4702883F8B977A1A1E5292BF8AD72239D4039337B86A3AC60F
1966 A001290452177BF1798609A05A130F033457A5212629FBDDB8E70E2A
1967 9E6556873C4F7CA46AE4A8B178F05FB319005E1C1C7D4BD77DFA3403
1968 5563C126AA2C3328B900E7990AC9787F01DA82F74C3D4B6674CCECE1
1969 FD4C6EF9E6644F4635EDEDA39D8B0E2F7C8E06DAE7756213BD3D6083
1970 1175BE290442B4AFC5AE6F46B769855A067C1097E617962529E166F2
1971 2AEE10DDB981B8CD6FF17D3D70723169038DBFBC1A449C8D0D31BC68
1972 3C5F3CE26148E42EC9BBD4D9F261569B25B53C1D7FC2DDFF6B4CAC05
1973 0203010001
1974
1975
1976
1977 Hoffman & Schlyter Standards Track [Page 36]
1978 RFC 6698 DNS-Based Authentication for TLS August 2012
1979
1980
1981 1 1 8755CDAA8FE24EF16CC0F2C918063185E433FAAF1415664911
1982 D9E30A924138C4
1983
1984 1 2 D43165B4CDF8F8660AECCCC5344D9D9AE45FFD7E6AAB7AB9EE
1985 C169B58E11F227ED90C17330CC17B5CCEF0390066008C720CEC6AAE5
1986 33A934B3A2D7E232C94AB4
1987
1988 Authors' Addresses
1989
1990 Paul Hoffman
1991 VPN Consortium
1992
1993 EMail: paul.hoffman@vpnc.org
1994
1995
1996 Jakob Schlyter
1997 Kirei AB
1998
1999 EMail: jakob@kirei.se
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032 Hoffman & Schlyter Standards Track [Page 37]
2033