DANE V. Dukhovni
Internet-Draft Unaffiliated
Intended status: Standards Track W.H. W. Hardaker
Expires: May 28, August 13, 2014 Parsons
November 24, 2013
February 9, 2014
SMTP security via opportunistic DANE TLS
draft-ietf-dane-smtp-with-dane-04
draft-ietf-dane-smtp-with-dane-05
Abstract
This memo describes a downgrade-resistant protocol for opportunistic TLS SMTP transport
security between Mail Transfer Agents (MTAs) based on the DANE DNS-Based
Authentication of Named Entities (DANE) TLSA DNS record. The Adoption of
this protocol is downgrade resistant
when the SMTP client supports DANE TLSA and the server domain
publishes TLSA records for its MX hosts. This enables an incremental transition of the Internet email
backbone (MTA to MTA SMTP traffic)
to TLS one using encrypted and authenticated delivery. Transport Layer
Security (TLS).
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 28, August 13, 2014.
Copyright Notice
Copyright (c) 2013 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Background Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 3
1.2. SMTP Channel Security Background . . . . . . . . . . . . . . . . . . 3 . . . . . 4
1.3. Terminology SMTP channel security . . . . . . . . . . . . . . . . . . 5
1.3.1. STARTTLS downgrade attack . . . . . . . . . . . . . . 5
1.3.2. Insecure server name without DNSSEC . . . . . . . . . 6
1.3.3. Sender policy does not scale . . . . . . . . . . . . 7
1.3.4. Too many certificate authorities . . . . . . . . . . 7
2. Hardening (pre-DANE) Opportunistic TLS . . . . . . . . . . . 8
2.1. DNS errors, bogus and indeterminate responses . . . . . . 5
2.1. 8
2.2. TLS discovery . . . . . . . . . . . . . . . . . . . . . . 5
2.1.1. Non-MX destinations 11
2.2.1. MX resolution . . . . . . . . . . . . . . . . . 6
2.1.2. MX resolution . . . 13
2.2.2. Non-MX destinations . . . . . . . . . . . . . . . . . 7
2.1.3. 14
2.2.3. TLSA record lookup . . . . . . . . . . . . . . . . . 9
2.2. 16
2.3. DANE authentication . . . . . . . . . . . . . . . . . . . 11
2.2.1. 17
2.3.1. TLSA certificate usages . . . . . . . . . . . . . . . 11
2.2.2. 18
2.3.2. Certificate matching . . . . . . . . . . . . . . . . 12
2.2.3. 20
2.3.3. Digest algorithm agility . . . . . . . . . . . . . . 14 23
3. Opportunistic Mandatory TLS for Submission Security . . . . . . . . . . . . . . 16
4. Mandatory TLS Security . . . . . 25
4. Operational Considerations . . . . . . . . . . . . . . 17
5. Acknowledgements . . . 25
4.1. Client Operational Considerations . . . . . . . . . . . . 25
4.2. Publisher Operational Considerations . . . . . . . . . . 18
6. 25
5. Security Considerations . . . . . . . . . . . . . . . . . . . 18 26
6. IANA considerations . . . . . . . . . . . . . . . . . . . . . 26
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 27
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 27
8.1. Normative References . . . . . . . . . . . . . . . . . . 27
8.2. Informative References . . . . . . . . . . 19 . . . . . . . 28
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 29
1. Introduction
Lacking verified DNS and "Server Name Indication" (SNI), there has
historically been no scalable way
This memo specifies a new connection security model for Message
Transfer Agents (MTAs). This model is motivated by key features of
inter-domain SMTP delivery, in particular the fact that the
destination server operators to deploy
certificates is selected indirectly via DNS Mail Exchange (MX)
records and that with MTA to MTA SMTP the use of TLS is generally
opportunistic.
We note that the SMTP protocol is also used between Message User
Agents (MUAs) and Message Submission Agents (MSAs). In [RFC6186] a client-trusted subject name. It's only
protocol is specified that enables an MUA to dynamically locate the
MSA based on the user's email address. SMTP connection security
requirements for MUAs implementing [RFC6186] are largely analogous to
connection security requirements for MTAs, and this specification
could be applied largely verbatim with DNS MX records replaced by
corresponding DNS Service (SRV) records.
However, until MUAs begin to adopt the
deployment dynamic configuration
mechanisms of [RFC6186] they are adequately served by more
traditional static TLS security policies. This document will not
discuss the MUA use case further, leaving specification of DNSSEC and DANE that authenticated TLS
for MUAs to future documents that focus specifically on SMTP security
between MUAs and MSAs. The rest of this memo will focus on securing
MTA to MTA SMTP connections.
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119].
The following terms or concepts are used through the document:
secure, bogus, insecure, indeterminate: DNSSEC validation results,
as defined in Section 4.3 of [RFC4035].
Validating Security-Aware Stub Resolver and Non-Validating
Security-Aware Stub Resolver:
Capabilities of the stub resolver in use as defined in [RFC4033];
note that this specification requires the use of a Security-Aware
Stub Resolver; Security-Oblivious stub-resolvers MUST NOT be used.
opportunistic DANE TLS: Best-effort use of TLS, resistant to
downgrade attacks for destinations with DNSSEC-validated TLSA
records. When opportunistic DANE TLS is determined to be
unavailable, clients should fall back to opportunistic TLS below.
Opportunistic DANE TLS requires support for DNSSEC, DANE and
STARTTLS on the client side and STARTTLS plus a DNSSEC published
TLSA record on the server side.
(pre-DANE) opportunistic TLS: Best-effort use of TLS that is
generally vulnerable to DNS forgery and STARTTLS downgrade
attacks. When a TLS-encrypted communication channel is not
available, message transmission takes place in the clear. MX
becomes possible between parties
record indirection generally precludes authentication even when
TLS is available.
MX hostname: The RRDATA of an MX record consists of a 16 bit
preference followed by a Mail Exchange domain name (see [RFC1035],
Section 3.3.9). We will use the term "MX hostname" to refer to
the latter, that have is, the DNS domain name found after the
preference value in an MX record. Thus an "MX hostname" is
specifically a reference to a DNS domain name, rather than any
host that bears that name.
SMTP server: An SMTP server whose name appears in an MX record for a
particular domain. Used to refer specifically to the host and
SMTP service itself, not already established its DNS name.
delayed delivery: Email delivery is a multi-hop store & forward
process. When an
identity convention out-of-band.
1.1. MTA is unable forward a message that may become
deliverable later, the message is queued and delivery is retried
periodically. Some MTAs may be configured with a fallback next-
hop destination that handles messages that the MTA would otherwise
queue and retry. In these cases, messages that would otherwise
have to be delayed, may be sent to the fallback next-hop
destination instead. The fallback destination may itself be
subject to opportunistic or mandatory DANE TLS as though it were
the original message destination.
original next hop destination: The logical destination for mail
delivery. By default this is the domain portion of the recipient
address, but MTAs may be configured to forward mail for some or
all recipients via designated relays. The original next hop
destination is, respectively, either the recipient domain or the
associated configured relay.
MTA: Message Transfer Agent ([RFC5598], Section 4.3.2).
MSA: Message Submission Agent ([RFC5598], Section 4.3.1).
MUA: Message User Agent ([RFC5598], Section 4.2.1).
RR: A DNS Resource Record
RRset: A set of DNS Resource Records for a particular class, domain
and record type.
1.2. Background
The Domain Name System Security Extensions (DNSSEC) add adds data origin
authentication and
authentication, data integrity and data non-existence proofs to the
Domain Name System. System (DNS). DNSSEC is defined in [RFC4033], [RFC4034]
and [RFC4035].
As described in the introduction of [RFC6698], TLS authentication via
the existing public Certificate Authority (CA) Public Key
Infrastructure (PKI) PKI suffers from an
over-abundance of trusted certificate authorities capable of issuing
certificates for any domain of their choice. DNS-Based Authentication of Named Entities
(DANE) DANE leverages the
DNSSEC infrastructure to publish trusted public keys and certificates
for use with TLS the Transport Layer Security (TLS) [RFC5246] protocol
via a new TLSA "TLSA" DNS record type. With
DANE, the public CA PKI can be augmented or replaced by DNSSEC
validated TLSA records. each domain can only
vouch for the keys of its directly delegated sub-domains.
The Transport Layer Security (TLS [RFC5246]) TLS protocol enables secure TCP communication. In the context of
this memo, channel security is assumed to be provided by TLS. Used
without authentication, TLS
protects provides only privacy protection against eavesdropping.
eavesdropping attacks. With authentication, TLS also
protects provides data
integrity protection to guard against man-in-the-middle (MITM)
attacks.
1.2.
1.3. SMTP Channel channel security
With HTTPS, Transport Layer Security
The Simple Mail Transfer Protocol (SMTP) ([RFC5321]) is multi-hop
store & forward, while (TLS) employs X.509 certificates
issued by one of the many Certificate Authorities (CAs) bundled with
popular web browsers to allow users to authenticate their "secure"
websites. Before we specify a new DANE TLS security model for SMTP,
we will explain why a new security model is hop-by-hop. The number of
hops from needed. In the sender's Mail User Agent process,
we will explain why the familiar HTTPS security model is is
inadequate to protect inter-domain SMTP traffic.
The subsections below outline four key problems with applying
traditional PKI to SMTP that are addressed by this specification.
Since SMTP channel security policy is not explicitly specified in
either the recipient mailbox address or the MX record, a new signaling
mechanism is
rarely less than 2 and required to indicate when channel security is often higher. Some hops may possible
and should be TLS
protected, some may not. used. The same publication of TLSA records allows server
operators to securely signal to SMTP TCP endpoint can serve both clients that TLS is available
and non-TLS clients, with TLS negotiated should be used. DANE TLSA makes it possible to simultaneously
discover which destination domains support secure delivery via TLS
and how to verify the authenticity of the associated SMTP services
providing a path forward to ubiquitous SMTP channel security.
1.3.1. STARTTLS
command ([RFC3207]). DNS MX records abstract the next-hop transport
end-point. downgrade attack
The Simple Mail Transfer Protocol (SMTP) [RFC5321] is a single-hop
protocol in a multi-hop store & forward email delivery process. SMTP
envelope recipient addresses are not transport addresses and are
security agnostic.
security-agnostic. Unlike HTTP, the Hypertext Transfer Protocol (HTTP) and
its corresponding secured version, HTTPS, there is no URI scheme for
email addresses to designate whether communication with the SMTP
server should be contacted
with conducted via a cleartext or without security.
A Mail Transport Agent (MTA) may need a TLS-encrypted
channel. Indeed no such URI scheme could work well with SMTP since
TLS encryption of SMTP protects email traffic on a hop-by-hop basis
while email addresses could only express end-to-end policy.
With no mechanism available to forward signal transport security policy, SMTP
relays employ a message best-effort "opportunistic" security model for TLS.
A single SMTP server TCP listening endpoint can serve both TLS and
non-TLS clients; the use of TLS is negotiated via the SMTP STARTTLS
command ([RFC3207]). The server signals TLS support to the client
over a
particular email recipient <user@example.com>. To deliver cleartext SMTP connection, and if the
message, client also supports
TLS, it may negotiate a TLS encrypted channel to use for email
transmission. The server's indication of TLS support can be easily
suppressed by a man in the MTA needs middle attacker. Thus pre-DANE SMTP TLS
security can be subverted by simply downgrading a connection to retrieve
cleartext. No TLS security feature, such as the MX hosts use of example.com from
DNS, and then deliver PKIX, can
prevent this. The attacker can simply bypass TLS.
1.3.2. Insecure server name without DNSSEC
With SMTP, DNS Mail Exchange (MX) records abstract the message next-hop
transport endpoint and allow administrators to one specify a set of them. Absent
target servers to which SMTP traffic should be directed for a given
domain.
A PKIX TLS client is vulnerable to man in the middle (MITM) attacks
unless it verifies that the server's certificate binds its public key
to its name. However, with SMTP server names are obtained indirectly
via MX records. Without DNSSEC, the MX lookup is vulnerable to man-in-the-middle MITM and
DNS cache poisoning attacks. An active attacker Active attackers can forge DNS replies
with fake MX records, and can direct traffic redirect email to a server servers with names of his
their choice. Therefore, secure verification of MX host SMTP TLS
certificates is not possible without DNSSEC. A man in the middle can also suppress the
MX host's STARTTLS EHLO response, convincing the client that
communication over TLS is unavailable.
One might try to harden STARTTLS the use of TLS with SMTP against DNS attacks
by requiring each MX host SMTP server to posess an X.509 possess a trusted certificate for
the envelope recipient domain that is obtained from rather than the message envelope and is
not subject to DNS reply forgery. MX hostname.
Unfortunately, this is impractical, as email for many domains is
handled by third parties,
which parties that are not in a position to obtain
certificates for all the domains they serve. Deployment of SNI the
Server Name Indication (SNI) extension to TLS (see [RFC6066]
Section 3.1) 3) is no panacea, since SNI key management is operationally
challenging except when the email service provider is also the
domain's registrar and its certificate issuer; this is rarely the
case for email.
Since the recipient domain name cannot be used as the SMTP server
authentication identity, and neither can the MX hostname without
DNSSEC, large scale large-scale deployment of authenticated TLS for SMTP requires
secure DNS. At this time, DNSSEC
that the DNS be secure.
Since SMTP security depends critically on DNSSEC, it is not yet widely deployed and MTA important to MTA traffic between Internet connected organizations rarely uses
TLS at all, or simply uses TLS opportunistically without
authentication
point out that consequently SMTP with DANE is the most conservative
possible trust model. It trusts only what must be trusted and protects against no
more. Adding any other trusted actors to the mix can only passive eavesdropping
attacks.
The exceptions are cases in which reduce
SMTP security. A sender may choose to harden DNSSEC for selected
high value receiving domains, by configuring explicit trust anchors
for those domains instead of relying on the sending MTA chain of trust from the
root domain. In such a case there is statically not an "additional" trusted
authority, rather the root trust anchor is replaced with a more
specific trust anchor for each of the domains in question. Detailed
discussion of DNSSEC security practices is out of scope for this
document.
1.3.3. Sender policy does not scale
Sending systems are in some cases explicitly configured to use TLS
for mail sent to specific specifically selected peer domains
and is domains. This requires
MTAs to be configured with appropriate subject names (or or certificate
content digests) digests to expect in the presented MX host certificates certificates.
Because of those domains.
Such the heavy administrative burden, such statically
configured SMTP secure channels are used rarely,
generally rarely (generally only
between domains that make bilateral arrangements with their business partners.
partners). Internet email, on the other hand, requires regularly
contacting many new domains for which security configurations can not cannot be
established in advance.
Note, the above does not apply to mail submission [RFC6409], where a
mail user agent is pre-configured to send all email to a fixed Mail
Submission Agent (MSA). Submission servers usually offer TLS and the
Mail User Agent (MUA) can be statically configured to require TLS
with its chosen MSA.
The situation changes when submission servers
are configured dynamically via SRV records (see [RFC6186] Section 6).
Applications to submission via SRV records will be discussed later in
this memo.
With little opportunity to use TLS authentication, MX hosts that
support STARTTLS often use self-signed or private CA issued X.509
certificates. Sending systems are rarely configured with a
comprehensive list of trusted CAs and do not check CRLs or implement
OCSP. In essence, they don't and can't rely on the existing public
CA PKI. This is not a result of complacency on the part SMTP server
administrators and MTA developers. Nor is it just a consequence of
the relative maturity of the SMTP infrastructure at the time that TLS
was introduced. Rather, the abstraction of the SMTP transport endpoint via DNS MX records,
often across organization boundaries, limits the use of public CA PKI
with SMTP to a small set of sender-
configured sender-configured peer domains.
This does not mean, however, With
little opportunity to use TLS authentication, sending MTAs are rarely
configured with a comprehensive list of trusted CAs. SMTP services
that the Internet email backbone cannot
benefit from TLS. The fact support STARTTLS often use X.509 certificates that transport security is not explicitly
specified in either the recipient address are self-
signed or the MX record means that
new protocols can furnish out-of-band information to SMTP, making issued by a private CA.
1.3.4. Too many certificate authorities
Even if it were generally possible to simultaneously discover both which peer domains support determine a secure delivery via TLS and how server name,
the SMTP client would still need to verify the authenticity of the
associated MX hosts. The first such mechanism that can work an
Internet scale the server's
certificate chain is DANE TLSA, but use of DANE TLSA with MTA issued by a trusted certificate authority (a
trust anchor). MTAs are not interactive applications where a human
operator can make a decision (wisely or otherwise) to MTA
SMTP must be cognizant of selectively
disable TLS security policy when certificate chain verification
fails. With no user to "click OK", the lack MTAs list of any realistic role for the
existing public CA PKI.
1.3. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are trust
anchors would need to be interpreted as described comprehensive in [RFC2119]. order to avoid bouncing
mail sites to sites employing an unknown certificate authority.
On the other hand, each trusted CA can issue certificates for any
domain. If even one of the configured CAs is compromised or operated
by an adversary, it can subvert TLS security for all destinations.
Any set of CAs is simultaneously both overly inclusive and not
inclusive enough.
2. Hardening (pre-DANE) Opportunistic TLS
This memo describes
Neither email addresses nor MX hostnames (or submission SRV records)
signal a requirement for either secure or cleartext transport.
Therefore, SMTP transport security is of necessity generally
opportunistic (barring manually configured exceptions).
This specification uses the presence of DANE TLSA records to securely
signal TLS support and to publish the means by which SMTP over clients can
successfully authenticate legitimate SMTP servers. This becomes
"opportunistic DANE TLS" and is resistant to downgrade and MITM
attacks, and enables an incremental transition of the email backbone
to authenticated TLS security, where delivery, with increased global protection as
adoption increases.
With opportunistic DANE TLS, traffic from DANE TLSA aware SMTP clients to domains
that implement publish "usable" DANE TLSA records in accordance with this memo
is secure. authenticated and encrypted. Traffic from non-compliant clients
or to
other domains continues that do not publish TLSA records will continue to be
sent in the same manner as before
(either before, via manually configured security,
(pre-DANE) opportunistic TLS or just cleartext SMTP.
2.1. DNS errors, bogus and indeterminate responses
An SMTP client that implements opportunistic DANE TLS per this
specification depends critically on the integrity of DNSSEC lookups,
as discussed in Section 1.3. This section lists the DNS resolver
requirements needed to avoid downgrade attacks when using
opportunistic DANE TLS.
A DNS lookup may signal an error or return a definitive answer. A
security-aware resolver must be used for this specification.
Security-aware resolvers will indicate the security or unauthenticated status of a DNS
RRset with one of four possible values defined in Section 4.3 of
[RFC4035]: "secure", "insecure", "bogus" and often
unencrypted). It "indeterminate". In
[RFC4035] the meaning of the "indeterminate" security status is:
An RRset for which the resolver is hoped that, over time, more not able to determine whether
the RRset should be signed, as the resolver is not able to obtain
the necessary DNSSEC RRs. This can occur when the security-aware
resolver is not able to contact security-aware name servers for
the relevant zones.
Note, the "indeterminate" security status has a conflicting
definition in section 5 of [RFC4033].
There is no trust anchor that would indicate that a specific
portion of the tree is secure.
SMTP clients following this specification SHOULD NOT distinguish
between "insecure" and "indeterminate" in the [RFC4033] sense. Both
"insecure" and RFC4033 "indeterminate" are handled identically: in
either case unvalidated data for the query domain is all that is and
can be available, and authentication using the data is impossible.
In what follows, when we say "insecure", we include also DNS results
for domains that lie in a portion of the DNS tree for which there is
no applicable trust anchor. With the DNS root zone signed, we expect
that validating resolvers used by Internet-facing MTAs will be
configured with trust anchor data for the root zone. Therefore,
RFC4033-style "indeterminate" domains should be rare in practice.
From here on, when we say "indeterminate", it is exclusively in the
sense of [RFC4035].
As noted in section 4.3 of [RFC4035], a security-aware DNS resolver
MUST be able to determine whether a given non-error DNS response is
"secure", "insecure", "bogus" or "indeterminate". It is expected
that most security-aware stub resolvers will
implement DNSSEC not signal an
"indeterminate" security status the RFC4035-sense to the application,
and publish DANE TLSA will signal a "bogus" or error result instead. If a resolver
does signal an RFC4035 "indeterminate" security status, this MUST be
treated by the SMTP client as though a "bogus" or error result had
been returned.
An MTA making use of a non-validating security-aware stub resolver
MAY use the stub resolver's ability, if available, to signal DNSSEC
validation status based on information the stub resolver has learned
from an upstream validating recursive resolver. In accordance with
section 4.9.3 of [RFC4035]:
... a security-aware stub resolver MUST NOT place any reliance on
signature validation allegedly performed on its behalf, except
when the security-aware stub resolver obtained the data in question
from a trusted security-aware recursive name server via a secure
channel.
To avoid much repetition in the text below, we will pause to explain
the handling of "bogus" or "indeterminate" DNSSEC query responses.
These are not necessarily the result of a malicious actor; they can,
for example, occur when network packets are corrupted or lost in
transit. Therefore, "bogus" or "indeterminate" replies are equated
in this memo with lookup failure.
There is an important non-failure condition we need to highlight in
addition to the obvious case of the DNS client obtaining a non-empty
"secure" or "insecure" RRset of the requested type. Namely, it is
not an error when either "secure" or "insecure" non-existence is
determined for the requested data. When a DNSSEC response with a
validation status that is either "secure" or "insecure" reports
either no records of the requested type or non-existence of the query
domain, the response is not a DNS error condition. The DNS client
has not been left without an answer; it has learned that records of
the requested type do not exist.
Security-aware stub resolvers will, of course, also signal DNS lookup
errors in other cases, for their MX hosts.
This example when processing a "ServFail"
RCODE, which will enable not have an incremental transition associated DNSSEC status. All lookup
errors are treated the same way by this specification, regardless of
whether they are from a "bogus" or "indeterminate" DNSSEC status or
from a more generic DNS error: the email backbone information that was requested can
not be obtained by the security-aware resolver at this time. A
lookup error is thus a failure to
authenticated TLS obtain the relevant RRset if it
exists, or to determine that no such RRset exists when it does not.
In contrast to a "bogus" or an "indeterminate" response, an
"insecure" DNSSEC response is not an error, rather it indicates that
the target DNS zone is either securely opted out of DNSSEC validation
or is not connected with the DNSSEC trust anchors being used.
Insecure results will leave the SMTP client with degraded channel
security, but do not stand in the way of message delivery.
Since email addresses See
section Section 2.2 for further details.
When a stub resolver receives a response containing a CNAME alias, it
will generally restart the query at the target of the alias, and
should do so recursively up to some configured or implementation-
dependent recursion limit. If at any stage of recursive CNAME
expansion a query fails, the stub resolver's lookup of the original
requested records will result in a failure status being returned. If
at any stage of recursive expansion the response is "insecure", then
it and all subsequent results (in particular, the final result) MUST
be considered "insecure" regardless of whether the other responses
received were deemed "secure". If at any stage of recursive
expansion the validation status is "bogus" or "indeterminate" or
associated with another DNS lookup error, the resolution of the
requested records MUST be considered to have failed.
When a DNS lookup failure (error or "bogus" or "indeterminate" as
defined above) prevents an SMTP client from determining which SMTP
server or servers it should connect to, message delivery MUST be
delayed. This naturally includes, for example, the case when a
"bogus" or "indeterminate" response is encountered during MX
resolution. When multiple MX hostnames (or submission SRV records)
neither signal nor deny support are obtained from a
successful MX lookup, but a later DNS lookup failure prevents network
address resolution for TLS by the receiving domain, it a given MX hostname, delivery may proceed via
any remaining MX hosts.
When a particular SMTP server is possible selected as the delivery
destination, a set of DNS lookups must be performed to use DANE discover any
related TLSA records. If any DNS queries used to locate TLSA records
fail (be it due to securely signal TLS support "bogus" or "indeterminate" records, timeouts,
malformed replies, ServFails, etc.), then the SMTP client MUST treat
that server as unreachable and simultaneously to provide MUST NOT deliver the means message via that
server. If no servers are reachable, delivery is delayed.
In what follows, we will only describe what happens when all relevant
DNS queries succeed. If any DNS failure occurs, the SMTP client MUST
behave as described in this section, by which skipping the problem SMTP
server, or the problem destination. Queries for candidate TLSA
records are explicitly part of "all relevant DNS queries" and SMTP
clients can
successfully authenticate legitimate MUST NOT continue to connect to an SMTP servers.
2.1. server or destination
whose TLSA record lookup fails.
2.2. TLS discovery
As noted previously (Section 1.2), (in Section 1.3.1), opportunistic TLS with SMTP
servers that advertise TLS support via STARTTLS is subject to a man
in the middle an MITM
downgrade attack. Some Also some SMTP servers erroneously
advertise STARTTLS in default configurations that are not, in fact, TLS capable,
capable erroneously advertise STARTTLS by default and clients need to
be prepared to retry plaintext cleartext delivery after STARTTLS fails. This memo specifies a downgrade
resistant mechanism that allows a server to advertise TLS support
based on DANE TLSA records. In
contrast, DNSSEC validated TLSA records are
unlikely to MUST NOT be accidentally published for
servers that do not in fact support TLS, and thus clients TLS. Clients can safely interpret their
presence as a commitment by the server operator to implement TLS and
STARTTLS.
SMTP is
This memo defines four actions to be taken after the search for a store & forward protocol. An MTA that
TLSA record returns secure usable results, secure unusable results,
insecure or no results or an error signal. The term "usable" in this
context is not in the final
destination sense of Section 4.1 of [RFC6698]. Specifically,
if the DNS lookup for a message recipient forwards the message TLSA record returns:
A secure TLSA RRset with at least one hop
closer usable record: A connection to
the recipient's mailbox. To do so, it must determine the
appropriate next-hop destination, MTA MUST be made using authenticated and locate one or more associated
SMTP servers. When DNSSEC validated TLSA records are available for a
given next-hop SMTP server, encrypted TLS, using
the techniques discussed in the rest of this document. Failure to
establish an authenticated TLS connection MUST result in falling
back to that the next SMTP server will be
downgrade resistant. If or delayed delivery.
A Secure non-empty TLSA RRset where all the records in question are "usable"
([RFC6698], Section 4.1) to authenticate the server, the unusable: A
connection
will also be authenticated and thus immune to eavesdropping or
tampering (unless DNSSEC itself is compromised).
Typically, the next-hop destination will MTA MUST be the domain part of the
recipient address, which made via TLS, but authentication is then subject
not required. Failure to MX resolution. The next-
hop destination may also be configured by the MTA administrator establish an encrypted TLS connection
MUST result in falling back to be
a next-hop destination host (explicitly exempt from MX resolution), the next SMTP server or a next-hop destination domain (subject delayed
delivery.
An insecure TLSA RRset or DNSSEC validated proof-of-non-existent TLSA
records:
A connection to MX resolution) which
takes the place of the domain part of the recipient address.
The protocol in this memo is "opportunistic"; it should MTA SHOULD be used
whenever possible but communication should continue made using (pre-DANE)
opportunistic TLS, this includes using cleartext delivery when it is the
remote SMTP server does not
available. Absent "secure" (DNSSEC validated) TLSA records, mail
delivery should fall back appear to pre-DANE opportunistic support TLS. The MTA may
optionally retry in cleartext when a TLS handshake fails.
Any lookup error: Lookup errors, including "bogus" and
"indeterminate", as explained in Section 2.1 MUST result in
falling back to the next SMTP server or delayed delivery.
An SMTP client MAY be configured to require DANE verified delivery
for some
or all destinations, in which case mail delivery destinations. We will be deferred call such a configuration "mandatory
DANE TLS". With mandatory DANE TLS, delivery proceeds only when
"secure" TLSA records are absent.
Below we explain how used to determine for a given next-hop destination establish an encrypted and
authenticated TLS channel with the associated SMTP servers, server.
An operational error on the TLSA base domain sending or receiving side that cannot be
corrected in a timely manner may, at times, lead to consistent
failure to deliver time-sensitive email. The sending MTA
administrator may have to choose between letting email queue until
the error is resolved and TLSA records.
2.1.1. Non-MX destinations
As mentioned above, disabling opportunistic or mandatory DANE
TLS for one or more destinations. The choice to disable DANE TLS
security should not be made lightly. Every reasonable effort should
be made to determine that problems with mail delivery are the next-hop destination domain result
of an operational error, and not an attack. A fallback strategy may in some cases
be exempt from MX lookups. In addition, MX lookups for to configure explicit out-of-band TLS security settings if
supported by the next-hop sending MTA.
A note about DNAME aliases: a query for a domain may yield no results. In either case, name whose ancestor
domain is a DNAME alias returns the destination server DNAME RR for such the ancestor domain,
along with a CNAME that maps the query domain is determined by looking up to the corresponding A or
AAAA records.
When "bogus" records are encountered either during
sub-domain of the target domain of the DNAME alias. Therefore,
whenever we speak of CNAME expansion,
or when retrieving aliases, we implicitly allow for the associated TLSA RRset,
possibility that the alias in question is the result of an ancestor
domain DNAME record. Consequently, no explicit support for DNAME
records is needed in SMTP client MUST
proceed as if software, it is sufficient to process the
resulting CNAME aliases. DNAME records only require special
processing in the validating stub-resolver library that checks the
integrity of the combined DNAME + CNAME reply. When DNSSEC
validation is handled by a local caching resolver, rather than the
MTA itself, even that part of the DNAME support logic is outside the
MTA.
When the original next-hop domain were unreachable. destination is an address literal, rather
than a DNS domain, DANE TLS does not apply. Delivery should
either be deferred or may be attempted via proceeds using
any fallback next-hop relevant security policy configured by the SMTP client MTA administrator. Fallback
Similarly, when an MX RRset incorrectly lists an network address in
lieu of an MX hostname, if the MTA chooses to connect to the network
address DANE TLSA does not apply for such a connection.
In the subsections that follow we explain how to locate the SMTP
servers and the associated TLSA records for a given next-hop
destinations may
destination domain. We also employ opportunistic explain which name or names are to be
used in identity checks of the SMTP server certificate.
2.2.1. MX resolution
In this section we consider next-hop domains that are subject to MX
resolution and have MX records. The TLSA records and the associated
base domain are derived separately for each MX hostname that is used
to attempt message delivery. Clearly, if DANE TLS. Proceeding TLS security is to
apply to message delivery via any of the SMTP servers, the MX records
must be obtained securely via a DNSSEC validated MX lookup.
MX records MUST be sorted by preference; an MX hostname with a worse
(numerically higher) MX preference that has TLSA records MUST NOT
preempt an MX hostname with a better (numerically lower) preference
that has no TLSA records. In other words, prevention of delivery
loops by obeying MX preferences MUST take precedence over channel
security considerations. Even with two equal preference MX records,
an MTA is not obligated to choose the original next-hop despite "bogus" DNS responses would destroy
protection against downgrade attacks.
Following MX hostname that offers more
security. Domains that want secure inbound mail delivery need to
ensure that all their SMTP servers and MX records are configured
accordingly.
In the language of [RFC5321] Section 5.1, if the A or AAAA original next-hop
domain is the "initial name". If the MX lookup of the initial name yields
results in a CNAME, we replace it with CNAME alias, the resulting name as
if it were MTA replaces the initial name with the
resulting name and perform performs a new lookup again using with the new name. This replacement is performed recursively, although MTAs
typically support only limited recursion in CNAME expansion. We
consider expansion, so this replacement
is performed repeatedly until the following cases:
Non-CNAME: The next-hop destination ultimate non-CNAME domain is not a CNAME alias.
The lookup key for found.
If the DNSSEC validated TLSA records is obtained
by prepending service labels ("_<port-number>._tcp") MX RRset (or any CNAME leading to the
initial next-hop destination domain. If associated "secure" TLSA
records are found it) is "insecure" (see
Section 2.1.3) 2.1), DANE TLS does not apply, and delivery proceeds via pre-
DANE opportunistic TLS. Otherwise (assuming no DNS errors or "bogus"
/"indeterminate" responses), the TLSA base domain MX RRset is "secure", and the
next-hop domain. If SMTP
client MUST treat each MX hostname as a separate non-MX destination
for opportunistic DANE TLS as described in Section 2.2.2. When, for
a given MX hostname, no secure TLSA records are found,
opportunistic or only "insecure"
TLSA records are found, DANE TLS TLSA is not applicable with the SMTP
server in question and mail delivery proceeds to that host as with pre-DANE pre-
DANE opportunistic TLS.
Insecure CNAME: The next-hop destination domain is a CNAME alias,
but at least one of To avoid downgrade attacks, any errors
during TLSA lookups MUST, as explained in Section 2.1, cause the CNAME RRs leading SMTP
server in question to be treated as unreachable.
2.2.2. Non-MX destinations
This section describes the ultimate target
of this alias (during recursive CNAME expansion) is "insecure".
We treat this case just like algorithm used to locate the non-CNAME case above.
Secure CNAME, no TLSA: The TLSA records
and associated TLSA base domain for an input domain not subject to MX
resolution. Such domains include:
o Each MX hostname used in a message delivery attempt for an
original next-hop destination domain is a CNAME
alias, and all the CNAME RRs leading subject to the ultimate target of
this alias (during recursive CNAME expansion) are "secure" (DNSSEC
validated), but no "secure" TLSA RRs MX resolution.
Note, MTAs are found after prefixing the
service labels not obligated to the CNAME-expanded next-hop domain. support CNAME expansion of MX
hostnames.
o Any administrator configured relay hostname, not subject to MX
resolution. This case
is also treated just like frequently involves configuration set by the non-CNAME case.
Secure CNAME, TLSA: The MTA
administrator to handle some or all mail.
o A next-hop destination domain is a CNAME
alias, all the CNAME RRs leading to the ultimate target of this
alias (during recursive CNAME expansion) are "secure", and in
addition "secure" TLSA RRs are found after prefixing the service
labels subject to the CNAME-expanded next-hop domain. MX resolution that has no
MX records. In this case the
CNAME-expanded next-hop domain is taken as the TLSA base domain.
The original next-hop domain is (see Section 2.2.2) used only as
an alternative domain's name in certificate peername verification if
applicable.
In summary, if it is possible to securely obtain the full, CNAME-
expanded, DNSSEC-validated address records for implicitly also the non-MX next-hop
domain then
hostname of its sole SMTP server.
Note that name is the preferred DNS queries with type TLSA base domain. If are mishandled by load balancing
nameservers that is
not possible, then the original next-hop domain is used as serve the TLSA
base domain. When MX hostnames of some large email
providers. The DNS zones served by these nameservers are not signed
and contain no "secure" TLSA records, but queries for TLSA records fail,
rather than returning the non-existence of the requested TLSA
records.
To avoid problems delivering mail to domains whose SMTP servers are found at either
served by the
CNAME expanded or original next-hop domain, then opportunistic DANE
TLS does not apply problem nameservers the SMTP client MUST perform any A
and/or AAAA queries for mail delivery to the non-MX destination in
question.
2.1.2. MX resolution
In this section we consider next-hop domains that are subject before attempting to MX
resolution and have MX locate
the associated TLSA records. When DANE TLS This lookup is applicable, needed in any case to
determine whether the
TLSA base destination domain will be associated with the MX host selected for
message delivery. Therefore, is reachable and the MX host names must be determined
securely by performing a DNSSEC validated MX lookup to obtain
validation status of each stage of the
list chain of associated MX hosts. CNAME queries
required to reach the final result.
If no address records are found, the MX RRset is "insecure", DANE
TLSA does not apply and mail delivery proceeds with pre-DANE
opportunistic TLS (subject to its various MITM attacks and unecrypted
transmission when STARTTLS destination is not supported by the destination).
When "bogus" DNSSEC unreachable. If
address records are encountered during CNAME expansion of found, but the next-hop domain or when processing DNSSEC validation status of the actual MX RRset, delivery
MUST either be deferred, or MAY be attempted via any fallback next-
hop (which
first query response is "insecure" (there may also employ opportunistic DANE TLS) configured by be additional queries
if the initial response is a CNAME alias), the SMTP client administrator. Proceeding with SHOULD NOT
proceed to search for any associated TLSA records. With the original next-hop
despite "bogus" DNS responses would destroy protection against
downgrade attacks. When "bogus" DNSSEC records are encountered with
CNAME expansion or problem
domains, TLSA RRset queries will lead to DNS lookup for a particular MX host,
delivery MUST proceed as if MX host in question were unreachable.
MX records MUST errors and cause
messages to be sorted by preference; an MX host with a better
preference consistently delayed and no ultimately returned to the
sender. We don't expect to find any "secure" TLSA records MUST NOT be preempted by a host associated
with a
worse MX preference but with TLSA records. In other words, avoiding
delivery loops by following MX preferences must take place even if it
means insecure delivery.
In accordance base domain that lies in an unsigned DNS zone.
Therefore, skipping TLSA lookups in this case will also reduce
latency with Section 5.1 of [RFC5321], if no detrimental impact on security.
If the MX A and/or AAAA lookup of the
initial name "initial name" yields a CNAME, we
replace the initial name it with the resulting name as if it were the initial name and
perform a new lookup with again using the new name. MTAs
typically support recursion in CNAME expansion, so this This replacement is
performed repeatedly until the ultimate non-CNAME domain is found
(or recursively.
We consider the limit on following cases for handling a DNS response for an A
or AAAA DNS lookup:
Not found: When the number of CNAMEs to examine is reached). If at
any stage DNS queries for A and/or AAAA records yield
neither a list of addresses nor a CNAME (or CNAME expansion the DNS result is "bogus", MX resolution
fails with a temporary error. In that case, mail delivery MUST
either be deferred, or attempted via any alternative delivery channel
configured by the MTA administrator. We consider not
supported) the following
cases: destination is unreachable.
Non-CNAME: The next-hop destination domain answer is not a CNAME alias,
that is, it resolves directly to a set of DNSSEC validated
("secure") MX hosts. With each MX host, if MX host CNAME
expansion is supported by the MTA, and the full CNAME expansion of alias. If the MX host name address RRset
is "secure", then the CNAME expanded MX host name
is the TLSA base domain provided secure TLSA records lookups are found
there after prefixing service labels ("_<port-number>._tcp").
Otherwise, performed as described in
Section 2.2.3 with the initial MX host name is the TLSA base domain
provided secure TLSA records are found there after prefixing
service labels. With the MX hostname (or its CNAME expansion) as the candidate TLSA base domain, the original next-hop domain SHOULD be used
only in certificate name checks.
domain. If no "secure" TLSA RRs records are found, and no "bogus" records encountered, DANE TLSA TLS is not
applicable with the MX host in question and mail delivery proceeds as with pre-DANE opportunistic TLS.
TLS (which, being best-effort, degrades to cleartext delivery when
STARTTLS is not available or the TLS handshake fails).
Insecure CNAME: The next-hop destination input domain is a CNAME alias, and
resolves via a chain of "secure" but the ultimate
network address RRset is "insecure" (see Section 2.1). If the
initial CNAME records to a final domain
with "secure" MX records. The TLSA base domain for each MX host
in response is also "insecure", DANE TLS does not
apply. Otherwise, this case is treated just like the same as in the "Non-CNAME" non-CNAME
case above, but now
both where a search is performed for a TLSA record with the initial
original input domain and its CNAME-expansion are candidate
names in certificate name checks. If as the CNAME chain contains
"insecure" elements, DANE candidate TLSA does not apply to the next-hop
domain, base domain.
Secure CNAME: The input domain is a CNAME alias, and delivery proceeds via pre-DANE opportunistic TLS.
Note: CNAMEs are not legal in the exchange field of MX records, thus
MTAs are not obligated to perform MX exchange CNAME expansion. If an
MTA does not perform CNAME expansion, there ultimate
network address RRset is potential risk, that "secure" (see Section 2.1). Two
candidate TLSA base domains are tried: the MTA may fail to notice that fully CNAME-expanded
initial name and, failing that, then the initial name itself.
In summary, if it is one of possible to securely obtain the MX hosts full, CNAME-
expanded, DNSSEC-validated address records for the
destination and input domain, then
that it must skip MX name is the preferred TLSA base domain. Otherwise, the
unexpanded input-MX domain is the candidate TLSA base domain. When
no "secure" TLSA records with equal are found at either the CNAME-expanded or worse
(numerically higher precedence). If an MTA
unexpanded domain, then DANE TLS does allow CNAMEs to be
used not apply for mail delivery via
the input domain in MX records, it SHOULD process them recursively question. And, as described
above to determine always, errors, bogus or
indeterminate results for any query in the most appropriate TLSA RRset base domain.
2.1.3. process MUST result in
delaying or abandoning delivery.
2.2.3. TLSA record lookup
Each candidate TLSA base domain obtained above (for (the original or fully CNAME-expanded
name of a non-MX destination, destination or
for a particular MX host hostname of an MX destination), when
destination) is in turn prefixed with
appropriate service labels leads to associated "secure" TLSA RRs
(possibly via a chain of "secure" CNAME RRs). If, for example, the
base form
"_<port>._tcp". The resulting domain name is "mail.example.com", the TLSA RRset is obtained via used to issue a DNSSEC
query of with the form:
_25._tcp.mail.example.com. IN query type set to TLSA ?
Typically, ([RFC6698] Section 7.1).
For SMTP, the destination TCP port is typically 25, but this may be
different with custom routes specified by the MTA administrator or when an MUA
connects to a submission server on port 587. administrator. The
SMTP client MUST use the appropriate "_<port-number>" number in the "_<port>" prefix
in place of "_25" when "_25". If, for example, the port number candidate base domain is
"mail.example.com", and the SMTP connection is not equal to 25. port 25, the TLSA
RRset is obtained via a DNSSEC query of the form:
_25._tcp.mail.example.com. IN TLSA ?
The query response may be a
CNAME (or a DNAME + CNAME combination), CNAME, or the actual TLSA RRset. If the
record
response is a CNAME or DNAME, CNAME, the SMTP client (through the use of its
security-aware stub resolver) restarts the TLSA query at the target
domain, following CNAMEs as appropriate.
CNAMEs encountered during appropriate and keeping track of whether
the entire chain is "secure". If any "insecure" records are
encountered, or the TLSA record lookups can records don't exist, the next candidate TLSA
base is tried instead.
If the ultimate response is a "secure" TLSA RRset, then the candidate
TLSA base domain will be used the actual TLSA base domain and the TLSA
RRset will constitute the TLSA records for the destination. If none
of the candidate TLSA base domains yield "secure" TLSA records then
delivery should proceed via pre-DANE opportunistic TLS.
TLSA record publishers may leverage CNAMEs to share reference a single
authoritative TLSA RRset specifying a common certificate authority or
a common leaf end entity certificate for to be used with multiple TLS
services. Such CNAME expansion does not change the SMTP client's
notion of the TLSA base
domain, thus domain; thus, when _25._tcp.mail.example.com
is a CNAME CNAME, the base domain remains mail.example.com and is still the
name used in peer certificate name checks.
Note, shared end entity certificate associations expose the
publishing domain to substitution attacks, where an MITM attacker can
reroute traffic to a different server that shares the same end entity
certificate. Such shared end entity records should be avoided unless
the servers in question are interchangeable.
For example: example, given the DNSSEC validated records below:
example.com. IN MX 0 mail.example.com.
example.com. IN MX 0 mail2.example.com.
_25._tcp.mail.example.com. IN CNAME 2.1.1._dane.example.com. tlsa211._dane.example.com.
_25._tcp.mail2.example.com. IN CNAME 2.1.1._dane.example.com.
2.1.1._dane.example.com. tlsa211._dane.example.com.
tlsa211._dane.example.com. IN TLSA 2 1 1 e3b0c44298fc1c14
9afbf4c8996fb924
27ae41e4649b934c
a495991b7852b855
Here, e3b0c44298fc1c14....
The SMTP servers mail.example.com and mail2.example.com will be
expected to have certificates issued under a common trust-anchor, trust anchor, but
each MX host's hostname's TLSA base domain remains its hostname and MUST match unchanged despite the
above CNAME records. Each SMTP server's certificate subject name (or
one of the subject alternative name) in its certificate. names) is expected to match either the
corresponding MX hostname or else "example.com".
If, after during TLSA resolution (including possible CNAME indirection, indirection), at
least one "secure" TLSA record is found (even if not usable because
it is unsupported by the implementation or support is
administratively disabled) disabled), then the next-hop corresponding host has
committed signaled
its commitment to TLS support. implement TLS. The SMTP client SHOULD NOT deliver
mail via such a next-hop the corresponding host unless a TLS session is negotiated
via STARTTLS. This avoids man in the middle is required to avoid MITM STARTTLS downgrade
attacks.
As noted previously (Section 2.1.1, (in Section Section 2.1.2), 2.2.2), when no "secure" TLSA
records are found at a the fully CNAME-expanded name (due to an insecure
response or a lack of TLSA records verified by DNSSEC's proof-of-non-
existence), name, the original
unexpanded name MUST be tried instead. This supports
clients customers of
hosting providers where the provider's zone is not DNSSEC
validated, cannot be validated with
DNSSEC, but the client customer has shared appropriate key material with the
hosting provider to enable TLS via SNI.
SMTP clients may deploy opportunistic Intermediate names that
arise during CNAME expansion that are neither the original, nor the
final name, are never candidate TLSA base domains, even if "secure".
2.3. DANE TLS incrementally by
enabling it only for selected sites, or may occasionally need authentication
This section describes which TLSA records are applicable to
disable SMTP
opportunistic DANE TLS for peers that fail and how to interoperate
due apply such records to misconfiguration or software defects on either end. Unless
local policy specifies that authenticate
the SMTP server. With opportunistic DANE TLS, both the TLS support
implied by the presence of DANE TLSA records and the verification
parameters necessary to authenticate the TLS peer are obtained
together, therefore authentication via this protocol is not expected to
be used
for a particular destination, less prone to connection failure caused by incompatible
configuration of the client MUST NOT deliver mail via a
server whose and server.
2.3.1. TLSA certificate chain fails to match at least one usages
The DANE TLSA
record when usable specification [RFC6698] defines multiple TLSA records are available.
SMTP clients employing opportunistic DANE TLS and RR types
via combinations of 3 numeric parameters. The numeric values of
these parameters were later given symbolic names in
[I-D.ietf-dane-registry-acronyms]. The rest of the TLSA record
publishers for SMTP servers need to follow is
the guidance outlined in
[I-D.ietf-dane-ops]'s "Certificate Name Check Conventions", "Service
Provider "certificate association data field", which specifies the full or
digest value of a certificate or public key. The parameters are:
The TLSA Certificate Usage field: Section 2.1.1 of [RFC6698]
specifies 4 values: PKIX-TA(0), PKIX-EE(1), DANE-TA(2), and DANE-
EE(3). There is an additional private-use value: PrivCert(255).
All other values are reserved for use by future specifications.
The selector field: Section 2.1.2 of [RFC6698] specifies 2 values:
Cert(0), SPKI(1). There is an additional private-use value:
PrivSel(255). All other values are reserved for use by future
specifications.
The matching type field: Section 2.1.3 of [RFC6698] specifies 3
values: Full(0), SHA2-256(1), SHA2-512(2). There is an additional
private-use value: PrivMatch(255). All other values are reserved
for use by future specifications.
We may think of TLSA Publisher Synchronization" Certificate Usage values 0 through 3 as a
combination of two one-bit flags. The low bit chooses between trust
anchor (TA) and "TLSA Base Domain end entity (EE) certificates. The high bit chooses
between public PKI issued and CNAMEs" sections.
2.2. DANE authentication
2.2.1. domain-issued certificates.
The selector field specifies whether the TLSA RR matches the whole
certificate: Cert(0), or just its subjectPublicKeyInfo: SPKI(1). The
subjectPublicKeyInfo is an ASN.1 DER encoding of the certificate's
algorithm id, any parameters and the public key data.
The matching type field specifies how the TLSA RR Certificate
Association Data field is to be compared with the certificate usages or
public key. A value of Full(0) means an exact match: the full DER
encoding of the certificate or public key is given in the TLSA Publishers should follow RR. A
value of SHA2-256(1) means that the association data matches the
SHA2-256 digest of the certificate or public key, and likewise
SHA2-512(2) means a SHA2-512 digest is used.
The certificate usage element of a TLSA publication size guidance
found record plays a critical role
in [I-D.ietf-dane-ops] about "DANE DNS Record Size Guidelines".
2.2.1.1. determining how the corresponding certificate association data
field is used to authenticate server's certificate chain. The next
two subsections explain the process for certificate usages DANE-EE(3)
and DANE-TA(2). The third subsection briefly explains why
certificate usages PKIX-TA(0) and PKIX-EE(1) are not applicable with
opportunistic DANE TLS.
2.3.1.1. Certificate usage 3 DANE-EE(3)
Since opportunistic DANE TLS will be used by non-interactive MTAs,
with no user to "press OK" when authentication fails, reliability of
peer authentication is paramount. TLSA records published for SMTP
servers SHOULD be "3 1 1" records to support opportunistic SMTP over
TLS with DANE. This record specifies the SHA-256 digest of the
server's public key. Since all DANE implementations are required to
support SHA-256, this record works for all clients and need not
change across certificate renewals with the same key.
Authentication via certificate usage "3" DANE-EE(3) TLSA records involves
simply checking that the server's leaf certificate matches the TLSA
record. Other than extracting the relevant certificate elements for
comparison, no other use is made of the certificate content.
Authentication via certificate usage "3" DANE-EE(3) TLSA records involves
no certificate authority signature checks. It also involves no
server name checks, and thus does not impose any new requirements on
the names contained in the server certificate (SNI is not required
when the TLSA record matches the server's default certificate).
Two TLSA records will need to MUST be published before updating a server's public
key, one matching the currently deployed key and the other matching
the new key scheduled to replace it. Once sufficient time has
elapsed for all DNS caches to time out expire the previous TLSA RRset,
which contains only the old key, RRset and
related signature RRsets, the server may be reconfigured to use the
new private key and associated public key certificate. The
amount of time a server should wait before using a new key that is
referenced by new TLSA records should be at least twice the TTL of
the previously published TLSA records. Once the
server is using a the new key, the obsolete TLSA RR that matches the retired key
can be removed from DNS, leaving only the RR that matches the new
key.
2.2.1.2.
TLSA records published for SMTP servers SHOULD, in most cases, be
"DANE-EE(3) DANE(SPKI) SHA2-256(1)" records. Since all DANE
implementations are required to support SHA2-256, this record works
for all clients and need not change across certificate renewals with
the same key.
2.3.1.2. Certificate usage 2 DANE-TA(2)
Some domains may prefer to reduce avoid the operational complexity of
publishing unique TLSA RRs for each TLS service. If the domain
employs a common issuing certificate authority Certificate Authority to create certificates
for multiple TLS services, it may be simpler to publish the issuing
authority's public key
authority as a trust-anchor trust anchor (TA) for the certificate chains of all
relevant services. The TLSA RRs query domain (TLSA base domain with port
and protocol prefix labels) for each service issued by the same TA
may then be CNAMEs set to a CNAME alias that points to a common TLSA RRset
that matches the TA. In this case,
SMTP servers that rely on certificate usage DANE-TA(2) TLSA records
for TLS authentication MUST include the TA certificate as part of the
certificate chain presented in the TLS handshake server certificate
message even when it is a self-signed root certificate. At this
time, many SMTP servers are not configured with a comprehensive list
of each service SHOULD include trust anchors, nor are they expected to at any point in the
future. Some MTAs will ignore all locally trusted certificates when
processing usage DANE-TA(2) TLSA records. Thus even when the TA certificate, as SMTP
clients cannot generally
happens to be expected a public Certificate Authority known to have domain-issued trust-
anchor certificates the SMTP
client, authentication is likely to fail unless the TA is included in their trusted
the TLS server certificate store. message.
TLSA Publishers should publish either "2 1 1" or "2 0 1" "DANE-TA(2) SPKI(1) Full(0)" or
"DANE-TA(2) Cert(0) SHA2-256(1)" TLSA parameters,
which specify the SHA-256 digest of the trust-anchor public key or
certificate respectively. parameters. As with leaf
certificate rollover discussed in Section 2.2.1.1, 2.3.1.1, two such TLSA RRs
need to be published to facilitate TA certificate rollover.
The usability of "2 1 1" or "2 0 1" TLSA RRs with SMTP is not
assured. If server operators employing these RRs universally ensure
that the corresponding TA certificate is included in the SMTP
server's TLS handshake certificate chain, clients can safely enable
support for these RRs. If sufficiently many server administrators
negligently omit the TA certificate from the server's TLS certificate
chain, SMTP clients will be hesitant to support usage "2" TLSA RRs,
since mail delivery will not work to many destination domains if they
do. Server operators are encouraged to implement these RRs, if they
are operationally a better fit for their organization, provided they
do so with care. It is critical to not forget to include trust-
anchor certificates in server trust chains. SMTP client
implementations SHOULD support these TLSA RRs, unless, despite the
above warning, a non-trivial fraction of server operators fail to
publish certificate chains that include the required TA certificate.
2.2.1.3.
2.3.1.3. Certificate usages 0 PKIX-TA(0) and 1 PKIX-EE(1)
SMTP servers SHOULD NOT publish TLSA RRs with certificate usage "0"
"PKIX-TA(0)" or "1". "PKIX-EE(1)". SMTP clients cannot be expected to be
configured with a suitably complete set of trusted public CAs. Even
with a full set of public CAs, SMTP clients cannot (without relying
on DNSSEC for secure MX records) records and DANE for STARTTLS support
signalling) perform [RFC6125] server identity verification. verification or prevent
STARTTLS downgrade attacks. The use of trusted public CAs offers no
added security since an attacker capable of compromising DNSSEC is
free to replace any PKIX-TA(0) or PKIX-EE(1) TLSA records with
records bearing any convenient non-PKIX certificate usage.
SMTP client treatment of TLSA RRs with certificate usages "0" "PKIX-
TA(0)" or "1" "PKIX-EE(1)" is undefined. For example, clients MAY (will
likely) treat such TLSA records as unusable.
2.2.2.
2.3.2. Certificate matching
When at least one usable "secure" TLSA record is found, the SMTP
client SHOULD use TLSA records to authenticate the next-hop host,
mail SMTP server.
Messages SHOULD not NOT be delivered via this next-hop host the SMTP server if
authentication fails, otherwise the SMTP client is vulnerable to TLS man in the
middle MITM
attacks.
To match a server via a TLSA record with certificate usage "2", DANE-
TA(2), the client MUST perform name checks to ensure that it has
reached the correct server. In all cases the SMTP client MUST accept
the TLSA base domain as a valid DNS name in the server certificate.
MX:
TLSA records for MX hostnames: If the TLSA base domain was obtained
indirectly via an MX lookup
(it is the (including any CNAME-expanded name of
an MX exchange that may be securely CNAME
expanded), hostname), then the initial query name original next-hop domain used in the MX
lookup
SHOULD MUST be accepted in the peer certificate. The CNAME-expanded
initial query name SHOULD CNAME-
expanded original next-hop domain MUST also be accepted if
different from the initial query name.
Non-MX:
TLSA records for Non-MX hostnames: If no MX records were found not used
(e.g., if none exist) and the TLSA base domain is the
CNAME-expanded initial query name, CNAME-
expanded original next-hop domain, then the initial query name
SHOULD original next-hop
domain MUST also be accepted.
Accepting certificates with the original next-hop domain in addition
to the
next-hop MX host hostname allows a domain with multiple MX hosts hostnames to
field a single certificate bearing the email a single domain name (i.e., the
email domain) across all the MX
hosts, this is SMTP servers. This also compatible aids inter-
operability with pre-DANE SMTP clients that are configured to look
for the email domain name in server certificates. For example, with
"secure" DNS records as below:
exchange.example.org. IN CNAME mail.example.org.
mail.example.org. IN CNAME example.com.
example.com. IN MX 10 mx10.example.com.
example.com. IN MX 15 mx15.example.com.
example.com. IN MX 20 mx20.example.com.
;
mx10.example.com. IN A 192.0.2.10
_25._tcp.mx10.example.com. IN TLSA 2 0 1 ...
;
mx15.example.com. IN CNAME mxbackup.example.com.
mxbackup.example.com. IN A 192.0.2.15
; _25._tcp.mxbackup.example.com. IN TLSA ? (NXDOMAIN)
_25._tcp.mx15.example.com. IN TLSA 2 0 1 ...
;
mx20.example.com. IN CNAME mxbackup.example.net.
mxbackup.example.net. IN A 198.51.100.20
_25._tcp.mxbackup.example.net. IN TLSA 2 0 1 ...
Certificate name checks for delivery of mail to exchange.example.org
via any of the associated SMTP servers MUST accept at least the names
"exchange.example.org" and "example.com", which are respectively the
original and fully expanded next-hop domain. When the SMTP server is
mx10.example.com, name checks MUST accept the TLSA base domain
"mx10.example.com". If, despite the fact that MX hostnames are
required to not be aliases, the MTA supports delivery via
"mx15.example.com" or "mx20.example.com" then name checks MUST accept
the respective TLSA base domains "mx15.example.com" and
"mxbackup.example.net".
The SMTP client MUST NOT perform certificate usage name checks with
certificate usage "3", DANE-EE(3), since with usage "3" DANE-EE(3) the server
is authenticated directly by matching the TLSA RRset to its
certificate or public key without resort resorting to any issuing authority.
The certificate content is ignored except in so far as it is used to match the certificate or
public key (ASN.1 object DER encoding or its digest) with the TLSA RRset.
To ensure that the server sends the right certificate chain, the SMTP
client MUST send the TLS SNI extension containing the TLSA base
domain. This precludes the use of SSLv2-compatible the backward compatible SSL 2.0
compatible SSL HELLO by the SMTP client. The minimum SSL/TLS client
HELLO version for SMTP clients performing DANE authentication is SSLv3. SSL
3.0, but a client that offers SSL 3.0 MUST also offer at least TLS
1.0 and MUST include the SNI extension. Servers that don't make use
of SNI MAY negotiate SSL 3.0 if offered by the client.
Each SMTP server MUST present a certificate chain (see [RFC2246] [RFC5246]
Section 7.4.2) that matches at least one of the TLSA records. The
server MAY rely on SNI to determine which certificate chain to
present to the client. Clients that don't send SNI information may
not see the expected certificate chain.
If the server's TLSA RRset includes records with a matching type
indicating a digest record (i.e., a value other than "0"), the
SHA-256 digest of any object Full(0)), a TLSA
record with a SHA2-256(1) matching type SHOULD be provided along with
any other digest published, since some SMTP clients may support only SHA-256. Unless
SHA-256 proves vulnerable to a "second preimage" attack, it should be
the only digest algorithm used in TLSA records.
SHA2-256(1).
If the server's TLSA records match the server's default certificate
chain, the server need not support SNI. The In either case, the server
need not include the SNI extension in its TLS HELLO, HELLO as simply
returning a matching certificate chain is sufficient. Servers MUST
NOT enforce the use of SNI by clients, if as the client may be using
unauthenticated opportunistic TLS and may not expect any particular
certificate from the server. If the client sends no SNI extension,
or sends an SNI extension for an unsupported domain domain, the server MUST
simply use send its default certificate chain. The client may be using unauthenticated
opportunistic TLS and may reason for not expect any particular certificate from
enforcing strict matching of the server. requested SNI hostname is that DANE
TLS clients are typically willing to accept multiple server names,
but can only send one name in the SNI extension. The server's
default certificate may match a different name acceptable to the
client, e.g., the original next-hop domain.
An SMTP client employing pre-DANE opportunistic TLS MAY include some
anonymous TLS ciphersuites cipher suites in its SSL
HELO. MX hosts that receive email from the Internet MUST
interoperate with opportunistic TLS SMTP clients. If they advertise
support for STARTTLS HELLO in their addition to at least
one non-anonymous cipher suite (since servers often do support any of
the anonymous ones). Therefore, an SMTP EHLO response, they server MUST either select
some suitable non-anonymous cipher suite offered by the client, or if
it selects an anonymous cipher suite, it MUST NOT fail to complete
the TLS handshake merely because the SMTP client offered
some ciphersuites an anonymous cipher suite was chosen.
Note that do not provide for server authentication.
While while SMTP server operators are under no obligation to implement or
enable anonymous ciphers, cipher suites, no security is gained by sending
certificates
clients are willing to ignore. clients that will ignore them. Indeed support for
anonymous
ciphersuites cipher suites in the server makes audit trails more useful when the
chosen ciphersuite is logged, as this will in many cases
informative. Log entries that record which connections that employed an
anonymous cipher suite record the fact that the clients did not care
to authenticate the server. For example, the
Postfix SMTP server enables anonymous TLS ciphersuites by default,
and the Postfix SMTP client offers these at its highest preference
when server authentication is not applicable.
With opportunistic DANE TLS, both the TLS support implied by the
presence of DANE TLSA records and the verification parameters
necessary to authenticate the TLS peer are obtained together,
therefore authentication via this protocol is expected to be less
prone to connection failure caused by incompatible configuration of
the client and server.
2.2.3.
2.3.3. Digest algorithm agility
While [RFC6698] specifies multiple digest algorithms, it does not
explicitly
specify a protocol by which the SMTP client and TLSA record publisher
can agree on the strongest shared algorithm. Such a protocol would
allow the client and server to avoid exposure to any deprecated
weaker algorithms that are published for campatibilty compatibilty with less
capable clients, but should if possible be ignored. ignored when possible. We specify
such a protocol below.
Suppose that a DANE TLS client authenticating a TLS server considers
digest algorithm X BETTER stronger than digest algorithm Y. WORSE.
Suppose further that that a server's TLSA RRset contains some records with X
BETTER as the digest algorithm. Suppose Finally, suppose that for every raw
public key or certificate object that is included in the server's
TLSA RRset in digest form, whenever that object appears with digest Y (with
algorithm WORSE with some usage and selector) selector it also appears with digest X (with
algorithm BETTER with the same usage and selector). selector. In that case our
client can safely ignore TLSA records with the weaker digest Y, algorithm
WORSE, because it suffices to check the records with the stronger
algorithm X.
We take the simplest appraoch and mandate that all published TLSA
RRsets conform to the above assumptions. Then clients can
unconditionally ignore all but the (equal) strongest digest records
with a given usage and selector. The ordering of digest algorithms
by strength is entirely up to the client. Only the future will tell
which algoritms might be weakened by new attacks and when.
Therefore, server BETTER.
Server operators MUST ensure that for any given usage and selector, ALL objects with certificate association data with that
usage and selector that are published with
each object (certificate or public key), for which a digest matching type are
association exists in the TLSA RRset, is published with the SAME SET
of digests (non-zero matching types). digest algorithms as all other objects that published with that
usage and selector. In other words, for each usage and selector, the
records with non-zero matching types will be correspond to on a cross-product cross-
product of a set of underlying objects and a fixed set of digests digest
algorithms that apply uniformly to all the objects.
Records
To achieve digest algorithm agility, all published TLSA RRsets for
use with opportunistic DANE TLS for SMTP MUST conform to the above
requirements. Then, for each combination of usage and selector, SMTP
clients can simply ignore all digest records except those that employ
the strongest digest algorithm. The ordering of digest algorithms by
strength is not specified in advance, it is entirely up to the SMTP
client. SMTP client implementations SHOULD make the digest algorithm
preference order configurable. Only the future will tell which
algorithms might be weakened by new attacks and when.
Note, TLSA records with a matching type of "0", Full(0), that publish the
full object value of a certificate or public key object, play no role in
digest algorithm agility. They neither preempt trump the processing of
records that employ digests, nor are they ignored in the presence of
any records with a digest records. (i.e. non-zero) matching type.
SMTP clients SHOULD use digest algorithm agility when processing the
DANE TLSA records of an SMTP server. Algorithm agility is to be
applied after first discarding any unusable or malformed records
(unsupported digest algorithm, or incorrect digest length). Thus,
for each usage and selector, the client SHOULD only process only any
usable records with a matching type of "0" Full(0) and any the usable records
whose digest algorithm is believed to be the strongest among usable
records with the same given usage and selector.
The main impact of this requirement is on key rotation, when the TLSA
RRset is pre-populated with digests of new certificates or public
keys, before these replace or augment their predecessors. Were the
newly introduced RRs to include previously unused digest algorithms,
clients that employ this protocol could potentially ignore all the
digests corresponding to the currently deployed certificates current keys or certificates, causing
connectivity issues until the new keys or certificates are deployed.
Similarly, publishing new records with fewer digests could cause
problems for clients using cached TLSA RRsets that list both the old
and new objects once the new keys are deployed.
Server
To avoid problems, server operators SHOULD follow apply the following rules.
strategy:
o When adding or
removing changing the set of objects from published via the TLSA RRset
(e.g. during key rotation), DO NOT change the set of digests used, digest
algorithms used; change just the list of objects.
o When changing the set of digests used, digest algorithms, change only the set of
digests,
algorithms, and generate a new RRset in which all the current
objects are re-published with the new set of digests.
The client-side of this "digest algorithm agility" protocol is
enabled by default in the first DANE for SMTP implementation. For
key rotation to work non-disruptively server operators MUST ensure
that their TLSA records conform with the above specification.
3. Opportunistic TLS for Submission
Prior to [RFC6409], the SMTP submission protocol was a poster-child
for PKIX TLS. The MUA typically connects to one or more submission
servers explicitly configured by the user. There is no indirection
via insecure MX records, and unlike web browsers, there is no need to
authenticate a large set of TLS servers. Once TLS is enabled for the
desired submission server or servers, provided the server certificate
is correctly maintained, the MUA is able to reliably use TLS to
authenticate the submission server.
[RFC6186] aims to simplify the configuration of the MUA submission
service by dynamically deriving the submission service from the
user's email address. This is done via SRV records, but at the cost digest algorithms.
After either of introducing the same TLS security problems faced by MTA to MTA
SMTP. Prompting the user when the SRV record domain is different
from the email domain is not a robust solution.
The protocol defined in this memo can also be used to secure
submission service discovery. If the email domain is DNSSEC signed,
the SRV records are "secure" and the SRV host publishes secure TLSA
records for submission, then the MUA can safely auto-configure to
authenticate the submission server via DANE. When DANE TLSA records these two changes are not available, the client SHOULD fall back to legacy behavior
(this may involve prompting the user to accept the resulting server
and perhaps "pin" its certificate).
Specifically, MUAs that dynamically determine the submission server
via SRV records SHOULD support DNSSEC and DANE TLSA records. They
SHOULD use TLSA records to authenticate the server. The processing
of usage 2 and 3 TLSA associations by an MUA is made, the same as by an MTA
with SRV records replaced by corresponding MX records.
Just as with MX service on port 25, SMTP submission servers SHOULD
NOT publish usage 0 or 1 TLSA associations, and MUAs that support
DANE new TLSA are not expected to trust a full list of public CAs.
Server certificate subjectAltNames should include at least the server
name. When the server administrator is able to obtain a certificate
for the email domain, the server certificate RRset should also include the
email domain name. MUAs that are not able to support DNSSEC may then
be able to authenticate left in place long enough that the server domain. If it is practical to
field additional certificates for hosted domains, SNI may older TLSA RRset can be used by
the server to select the appropriate domain's certificate.
4. flushed
from caches before making another change.
3. Mandatory TLS Security
An MTA implementing this protocol may require a stronger security
assurance when sending email to selected destinations to which the destinations. The sending
organization sends may need to send sensitive email and and/or may have
regulatory obligations to protect its content. This protocol is not
in conflict with such a requirement, and in fact it can often simplify
authenticated delivery to such destinations.
Specifically, with domains that publish DANE TLSA records for their
MX hosts hostnames, a sending MTA can be configured to use the receiving
domains's DANE TLSA records to authenticate the corresponding MX
hosts, thereby obviating the complex manual provisioning process. In
anticipation of, or in response to, a failure SMTP
server. Authentication via DANE TLSA records is easier to obtain manage, as
changes in the receiver's expected
TLSA records, the sending system's administrator may choose from a
selection of fallback options, if supported by certificate properties are made on
the sending MTA:
o Defer mail if receiver end and don't require manually communicated
configuration changes. With mandatory DANE TLS, when no usable TLSA
records are found. This found, message delivery is delayed. Thus, mail is useful only
sent when the destination an authenticated TLS channel is known established to publish TLSA records, and lack of
TLSA records is most likely a transient misconfiguration.
o Authenticate the peer via remote
SMTP server.
Administrators of mail servers that employ mandatory DANE TLS, need
to carefully monitor their mail logs and queues. If a manually configured partner domain
unwittingly misconfigures their TLSA records, disables DNSSEC, or
misconfigures SMTP server certificate
digest. This may be obtained, for example, after a problem is
detected and confirmed to chains, mail will be valid delayed.
4. Operational Considerations
4.1. Client Operational Considerations
SMTP clients may deploy opportunistic DANE TLS incrementally by some out-of-band mechanism.
o Authenticate the peer via the existing public CA PKI, if the peer
server has usable CA issued certificates. In many cases the
sending MTA will need custom certificate name matching rules to
match the destination's gateways. And the sending server must
explicitly configure policy
enabling it only for the destination selected sites, or may occasionally need to always require
disable opportunistic DANE TLS for peers that fail to prevent MITM attacks.
o Send via unauthenticated mandatory TLS. This is useful if the
requirement is merely to always encrypt transmissions interoperate
due to protect
against only eavesdropping, and the possibility of MITM attacks is
less of a concern than timely email delivery.
It should be noted that barring administrator intervention, email
SHOULD be deferred when DNSSEC lookups fail, (as distinct from
"secure" non-existence of TLSA records, misconfiguration or secure evidence software defects on either end. Unless
local policy specifies that the
domain opportunistic DANE TLS is no longer signed). In addition not to configuring fallback
strategies be used
for a particular destination, client MUST NOT deliver mail via a
server whose certificate chain fails to match at least one TLSA
record when usable TLSA records are unexpectedly absent, administrators
may, available.
4.2. Publisher Operational Considerations
SMTP servers that publish certificate usage DANE-TA(2) associations
MUST include the TA certificate in hopefully rare cases, need to disable DNSSEC lookups for a
destination to work around their TLS server certificate
chain, even when that TA certificate is a DNSSEC outage.
5. Acknowledgements
The authors would like to extend great thanks to Tony Finch, who
started self-signed root
certificate.
TLSA Publishers must follow the original version of a DANE SMTP document. His work is
greatly appreciated and has been incorporated into this document.
The authors would like to additionally thank Phil Pennock for his
comments and advice on this document.
Acknowledgments from Viktor: Thanks to Tony Finch who finally prodded
me into participating digest agility guidelines in DANE working group discussions. Thanks to
Paul Hoffman who motivated me to produce this memo
Section 2.3.3 and provided
feedback on early drafts. Thanks also to Wietse Venema who created
Postfix, must make sure that all objects published in digest
form for a particular usage and patiently guided selector are published with the Postfix DANE implementation to
production quality.
6. same
set of digest algorithms.
TLSA Publishers should follow the TLSA publication size guidance
found in [I-D.ietf-dane-ops] about "DANE DNS Record Size Guidelines".
5. Security Considerations
This protocol leverages DANE TLSA records to implement MITM resistant
opportunistic channel security for SMTP. For destination domains
that sign their MX records and publish signed TLSA records for their
MX hosts, hostnames, this protocol allows sending MTAs (and perhaps dynamically
configured MUAs) to securely discover
both the availability of TLS and how to authenticate the destination.
This protocol does not aim to secure all SMTP traffic, as that is not
practical until DNSSEC and DANE adoption are universal. The
incremental deployment provided by following this specification is a
best possible path for securing SMTP. This protocol coexists and
interoperates with the existing insecure Internet email backbone.
The protocol does not preclude existing non-opportunistic SMTP TLS
security arrangements, which can continue to be used as before via
manual configuration and with negotiated out-of-band key and TLS
configuration exchanges.
Opportunistic SMTP TLS depends critically on DNSSEC for downgrade
resistance and secure resolution of the destination name. If DNSSEC
is compromised, it is not possible to fall back on the public CA PKI
to prevent MITM attacks. A successful breach of DNSSEC enables the
attacker to publish TLSA usage 3 certificate associations, and
thereby bypass any security benefit the legitimate domain owner might
hope to gain by publishing usage 0 or 1 TLSA RRs. Given the lack of
public CA PKI support in existing MTA deployments, deprecating avoiding
certificate usages 0 and 1 simplifies implementation and deployment
with no adverse security consequences.
Implementations must strictly follow the portions of this
specification that indicate when it is appropriate to initiate a non-
authenticated connection or cleartext connection to a SMTP server.
Specifically, in order to prevent downgrade attacks on this specifications improves
interoperability without degrading security. protocol,
implementation must not initiate a connection when this specification
indicates a particular SMTP server must be considered unreachable.
6. IANA considerations
This specification requires no support from IANA.
7. Acknowledgements
The authors would like to extend great thanks to Tony Finch, who
started the original version of a DANE SMTP document. His work is
greatly appreciated and has been incorporated into this document.
The authors would like to additionally thank Phil Pennock for his
comments and advice on this document.
Acknowledgments from Viktor: Thanks to Paul Hoffman who motivated me
to begin work on this memo and provided feedback on early drafts.
Thanks to Patrick Koetter, Perry Metzger and Nico Williams for
valuable review comments. Thanks also to Wietse Venema who created
Postfix, and whose advice and feedback were essential to the
development of the Postfix DANE implementation.
8. References
8.1. Normative References
[I-D.ietf-dane-ops]
Dukhovni, V. and W. Hardaker, "DANE TLSA implementation
and operational guidance", draft-ietf-dane-ops-00 (work in
progress), October 2013.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
RFC 2246, January 1999.
[RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over
Transport Layer Security", RFC 3207, February 2002.
[RFC3546] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
and T. Wright, "Transport Layer Security (TLS)
Extensions", RFC 3546, June 2003.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", RFC
4033, March 2005.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346, April 2006.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
October 2008.
[RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions:
Extension Definitions", RFC 6066, January 2011.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011.
[RFC6186] Daboo, C., "Use of SRV Records for Locating Email
Submission/Access Services", RFC 6186, March 2011.
[RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail",
STD 72, RFC 6409, November 2011.
[RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the
DNS", RFC 6672, June 2012.
[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
of Named Entities (DANE) Transport Layer Security (TLS)
Protocol: TLSA", RFC 6698, August 2012.
8.2. Informative References
[I-D.ietf-dane-registry-acronyms]
Gudmundsson, O., "Adding acronyms to simplify DANE
conversations", draft-ietf-dane-registry-acronyms-01 (work
in progress), October 2013.
[I-D.ietf-dane-smtp]
Finch, T., "Secure SMTP using DNS-Based Authentication of
Named Entities (DANE) TLSA records.", draft-ietf-dane-
smtp-01 (work in progress), February 2013.
[I-D.ietf-dane-srv]
Finch, T., "Using DNS-Based Authentication of Named
Entities (DANE) TLSA records with SRV and MX records.",
draft-ietf-dane-srv-02 (work in progress), February 2013.
[RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, July
2009.
[RFC6394] Barnes, R., "Use Cases and Requirements for DNS-Based
Authentication of Named Entities (DANE)", RFC 6394,
October 2011.
[RFC6895] Eastlake, D., "Domain Name System (DNS) IANA
Considerations", BCP 42, RFC 6895, April 2013.
Authors' Addresses
Viktor Dukhovni
Unaffiliated
Email: ietf-dane@dukhovni.org
Wes Hardaker
Parsons
P.O. Box 382
Davis, CA 95617
US
Email: ietf@hardakers.net