< draft-ietf-dane-smtp-with-dane-07.txt   draft-ietf-dane-smtp-with-dane-08.txt >
DANE V. Dukhovni DANE V. Dukhovni
Internet-Draft Unaffiliated Internet-Draft Two Sigma
Intended status: Standards Track W. Hardaker Intended status: Standards Track W. Hardaker
Expires: August 18, 2014 Parsons Expires: October 25, 2014 Parsons
February 14, 2014 April 23, 2014
SMTP security via opportunistic DANE TLS SMTP security via opportunistic DANE TLS
draft-ietf-dane-smtp-with-dane-07 draft-ietf-dane-smtp-with-dane-08
Abstract Abstract
This memo describes a downgrade-resistant protocol for SMTP transport This memo describes a downgrade-resistant protocol for SMTP transport
security between Mail Transfer Agents (MTAs) based on the DNS-Based security between Mail Transfer Agents (MTAs) based on the DNS-Based
Authentication of Named Entities (DANE) TLSA DNS record. Adoption of Authentication of Named Entities (DANE) TLSA DNS record. Adoption of
this protocol enables an incremental transition of the Internet email this protocol enables an incremental transition of the Internet email
backbone to one using encrypted and authenticated Transport Layer backbone to one using encrypted and authenticated Transport Layer
Security (TLS). Security (TLS).
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 18, 2014. This Internet-Draft will expire on October 25, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 16 skipping to change at page 2, line 16
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Background . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Background . . . . . . . . . . . . . . . . . . . . . . . 4
1.3. SMTP channel security . . . . . . . . . . . . . . . . . . 5 1.3. SMTP channel security . . . . . . . . . . . . . . . . . . 5
1.3.1. STARTTLS downgrade attack . . . . . . . . . . . . . . 5 1.3.1. STARTTLS downgrade attack . . . . . . . . . . . . . . 5
1.3.2. Insecure server name without DNSSEC . . . . . . . . . 6 1.3.2. Insecure server name without DNSSEC . . . . . . . . . 6
1.3.3. Sender policy does not scale . . . . . . . . . . . . 7 1.3.3. Sender policy does not scale . . . . . . . . . . . . 7
1.3.4. Too many certificate authorities . . . . . . . . . . 7 1.3.4. Too many certification authorities . . . . . . . . . 7
2. Hardening (pre-DANE) Opportunistic TLS . . . . . . . . . . . 8 2. Opportunistic DANE TLS . . . . . . . . . . . . . . . . . . . 8
2.1. DNS errors, bogus and indeterminate responses . . . . . . 8 2.1. DNS errors, bogus and indeterminate responses . . . . . . 8
2.2. TLS discovery . . . . . . . . . . . . . . . . . . . . . . 11 2.2. TLS discovery . . . . . . . . . . . . . . . . . . . . . . 11
2.2.1. MX resolution . . . . . . . . . . . . . . . . . . . . 13 2.2.1. MX resolution . . . . . . . . . . . . . . . . . . . . 13
2.2.2. Non-MX destinations . . . . . . . . . . . . . . . . . 14 2.2.2. Non-MX destinations . . . . . . . . . . . . . . . . . 14
2.2.3. TLSA record lookup . . . . . . . . . . . . . . . . . 16 2.2.3. TLSA record lookup . . . . . . . . . . . . . . . . . 16
2.3. DANE authentication . . . . . . . . . . . . . . . . . . . 17 2.3. DANE authentication . . . . . . . . . . . . . . . . . . . 17
2.3.1. TLSA certificate usages . . . . . . . . . . . . . . . 18 2.3.1. TLSA certificate usages . . . . . . . . . . . . . . . 18
2.3.2. Certificate matching . . . . . . . . . . . . . . . . 20 2.3.2. Certificate matching . . . . . . . . . . . . . . . . 22
2.3.3. Digest algorithm agility . . . . . . . . . . . . . . 23 2.3.3. Key rotation . . . . . . . . . . . . . . . . . . . . 24
3. Mandatory TLS Security . . . . . . . . . . . . . . . . . . . 25 2.3.4. Digest algorithm agility . . . . . . . . . . . . . . 24
4. Operational Considerations . . . . . . . . . . . . . . . . . 25 3. Mandatory TLS Security . . . . . . . . . . . . . . . . . . . 26
4.1. Client Operational Considerations . . . . . . . . . . . . 25 4. Note on DANE for Message User Agents . . . . . . . . . . . . 26
4.2. Publisher Operational Considerations . . . . . . . . . . 25 5. Interoperability considerations . . . . . . . . . . . . . . . 27
5. Security Considerations . . . . . . . . . . . . . . . . . . . 26 5.1. SNI support . . . . . . . . . . . . . . . . . . . . . . . 27
6. IANA considerations . . . . . . . . . . . . . . . . . . . . . 26 5.2. Anonymous TLS cipher suites . . . . . . . . . . . . . . . 28
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 27 6. Operational Considerations . . . . . . . . . . . . . . . . . 28
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 27 6.1. Client Operational Considerations . . . . . . . . . . . . 28
8.1. Normative References . . . . . . . . . . . . . . . . . . 27 6.2. Publisher Operational Considerations . . . . . . . . . . 29
8.2. Informative References . . . . . . . . . . . . . . . . . 28 7. Security Considerations . . . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28 8. IANA considerations . . . . . . . . . . . . . . . . . . . . . 30
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 30
10.1. Normative References . . . . . . . . . . . . . . . . . . 30
10.2. Informative References . . . . . . . . . . . . . . . . . 32
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32
1. Introduction 1. Introduction
This memo specifies a new connection security model for Message This memo specifies a new connection security model for Message
Transfer Agents (MTAs). This model is motivated by key features of Transfer Agents (MTAs). This model is motivated by key features of
inter-domain SMTP delivery, in particular the fact that the inter-domain SMTP delivery, in particular the fact that the
destination server is selected indirectly via DNS Mail Exchange (MX) destination server is selected indirectly via DNS Mail Exchange (MX)
records and that with MTA to MTA SMTP the use of TLS is generally records and that with MTA to MTA SMTP the use of TLS is generally
opportunistic. opportunistic.
We note that the SMTP protocol is also used between Message User Problems with existing use of TLS in MTA to MTA SMTP that motivate
Agents (MUAs) and Message Submission Agents (MSAs) [RFC6409]. In this specification are described in Section 1.3. The specification
[RFC6186] a protocol is specified that enables an MUA to dynamically itself follows in Section 2. Then, in Section 3, we discuss
locate the MSA based on the user's email address. SMTP connection application of DANE TLS to destinations for which channel integrity
security requirements for MUAs implementing [RFC6186] are largely and confidentiality are mandatory. In Section 4 we briefly comment
analogous to connection security requirements for MTAs, and this on potential applicability of this specification to Message User
specification could be applied largely verbatim with DNS MX records Agents.
replaced by corresponding DNS Service (SRV) records
[I-D.ietf-dane-srv].
However, until MUAs begin to adopt the dynamic configuration
mechanisms of [RFC6186] they are adequately served by more
traditional static TLS security policies. This document will not
discuss the MUA use case further, leaving specification of DANE TLS
for MUAs to future documents that focus specifically on SMTP security
between MUAs and MSAs. The rest of this memo will focus on securing
MTA to MTA SMTP connections.
1.1. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
[RFC2119]. [RFC2119].
The following terms or concepts are used through the document: The following terms or concepts are used through the document:
Man-in-the-middle or MITM attack: Active modification of network
traffic by an adversary able to thereby compromise the
confidentiality or integrity of the data.
secure, bogus, insecure, indeterminate: DNSSEC validation results, secure, bogus, insecure, indeterminate: DNSSEC validation results,
as defined in Section 4.3 of [RFC4035]. as defined in Section 4.3 of [RFC4035].
Validating Security-Aware Stub Resolver and Non-Validating Validating Security-Aware Stub Resolver and Non-Validating
Security-Aware Stub Resolver: Security-Aware Stub Resolver:
Capabilities of the stub resolver in use as defined in [RFC4033]; Capabilities of the stub resolver in use as defined in [RFC4033];
note that this specification requires the use of a Security-Aware note that this specification requires the use of a Security-Aware
Stub Resolver; Security-Oblivious stub-resolvers MUST NOT be used. Stub Resolver; Security-Oblivious stub-resolvers MUST NOT be used.
opportunistic DANE TLS: Best-effort use of TLS, resistant to opportunistic DANE TLS: Best-effort use of TLS, resistant to
skipping to change at page 4, line 5 skipping to change at page 3, line 50
STARTTLS on the client side and STARTTLS plus a DNSSEC published STARTTLS on the client side and STARTTLS plus a DNSSEC published
TLSA record on the server side. TLSA record on the server side.
(pre-DANE) opportunistic TLS: Best-effort use of TLS that is (pre-DANE) opportunistic TLS: Best-effort use of TLS that is
generally vulnerable to DNS forgery and STARTTLS downgrade generally vulnerable to DNS forgery and STARTTLS downgrade
attacks. When a TLS-encrypted communication channel is not attacks. When a TLS-encrypted communication channel is not
available, message transmission takes place in the clear. MX available, message transmission takes place in the clear. MX
record indirection generally precludes authentication even when record indirection generally precludes authentication even when
TLS is available. TLS is available.
reference identifier: (Special case of [RFC6125] definition). One
of the domain names associated by the SMTP client with the
destination SMTP server for performing name checks on the server
certificate. When name checks are applicable, at least one of the
reference identifiers MUST match an [RFC6125] DNS-ID (or if none
are present the [RFC6125] CN-ID) of the server certificate (see
Section 2.3.2.3).
MX hostname: The RRDATA of an MX record consists of a 16 bit MX hostname: The RRDATA of an MX record consists of a 16 bit
preference followed by a Mail Exchange domain name (see [RFC1035], preference followed by a Mail Exchange domain name (see [RFC1035],
Section 3.3.9). We will use the term "MX hostname" to refer to Section 3.3.9). We will use the term "MX hostname" to refer to
the latter, that is, the DNS domain name found after the the latter, that is, the DNS domain name found after the
preference value in an MX record. Thus an "MX hostname" is preference value in an MX record. Thus an "MX hostname" is
specifically a reference to a DNS domain name, rather than any specifically a reference to a DNS domain name, rather than any
host that bears that name. host that bears that name.
SMTP server: An SMTP server whose name appears in an MX record for a
particular domain. Used to refer specifically to the host and
SMTP service itself, not its DNS name.
delayed delivery: Email delivery is a multi-hop store & forward delayed delivery: Email delivery is a multi-hop store & forward
process. When an MTA is unable forward a message that may become process. When an MTA is unable forward a message that may become
deliverable later, the message is queued and delivery is retried deliverable later, the message is queued and delivery is retried
periodically. Some MTAs may be configured with a fallback next- periodically. Some MTAs may be configured with a fallback next-
hop destination that handles messages that the MTA would otherwise hop destination that handles messages that the MTA would otherwise
queue and retry. In these cases, messages that would otherwise queue and retry. In these cases, messages that would otherwise
have to be delayed, may be sent to the fallback next-hop have to be delayed, may be sent to the fallback next-hop
destination instead. The fallback destination may itself be destination instead. The fallback destination may itself be
subject to opportunistic or mandatory DANE TLS as though it were subject to opportunistic or mandatory DANE TLS as though it were
the original message destination. the original message destination.
skipping to change at page 5, line 6 skipping to change at page 5, line 6
and record type. and record type.
1.2. Background 1.2. Background
The Domain Name System Security Extensions (DNSSEC) add data origin The Domain Name System Security Extensions (DNSSEC) add data origin
authentication, data integrity and data non-existence proofs to the authentication, data integrity and data non-existence proofs to the
Domain Name System (DNS). DNSSEC is defined in [RFC4033], [RFC4034] Domain Name System (DNS). DNSSEC is defined in [RFC4033], [RFC4034]
and [RFC4035]. and [RFC4035].
As described in the introduction of [RFC6698], TLS authentication via As described in the introduction of [RFC6698], TLS authentication via
the existing public Certificate Authority (CA) PKI suffers from an the existing public Certification Authority (CA) PKI suffers from an
over-abundance of trusted certificate authorities capable of issuing over-abundance of trusted parties capable of issuing certificates for
certificates for any domain of their choice. DANE leverages the any domain of their choice. DANE leverages the DNSSEC infrastructure
DNSSEC infrastructure to publish trusted public keys and certificates to publish trusted public keys and certificates for use with the
for use with the Transport Layer Security (TLS) [RFC5246] protocol Transport Layer Security (TLS) [RFC5246] protocol via a new "TLSA"
via a new "TLSA" DNS record type. With DNSSEC each domain can only DNS record type. With DNSSEC each domain can only vouch for the keys
vouch for the keys of its directly delegated sub-domains. of its directly delegated sub-domains.
The TLS protocol enables secure TCP communication. In the context of The TLS protocol enables secure TCP communication. In the context of
this memo, channel security is assumed to be provided by TLS. Used this memo, channel security is assumed to be provided by TLS. Used
without authentication, TLS provides only privacy protection against without authentication, TLS provides only privacy protection against
eavesdropping attacks. With authentication, TLS also provides data eavesdropping attacks. With authentication, TLS also provides data
integrity protection to guard against man-in-the-middle (MITM) integrity protection to guard against MITM attacks.
attacks.
1.3. SMTP channel security 1.3. SMTP channel security
With HTTPS, Transport Layer Security (TLS) employs X.509 certificates With HTTPS, Transport Layer Security (TLS) employs X.509 certificates
[RFC5280] issued by one of the many Certificate Authorities (CAs) [RFC5280] issued by one of the many Certificate Authorities (CAs)
bundled with popular web browsers to allow users to authenticate bundled with popular web browsers to allow users to authenticate
their "secure" websites. Before we specify a new DANE TLS security their "secure" websites. Before we specify a new DANE TLS security
model for SMTP, we will explain why a new security model is needed. model for SMTP, we will explain why a new security model is needed.
In the process, we will explain why the familiar HTTPS security model In the process, we will explain why the familiar HTTPS security model
is inadequate to protect inter-domain SMTP traffic. is inadequate to protect inter-domain SMTP traffic.
skipping to change at page 5, line 44 skipping to change at page 6, line 4
either the recipient address or the MX record, a new signaling either the recipient address or the MX record, a new signaling
mechanism is required to indicate when channel security is possible mechanism is required to indicate when channel security is possible
and should be used. The publication of TLSA records allows server and should be used. The publication of TLSA records allows server
operators to securely signal to SMTP clients that TLS is available operators to securely signal to SMTP clients that TLS is available
and should be used. DANE TLSA makes it possible to simultaneously and should be used. DANE TLSA makes it possible to simultaneously
discover which destination domains support secure delivery via TLS discover which destination domains support secure delivery via TLS
and how to verify the authenticity of the associated SMTP services, and how to verify the authenticity of the associated SMTP services,
providing a path forward to ubiquitous SMTP channel security. providing a path forward to ubiquitous SMTP channel security.
1.3.1. STARTTLS downgrade attack 1.3.1. STARTTLS downgrade attack
The Simple Mail Transfer Protocol (SMTP) [RFC5321] is a single-hop The Simple Mail Transfer Protocol (SMTP) [RFC5321] is a single-hop
protocol in a multi-hop store & forward email delivery process. SMTP protocol in a multi-hop store & forward email delivery process. SMTP
envelope recipient addresses are not transport addresses and are envelope recipient addresses are not transport addresses and are
security-agnostic. Unlike the Hypertext Transfer Protocol (HTTP) and security-agnostic. Unlike the Hypertext Transfer Protocol (HTTP) and
its corresponding secured version, HTTPS, there is no URI scheme for its corresponding secured version, HTTPS, where the use of TLS is
email addresses to designate whether communication with the SMTP signalled via the URI scheme, email recipient addresses do not
server should be conducted via a cleartext or a TLS-encrypted directly signal transport security policy. Indeed, no such signaling
channel. Indeed, no such URI scheme could work well with SMTP since could work well with SMTP since TLS encryption of SMTP protects email
TLS encryption of SMTP protects email traffic on a hop-by-hop basis traffic on a hop-by-hop basis while email addresses could only
while email addresses could only express end-to-end policy. express end-to-end policy.
With no mechanism available to signal transport security policy, SMTP With no mechanism available to signal transport security policy, SMTP
relays employ a best-effort "opportunistic" security model for TLS. relays employ a best-effort "opportunistic" security model for TLS.
A single SMTP server TCP listening endpoint can serve both TLS and A single SMTP server TCP listening endpoint can serve both TLS and
non-TLS clients; the use of TLS is negotiated via the SMTP STARTTLS non-TLS clients; the use of TLS is negotiated via the SMTP STARTTLS
command ([RFC3207]). The server signals TLS support to the client command ([RFC3207]). The server signals TLS support to the client
over a cleartext SMTP connection, and, if the client also supports over a cleartext SMTP connection, and, if the client also supports
TLS, it may negotiate a TLS encrypted channel to use for email TLS, it may negotiate a TLS encrypted channel to use for email
transmission. The server's indication of TLS support can be easily transmission. The server's indication of TLS support can be easily
suppressed by a man in the middle attacker. Thus pre-DANE SMTP TLS suppressed by an MITM attacker. Thus pre-DANE SMTP TLS security can
security can be subverted by simply downgrading a connection to be subverted by simply downgrading a connection to cleartext. No TLS
cleartext. No TLS security feature, such as the use of PKIX, can security feature, such as the use of PKIX, can prevent this. The
prevent this. The attacker can simply bypass TLS. attacker can simply disable TLS.
1.3.2. Insecure server name without DNSSEC 1.3.2. Insecure server name without DNSSEC
With SMTP, DNS Mail Exchange (MX) records abstract the next-hop With SMTP, DNS Mail Exchange (MX) records abstract the next-hop
transport endpoint and allow administrators to specify a set of transport endpoint and allow administrators to specify a set of
target servers to which SMTP traffic should be directed for a given target servers to which SMTP traffic should be directed for a given
domain. domain.
A PKIX TLS client is vulnerable to man in the middle (MITM) attacks A PKIX TLS client is vulnerable to MITM attacks unless it verifies
unless it verifies that the server's certificate binds its public key that the server's certificate binds the public key to a name that
to its name. However, with SMTP server names are obtained indirectly matches one of the client's reference identifiers. A natural choice
via MX records. Without DNSSEC, the MX lookup is vulnerable to MITM of reference identifier is the server's domain name. However, with
and DNS cache poisoning attacks. Active attackers can forge DNS SMTP, server names are obtained indirectly via MX records. Without
replies with fake MX records and can redirect email to servers with DNSSEC, the MX lookup is vulnerable to MITM and DNS cache poisoning
names of their choice. Therefore, secure verification of SMTP TLS attacks. Active attackers can forge DNS replies with fake MX records
certificates is not possible without DNSSEC. and can redirect email to servers with names of their choice.
Therefore, secure verification of SMTP TLS certificates matching the
server name is not possible without DNSSEC.
One might try to harden the use of TLS with SMTP against DNS attacks One might try to harden TLS for SMTP against DNS attacks by using the
by requiring each SMTP server to possess a trusted certificate for envelope recipient domain as a reference identifier and requiring
the envelope recipient domain rather than the MX hostname. each SMTP server to possess a trusted certificate for the envelope
Unfortunately, this is impractical, as email for many domains is recipient domain rather than the MX hostname. Unfortunately, this is
handled by third parties that are not in a position to obtain impractical as email for many domains is handled by third parties
certificates for all the domains they serve. Deployment of the that are not in a position to obtain certificates for all the domains
Server Name Indication (SNI) extension to TLS (see [RFC6066] they serve. Deployment of the Server Name Indication (SNI) extension
Section 3) is no panacea, since SNI key management is operationally to TLS (see [RFC6066] Section 3) is no panacea, since SNI key
challenging except when the email service provider is also the management is operationally challenging except when the email service
domain's registrar and its certificate issuer; this is rarely the provider is also the domain's registrar and its certificate issuer;
case for email. this is rarely the case for email.
Since the recipient domain name cannot be used as the SMTP server Since the recipient domain name cannot be used as the SMTP server
authentication identity, and neither can the MX hostname without reference identifier, and neither can the MX hostname without DNSSEC,
DNSSEC, large-scale deployment of authenticated TLS for SMTP requires large-scale deployment of authenticated TLS for SMTP requires that
that the DNS be secure. the DNS be secure.
Since SMTP security depends critically on DNSSEC, it is important to Since SMTP security depends critically on DNSSEC, it is important to
point out that consequently SMTP with DANE is the most conservative point out that consequently SMTP with DANE is the most conservative
possible trust model. It trusts only what must be trusted and no possible trust model. It trusts only what must be trusted and no
more. Adding any other trusted actors to the mix can only reduce more. Adding any other trusted actors to the mix can only reduce
SMTP security. A sender may choose to harden DNSSEC for selected SMTP security. A sender may choose to further harden DNSSEC for
high value receiving domains, by configuring explicit trust anchors selected high-value receiving domains, by configuring explicit trust
for those domains instead of relying on the chain of trust from the anchors for those domains instead of relying on the chain of trust
root domain. In such a case there is not an "additional" trusted from the root domain. Detailed discussion of DNSSEC security
authority, rather the root trust anchor is replaced with a more practices is out of scope for this document.
specific trust anchor for each of the domains in question. Detailed
discussion of DNSSEC security practices is out of scope for this
document.
1.3.3. Sender policy does not scale 1.3.3. Sender policy does not scale
Sending systems are in some cases explicitly configured to use TLS Sending systems are in some cases explicitly configured to use TLS
for mail sent to specifically selected peer domains. This requires for mail sent to selected peer domains. This requires sending MTAs
MTAs to be configured with appropriate subject names or certificate to be configured with appropriate subject names or certificate
content digests to expect in the presented host certificates. content digests to expect in the presented server certificates.
Because of the heavy administrative burden, such statically Because of the heavy administrative burden, such statically
configured SMTP secure channels are used rarely (generally only configured SMTP secure channels are used rarely (generally only
between domains that make bilateral arrangements with their business between domains that make bilateral arrangements with their business
partners). Internet email, on the other hand, requires regularly partners). Internet email, on the other hand, requires regularly
contacting new domains for which security configurations cannot be contacting new domains for which security configurations cannot be
established in advance. established in advance.
The abstraction of the SMTP transport endpoint via DNS MX records, The abstraction of the SMTP transport endpoint via DNS MX records,
often across organization boundaries, limits the use of public CA PKI often across organization boundaries, limits the use of public CA PKI
with SMTP to a small set of sender-configured peer domains. With with SMTP to a small set of sender-configured peer domains. With
little opportunity to use TLS authentication, sending MTAs are rarely little opportunity to use TLS authentication, sending MTAs are rarely
configured with a comprehensive list of trusted CAs. SMTP services configured with a comprehensive list of trusted CAs. SMTP services
that support STARTTLS often use X.509 certificates that are self- that support STARTTLS often deploy X.509 certificates that are self-
signed or issued by a private CA. signed or issued by a private CA.
1.3.4. Too many certificate authorities 1.3.4. Too many certification authorities
Even if it were generally possible to determine a secure server name, Even if it were generally possible to determine a secure server name,
the SMTP client would still need to verify that the server's the SMTP client would still need to verify that the server's
certificate chain is issued by a trusted certificate authority (a certificate chain is issued by a trusted Certification Authority (a
trust anchor). MTAs are not interactive applications where a human trust anchor). MTAs are not interactive applications where a human
operator can make a decision (wisely or otherwise) to selectively operator can make a decision (wisely or otherwise) to selectively
disable TLS security policy when certificate chain verification disable TLS security policy when certificate chain verification
fails. With no user to "click OK", the MTAs list of public CA trust fails. With no user to "click OK", the MTAs list of public CA trust
anchors would need to be comprehensive in order to avoid bouncing anchors would need to be comprehensive in order to avoid bouncing
mail addressed to sites that employ unknown certificate authorities. mail addressed to sites that employ unknown Certification
Authorities.
On the other hand, each trusted CA can issue certificates for any On the other hand, each trusted CA can issue certificates for any
domain. If even one of the configured CAs is compromised or operated domain. If even one of the configured CAs is compromised or operated
by an adversary, it can subvert TLS security for all destinations. by an adversary, it can subvert TLS security for all destinations.
Any set of CAs is simultaneously both overly inclusive and not Any set of CAs is simultaneously both overly inclusive and not
inclusive enough. inclusive enough.
2. Hardening (pre-DANE) Opportunistic TLS 2. Opportunistic DANE TLS
Neither email addresses nor MX hostnames (or submission SRV records) Neither email addresses nor MX hostnames signal a requirement for
signal a requirement for either secure or cleartext transport. either secure or cleartext transport. Therefore, aside from a few
Therefore, SMTP transport security is of necessity generally manually configured exceptions, SMTP transport security is of
opportunistic (barring manually configured exceptions). necessity opportunistic.
This specification uses the presence of DANE TLSA records to securely This specification uses the presence of DANE TLSA records to securely
signal TLS support and to publish the means by which SMTP clients can signal TLS support and to publish the means by which SMTP clients can
successfully authenticate legitimate SMTP servers. This becomes successfully authenticate legitimate SMTP servers. This becomes
"opportunistic DANE TLS" and is resistant to downgrade and MITM "opportunistic DANE TLS" and is resistant to downgrade and MITM
attacks, and enables an incremental transition of the email backbone attacks, and enables an incremental transition of the email backbone
to authenticated TLS delivery, with increased global protection as to authenticated TLS delivery, with increased global protection as
adoption increases. adoption increases.
With opportunistic DANE TLS, traffic from SMTP clients to domains With opportunistic DANE TLS, traffic from SMTP clients to domains
skipping to change at page 8, line 45 skipping to change at page 9, line 12
requirements needed to avoid downgrade attacks when using requirements needed to avoid downgrade attacks when using
opportunistic DANE TLS. opportunistic DANE TLS.
A DNS lookup may signal an error or return a definitive answer. A A DNS lookup may signal an error or return a definitive answer. A
security-aware resolver must be used for this specification. security-aware resolver must be used for this specification.
Security-aware resolvers will indicate the security status of a DNS Security-aware resolvers will indicate the security status of a DNS
RRset with one of four possible values defined in Section 4.3 of RRset with one of four possible values defined in Section 4.3 of
[RFC4035]: "secure", "insecure", "bogus" and "indeterminate". In [RFC4035]: "secure", "insecure", "bogus" and "indeterminate". In
[RFC4035] the meaning of the "indeterminate" security status is: [RFC4035] the meaning of the "indeterminate" security status is:
An RRset for which the resolver is not able to determine whether An RRset for which the resolver is not able to determine whether
the RRset should be signed, as the resolver is not able to obtain the RRset should be signed, as the resolver is not able to obtain
the necessary DNSSEC RRs. This can occur when the security-aware the necessary DNSSEC RRs. This can occur when the security-aware
resolver is not able to contact security-aware name servers for resolver is not able to contact security-aware name servers for
the relevant zones. the relevant zones.
Note, the "indeterminate" security status has a conflicting Note, the "indeterminate" security status has a conflicting
definition in section 5 of [RFC4033]. definition in section 5 of [RFC4033].
There is no trust anchor that would indicate that a specific There is no trust anchor that would indicate that a specific
portion of the tree is secure. portion of the tree is secure.
SMTP clients following this specification SHOULD NOT distinguish SMTP clients following this specification SHOULD NOT distinguish
between "insecure" and "indeterminate" in the [RFC4033] sense. Both between "insecure" and "indeterminate" in the [RFC4033] sense. Both
"insecure" and RFC4033 "indeterminate" are handled identically: in "insecure" and RFC4033 "indeterminate" are handled identically: in
either case unvalidated data for the query domain is all that is and either case unvalidated data for the query domain is all that is and
can be available, and authentication using the data is impossible. can be available, and authentication using the data is impossible.
In what follows, when we say "insecure", we include also DNS results In what follows, when we say "insecure", we include also DNS results
for domains that lie in a portion of the DNS tree for which there is for domains that lie in a portion of the DNS tree for which there is
no applicable trust anchor. With the DNS root zone signed, we expect no applicable trust anchor. With the DNS root zone signed, we expect
that validating resolvers used by Internet-facing MTAs will be that validating resolvers used by Internet-facing MTAs will be
skipping to change at page 9, line 41 skipping to change at page 10, line 5
resolver does signal an RFC4035 "indeterminate" security status, this resolver does signal an RFC4035 "indeterminate" security status, this
MUST be treated by the SMTP client as though a "bogus" or error MUST be treated by the SMTP client as though a "bogus" or error
result had been returned. result had been returned.
An MTA making use of a non-validating security-aware stub resolver An MTA making use of a non-validating security-aware stub resolver
MAY use the stub resolver's ability, if available, to signal DNSSEC MAY use the stub resolver's ability, if available, to signal DNSSEC
validation status based on information the stub resolver has learned validation status based on information the stub resolver has learned
from an upstream validating recursive resolver. In accordance with from an upstream validating recursive resolver. In accordance with
section 4.9.3 of [RFC4035]: section 4.9.3 of [RFC4035]:
... a security-aware stub resolver MUST NOT place any reliance on ... a security-aware stub resolver MUST NOT place any reliance on
signature validation allegedly performed on its behalf, except signature validation allegedly performed on its behalf, except
when the security-aware stub resolver obtained the data in question when the security-aware stub resolver obtained the data in question
from a trusted security-aware recursive name server via a secure from a trusted security-aware recursive name server via a secure
channel. channel.
To avoid much repetition in the text below, we will pause to explain To avoid much repetition in the text below, we will pause to explain
the handling of "bogus" or "indeterminate" DNSSEC query responses. the handling of "bogus" or "indeterminate" DNSSEC query responses.
These are not necessarily the result of a malicious actor; they can, These are not necessarily the result of a malicious actor; they can,
for example, occur when network packets are corrupted or lost in for example, occur when network packets are corrupted or lost in
transit. Therefore, "bogus" or "indeterminate" replies are equated transit. Therefore, "bogus" or "indeterminate" replies are equated
in this memo with lookup failure. in this memo with lookup failure.
There is an important non-failure condition we need to highlight in There is an important non-failure condition we need to highlight in
addition to the obvious case of the DNS client obtaining a non-empty addition to the obvious case of the DNS client obtaining a non-empty
skipping to change at page 12, line 11 skipping to change at page 12, line 24
A Secure non-empty TLSA RRset where all the records are unusable: A A Secure non-empty TLSA RRset where all the records are unusable: A
connection to the MTA MUST be made via TLS, but authentication is connection to the MTA MUST be made via TLS, but authentication is
not required. Failure to establish an encrypted TLS connection not required. Failure to establish an encrypted TLS connection
MUST result in falling back to the next SMTP server or delayed MUST result in falling back to the next SMTP server or delayed
delivery. delivery.
An insecure TLSA RRset or DNSSEC validated proof-of-non-existent TLSA An insecure TLSA RRset or DNSSEC validated proof-of-non-existent TLSA
records: records:
A connection to the MTA SHOULD be made using (pre-DANE) A connection to the MTA SHOULD be made using (pre-DANE)
opportunistic TLS, this includes using cleartext delivery when the opportunistic TLS, this includes using cleartext delivery when the
remote SMTP server does not appear to support TLS. The MTA may remote SMTP server does not appear to support TLS. The MTA MAY
optionally retry in cleartext when a TLS handshake fails. retry in cleartext when delivery via TLS fails either during the
handshake or even during data transfer.
Any lookup error: Lookup errors, including "bogus" and Any lookup error: Lookup errors, including "bogus" and
"indeterminate", as explained in Section 2.1 MUST result in "indeterminate", as explained in Section 2.1 MUST result in
falling back to the next SMTP server or delayed delivery. falling back to the next SMTP server or delayed delivery.
An SMTP client MAY be configured to require DANE verified delivery An SMTP client MAY be configured to require DANE verified delivery
for some destinations. We will call such a configuration "mandatory for some destinations. We will call such a configuration "mandatory
DANE TLS". With mandatory DANE TLS, delivery proceeds only when DANE TLS". With mandatory DANE TLS, delivery proceeds only when
"secure" TLSA records are used to establish an encrypted and "secure" TLSA records are used to establish an encrypted and
authenticated TLS channel with the SMTP server. authenticated TLS channel with the SMTP server.
An operational error on the sending or receiving side that cannot be
corrected in a timely manner may, at times, lead to consistent
failure to deliver time-sensitive email. The sending MTA
administrator may have to choose between letting email queue until
the error is resolved and disabling opportunistic or mandatory DANE
TLS for one or more destinations. The choice to disable DANE TLS
security should not be made lightly. Every reasonable effort should
be made to determine that problems with mail delivery are the result
of an operational error, and not an attack. A fallback strategy may
be to configure explicit out-of-band TLS security settings if
supported by the sending MTA.
A note about DNAME aliases: a query for a domain name whose ancestor A note about DNAME aliases: a query for a domain name whose ancestor
domain is a DNAME alias returns the DNAME RR for the ancestor domain, domain is a DNAME alias returns the DNAME RR for the ancestor domain,
along with a CNAME that maps the query domain to the corresponding along with a CNAME that maps the query domain to the corresponding
sub-domain of the target domain of the DNAME alias [RFC6672]. sub-domain of the target domain of the DNAME alias [RFC6672].
Therefore, whenever we speak of CNAME aliases, we implicitly allow Therefore, whenever we speak of CNAME aliases, we implicitly allow
for the possibility that the alias in question is the result of an for the possibility that the alias in question is the result of an
ancestor domain DNAME record. Consequently, no explicit support for ancestor domain DNAME record. Consequently, no explicit support for
DNAME records is needed in SMTP software, it is sufficient to process DNAME records is needed in SMTP software, it is sufficient to process
the resulting CNAME aliases. DNAME records only require special the resulting CNAME aliases. DNAME records only require special
processing in the validating stub-resolver library that checks the processing in the validating stub-resolver library that checks the
integrity of the combined DNAME + CNAME reply. When DNSSEC integrity of the combined DNAME + CNAME reply. When DNSSEC
validation is handled by a local caching resolver, rather than the validation is handled by a local caching resolver, rather than the
MTA itself, even that part of the DNAME support logic is outside the MTA itself, even that part of the DNAME support logic is outside the
MTA. MTA.
When the original next-hop destination is an address literal, rather When the original next-hop destination is an address literal, rather
than a DNS domain, DANE TLS does not apply. Delivery proceeds using than a DNS domain, DANE TLS does not apply. Delivery proceeds using
any relevant security policy configured by the MTA administrator. any relevant security policy configured by the MTA administrator.
Similarly, when an MX RRset incorrectly lists an network address in Similarly, when an MX RRset incorrectly lists a network address in
lieu of an MX hostname, if the MTA chooses to connect to the network lieu of an MX hostname, if the MTA chooses to connect to the network
address DANE TLSA does not apply for such a connection. address DANE TLSA does not apply for such a connection.
In the subsections that follow we explain how to locate the SMTP In the subsections that follow we explain how to locate the SMTP
servers and the associated TLSA records for a given next-hop servers and the associated TLSA records for a given next-hop
destination domain. We also explain which name or names are to be destination domain. We also explain which name or names are to be
used in identity checks of the SMTP server certificate. used in identity checks of the SMTP server certificate.
2.2.1. MX resolution 2.2.1. MX resolution
skipping to change at page 13, line 31 skipping to change at page 13, line 31
base domain are derived separately for each MX hostname that is used base domain are derived separately for each MX hostname that is used
to attempt message delivery. Clearly, if DANE TLS security is to to attempt message delivery. Clearly, if DANE TLS security is to
apply to message delivery via any of the SMTP servers, the MX records apply to message delivery via any of the SMTP servers, the MX records
must be obtained securely via a DNSSEC validated MX lookup. must be obtained securely via a DNSSEC validated MX lookup.
MX records MUST be sorted by preference; an MX hostname with a worse MX records MUST be sorted by preference; an MX hostname with a worse
(numerically higher) MX preference that has TLSA records MUST NOT (numerically higher) MX preference that has TLSA records MUST NOT
preempt an MX hostname with a better (numerically lower) preference preempt an MX hostname with a better (numerically lower) preference
that has no TLSA records. In other words, prevention of delivery that has no TLSA records. In other words, prevention of delivery
loops by obeying MX preferences MUST take precedence over channel loops by obeying MX preferences MUST take precedence over channel
security considerations. Even with two equal preference MX records, security considerations. Even with two equal-preference MX records,
an MTA is not obligated to choose the MX hostname that offers more an MTA is not obligated to choose the MX hostname that offers more
security. Domains that want secure inbound mail delivery need to security. Domains that want secure inbound mail delivery need to
ensure that all their SMTP servers and MX records are configured ensure that all their SMTP servers and MX records are configured
accordingly. accordingly.
In the language of [RFC5321] Section 5.1, the original next-hop In the language of [RFC5321] Section 5.1, the original next-hop
domain is the "initial name". If the MX lookup of the initial name domain is the "initial name". If the MX lookup of the initial name
results in a CNAME alias, the MTA replaces the initial name with the results in a CNAME alias, the MTA replaces the initial name with the
resulting name and performs a new lookup with the new name. MTAs resulting name and performs a new lookup with the new name. MTAs
typically support recursion in CNAME expansion, so this replacement typically support recursion in CNAME expansion, so this replacement
skipping to change at page 14, line 24 skipping to change at page 14, line 24
o Each MX hostname used in a message delivery attempt for an o Each MX hostname used in a message delivery attempt for an
original next-hop destination domain subject to MX resolution. original next-hop destination domain subject to MX resolution.
Note, MTAs are not obligated to support CNAME expansion of MX Note, MTAs are not obligated to support CNAME expansion of MX
hostnames. hostnames.
o Any administrator configured relay hostname, not subject to MX o Any administrator configured relay hostname, not subject to MX
resolution. This frequently involves configuration set by the MTA resolution. This frequently involves configuration set by the MTA
administrator to handle some or all mail. administrator to handle some or all mail.
o A next-hop destination domain subject to MX resolution that has no o A next-hop destination domain subject to MX resolution that has no
MX records. In this case the domain's name is implicitly also the MX records. In this case the domain's name is implicitly also its
hostname of its sole SMTP server. sole SMTP server name.
Note that DNS queries with type TLSA are mishandled by load balancing Note that DNS queries with type TLSA are mishandled by load balancing
nameservers that serve the MX hostnames of some large email nameservers that serve the MX hostnames of some large email
providers. The DNS zones served by these nameservers are not signed providers. The DNS zones served by these nameservers are not signed
and contain no TLSA records, but queries for TLSA records fail, and contain no TLSA records, but queries for TLSA records fail,
rather than returning the non-existence of the requested TLSA rather than returning the non-existence of the requested TLSA
records. records.
To avoid problems delivering mail to domains whose SMTP servers are To avoid problems delivering mail to domains whose SMTP servers are
served by the problem nameservers the SMTP client MUST perform any A served by the problem nameservers the SMTP client MUST perform any A
and/or AAAA queries for the destination before attempting to locate and/or AAAA queries for the destination before attempting to locate
the associated TLSA records. This lookup is needed in any case to the associated TLSA records. This lookup is needed in any case to
determine whether the destination domain is reachable and the DNSSEC determine whether the destination domain is reachable and the DNSSEC
validation status of each stage of the chain of CNAME queries validation status of the chain of CNAME queries required to reach the
required to reach the final result. ultimate address records.
If no address records are found, the destination is unreachable. If If no address records are found, the destination is unreachable. If
address records are found, but the DNSSEC validation status of the address records are found, but the DNSSEC validation status of the
first query response is "insecure" (there may be additional queries first query response is "insecure" (there may be additional queries
if the initial response is a CNAME alias), the SMTP client SHOULD NOT if the initial response is a CNAME alias), the SMTP client SHOULD NOT
proceed to search for any associated TLSA records. With the problem proceed to search for any associated TLSA records. With the problem
domains, TLSA queries will lead to DNS lookup errors and cause domains, TLSA queries will lead to DNS lookup errors and cause
messages to be consistently delayed and ultimately returned to the messages to be consistently delayed and ultimately returned to the
sender. We don't expect to find any "secure" TLSA records associated sender. We don't expect to find any "secure" TLSA records associated
with a TLSA base domain that lies in an unsigned DNS zone. with a TLSA base domain that lies in an unsigned DNS zone.
skipping to change at page 16, line 22 skipping to change at page 16, line 22
Each candidate TLSA base domain (the original or fully CNAME-expanded Each candidate TLSA base domain (the original or fully CNAME-expanded
name of a non-MX destination or a particular MX hostname of an MX name of a non-MX destination or a particular MX hostname of an MX
destination) is in turn prefixed with service labels of the form destination) is in turn prefixed with service labels of the form
"_<port>._tcp". The resulting domain name is used to issue a DNSSEC "_<port>._tcp". The resulting domain name is used to issue a DNSSEC
query with the query type set to TLSA ([RFC6698] Section 7.1). query with the query type set to TLSA ([RFC6698] Section 7.1).
For SMTP, the destination TCP port is typically 25, but this may be For SMTP, the destination TCP port is typically 25, but this may be
different with custom routes specified by the MTA administrator in different with custom routes specified by the MTA administrator in
which case the SMTP client MUST use the appropriate number in the which case the SMTP client MUST use the appropriate number in the
"_<port>" prefix in place of "_25". If, for example, the candidate "_<port>" prefix in place of "_25". If, for example, the candidate
base domain is "mail.example.com", and the SMTP connection is to port base domain is "mx.example.com", and the SMTP connection is to port
25, the TLSA RRset is obtained via a DNSSEC query of the form: 25, the TLSA RRset is obtained via a DNSSEC query of the form:
_25._tcp.mail.example.com. IN TLSA ? _25._tcp.mx.example.com. IN TLSA ?
The query response may be a CNAME, or the actual TLSA RRset. If the The query response may be a CNAME, or the actual TLSA RRset. If the
response is a CNAME, the SMTP client (through the use of its response is a CNAME, the SMTP client (through the use of its
security-aware stub resolver) restarts the TLSA query at the target security-aware stub resolver) restarts the TLSA query at the target
domain, following CNAMEs as appropriate and keeping track of whether domain, following CNAMEs as appropriate and keeping track of whether
the entire chain is "secure". If any "insecure" records are the entire chain is "secure". If any "insecure" records are
encountered, or the TLSA records don't exist, the next candidate TLSA encountered, or the TLSA records don't exist, the next candidate TLSA
base is tried instead. base is tried instead.
If the ultimate response is a "secure" TLSA RRset, then the candidate If the ultimate response is a "secure" TLSA RRset, then the candidate
TLSA base domain will be the actual TLSA base domain and the TLSA TLSA base domain will be the actual TLSA base domain and the TLSA
RRset will constitute the TLSA records for the destination. If none RRset will constitute the TLSA records for the destination. If none
of the candidate TLSA base domains yield "secure" TLSA records then of the candidate TLSA base domains yield "secure" TLSA records then
delivery should proceed via pre-DANE opportunistic TLS. delivery should proceed via pre-DANE opportunistic TLS.
TLSA record publishers may leverage CNAMEs to reference a single TLSA record publishers may leverage CNAMEs to reference a single
authoritative TLSA RRset specifying a common certificate authority or authoritative TLSA RRset specifying a common Certification Authority
a common end entity certificate to be used with multiple TLS or a common end entity certificate to be used with multiple TLS
services. Such CNAME expansion does not change the SMTP client's services. Such CNAME expansion does not change the SMTP client's
notion of the TLSA base domain; thus, when _25._tcp.mail.example.com notion of the TLSA base domain; thus, when _25._tcp.mx.example.com is
is a CNAME, the base domain remains mail.example.com and is still the a CNAME, the base domain remains mx.example.com and this is still the
name used in peer certificate name checks. reference identifier used together with the next-hop domain in peer
certificate name checks.
Note, shared end entity certificate associations expose the Note, shared end entity certificate associations expose the
publishing domain to substitution attacks, where an MITM attacker can publishing domain to substitution attacks, where an MITM attacker can
reroute traffic to a different server that shares the same end entity reroute traffic to a different server that shares the same end entity
certificate. Such shared end entity records should be avoided unless certificate. Such shared end entity records SHOULD be avoided unless
the servers in question are interchangeable. the servers in question are functionally equivalent (an active
attacker gains nothing by diverting client traffic from one such
server to another).
For example, given the DNSSEC validated records below: For example, given the DNSSEC validated records below:
example.com. IN MX 0 mail.example.com. example.com. IN MX 0 mx1.example.com.
example.com. IN MX 0 mail2.example.com. example.com. IN MX 0 mx2.example.com.
_25._tcp.mail.example.com. IN CNAME tlsa211._dane.example.com. _25._tcp.mx1.example.com. IN CNAME tlsa211._dane.example.com.
_25._tcp.mail2.example.com. IN CNAME tlsa211._dane.example.com. _25._tcp.mx2.example.com. IN CNAME tlsa211._dane.example.com.
tlsa211._dane.example.com. IN TLSA 2 1 1 e3b0c44298fc1c14.... tlsa211._dane.example.com. IN TLSA 2 1 1 e3b0c44298fc1c149a...
The SMTP servers mail.example.com and mail2.example.com will be The SMTP servers mx1.example.com and mx2.example.com will be expected
expected to have certificates issued under a common trust anchor, but to have certificates issued under a common trust anchor, but each MX
each MX hostname's TLSA base domain remains unchanged despite the hostname's TLSA base domain remains unchanged despite the above CNAME
above CNAME records. Each SMTP server's certificate subject name (or records. Correspondingly, each SMTP server will be associated with a
one of the subject alternative names) is expected to match either the pair of reference identifiers consisting of its hostname plus the
corresponding MX hostname or else "example.com". next-hop domain "example.com".
If, during TLSA resolution (including possible CNAME indirection), at If, during TLSA resolution (including possible CNAME indirection), at
least one "secure" TLSA record is found (even if not usable because least one "secure" TLSA record is found (even if not usable because
it is unsupported by the implementation or support is it is unsupported by the implementation or support is
administratively disabled), then the corresponding host has signaled administratively disabled), then the corresponding host has signaled
its commitment to implement TLS. The SMTP client SHOULD NOT deliver its commitment to implement TLS. The SMTP client SHOULD NOT deliver
mail via the corresponding host unless a TLS session is negotiated mail via the corresponding host unless a TLS session is negotiated
via STARTTLS. This is required to avoid MITM STARTTLS downgrade via STARTTLS. This is required to avoid MITM STARTTLS downgrade
attacks. attacks.
skipping to change at page 17, line 47 skipping to change at page 17, line 50
arise during CNAME expansion that are neither the original, nor the arise during CNAME expansion that are neither the original, nor the
final name, are never candidate TLSA base domains, even if "secure". final name, are never candidate TLSA base domains, even if "secure".
2.3. DANE authentication 2.3. DANE authentication
This section describes which TLSA records are applicable to SMTP This section describes which TLSA records are applicable to SMTP
opportunistic DANE TLS and how to apply such records to authenticate opportunistic DANE TLS and how to apply such records to authenticate
the SMTP server. With opportunistic DANE TLS, both the TLS support the SMTP server. With opportunistic DANE TLS, both the TLS support
implied by the presence of DANE TLSA records and the verification implied by the presence of DANE TLSA records and the verification
parameters necessary to authenticate the TLS peer are obtained parameters necessary to authenticate the TLS peer are obtained
together, therefore authentication via this protocol is expected to together. In contrast to protocols where channel security policy is
be less prone to connection failure caused by incompatible set exclusively by the client, authentication via this protocol is
configuration of the client and server. expected to be less prone to connection failure caused by
incompatible configuration of the client and server.
2.3.1. TLSA certificate usages 2.3.1. TLSA certificate usages
The DANE TLSA specification [RFC6698] defines multiple TLSA RR types The DANE TLSA specification [RFC6698] defines multiple TLSA RR types
via combinations of 3 numeric parameters. The numeric values of via combinations of 3 numeric parameters. The numeric values of
these parameters were later given symbolic names in these parameters were later given symbolic names in
[I-D.ietf-dane-registry-acronyms]. The rest of the TLSA record is [I-D.ietf-dane-registry-acronyms]. The rest of the TLSA record is
the "certificate association data field", which specifies the full or the "certificate association data field", which specifies the full or
digest value of a certificate or public key. The parameters are: digest value of a certificate or public key. The parameters are:
skipping to change at page 19, line 5 skipping to change at page 18, line 49
algorithm id, any parameters and the public key data. algorithm id, any parameters and the public key data.
The matching type field specifies how the TLSA RR Certificate The matching type field specifies how the TLSA RR Certificate
Association Data field is to be compared with the certificate or Association Data field is to be compared with the certificate or
public key. A value of Full(0) means an exact match: the full DER public key. A value of Full(0) means an exact match: the full DER
encoding of the certificate or public key is given in the TLSA RR. A encoding of the certificate or public key is given in the TLSA RR. A
value of SHA2-256(1) means that the association data matches the value of SHA2-256(1) means that the association data matches the
SHA2-256 digest of the certificate or public key, and likewise SHA2-256 digest of the certificate or public key, and likewise
SHA2-512(2) means a SHA2-512 digest is used. SHA2-512(2) means a SHA2-512 digest is used.
Since opportunistic DANE TLS will be used by non-interactive MTAs,
with no user to "press OK" when authentication fails, reliability of
peer authentication is paramount. Server operators are advised to
publish TLSA records that are least likely to fail authentication due
to interoperability or operational problems. Because DANE TLS relies
on coordinated changes to DNS and SMTP server settings, the best
choice of records to publish will depend on site-specific practices.
The certificate usage element of a TLSA record plays a critical role The certificate usage element of a TLSA record plays a critical role
in determining how the corresponding certificate association data in determining how the corresponding certificate association data
field is used to authenticate server's certificate chain. The next field is used to authenticate server's certificate chain. The next
two subsections explain the process for certificate usages DANE-EE(3) two subsections explain the process for certificate usages DANE-EE(3)
and DANE-TA(2). The third subsection briefly explains why and DANE-TA(2). The third subsection briefly explains why
certificate usages PKIX-TA(0) and PKIX-EE(1) are not applicable with certificate usages PKIX-TA(0) and PKIX-EE(1) are not applicable with
opportunistic DANE TLS. opportunistic DANE TLS.
2.3.1.1. Certificate usage DANE-EE(3) In summary, we recommend the use of either "DANE-EE(3) SPKI(1)
SHA2-256(1)" or "DANE-TA(2) Cert(0) SHA2-256(1)" TLSA records
depending on site needs. Other combinations of TLSA parameters are
either explicitly unsupported, or offer little to recommend them over
these two.
Since opportunistic DANE TLS will be used by non-interactive MTAs, The mandatory to support digest algorithm in [RFC6698] is
with no user to "press OK" when authentication fails, reliability of SHA2-256(1). When the server's TLSA RRset includes records with a
peer authentication is paramount. matching type indicating a digest record (i.e., a value other than
Full(0)), a TLSA record with a SHA2-256(1) matching type SHOULD be
provided along with any other digest published, since some SMTP
clients may support only SHA2-256(1). If at some point the SHA2-256
digest algorithm is tarnished by new cryptanalytic attacks,
publishers will need to include an appropriate stronger digest in
their TLSA records, initially along with, and ultimately in place of,
SHA2-256.
2.3.1.1. Certificate usage DANE-EE(3)
Authentication via certificate usage DANE-EE(3) TLSA records involves Authentication via certificate usage DANE-EE(3) TLSA records involves
simply checking that the server's leaf certificate matches the TLSA simply checking that the server's leaf certificate matches the TLSA
record. Other than extracting the relevant certificate elements for record. In particular the binding of the server public key to its
comparison, no other use is made of the certificate content. name is based entirely on the TLSA record association The server MUST
Authentication via certificate usage DANE-EE(3) TLSA records involves be considered authenticated even if none of the names in the
no certificate authority signature checks. It also involves no certificate match the client's reference identity for the server.
server name checks, and thus does not impose any new requirements on
the names contained in the server certificate (SNI is not required
when the TLSA record matches the server's default certificate).
Two TLSA records MUST be published before updating a server's public Similarly, the expiration date of the server certificate MUST be
key, one matching the currently deployed key and the other matching ignored, the validity period of the TLSA record key binding is
the new key scheduled to replace it. Once sufficient time has determined by the validity interval of the TLSA record DNSSEC
elapsed for all DNS caches to expire the previous TLSA RRset and signature.
related signature RRsets, the server may be reconfigured to use the
new private key and associated public key certificate. Once the With DANE-EE(3) servers need not employ SNI (may ignore the client's
server is using the new key, the TLSA RR that matches the retired key SNI message) even when the server is known under independent names
can be removed from DNS, leaving only the RR that matches the new that would otherwise require separate certificates. It is instead
key. sufficient for the TLSA RRsets for all the domains in question to
match the server's default certificate. Of course with SMTP servers
it is simpler still to publish the same MX hostname for all the
hosted domains.
For domains where it is practical to make coordinated changes in DNS
TLSA records during SMTP server key rotation, it is often best to
publish end-entity DANE-EE(3) certificate associations. DANE-EE(3)
certificates don't suddenly stop working when leaf or intermediate
certificates expire, and don't fail when the server operator neglects
to configure all the required issuer certificates in the server
certificate chain.
TLSA records published for SMTP servers SHOULD, in most cases, be TLSA records published for SMTP servers SHOULD, in most cases, be
"DANE-EE(3) SPKI(1) SHA2-256(1)" records. Since all DANE "DANE-EE(3) SPKI(1) SHA2-256(1)" records. Since all DANE
implementations are required to support SHA2-256, this record works implementations are required to support SHA2-256, this record type
for all clients and need not change across certificate renewals with works for all clients and need not change across certificate renewals
the same key. with the same key.
2.3.1.2. Certificate usage DANE-TA(2) 2.3.1.2. Certificate usage DANE-TA(2)
Some domains may prefer to avoid the operational complexity of Some domains may prefer to avoid the operational complexity of
publishing unique TLSA RRs for each TLS service. If the domain publishing unique TLSA RRs for each TLS service. If the domain
employs a common issuing Certificate Authority to create certificates employs a common issuing Certification Authority to create
for multiple TLS services, it may be simpler to publish the issuing certificates for multiple TLS services, it may be simpler to publish
authority as a trust anchor (TA) for the certificate chains of all the issuing authority as a trust anchor (TA) for the certificate
relevant services. The TLSA query domain (TLSA base domain with port chains of all relevant services. The TLSA query domain (TLSA base
and protocol prefix labels) for each service issued by the same TA domain with port and protocol prefix labels) for each service issued
may then be set to a CNAME alias that points to a common TLSA RRset by the same TA may then be set to a CNAME alias that points to a
that matches the TA. common TLSA RRset that matches the TA. For example:
example.com. IN MX 0 mx1.example.com.
example.com. IN MX 0 mx2.example.com.
_25._tcp.mx1.example.com. IN CNAME tlsa211._dane.example.com.
_25._tcp.mx2.example.com. IN CNAME tlsa211._dane.example.com.
tlsa211._dane.example.com. IN TLSA 2 1 1 e3b0c44298fc1c14....
With usage DANE-TA(2) the server certificates will need to have names
that match one of the client's reference identifiers (see [RFC6125]).
The server MAY employ SNI to select the appropriate certificate to
present to the client.
SMTP servers that rely on certificate usage DANE-TA(2) TLSA records SMTP servers that rely on certificate usage DANE-TA(2) TLSA records
for TLS authentication MUST include the TA certificate as part of the for TLS authentication MUST include the TA certificate as part of the
certificate chain presented in the TLS handshake server certificate certificate chain presented in the TLS handshake server certificate
message even when it is a self-signed root certificate. At this message even when it is a self-signed root certificate. At this
time, many SMTP servers are not configured with a comprehensive list time, many SMTP servers are not configured with a comprehensive list
of trust anchors, nor are they expected to at any point in the of trust anchors, nor are they expected to at any point in the
future. Some MTAs will ignore all locally trusted certificates when future. Some MTAs will ignore all locally trusted certificates when
processing usage DANE-TA(2) TLSA records. Thus even when the TA processing usage DANE-TA(2) TLSA records. Thus even when the TA
happens to be a public Certificate Authority known to the SMTP happens to be a public Certification Authority known to the SMTP
client, authentication is likely to fail unless the TA is included in client, authentication is likely to fail unless the TA certificate is
the TLS server certificate message. included in the TLS server certificate message.
TLSA Publishers should publish either "DANE-TA(2) SPKI(1) Full(0)" or TLSA records with selector Full(0) are discouraged. While these
"DANE-TA(2) Cert(0) SHA2-256(1)" TLSA parameters. As with leaf potentially obviate the need to transmit the TA certificate in the
certificate rollover discussed in Section 2.3.1.1, two such TLSA RRs TLS server certificate message, client implementations may not be
need to be published to facilitate TA certificate rollover. able to augment the server certificate chain with the data obtained
from DNS, especially when the TLSA record supplies a bare key
(selector SPKI(1)). Since the server will need to transmit the TA
certificate in any case, server operators SHOULD publish TLSA records
with a selector other than Full(0) and avoid potential
interoperability issues with large TLSA records containing full
certificates or keys.
TLSA Publishers employing DANE-TA(2) records SHOULD publish records
with a selector of Cert(0). Such TLSA records are associated with
the whole trust anchor certificate, not just with the trust anchor
public key. In particular, the SMTP client SHOULD then apply any
relevant constraints from the trust anchor certificate, such as, for
example, path length constraints.
While a selector of SPKI(1) may also be employed, the resulting TLSA
record will not specify the full trust anchor certificate content,
and elements of the trust anchor certificate other than the public
key become mutable. This may, for example, allow a subsidiary CA to
issue a chain that violates the trust anchor's path length or name
constraints.
2.3.1.3. Certificate usages PKIX-TA(0) and PKIX-EE(1) 2.3.1.3. Certificate usages PKIX-TA(0) and PKIX-EE(1)
SMTP servers SHOULD NOT publish TLSA RRs with certificate usage SMTP servers SHOULD NOT publish TLSA RRs with certificate usage
"PKIX-TA(0)" or "PKIX-EE(1)". SMTP clients cannot be expected to be "PKIX-TA(0)" or "PKIX-EE(1)". SMTP clients cannot be expected to be
configured with a suitably complete set of trusted public CAs. Even configured with a suitably complete set of trusted public CAs. Even
with a full set of public CAs, SMTP clients cannot (without relying with a full set of public CAs, SMTP clients cannot (without relying
on DNSSEC for secure MX records and DANE for STARTTLS support on DNSSEC for secure MX records and DANE for STARTTLS support
signalling) perform [RFC6125] server identity verification or prevent signaling) perform [RFC6125] server identity verification or prevent
STARTTLS downgrade attacks. The use of trusted public CAs offers no STARTTLS downgrade attacks. The use of trusted public CAs offers no
added security since an attacker capable of compromising DNSSEC is added security since an attacker capable of compromising DNSSEC is
free to replace any PKIX-TA(0) or PKIX-EE(1) TLSA records with free to replace any PKIX-TA(0) or PKIX-EE(1) TLSA records with
records bearing any convenient non-PKIX certificate usage. records bearing any convenient non-PKIX certificate usage.
SMTP client treatment of TLSA RRs with certificate usages "PKIX- SMTP client treatment of TLSA RRs with certificate usages "PKIX-
TA(0)" or "PKIX-EE(1)" is undefined. For example, clients MAY (will TA(0)" or "PKIX-EE(1)" is undefined. For example, clients MAY (will
likely) treat such TLSA records as unusable. likely) treat such TLSA records as unusable.
2.3.2. Certificate matching 2.3.2. Certificate matching
When at least one usable "secure" TLSA record is found, the SMTP When at least one usable "secure" TLSA record is found, the SMTP
client SHOULD use TLSA records to authenticate the SMTP server. client SHOULD use TLSA records to authenticate the SMTP server.
Messages SHOULD NOT be delivered via the SMTP server if Messages SHOULD NOT be delivered via the SMTP server if
authentication fails, otherwise the SMTP client is vulnerable to MITM authentication fails, otherwise the SMTP client is vulnerable to MITM
attacks. attacks.
2.3.2.1. DANE-EE(3) name checks
The SMTP client MUST NOT perform certificate name checks with
certificate usage DANE-EE(3), see Section 2.3.1.1 above.
2.3.2.2. DANE-TA(2) name checks
To match a server via a TLSA record with certificate usage DANE- To match a server via a TLSA record with certificate usage DANE-
TA(2), the client MUST perform name checks to ensure that it has TA(2), the client MUST perform name checks to ensure that it has
reached the correct server. In all cases the SMTP client MUST accept reached the correct server. In all DANE-TA(2) cases the SMTP client
the TLSA base domain as a valid DNS name in the server certificate. MUST include the TLSA base domain as one of the valid reference
identifiers for matching the server certificate.
TLSA records for MX hostnames: If the TLSA base domain was obtained TLSA records for MX hostnames: If the TLSA base domain was obtained
indirectly via an MX lookup (including any CNAME-expanded name of indirectly via an MX lookup (including any CNAME-expanded name of
an MX hostname), then the original next-hop domain used in the MX an MX hostname), then the original next-hop domain used in the MX
lookup MUST be accepted in the peer certificate. The CNAME- lookup MUST be included as as a second reference identifier. The
expanded original next-hop domain MUST also be accepted if CNAME-expanded original next-hop domain MUST be included as a
different from the initial query name. third reference identifier if different from the original next-hop
domain.
TLSA records for Non-MX hostnames: If MX records were not used TLSA records for Non-MX hostnames: If MX records were not used
(e.g., if none exist) and the TLSA base domain is the CNAME- (e.g., if none exist) and the TLSA base domain is the CNAME-
expanded original next-hop domain, then the original next-hop expanded original next-hop domain, then the original next-hop
domain MUST also be accepted. domain MUST be included as a second reference identifier.
Accepting certificates with the original next-hop domain in addition Accepting certificates with the original next-hop domain in addition
to the MX hostname allows a domain with multiple MX hostnames to to the MX hostname allows a domain with multiple MX hostnames to
field a single certificate bearing a single domain name (i.e., the field a single certificate bearing a single domain name (i.e., the
email domain) across all the SMTP servers. This also aids inter- email domain) across all the SMTP servers. This also aids
operability with pre-DANE SMTP clients that are configured to look interoperability with pre-DANE SMTP clients that are configured to
for the email domain name in server certificates. For example, with look for the email domain name in server certificates. For example,
"secure" DNS records as below: with "secure" DNS records as below:
exchange.example.org. IN CNAME mail.example.org. exchange.example.org. IN CNAME mail.example.org.
mail.example.org. IN CNAME example.com. mail.example.org. IN CNAME example.com.
example.com. IN MX 10 mx10.example.com. example.com. IN MX 10 mx10.example.com.
example.com. IN MX 15 mx15.example.com. example.com. IN MX 15 mx15.example.com.
example.com. IN MX 20 mx20.example.com. example.com. IN MX 20 mx20.example.com.
; ;
mx10.example.com. IN A 192.0.2.10 mx10.example.com. IN A 192.0.2.10
_25._tcp.mx10.example.com. IN TLSA 2 0 1 ... _25._tcp.mx10.example.com. IN TLSA 2 0 1 ...
; ;
mx15.example.com. IN CNAME mxbackup.example.com. mx15.example.com. IN CNAME mxbackup.example.com.
mxbackup.example.com. IN A 192.0.2.15 mxbackup.example.com. IN A 192.0.2.15
; _25._tcp.mxbackup.example.com. IN TLSA ? (NXDOMAIN) ; _25._tcp.mxbackup.example.com. IN TLSA ? (NXDOMAIN)
_25._tcp.mx15.example.com. IN TLSA 2 0 1 ... _25._tcp.mx15.example.com. IN TLSA 2 0 1 ...
; ;
mx20.example.com. IN CNAME mxbackup.example.net. mx20.example.com. IN CNAME mxbackup.example.net.
mxbackup.example.net. IN A 198.51.100.20 mxbackup.example.net. IN A 198.51.100.20
_25._tcp.mxbackup.example.net. IN TLSA 2 0 1 ... _25._tcp.mxbackup.example.net. IN TLSA 2 0 1 ...
Certificate name checks for delivery of mail to exchange.example.org Certificate name checks for delivery of mail to exchange.example.org
via any of the associated SMTP servers MUST accept at least the names via any of the associated SMTP servers MUST accept at least the names
"exchange.example.org" and "example.com", which are respectively the "exchange.example.org" and "example.com", which are respectively the
original and fully expanded next-hop domain. When the SMTP server is original and fully expanded next-hop domain. When the SMTP server is
mx10.example.com, name checks MUST accept the TLSA base domain mx10.example.com, name checks MUST accept the TLSA base domain
"mx10.example.com". If, despite the fact that MX hostnames are "mx10.example.com". If, despite the fact that MX hostnames are
required to not be aliases, the MTA supports delivery via required to not be aliases, the MTA supports delivery via
"mx15.example.com" or "mx20.example.com" then name checks MUST accept "mx15.example.com" or "mx20.example.com" then name checks MUST accept
the respective TLSA base domains "mx15.example.com" and the respective TLSA base domains "mx15.example.com" and
"mxbackup.example.net". "mxbackup.example.net".
The SMTP client MUST NOT perform certificate usage name checks with 2.3.2.3. Reference identifier matching
certificate usage DANE-EE(3), since with usage DANE-EE(3) the server
is authenticated directly by matching the TLSA RRset to its
certificate or public key without resorting to any issuing authority.
The certificate content is ignored except to match the certificate or
public key (ASN.1 DER encoding or its digest) with the TLSA RRset.
To ensure that the server sends the right certificate chain, the SMTP
client MUST send the TLS SNI extension containing the TLSA base
domain. This precludes the use of the backward compatible SSL 2.0
compatible SSL HELLO by the SMTP client. The minimum SSL/TLS client
HELLO version for SMTP clients performing DANE authentication is SSL
3.0, but a client that offers SSL 3.0 MUST also offer at least TLS
1.0 and MUST include the SNI extension. Servers that don't make use
of SNI MAY negotiate SSL 3.0 if offered by the client.
Each SMTP server MUST present a certificate chain (see [RFC5246] When name checks are applicable (certificate usage DANE-TA(2)), if
Section 7.4.2) that matches at least one of the TLSA records. The the server certificate contains a Subject Alternative Name extension
server MAY rely on SNI to determine which certificate chain to ([RFC5280]), with at least one DNS-ID ([RFC6125]) then only the DNS-
present to the client. Clients that don't send SNI information may IDs are matched against the client's reference identifiers. The CN-
not see the expected certificate chain. ID ([RFC6125]) is only considered when no DNS-IDs are present. The
server certificate is considered matched when one of its presented
identifiers ([RFC5280]) matches any of the client's reference
identifiers.
If the server's TLSA RRset includes records with a matching type Wildcards are valid in either DNS-IDs or the CN-ID when applicable.
indicating a digest record (i.e., a value other than Full(0)), a TLSA The wildcard character must be entire first label of the DNS-ID or
record with a SHA2-256(1) matching type SHOULD be provided along with CN-ID. Thus, "*.example.com" is valid, while "smtp*.example.com" and
any other digest published, since some SMTP clients may support only "*smtp.example.com" are not. SMTP clients MUST support wildcards
SHA2-256(1). that match the first label of the reference identifier, with the
remaining labels matching verbatim. For example, the DNS-ID
"*.example.com" matches the reference identifier "mx1.example.com".
SMTP clients MAY, subject to local policy allow wildcards to match
multiple reference identifier labels, but servers cannot expect broad
support for such a policy. Therefore any wildcards in server
certificates SHOULD match exactly one label in either the TLSA base
domain or the next-hop domain.
If the server's TLSA records match the server's default certificate 2.3.3. Key rotation
chain, the server need not support SNI. In either case, the server
need not include the SNI extension in its TLS HELLO as simply
returning a matching certificate chain is sufficient. Servers MUST
NOT enforce the use of SNI by clients, as the client may be using
unauthenticated opportunistic TLS and may not expect any particular
certificate from the server. If the client sends no SNI extension,
or sends an SNI extension for an unsupported domain, the server MUST
simply send its default certificate chain. The reason for not
enforcing strict matching of the requested SNI hostname is that DANE
TLS clients are typically willing to accept multiple server names,
but can only send one name in the SNI extension. The server's
default certificate may match a different name acceptable to the
client, e.g., the original next-hop domain.
An SMTP client employing pre-DANE opportunistic TLS MAY include some Two TLSA records MUST be published before employing a new EE or TA
anonymous TLS cipher suites in its TLS HELLO in addition to at least public key or certificate, one matching the currently deployed key
one non-anonymous cipher suite (since servers often do support any of and the other matching the new key scheduled to replace it. Once
the anonymous ones). Therefore, an SMTP server MUST either select sufficient time has elapsed for all DNS caches to expire the previous
some suitable non-anonymous cipher suite offered by the client, or if TLSA RRset and related signature RRsets, servers may be configured to
it selects an anonymous cipher suite, it MUST NOT fail to complete use the new EE private key and associated public key certificate or
the handshake merely because an anonymous cipher suite was chosen. may employ certificates signed by the new trust anchor.
Note that while SMTP server operators are under no obligation to Once the new public key or certificate is in use, the TLSA RR that
enable anonymous cipher suites, no security is gained by sending matches the retired key can be removed from DNS, leaving only RRs
certificates to clients that will ignore them. Indeed support for that match keys or certificates in active use.
anonymous cipher suites in the server makes audit trails more
informative. Log entries that record connections that employed an
anonymous cipher suite record the fact that the clients did not care
to authenticate the server.
2.3.3. Digest algorithm agility 2.3.4. Digest algorithm agility
While [RFC6698] specifies multiple digest algorithms, it does not While [RFC6698] specifies multiple digest algorithms, it does not
specify a protocol by which the SMTP client and TLSA record publisher specify a protocol by which the SMTP client and TLSA record publisher
can agree on the strongest shared algorithm. Such a protocol would can agree on the strongest shared algorithm. Such a protocol would
allow the client and server to avoid exposure to any deprecated allow the client and server to avoid exposure to any deprecated
weaker algorithms that are published for compatibilty with less weaker algorithms that are published for compatibility with less
capable clients, but should be ignored when possible. We specify capable clients, but should be ignored when possible. We specify
such a protocol below. such a protocol below.
Suppose that a DANE TLS client authenticating a TLS server considers Suppose that a DANE TLS client authenticating a TLS server considers
digest algorithm BETTER stronger than digest algorithm WORSE. digest algorithm BETTER stronger than digest algorithm WORSE.
Suppose further that a server's TLSA RRset contains some records with Suppose further that a server's TLSA RRset contains some records with
BETTER as the digest algorithm. Finally, suppose that for every raw BETTER as the digest algorithm. Finally, suppose that for every raw
public key or certificate object that is included in the server's public key or certificate object that is included in the server's
TLSA RRset in digest form, whenever that object appears with TLSA RRset in digest form, whenever that object appears with
algorithm WORSE with some usage and selector it also appears with algorithm WORSE with some usage and selector it also appears with
skipping to change at page 25, line 32 skipping to change at page 26, line 40
changes in the receiver's expected certificate properties are made on changes in the receiver's expected certificate properties are made on
the receiver end and don't require manually communicated the receiver end and don't require manually communicated
configuration changes. With mandatory DANE TLS, when no usable TLSA configuration changes. With mandatory DANE TLS, when no usable TLSA
records are found, message delivery is delayed. Thus, mail is only records are found, message delivery is delayed. Thus, mail is only
sent when an authenticated TLS channel is established to the remote sent when an authenticated TLS channel is established to the remote
SMTP server. SMTP server.
Administrators of mail servers that employ mandatory DANE TLS, need Administrators of mail servers that employ mandatory DANE TLS, need
to carefully monitor their mail logs and queues. If a partner domain to carefully monitor their mail logs and queues. If a partner domain
unwittingly misconfigures their TLSA records, disables DNSSEC, or unwittingly misconfigures their TLSA records, disables DNSSEC, or
misconfigures SMTP server certificate chains, mail will be delayed. misconfigures SMTP server certificate chains, mail will be delayed
and may bounce if the issue is not resolved in a timely manner.
4. Operational Considerations 4. Note on DANE for Message User Agents
We note that the SMTP protocol is also used between Message User
Agents (MUAs) and Message Submission Agents (MSAs) [RFC6409]. In
[RFC6186] a protocol is specified that enables an MUA to dynamically
locate the MSA based on the user's email address. SMTP connection
security considerations for MUAs implementing [RFC6186] are largely
analogous to connection security requirements for MTAs, and this
specification could be applied largely verbatim with DNS MX records
replaced by corresponding DNS Service (SRV) records
[I-D.ietf-dane-srv].
4.1. Client Operational Considerations However, until MUAs begin to adopt the dynamic configuration
mechanisms of [RFC6186] they are adequately served by more
traditional static TLS security policies. Specification of DANE TLS
for Message User Agent (MUA) to Message Submission Agent (MSA) SMTP
is left to future documents that focus specifically on SMTP security
between MUAs and MSAs.
5. Interoperability considerations
5.1. SNI support
To ensure that the server sends the right certificate chain, the SMTP
client MUST send the TLS SNI extension containing the TLSA base
domain. This precludes the use of the backward compatible SSL 2.0
compatible SSL HELLO by the SMTP client. The minimum SSL/TLS client
HELLO version for SMTP clients performing DANE authentication is SSL
3.0, but a client that offers SSL 3.0 MUST also offer at least TLS
1.0 and MUST include the SNI extension. Servers that don't make use
of SNI MAY negotiate SSL 3.0 if offered by the client.
Each SMTP server MUST present a certificate chain (see [RFC5246]
Section 7.4.2) that matches at least one of the TLSA records. The
server MAY rely on SNI to determine which certificate chain to
present to the client. Clients that don't send SNI information may
not see the expected certificate chain.
If the server's TLSA records match the server's default certificate
chain, the server need not support SNI. In either case, the server
need not include the SNI extension in its TLS HELLO as simply
returning a matching certificate chain is sufficient. Servers MUST
NOT enforce the use of SNI by clients, as the client may be using
unauthenticated opportunistic TLS and may not expect any particular
certificate from the server. If the client sends no SNI extension,
or sends an SNI extension for an unsupported domain, the server MUST
simply send its default certificate chain. The reason for not
enforcing strict matching of the requested SNI hostname is that DANE
TLS clients are typically willing to accept multiple server names,
but can only send one name in the SNI extension. The server's
default certificate may match a different name acceptable to the
client, e.g., the original next-hop domain.
5.2. Anonymous TLS cipher suites
Since many SMTP servers either do not support or do not enable any
anonymous TLS cipher suites, SMTP client TLS HELLO messages SHOULD
offer to negotiate a typical set of non-anonymous cipher suites
required for interoperability with such servers. An SMTP client
employing pre-DANE opportunistic TLS MAY in addition include one or
more anonymous TLS cipher suites in its TLS HELLO. SMTP servers,
that need to interoperate with opportunistic TLS clients SHOULD be
prepared to interoperate with such clients by either always selecting
a mutually supported non-anonymous cipher suite or by correctly
handling client connections that negotiate anonymous cipher suites.
Note that while SMTP server operators are under no obligation to
enable anonymous cipher suites, no security is gained by sending
certificates to clients that will ignore them. Indeed support for
anonymous cipher suites in the server makes audit trails more
informative. Log entries that record connections that employed an
anonymous cipher suite record the fact that the clients did not care
to authenticate the server.
6. Operational Considerations
6.1. Client Operational Considerations
An operational error on the sending or receiving side that cannot be
corrected in a timely manner may, at times, lead to consistent
failure to deliver time-sensitive email. The sending MTA
administrator may have to choose between letting email queue until
the error is resolved and disabling opportunistic or mandatory DANE
TLS for one or more destinations. The choice to disable DANE TLS
security should not be made lightly. Every reasonable effort should
be made to determine that problems with mail delivery are the result
of an operational error, and not an attack. A fallback strategy may
be to configure explicit out-of-band TLS security settings if
supported by the sending MTA.
SMTP clients may deploy opportunistic DANE TLS incrementally by SMTP clients may deploy opportunistic DANE TLS incrementally by
enabling it only for selected sites, or may occasionally need to enabling it only for selected sites, or may occasionally need to
disable opportunistic DANE TLS for peers that fail to interoperate disable opportunistic DANE TLS for peers that fail to interoperate
due to misconfiguration or software defects on either end. Unless due to misconfiguration or software defects on either end. Some
local policy specifies that opportunistic DANE TLS is not to be used implementations MAY support DANE TLS in an "audit only" mode in which
for a particular destination, an SMTP client MUST NOT deliver mail failure to achieve the requisite security level is logged as a
via a server whose certificate chain fails to match at least one TLSA warning and delivery proceeds at a reduced security level. Unless
record when usable TLSA records are found for that server. local policy specifies "audit only" or that opportunistic DANE TLS is
not to be used for a particular destination, an SMTP client MUST NOT
deliver mail via a server whose certificate chain fails to match at
least one TLSA record when usable TLSA records are found for that
server.
4.2. Publisher Operational Considerations 6.2. Publisher Operational Considerations
SMTP servers that publish certificate usage DANE-TA(2) associations SMTP servers that publish certificate usage DANE-TA(2) associations
MUST include the TA certificate in their TLS server certificate MUST include the TA certificate in their TLS server certificate
chain, even when that TA certificate is a self-signed root chain, even when that TA certificate is a self-signed root
certificate. certificate.
TLSA Publishers must follow the digest agility guidelines in TLSA Publishers must follow the digest agility guidelines in
Section 2.3.3 and must make sure that all objects published in digest Section 2.3.4 and must make sure that all objects published in digest
form for a particular usage and selector are published with the same form for a particular usage and selector are published with the same
set of digest algorithms. set of digest algorithms.
TLSA Publishers should follow the TLSA publication size guidance TLSA Publishers should follow the TLSA publication size guidance
found in [I-D.ietf-dane-ops] about "DANE DNS Record Size Guidelines". found in [I-D.ietf-dane-ops] about "DANE DNS Record Size Guidelines".
5. Security Considerations 7. Security Considerations
This protocol leverages DANE TLSA records to implement MITM resistant This protocol leverages DANE TLSA records to implement MITM resistant
opportunistic channel security for SMTP. For destination domains opportunistic channel security for SMTP. For destination domains
that sign their MX records and publish signed TLSA records for their that sign their MX records and publish signed TLSA records for their
MX hostnames, this protocol allows sending MTAs to securely discover MX hostnames, this protocol allows sending MTAs to securely discover
both the availability of TLS and how to authenticate the destination. both the availability of TLS and how to authenticate the destination.
This protocol does not aim to secure all SMTP traffic, as that is not This protocol does not aim to secure all SMTP traffic, as that is not
practical until DNSSEC and DANE adoption are universal. The practical until DNSSEC and DANE adoption are universal. The
incremental deployment provided by following this specification is a incremental deployment provided by following this specification is a
skipping to change at page 26, line 50 skipping to change at page 30, line 23
certificate usages 0 and 1 simplifies implementation and deployment certificate usages 0 and 1 simplifies implementation and deployment
with no adverse security consequences. with no adverse security consequences.
Implementations must strictly follow the portions of this Implementations must strictly follow the portions of this
specification that indicate when it is appropriate to initiate a non- specification that indicate when it is appropriate to initiate a non-
authenticated connection or cleartext connection to a SMTP server. authenticated connection or cleartext connection to a SMTP server.
Specifically, in order to prevent downgrade attacks on this protocol, Specifically, in order to prevent downgrade attacks on this protocol,
implementation must not initiate a connection when this specification implementation must not initiate a connection when this specification
indicates a particular SMTP server must be considered unreachable. indicates a particular SMTP server must be considered unreachable.
6. IANA considerations 8. IANA considerations
This specification requires no support from IANA. This specification requires no support from IANA.
7. Acknowledgements 9. Acknowledgements
The authors would like to extend great thanks to Tony Finch, who The authors would like to extend great thanks to Tony Finch, who
started the original version of a DANE SMTP document. His work is started the original version of a DANE SMTP document. His work is
greatly appreciated and has been incorporated into this document. greatly appreciated and has been incorporated into this document.
The authors would like to additionally thank Phil Pennock for his The authors would like to additionally thank Phil Pennock for his
comments and advice on this document. comments and advice on this document.
Acknowledgments from Viktor: Thanks to Paul Hoffman who motivated me Acknowledgments from Viktor: Thanks to Paul Hoffman who motivated me
to begin work on this memo and provided feedback on early drafts. to begin work on this memo and provided feedback on early drafts.
Thanks to Patrick Koetter, Perry Metzger and Nico Williams for Thanks to Patrick Koetter, Perry Metzger and Nico Williams for
valuable review comments. Thanks also to Wietse Venema who created valuable review comments. Thanks also to Wietse Venema who created
Postfix, and whose advice and feedback were essential to the Postfix, and whose advice and feedback were essential to the
development of the Postfix DANE implementation. development of the Postfix DANE implementation.
8. References 10. References
8.1. Normative References 10.1. Normative References
[I-D.ietf-dane-ops] [I-D.ietf-dane-ops]
Dukhovni, V. and W. Hardaker, "DANE TLSA implementation Dukhovni, V. and W. Hardaker, "DANE TLSA implementation
and operational guidance", draft-ietf-dane-ops-02 (work in and operational guidance", draft-ietf-dane-ops-00 (work in
progress), January 2014. progress), October 2013.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over [RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over
Transport Layer Security", RFC 3207, February 2002. Transport Layer Security", RFC 3207, February 2002.
skipping to change at page 28, line 32 skipping to change at page 32, line 5
[RFC6186] Daboo, C., "Use of SRV Records for Locating Email [RFC6186] Daboo, C., "Use of SRV Records for Locating Email
Submission/Access Services", RFC 6186, March 2011. Submission/Access Services", RFC 6186, March 2011.
[RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the [RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the
DNS", RFC 6672, June 2012. DNS", RFC 6672, June 2012.
[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
of Named Entities (DANE) Transport Layer Security (TLS) of Named Entities (DANE) Transport Layer Security (TLS)
Protocol: TLSA", RFC 6698, August 2012. Protocol: TLSA", RFC 6698, August 2012.
8.2. Informative References 10.2. Informative References
[I-D.ietf-dane-registry-acronyms] [I-D.ietf-dane-registry-acronyms]
Gudmundsson, O., "Adding acronyms to simplify DANE Gudmundsson, O., "Adding acronyms to simplify DANE
conversations", draft-ietf-dane-registry-acronyms-03 (work conversations", draft-ietf-dane-registry-acronyms-01 (work
in progress), January 2014. in progress), October 2013.
[I-D.ietf-dane-srv] [I-D.ietf-dane-srv]
Finch, T., Miller, M., and P. Saint-Andre, "Using DNS- Finch, T., "Using DNS-Based Authentication of Named
Based Authentication of Named Entities (DANE) TLSA records Entities (DANE) TLSA records with SRV and MX records.",
with SRV and MX records.", draft-ietf-dane-srv-05 (work in draft-ietf-dane-srv-02 (work in progress), February 2013.
progress), February 2014.
[RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, July [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, July
2009. 2009.
[RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail", [RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail",
STD 72, RFC 6409, November 2011. STD 72, RFC 6409, November 2011.
Authors' Addresses Authors' Addresses
Viktor Dukhovni Viktor Dukhovni
Unaffiliated Two Sigma
Email: ietf-dane@dukhovni.org Email: ietf-dane@dukhovni.org
Wes Hardaker Wes Hardaker
Parsons Parsons
P.O. Box 382 P.O. Box 382
Davis, CA 95617 Davis, CA 95617
US US
Email: ietf@hardakers.net Email: ietf@hardakers.net
 End of changes. 84 change blocks. 
303 lines changed or deleted 435 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/