idnits 2.17.1 draft-hildebrand-xmpp-dnssec-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 7, 2011) is 4798 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'TODO' is mentioned on line 172, but not defined ** Obsolete normative reference: RFC 4366 (Obsoleted by RFC 5246, RFC 6066) Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Hildebrand 3 Internet-Draft Cisco Systems, Inc. 4 Intended status: Standards Track March 7, 2011 5 Expires: September 8, 2011 7 DNSSEC for XMPP SRV Records 8 draft-hildebrand-xmpp-dnssec-00.txt 10 Abstract 12 This document proposes that DNS SRV records that can be trusted via 13 DNSSEC signatures may be used to generate a list of acceptable names 14 to check on server certificates offered by TLS. 16 Status of this Memo 18 This Internet-Draft is submitted in full conformance with the 19 provisions of BCP 78 and BCP 79. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF). Note that other groups may also distribute 23 working documents as Internet-Drafts. The list of current Internet- 24 Drafts is at http://datatracker.ietf.org/drafts/current/. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 This Internet-Draft will expire on September 8, 2011. 33 Copyright Notice 35 Copyright (c) 2011 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents 40 (http://trustee.ietf.org/license-info) in effect on the date of 41 publication of this document. Please review these documents 42 carefully, as they describe your rights and restrictions with respect 43 to this document. Code Components extracted from this document must 44 include Simplified BSD License text as described in Section 4.e of 45 the Trust Legal Provisions and are provided without warranty as 46 described in the Simplified BSD License. 48 This document may contain material from IETF Documents or IETF 49 Contributions published or made publicly available before November 50 10, 2008. The person(s) controlling the copyright in some of this 51 material may not have granted the IETF Trust the right to allow 52 modifications of such material outside the IETF Standards Process. 53 Without obtaining an adequate license from the person(s) controlling 54 the copyright in such materials, this document may not be modified 55 outside the IETF Standards Process, and derivative works of it may 56 not be created outside the IETF Standards Process, except to format 57 it for publication as an RFC or to translate it into languages other 58 than English. 60 Table of Contents 62 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 63 2. Conventions Used In This Document . . . . . . . . . . . . . . . 3 64 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 65 4. Dialback considerations . . . . . . . . . . . . . . . . . . . . 4 66 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4 67 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 4 68 7. Normative References . . . . . . . . . . . . . . . . . . . . . 4 69 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 5 70 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 5 72 1. Introduction 74 XMPP uses SRV records for clients and servers to find servers for a 75 given domain. Today, since the SRV record cannot be trusted, the 76 server has to offer a TLS certificate that matches the original 77 domain name, rather than one for the hostname in the SRV record. 78 Deployment of delegated hosts would be much easier if the host could 79 offer a certificate with the host name, rather than having to offer a 80 certificate with the original domain name. 82 This document proposes that the server may offer a cert with any of 83 the names generated from looking up trusted DNS entries. 85 Note: this document is only intended as a placeholder; it will be 86 dramatically expanded later. As well it is likely that this approach 87 is useful for protocols other than XMPP. 89 2. Conventions Used In This Document 91 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 92 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 93 document are to be interpreted as described in [RFC2119]. 95 3. Overview 97 The following steps are followed by a provider hosting "example.com" 98 on the server "host1.example.net": 100 1. The owner of "example.com" serves an SRV record for "_xmpp- 101 server._tcp.example.com" and "_xmpp-client._tcp.example.com", for 102 example "0 1 5269 host1.example.net." might be used for each. 103 2. The owner of "example.com" MUST ensure that "example.com" is 104 signed using DNSSEC [RFC4035], and that the SRV record is also 105 signed using DNSSEC. 106 3. The hosting provider at "host1.example.net" generates a [RFC5280] 107 PKIX certificate and has it signed by a widely-trusted 108 Certificate Authority. 109 4. The hosting provider offers the generated certificate to anyone 110 who connects and wants to talk to "example.com". 112 The following steps are followed by an initiating entity connecting 113 to "example.com": 115 1. The initiator starts with an empty name list L. 117 2. The initiator adds the original domain name ("example.com" here) 118 to L 119 3. The initiator does the normal SRV lookup, asking its resolver for 120 DNSEC trust information. 121 4. For each hostname, CNAME, A or AAAA record that the initiator 122 finds which is fully trustable according to DNSSEC, that name or 123 IP address is added to L. 124 5. The initiator connects to the server as specified in XMPP 125 [I-D.ietf-xmpp-3920bis], specifying "example.com" in the stream 126 to attribute. Other protocols might use SNI [RFC4366] to 127 indicate the desired host name. 128 6. The initiator MUST check each name in L against the certificate 129 offered by the responder, using the rules specified in section 130 13.7.2 of [I-D.ietf-xmpp-3920bis] (or the equivalent rules for 131 the target protocol). 133 4. Dialback considerations 135 TODO: how to share connections 137 TODO: interactions with dialback piggybacking 139 5. IANA Considerations 141 [TODO] 143 6. Security Considerations 145 Much more to follow here. 147 7. Normative References 149 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 150 Requirement Levels", BCP 14, RFC 2119, March 1997. 152 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 153 Rose, "Protocol Modifications for the DNS Security 154 Extensions", RFC 4035, March 2005. 156 [RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., 157 and T. Wright, "Transport Layer Security (TLS) 158 Extensions", RFC 4366, April 2006. 160 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 161 Housley, R., and W. Polk, "Internet X.509 Public Key 162 Infrastructure Certificate and Certificate Revocation List 163 (CRL) Profile", RFC 5280, May 2008. 165 [I-D.ietf-xmpp-3920bis] 166 Saint-Andre, P., "Extensible Messaging and Presence 167 Protocol (XMPP): Core", draft-ietf-xmpp-3920bis-22 (work 168 in progress), December 2010. 170 Appendix A. Acknowledgments 172 [TODO] 174 Author's Address 176 Joe Hildebrand 177 Cisco Systems, Inc. 178 1899 Wyknoop Street, Suite 600 179 Denver, CO 80202 180 USA 182 Email: jhildebr@cisco.com