< draft-ietf-dane-smtp-with-dane-13.txt   draft-ietf-dane-smtp-with-dane-14.txt >
DANE V. Dukhovni DANE V. Dukhovni
Internet-Draft Two Sigma Internet-Draft Two Sigma
Intended status: Standards Track W. Hardaker Intended status: Standards Track W. Hardaker
Expires: April 29, 2015 Parsons Expires: August 24, 2015 Parsons
October 26, 2014 February 20, 2015
SMTP security via opportunistic DANE TLS SMTP security via opportunistic DANE TLS
draft-ietf-dane-smtp-with-dane-13 draft-ietf-dane-smtp-with-dane-14
Abstract Abstract
This memo describes a downgrade-resistant protocol for SMTP transport This memo describes a downgrade-resistant protocol for SMTP transport
security between Mail Transfer Agents (MTAs) based on the DNS-Based security between Mail Transfer Agents (MTAs) based on the DNS-Based
Authentication of Named Entities (DANE) TLSA DNS record. Adoption of Authentication of Named Entities (DANE) TLSA DNS record. Adoption of
this protocol enables an incremental transition of the Internet email this protocol enables an incremental transition of the Internet email
backbone to one using encrypted and authenticated Transport Layer backbone to one using encrypted and authenticated Transport Layer
Security (TLS). Security (TLS).
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 29, 2015. This Internet-Draft will expire on August 24, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Background . . . . . . . . . . . . . . . . . . . . . . . 5 1.2. Background . . . . . . . . . . . . . . . . . . . . . . . 5
1.3. SMTP channel security . . . . . . . . . . . . . . . . . . 6 1.3. SMTP channel security . . . . . . . . . . . . . . . . . . 5
1.3.1. STARTTLS downgrade attack . . . . . . . . . . . . . . 6 1.3.1. STARTTLS downgrade attack . . . . . . . . . . . . . . 6
1.3.2. Insecure server name without DNSSEC . . . . . . . . . 7 1.3.2. Insecure server name without DNSSEC . . . . . . . . . 6
1.3.3. Sender policy does not scale . . . . . . . . . . . . 8 1.3.3. Sender policy does not scale . . . . . . . . . . . . 7
1.3.4. Too many certification authorities . . . . . . . . . 8 1.3.4. Too many certification authorities . . . . . . . . . 8
2. Identifying applicable TLSA records . . . . . . . . . . . . . 9 2. Identifying applicable TLSA records . . . . . . . . . . . . . 8
2.1. DNS considerations . . . . . . . . . . . . . . . . . . . 9 2.1. DNS considerations . . . . . . . . . . . . . . . . . . . 8
2.1.1. DNS errors, bogus and indeterminate responses . . . . 9 2.1.1. DNS errors, bogus and indeterminate responses . . . . 8
2.1.2. DNS error handling . . . . . . . . . . . . . . . . . 11 2.1.2. DNS error handling . . . . . . . . . . . . . . . . . 11
2.1.3. Stub resolver considerations . . . . . . . . . . . . 12 2.1.3. Stub resolver considerations . . . . . . . . . . . . 11
2.2. TLS discovery . . . . . . . . . . . . . . . . . . . . . . 13 2.2. TLS discovery . . . . . . . . . . . . . . . . . . . . . . 13
2.2.1. MX resolution . . . . . . . . . . . . . . . . . . . . 14 2.2.1. MX resolution . . . . . . . . . . . . . . . . . . . . 14
2.2.2. Non-MX destinations . . . . . . . . . . . . . . . . . 15 2.2.2. Non-MX destinations . . . . . . . . . . . . . . . . . 15
2.2.3. TLSA record lookup . . . . . . . . . . . . . . . . . 17 2.2.3. TLSA record lookup . . . . . . . . . . . . . . . . . 17
3. DANE authentication . . . . . . . . . . . . . . . . . . . . . 19 3. DANE authentication . . . . . . . . . . . . . . . . . . . . . 19
3.1. TLSA certificate usages . . . . . . . . . . . . . . . . . 19 3.1. TLSA certificate usages . . . . . . . . . . . . . . . . . 19
3.1.1. Certificate usage DANE-EE(3) . . . . . . . . . . . . 21 3.1.1. Certificate usage DANE-EE(3) . . . . . . . . . . . . 21
3.1.2. Certificate usage DANE-TA(2) . . . . . . . . . . . . 22 3.1.2. Certificate usage DANE-TA(2) . . . . . . . . . . . . 21
3.1.3. Certificate usages PKIX-TA(0) and PKIX-EE(1) . . . . 23 3.1.3. Certificate usages PKIX-TA(0) and PKIX-EE(1) . . . . 23
3.2. Certificate matching . . . . . . . . . . . . . . . . . . 24 3.2. Certificate matching . . . . . . . . . . . . . . . . . . 23
3.2.1. DANE-EE(3) name checks . . . . . . . . . . . . . . . 24 3.2.1. DANE-EE(3) name checks . . . . . . . . . . . . . . . 23
3.2.2. DANE-TA(2) name checks . . . . . . . . . . . . . . . 24 3.2.2. DANE-TA(2) name checks . . . . . . . . . . . . . . . 24
3.2.3. Reference identifier matching . . . . . . . . . . . . 25 3.2.3. Reference identifier matching . . . . . . . . . . . . 25
4. Server key management . . . . . . . . . . . . . . . . . . . . 26 4. Server key management . . . . . . . . . . . . . . . . . . . . 25
5. Digest algorithm agility . . . . . . . . . . . . . . . . . . 26 5. Digest algorithm agility . . . . . . . . . . . . . . . . . . 26
6. Mandatory TLS Security . . . . . . . . . . . . . . . . . . . 27 6. Mandatory TLS Security . . . . . . . . . . . . . . . . . . . 26
7. Note on DANE for Message User Agents . . . . . . . . . . . . 27 7. Note on DANE for Message User Agents . . . . . . . . . . . . 27
8. Interoperability considerations . . . . . . . . . . . . . . . 28 8. Interoperability considerations . . . . . . . . . . . . . . . 27
8.1. SNI support . . . . . . . . . . . . . . . . . . . . . . . 28 8.1. SNI support . . . . . . . . . . . . . . . . . . . . . . . 27
8.2. Anonymous TLS cipher suites . . . . . . . . . . . . . . . 28 8.2. Anonymous TLS cipher suites . . . . . . . . . . . . . . . 28
9. Operational Considerations . . . . . . . . . . . . . . . . . 29 9. Operational Considerations . . . . . . . . . . . . . . . . . 28
9.1. Client Operational Considerations . . . . . . . . . . . . 29 9.1. Client Operational Considerations . . . . . . . . . . . . 28
9.2. Publisher Operational Considerations . . . . . . . . . . 30 9.2. Publisher Operational Considerations . . . . . . . . . . 29
10. Security Considerations . . . . . . . . . . . . . . . . . . . 30 10. Security Considerations . . . . . . . . . . . . . . . . . . . 29
11. IANA considerations . . . . . . . . . . . . . . . . . . . . . 31 11. IANA considerations . . . . . . . . . . . . . . . . . . . . . 30
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 31 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 31
13.1. Normative References . . . . . . . . . . . . . . . . . . 31 13.1. Normative References . . . . . . . . . . . . . . . . . . 31
13.2. Informative References . . . . . . . . . . . . . . . . . 33 13.2. Informative References . . . . . . . . . . . . . . . . . 32
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32
1. Introduction 1. Introduction
This memo specifies a new connection security model for Message This memo specifies a new connection security model for Message
Transfer Agents (MTAs). This model is motivated by key features of Transfer Agents (MTAs). This model is motivated by key features of
inter-domain SMTP delivery, in particular the fact that the inter-domain SMTP delivery, in particular the fact that the
destination server is selected indirectly via DNS Mail Exchange (MX) destination server is selected indirectly via DNS Mail Exchange (MX)
records and that neither email addresses nor MX hostnames signal a records and that neither email addresses nor MX hostnames signal a
requirement for either secure or cleartext transport. Therefore, requirement for either secure or cleartext transport. Therefore,
aside from a few manually configured exceptions, SMTP transport aside from a few manually configured exceptions, SMTP transport
skipping to change at page 4, line 46 skipping to change at page 4, line 46
MX hostname: The RRDATA of an MX record consists of a 16 bit MX hostname: The RRDATA of an MX record consists of a 16 bit
preference followed by a Mail Exchange domain name (see [RFC1035], preference followed by a Mail Exchange domain name (see [RFC1035],
Section 3.3.9). We will use the term "MX hostname" to refer to Section 3.3.9). We will use the term "MX hostname" to refer to
the latter, that is, the DNS domain name found after the the latter, that is, the DNS domain name found after the
preference value in an MX record. Thus an "MX hostname" is preference value in an MX record. Thus an "MX hostname" is
specifically a reference to a DNS domain name, rather than any specifically a reference to a DNS domain name, rather than any
host that bears that name. host that bears that name.
delayed delivery: Email delivery is a multi-hop store & forward delayed delivery: Email delivery is a multi-hop store & forward
process. When an MTA is unable forward a message that may become process. When an MTA is unable to forward a message that may
deliverable later the message is queued and delivery is retried become deliverable later the message is queued and delivery is
periodically. Some MTAs may be configured with a fallback next- retried periodically. Some MTAs may be configured with a fallback
hop destination that handles messages that the MTA would otherwise next-hop destination that handles messages that the MTA would
queue and retry. When a fallback next-hop is configured, messages otherwise queue and retry. When a fallback next-hop is
that would otherwise have to be delayed may be sent to the configured, messages that would otherwise have to be delayed may
fallback next-hop destination instead. The fallback destination be sent to the fallback next-hop destination instead. The
may itself be subject to opportunistic or mandatory DANE TLS as fallback destination may itself be subject to opportunistic or
though it were the original message destination. mandatory DANE TLS (Section 6) as though it were the original
message destination.
original next hop destination: The logical destination for mail original next hop destination: The logical destination for mail
delivery. By default this is the domain portion of the recipient delivery. By default this is the domain portion of the recipient
address, but MTAs may be configured to forward mail for some or address, but MTAs may be configured to forward mail for some or
all recipients via designated relays. The original next hop all recipients via designated relays. The original next hop
destination is, respectively, either the recipient domain or the destination is, respectively, either the recipient domain or the
associated configured relay. associated configured relay.
MTA: Message Transfer Agent ([RFC5598], Section 4.3.2). MTA: Message Transfer Agent ([RFC5598], Section 4.3.2).
MSA: Message Submission Agent ([RFC5598], Section 4.3.1). MSA: Message Submission Agent ([RFC5598], Section 4.3.1).
MUA: Message User Agent ([RFC5598], Section 4.2.1). MUA: Message User Agent ([RFC5598], Section 4.2.1).
RR: A DNS Resource Record RR: A DNS Resource Record as defined in [RFC1034], Section 3.6.
RRset: A set of DNS Resource Records for a particular class, domain RRSet: An RRSet ([RFC2181], Section 5) is a group of DNS resource
and record type. records that share the same label, class and type.
1.2. Background 1.2. Background
The Domain Name System Security Extensions (DNSSEC) add data origin The Domain Name System Security Extensions (DNSSEC) add data origin
authentication, data integrity and data non-existence proofs to the authentication, data integrity and data non-existence proofs to the
Domain Name System (DNS). DNSSEC is defined in [RFC4033], [RFC4034] Domain Name System (DNS). DNSSEC is defined in [RFC4033], [RFC4034]
and [RFC4035]. and [RFC4035].
As described in the introduction of [RFC6698], TLS authentication via As described in the introduction of [RFC6698], TLS authentication via
the existing public Certification Authority (CA) PKI suffers from an the existing public Certification Authority (CA) PKI suffers from an
skipping to change at page 6, line 8 skipping to change at page 5, line 51
The TLS protocol enables secure TCP communication. In the context of The TLS protocol enables secure TCP communication. In the context of
this memo, channel security is assumed to be provided by TLS. Used this memo, channel security is assumed to be provided by TLS. Used
without authentication, TLS provides only privacy protection against without authentication, TLS provides only privacy protection against
eavesdropping attacks. With authentication, TLS also provides data eavesdropping attacks. With authentication, TLS also provides data
integrity protection to guard against MITM attacks. integrity protection to guard against MITM attacks.
1.3. SMTP channel security 1.3. SMTP channel security
With HTTPS, Transport Layer Security (TLS) employs X.509 certificates With HTTPS, Transport Layer Security (TLS) employs X.509 certificates
[RFC5280] issued by one of the many Certificate Authorities (CAs) [RFC5280] issued by one of the many Certification Authorities (CAs)
bundled with popular web browsers to allow users to authenticate bundled with popular web browsers to allow users to authenticate
their "secure" websites. Before we specify a new DANE TLS security their "secure" websites. Before we specify a new DANE TLS security
model for SMTP, we will explain why a new security model is needed. model for SMTP, we will explain why a new security model is needed.
In the process, we will explain why the familiar HTTPS security model In the process, we will explain why the familiar HTTPS security model
is inadequate to protect inter-domain SMTP traffic. is inadequate to protect inter-domain SMTP traffic.
The subsections below outline four key problems with applying The subsections below outline four key problems with applying
traditional PKI to SMTP that are addressed by this specification. traditional PKI to SMTP that are addressed by this specification.
Since SMTP channel security policy is not explicitly specified in Since SMTP channel security policy is not explicitly specified in
either the recipient address or the MX record, a new signaling either the recipient address or the MX record, a new signaling
skipping to change at page 7, line 19 skipping to change at page 7, line 4
command ([RFC3207]). The server signals TLS support to the client command ([RFC3207]). The server signals TLS support to the client
over a cleartext SMTP connection, and, if the client also supports over a cleartext SMTP connection, and, if the client also supports
TLS, it may negotiate a TLS encrypted channel to use for email TLS, it may negotiate a TLS encrypted channel to use for email
transmission. The server's indication of TLS support can be easily transmission. The server's indication of TLS support can be easily
suppressed by an MITM attacker. Thus pre-DANE SMTP TLS security can suppressed by an MITM attacker. Thus pre-DANE SMTP TLS security can
be subverted by simply downgrading a connection to cleartext. No TLS be subverted by simply downgrading a connection to cleartext. No TLS
security feature, such as the use of PKIX, can prevent this. The security feature, such as the use of PKIX, can prevent this. The
attacker can simply disable TLS. attacker can simply disable TLS.
1.3.2. Insecure server name without DNSSEC 1.3.2. Insecure server name without DNSSEC
With SMTP, DNS Mail Exchange (MX) records abstract the next-hop With SMTP, DNS Mail Exchange (MX) records abstract the next-hop
transport endpoint and allow administrators to specify a set of transport endpoint and allow administrators to specify a set of
target servers to which SMTP traffic should be directed for a given target servers to which SMTP traffic should be directed for a given
domain. domain.
A PKIX TLS client is vulnerable to MITM attacks unless it verifies A PKIX TLS client is vulnerable to MITM attacks unless it verifies
that the server's certificate binds the public key to a name that that the server's certificate binds the public key to a name that
matches one of the client's reference identifiers. A natural choice matches one of the client's reference identifiers. A natural choice
of reference identifier is the server's domain name. However, with of reference identifier is the server's domain name. However, with
SMTP, server names are not directly encoded in the recipient address, SMTP, server names are not directly encoded in the recipient address,
instead they are obtained indirectly via MX records. Without DNSSEC, instead they are obtained indirectly via MX records. Without DNSSEC,
the MX lookup is vulnerable to MITM and DNS cache poisoning attacks. the MX lookup is vulnerable to MITM and DNS cache poisoning attacks.
Active attackers can forge DNS replies with fake MX records and can Active attackers can forge DNS replies with fake MX records and can
redirect email to servers with names of their choice. Therefore, redirect email to servers with names of their choice. Therefore,
secure verification of SMTP TLS certificates matching the server name secure verification of SMTP TLS certificates matching the server name
is not possible without DNSSEC. is not possible without DNSSEC.
One might try to harden TLS for SMTP against DNS attacks by using the One might try to harden TLS for SMTP against DNS attacks by using the
envelope recipient domain as a reference identifier and requiring envelope recipient domain as a reference identifier and by requiring
each SMTP server to possess a trusted certificate for the envelope each SMTP server to possess a trusted certificate for the envelope
recipient domain rather than the MX hostname. Unfortunately, this is recipient domain rather than the MX hostname. Unfortunately, this is
impractical as email for many domains is handled by third parties impractical as email for many domains is handled by third parties
that are not in a position to obtain certificates for all the domains that are not in a position to obtain certificates for all the domains
they serve. Deployment of the Server Name Indication (SNI) extension they serve. Deployment of the Server Name Indication (SNI) extension
to TLS (see [RFC6066] Section 3) is no panacea, since SNI key to TLS (see [RFC6066] Section 3) is no panacea, since SNI key
management is operationally challenging except when the email service management is operationally challenging except when the email service
provider is also the domain's registrar and its certificate issuer; provider is also the domain's registrar and its certificate issuer;
this is rarely the case for email. this is rarely the case for email.
skipping to change at page 8, line 18 skipping to change at page 7, line 51
more. Adding any other trusted actors to the mix can only reduce more. Adding any other trusted actors to the mix can only reduce
SMTP security. A sender may choose to further harden DNSSEC for SMTP security. A sender may choose to further harden DNSSEC for
selected high-value receiving domains by configuring explicit trust selected high-value receiving domains by configuring explicit trust
anchors for those domains instead of relying on the chain of trust anchors for those domains instead of relying on the chain of trust
from the root domain. However, detailed discussion of DNSSEC from the root domain. However, detailed discussion of DNSSEC
security practices is out of scope for this document. security practices is out of scope for this document.
1.3.3. Sender policy does not scale 1.3.3. Sender policy does not scale
Sending systems are in some cases explicitly configured to use TLS Sending systems are in some cases explicitly configured to use TLS
for mail sent to selected peer domains. This requires sending MTAs for mail sent to selected peer domains, but this requires configuring
to be configured with appropriate subject names or certificate sending MTAs with appropriate subject names or certificate content
content digests to expect in the presented server certificates. digests from their peer domains. Due to the resulting administrative
Because of the heavy administrative burden, such statically burden, such statically configured SMTP secure channels are used
configured SMTP secure channels are used rarely (generally only rarely (generally only between domains that make bilateral
between domains that make bilateral arrangements with their business arrangements with their business partners). Internet email, on the
partners). Internet email, on the other hand, requires regularly other hand, requires regularly contacting new domains for which
contacting new domains for which security configurations cannot be security configurations cannot be established in advance.
established in advance.
The abstraction of the SMTP transport endpoint via DNS MX records, The abstraction of the SMTP transport endpoint via DNS MX records,
often across organization boundaries, limits the use of public CA PKI often across organization boundaries, limits the use of public CA PKI
with SMTP to a small set of sender-configured peer domains. With with SMTP to a small set of sender-configured peer domains. With
little opportunity to use TLS authentication, sending MTAs are rarely little opportunity to use TLS authentication, sending MTAs are rarely
configured with a comprehensive list of trusted CAs. SMTP services configured with a comprehensive list of trusted CAs. SMTP services
that support STARTTLS often deploy X.509 certificates that are self- that support STARTTLS often deploy X.509 certificates that are self-
signed or issued by a private CA. signed or issued by a private CA.
1.3.4. Too many certification authorities 1.3.4. Too many certification authorities
skipping to change at page 9, line 26 skipping to change at page 9, line 8
An SMTP client that implements opportunistic DANE TLS per this An SMTP client that implements opportunistic DANE TLS per this
specification depends critically on the integrity of DNSSEC lookups, specification depends critically on the integrity of DNSSEC lookups,
as discussed in Section 1.3.2. This section lists the DNS resolver as discussed in Section 1.3.2. This section lists the DNS resolver
requirements needed to avoid downgrade attacks when using requirements needed to avoid downgrade attacks when using
opportunistic DANE TLS. opportunistic DANE TLS.
A DNS lookup may signal an error or return a definitive answer. A A DNS lookup may signal an error or return a definitive answer. A
security-aware resolver must be used for this specification. security-aware resolver must be used for this specification.
Security-aware resolvers will indicate the security status of a DNS Security-aware resolvers will indicate the security status of a DNS
RRset with one of four possible values defined in Section 4.3 of RRSet with one of four possible values defined in Section 4.3 of
[RFC4035]: "secure", "insecure", "bogus" and "indeterminate". In [RFC4035]: "secure", "insecure", "bogus" and "indeterminate". In
[RFC4035] the meaning of the "indeterminate" security status is: [RFC4035] the meaning of the "indeterminate" security status is:
An RRset for which the resolver is not able to determine whether An RRSet for which the resolver is not able to determine whether
the RRset should be signed, as the resolver is not able to obtain the RRSet should be signed, as the resolver is not able to obtain
the necessary DNSSEC RRs. This can occur when the security-aware the necessary DNSSEC RRs. This can occur when the security-aware
resolver is not able to contact security-aware name servers for resolver is not able to contact security-aware name servers for
the relevant zones. the relevant zones.
Note, the "indeterminate" security status has a conflicting Note, the "indeterminate" security status has a conflicting
definition in section 5 of [RFC4033]. definition in section 5 of [RFC4033].
There is no trust anchor that would indicate that a specific There is no trust anchor that would indicate that a specific
portion of the tree is secure. portion of the tree is secure.
To avoid further confusion, the adjective "anchorless" will be used To avoid further confusion, the adjective "anchorless" will be used
below to refer to domains or RRsets that are "indeterminate" in the below to refer to domains or RRSets that are "indeterminate" in the
[RFC4033] sense, and the term "indeterminate" will be used [RFC4033] sense, and the term "indeterminate" will be used
exclusively in the sense of [RFC4035]. exclusively in the sense of [RFC4035].
SMTP clients following this specification SHOULD NOT distinguish SMTP clients following this specification SHOULD NOT distinguish
between "insecure" and "anchorless" DNS responses. Both "insecure" between "insecure" and "anchorless" DNS responses. Both "insecure"
and "anchorless" RRsets MUST be handled identically: in either case and "anchorless" RRSets MUST be handled identically: in either case
unvalidated data for the query domain is all that is and can be unvalidated data for the query domain is all that is and can be
available, and authentication using the data is impossible. In what available, and authentication using the data is impossible. In what
follows, the term "insecure" will also include the case of follows, the term "insecure" will also include the case of
"anchorless" domains that lie in a portion of the DNS tree for which "anchorless" domains that lie in a portion of the DNS tree for which
there is no applicable trust anchor. With the DNS root zone signed, there is no applicable trust anchor. With the DNS root zone signed,
we expect that validating resolvers used by Internet-facing MTAs will we expect that validating resolvers used by Internet-facing MTAs will
be configured with trust anchor data for the root zone, and that be configured with trust anchor data for the root zone, and that
therefore "anchorless" domains should be rare in practice. therefore "anchorless" domains should be rare in practice.
As noted in section 4.3 of [RFC4035], a security-aware DNS resolver As noted in section 4.3 of [RFC4035], a security-aware DNS resolver
skipping to change at page 10, line 24 skipping to change at page 10, line 6
"indeterminate" security status (in the sense of RFC4035) to the "indeterminate" security status (in the sense of RFC4035) to the
application, and will signal a "bogus" or error result instead. If a application, and will signal a "bogus" or error result instead. If a
resolver does signal an RFC4035 "indeterminate" security status, this resolver does signal an RFC4035 "indeterminate" security status, this
MUST be treated by the SMTP client as though a "bogus" or error MUST be treated by the SMTP client as though a "bogus" or error
result had been returned. result had been returned.
An MTA making use of a non-validating security-aware stub resolver An MTA making use of a non-validating security-aware stub resolver
MAY use the stub resolver's ability, if available, to signal DNSSEC MAY use the stub resolver's ability, if available, to signal DNSSEC
validation status based on information the stub resolver has learned validation status based on information the stub resolver has learned
from an upstream validating recursive resolver. Security-Oblivious from an upstream validating recursive resolver. Security-Oblivious
stub-resolvers MUST NOT be used. In accordance with section 4.9.3 of stub-resolvers ([RFC4033]) MUST NOT be used. In accordance with
[RFC4035]: section 4.9.3 of [RFC4035]:
... a security-aware stub resolver MUST NOT place any reliance on ... a security-aware stub resolver MUST NOT place any reliance on
signature validation allegedly performed on its behalf, except signature validation allegedly performed on its behalf, except
when the security-aware stub resolver obtained the data in question when the security-aware stub resolver obtained the data in question
from a trusted security-aware recursive name server via a secure from a trusted security-aware recursive name server via a secure
channel. channel.
To avoid much repetition in the text below, we will pause to explain To avoid much repetition in the text below, we will pause to explain
the handling of "bogus" or "indeterminate" DNSSEC query responses. the handling of "bogus" or "indeterminate" DNSSEC query responses.
These are not necessarily the result of a malicious actor; they can, These are not necessarily the result of a malicious actor; they can,
for example, occur when network packets are corrupted or lost in for example, occur when network packets are corrupted or lost in
transit. Therefore, "bogus" or "indeterminate" replies are equated transit. Therefore, "bogus" or "indeterminate" replies are equated
in this memo with lookup failure. in this memo with lookup failure.
There is an important non-failure condition we need to highlight in There is an important non-failure condition we need to highlight in
addition to the obvious case of the DNS client obtaining a non-empty addition to the obvious case of the DNS client obtaining a non-empty
"secure" or "insecure" RRset of the requested type. Namely, it is "secure" or "insecure" RRSet of the requested type. Namely, it is
not an error when either "secure" or "insecure" non-existence is not an error when either "secure" or "insecure" non-existence is
determined for the requested data. When a DNSSEC response with a determined for the requested data. When a DNSSEC response with a
validation status that is either "secure" or "insecure" reports validation status that is either "secure" or "insecure" reports
either no records of the requested type or non-existence of the query either no records of the requested type or non-existence of the query
domain, the response is not a DNS error condition. The DNS client domain, the response is not a DNS error condition. The DNS client
has not been left without an answer; it has learned that records of has not been left without an answer; it has learned that records of
the requested type do not exist. the requested type do not exist.
Security-aware stub resolvers will, of course, also signal DNS lookup Security-aware stub resolvers will, of course, also signal DNS lookup
errors in other cases, for example when processing a "ServFail" errors in other cases, for example when processing a "ServFail"
RCODE, which will not have an associated DNSSEC status. All lookup RCODE, which will not have an associated DNSSEC status. All lookup
errors are treated the same way by this specification, regardless of errors are treated the same way by this specification, regardless of
whether they are from a "bogus" or "indeterminate" DNSSEC status or whether they are from a "bogus" or "indeterminate" DNSSEC status or
from a more generic DNS error: the information that was requested from a more generic DNS error: the information that was requested
cannot be obtained by the security-aware resolver at this time. A cannot be obtained by the security-aware resolver at this time. A
lookup error is thus a failure to obtain the relevant RRset if it lookup error is thus a failure to obtain the relevant RRSet if it
exists, or to determine that no such RRset exists when it does not. exists, or to determine that no such RRSet exists when it does not.
In contrast to a "bogus" or an "indeterminate" response, an In contrast to a "bogus" or an "indeterminate" response, an
"insecure" DNSSEC response is not an error, rather it indicates that "insecure" DNSSEC response is not an error, rather it indicates that
the target DNS zone is either securely opted out of DNSSEC validation the target DNS zone is either securely opted out of DNSSEC validation
or is not connected with the DNSSEC trust anchors being used. or is not connected with the DNSSEC trust anchors being used.
Insecure results will leave the SMTP client with degraded channel Insecure results will leave the SMTP client with degraded channel
security, but do not stand in the way of message delivery. See security, but do not stand in the way of message delivery. See
section Section 2.2 for further details. section Section 2.2 for further details.
2.1.2. DNS error handling 2.1.2. DNS error handling
skipping to change at page 12, line 8 skipping to change at page 11, line 37
DNS queries succeed. If any DNS failure occurs, the SMTP client MUST DNS queries succeed. If any DNS failure occurs, the SMTP client MUST
behave as described in this section, by skipping the problem SMTP behave as described in this section, by skipping the problem SMTP
server, or the problem destination. Queries for candidate TLSA server, or the problem destination. Queries for candidate TLSA
records are explicitly part of "all relevant DNS queries" and SMTP records are explicitly part of "all relevant DNS queries" and SMTP
clients MUST NOT continue to connect to an SMTP server or destination clients MUST NOT continue to connect to an SMTP server or destination
whose TLSA record lookup fails. whose TLSA record lookup fails.
2.1.3. Stub resolver considerations 2.1.3. Stub resolver considerations
SMTP clients that employ opportunistic DANE TLS to secure connections SMTP clients that employ opportunistic DANE TLS to secure connections
to SMTP servers MUST NOT use Security-Oblivious stub-resolvers. to SMTP servers MUST NOT use Security-Oblivious ([RFC4033]) stub-
resolvers.
A note about DNAME aliases: a query for a domain name whose ancestor A note about DNAME aliases: a query for a domain name whose ancestor
domain is a DNAME alias returns the DNAME RR for the ancestor domain domain is a DNAME alias returns the DNAME RR for the ancestor domain
along with a CNAME that maps the query domain to the corresponding along with a CNAME that maps the query domain to the corresponding
sub-domain of the target domain of the DNAME alias [RFC6672]. sub-domain of the target domain of the DNAME alias [RFC6672].
Therefore, whenever we speak of CNAME aliases, we implicitly allow Therefore, whenever we speak of CNAME aliases, we implicitly allow
for the possibility that the alias in question is the result of an for the possibility that the alias in question is the result of an
ancestor domain DNAME record. Consequently, no explicit support for ancestor domain DNAME record. Consequently, no explicit support for
DNAME records is needed in SMTP software; it is sufficient to process DNAME records is needed in SMTP software; it is sufficient to process
the resulting CNAME aliases. DNAME records only require special the resulting CNAME aliases. DNAME records only require special
skipping to change at page 13, line 26 skipping to change at page 13, line 23
servers that do not support TLS. Clients can safely interpret their servers that do not support TLS. Clients can safely interpret their
presence as a commitment by the server operator to implement TLS and presence as a commitment by the server operator to implement TLS and
STARTTLS. STARTTLS.
This memo defines four actions to be taken after the search for a This memo defines four actions to be taken after the search for a
TLSA record returns secure usable results, secure unusable results, TLSA record returns secure usable results, secure unusable results,
insecure or no results or an error signal. The term "usable" in this insecure or no results or an error signal. The term "usable" in this
context is in the sense of Section 4.1 of [RFC6698]. Specifically, context is in the sense of Section 4.1 of [RFC6698]. Specifically,
if the DNS lookup for a TLSA record returns: if the DNS lookup for a TLSA record returns:
A secure TLSA RRset with at least one usable record: A connection to A secure TLSA RRSet with at least one usable record: A connection to
the MTA MUST be made using authenticated and encrypted TLS, using the MTA MUST be made using authenticated and encrypted TLS, using
the techniques discussed in the rest of this document. Failure to the techniques discussed in the rest of this document. Failure to
establish an authenticated TLS connection MUST result in falling establish an authenticated TLS connection MUST result in falling
back to the next SMTP server or delayed delivery. back to the next SMTP server or delayed delivery.
A secure non-empty TLSA RRset where all the records are unusable: A A secure non-empty TLSA RRSet where all the records are unusable: A
connection to the MTA MUST be made via TLS, but authentication is connection to the MTA MUST be made via TLS, but authentication is
not required. Failure to establish an encrypted TLS connection not required. Failure to establish an encrypted TLS connection
MUST result in falling back to the next SMTP server or delayed MUST result in falling back to the next SMTP server or delayed
delivery. delivery.
An insecure TLSA RRset or DNSSEC validated proof-of-non-existent TLSA An insecure TLSA RRSet or DNSSEC validated proof-of-non-existent TLSA
records: records:
A connection to the MTA SHOULD be made using (pre-DANE) A connection to the MTA SHOULD be made using (pre-DANE)
opportunistic TLS, this includes using cleartext delivery when the opportunistic TLS, this includes using cleartext delivery when the
remote SMTP server does not appear to support TLS. The MTA MAY remote SMTP server does not appear to support TLS. The MTA MAY
retry in cleartext when delivery via TLS fails either during the retry in cleartext when delivery via TLS fails either during the
handshake or even during data transfer. handshake or even during data transfer.
Any lookup error: Lookup errors, including "bogus" and Any lookup error: Lookup errors, including "bogus" and
"indeterminate", as explained in Section 2.1.1 MUST result in "indeterminate", as explained in Section 2.1.1 MUST result in
falling back to the next SMTP server or delayed delivery. falling back to the next SMTP server or delayed delivery.
An SMTP client MAY be configured to require DANE verified delivery An SMTP client MAY be configured to mandate DANE verified delivery
for some destinations. We will call such a configuration "mandatory for some destinations. With mandatory DANE TLS (Section 6), delivery
DANE TLS". With mandatory DANE TLS, delivery proceeds only when proceeds only when "secure" TLSA records are used to establish an
"secure" TLSA records are used to establish an encrypted and encrypted and authenticated TLS channel with the SMTP server.
authenticated TLS channel with the SMTP server.
When the original next-hop destination is an address literal, rather When the original next-hop destination is an address literal, rather
than a DNS domain, DANE TLS does not apply. Delivery proceeds using than a DNS domain, DANE TLS does not apply. Delivery proceeds using
any relevant security policy configured by the MTA administrator. any relevant security policy configured by the MTA administrator.
Similarly, when an MX RRset incorrectly lists a network address in Similarly, when an MX RRSet incorrectly lists a network address in
lieu of an MX hostname, if an MTA chooses to connect to the network lieu of an MX hostname, if an MTA chooses to connect to the network
address in the non-conformant MX record, DANE TLSA does not apply for address in the non-conformant MX record, DANE TLSA does not apply for
such a connection. such a connection.
In the subsections that follow we explain how to locate the SMTP In the subsections that follow we explain how to locate the SMTP
servers and the associated TLSA records for a given next-hop servers and the associated TLSA records for a given next-hop
destination domain. We also explain which name or names are to be destination domain. We also explain which name or names are to be
used in identity checks of the SMTP server certificate. used in identity checks of the SMTP server certificate.
2.2.1. MX resolution 2.2.1. MX resolution
skipping to change at page 14, line 49 skipping to change at page 14, line 46
accordingly. accordingly.
In the language of [RFC5321] Section 5.1, the original next-hop In the language of [RFC5321] Section 5.1, the original next-hop
domain is the "initial name". If the MX lookup of the initial name domain is the "initial name". If the MX lookup of the initial name
results in a CNAME alias, the MTA replaces the initial name with the results in a CNAME alias, the MTA replaces the initial name with the
resulting name and performs a new lookup with the new name. MTAs resulting name and performs a new lookup with the new name. MTAs
typically support recursion in CNAME expansion, so this replacement typically support recursion in CNAME expansion, so this replacement
is performed repeatedly (up to the MTA's recursion limit) until the is performed repeatedly (up to the MTA's recursion limit) until the
ultimate non-CNAME domain is found. ultimate non-CNAME domain is found.
If the MX RRset (or any CNAME leading to it) is "insecure" (see If the MX RRSet (or any CNAME leading to it) is "insecure" (see
Section 2.1.1), DANE TLS need not apply, and delivery MAY proceed via Section 2.1.1), DANE TLS need not apply, and delivery MAY proceed via
pre-DANE opportunistic TLS. That said, the protocol in this memo is pre-DANE opportunistic TLS. That said, the protocol in this memo is
an "opportunistic security" protocol, meaning that it strives to an "opportunistic security" protocol, meaning that it strives to
communicate with each peer as securely as possible, while maintaining communicate with each peer as securely as possible, while maintaining
broad interoperability. Therefore, the SMTP client MAY proceed to broad interoperability. Therefore, the SMTP client MAY proceed to
use DANE TLS (as described in Section 2.2.2 below) even with MX hosts use DANE TLS (as described in Section 2.2.2 below) even with MX hosts
obtained via an "insecure" MX RRset. For example, when a hosting obtained via an "insecure" MX RRSet. For example, when a hosting
provider has a signed DNS zone and publishes TLSA records for its provider has a signed DNS zone and publishes TLSA records for its
SMTP servers, hosted domains that are not signed may still benefit SMTP servers, hosted domains that are not signed may still benefit
from the provider's TLSA records. Deliveries via the provider's SMTP from the provider's TLSA records. Deliveries via the provider's SMTP
servers will not be subject to active attacks when sending SMTP servers will not be subject to active attacks when sending SMTP
clients elect to make use of the provider's TLSA records. clients elect to make use of the provider's TLSA records.
When the MX records are not (DNSSEC) signed, an active attacker can When the MX records are not (DNSSEC) signed, an active attacker can
redirect SMTP clients to MX hosts of his choice. Such redirection is redirect SMTP clients to MX hosts of his choice. Such redirection is
tamper-evident when SMTP servers found via "insecure" MX records are tamper-evident when SMTP servers found via "insecure" MX records are
recorded as the next-hop relay in the MTA delivery logs in their recorded as the next-hop relay in the MTA delivery logs in their
original (rather than CNAME expanded) form. Sending MTAs SHOULD log original (rather than CNAME expanded) form. Sending MTAs SHOULD log
unexpanded MX hostnames when these result from insecure MX lookups. unexpanded MX hostnames when these result from insecure MX lookups.
Any successful authentication via an insecurely determined MX host Any successful authentication via an insecurely determined MX host
MUST NOT be misrepresented in the mail logs as secure delivery to the MUST NOT be misrepresented in the mail logs as secure delivery to the
intended next-hop domain. When DANE TLS is mandatory (Section 6) for intended next-hop domain. When DANE TLS is mandatory (Section 6) for
a given destination, delivery MUST be delayed when the MX RRset is a given destination, delivery MUST be delayed when the MX RRSet is
not "secure". not "secure".
Otherwise, assuming no DNS errors (Section 2.1.1), the MX RRset is Otherwise, assuming no DNS errors (Section 2.1.1), the MX RRSet is
"secure", and the SMTP client MUST treat each MX hostname as a "secure", and the SMTP client MUST treat each MX hostname as a
separate non-MX destination for opportunistic DANE TLS as described separate non-MX destination for opportunistic DANE TLS as described
in Section 2.2.2. When, for a given MX hostname, no TLSA records are in Section 2.2.2. When, for a given MX hostname, no TLSA records are
found, or only "insecure" TLSA records are found, DANE TLSA is not found, or only "insecure" TLSA records are found, DANE TLSA is not
applicable with the SMTP server in question and delivery proceeds to applicable with the SMTP server in question and delivery proceeds to
that host as with pre-DANE opportunistic TLS. To avoid downgrade that host as with pre-DANE opportunistic TLS. To avoid downgrade
attacks, any errors during TLSA lookups MUST, as explained in attacks, any errors during TLSA lookups MUST, as explained in
Section 2.1.1, cause the SMTP server in question to be treated as Section 2.1.1, cause the SMTP server in question to be treated as
unreachable. unreachable.
skipping to change at page 17, line 5 skipping to change at page 16, line 43
perform a lookup again using the new name. This replacement is perform a lookup again using the new name. This replacement is
performed recursively (up to the MTA's recursion limit). performed recursively (up to the MTA's recursion limit).
We consider the following cases for handling a DNS response for an A We consider the following cases for handling a DNS response for an A
or AAAA DNS lookup: or AAAA DNS lookup:
Not found: When the DNS queries for A and/or AAAA records yield Not found: When the DNS queries for A and/or AAAA records yield
neither a list of addresses nor a CNAME (or CNAME expansion is not neither a list of addresses nor a CNAME (or CNAME expansion is not
supported) the destination is unreachable. supported) the destination is unreachable.
Non-CNAME: The answer is not a CNAME alias. If the address RRset Non-CNAME: The answer is not a CNAME alias. If the address RRSet
is "secure", TLSA lookups are performed as described in is "secure", TLSA lookups are performed as described in
Section 2.2.3 with the initial name as the candidate TLSA base Section 2.2.3 with the initial name as the candidate TLSA base
domain. If no "secure" TLSA records are found, DANE TLS is not domain. If no "secure" TLSA records are found, DANE TLS is not
applicable and mail delivery proceeds with pre-DANE opportunistic applicable and mail delivery proceeds with pre-DANE opportunistic
TLS (which, being best-effort, degrades to cleartext delivery when TLS (which, being best-effort, degrades to cleartext delivery when
STARTTLS is not available or the TLS handshake fails). STARTTLS is not available or the TLS handshake fails).
Insecure CNAME: The input domain is a CNAME alias, but the ultimate Insecure CNAME: The input domain is a CNAME alias, but the ultimate
network address RRset is "insecure" (see Section 2.1.1). If the network address RRSet is "insecure" (see Section 2.1.1). If the
initial CNAME response is also "insecure", DANE TLS does not initial CNAME response is also "insecure", DANE TLS does not
apply. Otherwise, this case is treated just like the non-CNAME apply. Otherwise, this case is treated just like the non-CNAME
case above, where a search is performed for a TLSA record with the case above, where a search is performed for a TLSA record with the
original input domain as the candidate TLSA base domain. original input domain as the candidate TLSA base domain.
Secure CNAME: The input domain is a CNAME alias, and the ultimate Secure CNAME: The input domain is a CNAME alias, and the ultimate
network address RRset is "secure" (see Section 2.1.1). Two network address RRSet is "secure" (see Section 2.1.1). Two
candidate TLSA base domains are tried: the fully CNAME-expanded candidate TLSA base domains are tried: the fully CNAME-expanded
initial name and, failing that, then the initial name itself. initial name and, failing that, then the initial name itself.
In summary, if it is possible to securely obtain the full, CNAME- In summary, if it is possible to securely obtain the full, CNAME-
expanded, DNSSEC-validated address records for the input domain, then expanded, DNSSEC-validated address records for the input domain, then
that name is the preferred TLSA base domain. Otherwise, the that name is the preferred TLSA base domain. Otherwise, the
unexpanded input-MX domain is the candidate TLSA base domain. When unexpanded input-MX domain is the candidate TLSA base domain. When
no "secure" TLSA records are found at either the CNAME-expanded or no "secure" TLSA records are found at either the CNAME-expanded or
unexpanded domain, then DANE TLS does not apply for mail delivery via unexpanded domain, then DANE TLS does not apply for mail delivery via
the input domain in question. And, as always, errors, bogus or the input domain in question. And, as always, errors, bogus or
skipping to change at page 17, line 48 skipping to change at page 17, line 37
name of a non-MX destination or a particular MX hostname of an MX name of a non-MX destination or a particular MX hostname of an MX
destination) is in turn prefixed with service labels of the form destination) is in turn prefixed with service labels of the form
"_<port>._tcp". The resulting domain name is used to issue a DNSSEC "_<port>._tcp". The resulting domain name is used to issue a DNSSEC
query with the query type set to TLSA ([RFC6698] Section 7.1). query with the query type set to TLSA ([RFC6698] Section 7.1).
For SMTP, the destination TCP port is typically 25, but this may be For SMTP, the destination TCP port is typically 25, but this may be
different with custom routes specified by the MTA administrator in different with custom routes specified by the MTA administrator in
which case the SMTP client MUST use the appropriate number in the which case the SMTP client MUST use the appropriate number in the
"_<port>" prefix in place of "_25". If, for example, the candidate "_<port>" prefix in place of "_25". If, for example, the candidate
base domain is "mx.example.com", and the SMTP connection is to port base domain is "mx.example.com", and the SMTP connection is to port
25, the TLSA RRset is obtained via a DNSSEC query of the form: 25, the TLSA RRSet is obtained via a DNSSEC query of the form:
_25._tcp.mx.example.com. IN TLSA ? _25._tcp.mx.example.com. IN TLSA ?
The query response may be a CNAME, or the actual TLSA RRset. If the
The query response may be a CNAME, or the actual TLSA RRSet. If the
response is a CNAME, the SMTP client (through the use of its response is a CNAME, the SMTP client (through the use of its
security-aware stub resolver) restarts the TLSA query at the target security-aware stub resolver) restarts the TLSA query at the target
domain, following CNAMEs as appropriate and keeping track of whether domain, following CNAMEs as appropriate and keeping track of whether
the entire chain is "secure". If any "insecure" records are the entire chain is "secure". If any "insecure" records are
encountered, or the TLSA records don't exist, the next candidate TLSA encountered, or the TLSA records don't exist, the next candidate TLSA
base domain is tried instead. base domain is tried instead.
If the ultimate response is a "secure" TLSA RRset, then the candidate If the ultimate response is a "secure" TLSA RRSet, then the candidate
TLSA base domain will be the actual TLSA base domain and the TLSA TLSA base domain will be the actual TLSA base domain and the TLSA
RRset will constitute the TLSA records for the destination. If none RRSet will constitute the TLSA records for the destination. If none
of the candidate TLSA base domains yield "secure" TLSA records then of the candidate TLSA base domains yield "secure" TLSA records then
delivery MAY proceed via pre-DANE opportunistic TLS. SMTP clients delivery MAY proceed via pre-DANE opportunistic TLS. SMTP clients
MAY elect to use "insecure" TLSA records to avoid STARTTLS downgrades MAY elect to use "insecure" TLSA records to avoid STARTTLS downgrades
or even to skip SMTP servers that fail authentication, but MUST NOT or even to skip SMTP servers that fail authentication, but MUST NOT
misrepresent authentication success as either a secure connection to misrepresent authentication success as either a secure connection to
the SMTP server or as a secure delivery to the intended next-hop the SMTP server or as a secure delivery to the intended next-hop
domain. domain.
TLSA record publishers may leverage CNAMEs to reference a single TLSA record publishers may leverage CNAMEs to reference a single
authoritative TLSA RRset specifying a common Certification Authority authoritative TLSA RRSet specifying a common Certification Authority
or a common end entity certificate to be used with multiple TLS or a common end entity certificate to be used with multiple TLS
services. Such CNAME expansion does not change the SMTP client's services. Such CNAME expansion does not change the SMTP client's
notion of the TLSA base domain; thus, when _25._tcp.mx.example.com is notion of the TLSA base domain; thus, when _25._tcp.mx.example.com is
a CNAME, the base domain remains mx.example.com and this is still the a CNAME, the base domain remains mx.example.com and this is still the
reference identifier used together with the next-hop domain in peer reference identifier used together with the next-hop domain in peer
certificate name checks. certificate name checks.
Note that shared end entity certificate associations expose the Note that shared end entity certificate associations expose the
publishing domain to substitution attacks, where an MITM attacker can publishing domain to substitution attacks, where an MITM attacker can
reroute traffic to a different server that shares the same end entity reroute traffic to a different server that shares the same end entity
skipping to change at page 21, line 13 skipping to change at page 20, line 39
choice of records to publish will depend on site-specific practices. choice of records to publish will depend on site-specific practices.
The certificate usage element of a TLSA record plays a critical role The certificate usage element of a TLSA record plays a critical role
in determining how the corresponding certificate association data in determining how the corresponding certificate association data
field is used to authenticate server's certificate chain. The next field is used to authenticate server's certificate chain. The next
two subsections explain the process for certificate usages DANE-EE(3) two subsections explain the process for certificate usages DANE-EE(3)
and DANE-TA(2). The third subsection briefly explains why and DANE-TA(2). The third subsection briefly explains why
certificate usages PKIX-TA(0) and PKIX-EE(1) are not applicable with certificate usages PKIX-TA(0) and PKIX-EE(1) are not applicable with
opportunistic DANE TLS. opportunistic DANE TLS.
In summary, we recommend the use of either "DANE-EE(3) SPKI(1) In summary, we RECOMMEND the use of either "DANE-EE(3) SPKI(1)
SHA2-256(1)" or "DANE-TA(2) Cert(0) SHA2-256(1)" TLSA records SHA2-256(1)" or "DANE-TA(2) Cert(0) SHA2-256(1)" TLSA records
depending on site needs. Other combinations of TLSA parameters are depending on site needs. Other combinations of TLSA parameters are
either explicitly unsupported, or offer little to recommend them over either explicitly unsupported, or offer little to recommend them over
these two. these two.
The mandatory to support digest algorithm in [RFC6698] is As specified in [RFC6698], the mandatory to implement matching type
SHA2-256(1). When the server's TLSA RRset includes records with a digest algorithm is SHA2-256(1). When the server's TLSA RRSet
matching type indicating a digest record (i.e., a value other than includes records with a matching type indicating a digest record
Full(0)), a TLSA record with a SHA2-256(1) matching type SHOULD be (i.e., a value other than Full(0)), a TLSA record with a SHA2-256(1)
provided along with any other digest published, since some SMTP matching type SHOULD be provided along with any other digest
clients may support only SHA2-256(1). If at some point the SHA2-256 published, since some SMTP clients may support only SHA2-256(1). If
digest algorithm is tarnished by new cryptanalytic attacks, at some point the SHA2-256 digest algorithm is tarnished by new
publishers will need to include an appropriate stronger digest in cryptanalytic attacks, publishers will need to include an appropriate
their TLSA records, initially along with, and ultimately in place of, stronger digest in their TLSA records, initially along with, and
SHA2-256. ultimately in place of, SHA2-256.
3.1.1. Certificate usage DANE-EE(3) 3.1.1. Certificate usage DANE-EE(3)
Authentication via certificate usage DANE-EE(3) TLSA records involves Authentication via certificate usage DANE-EE(3) TLSA records involves
simply checking that the server's leaf certificate matches the TLSA simply checking that the server's leaf certificate matches the TLSA
record. In particular the binding of the server public key to its record. In particular the binding of the server public key to its
name is based entirely on the TLSA record association. The server name is based entirely on the TLSA record association. The server
MUST be considered authenticated even if none of the names in the MUST be considered authenticated even if none of the names in the
certificate match the client's reference identity for the server. certificate match the client's reference identity for the server.
Similarly, the expiration date of the server certificate MUST be Similarly, the expiration date of the server certificate MUST be
ignored, the validity period of the TLSA record key binding is ignored, the validity period of the TLSA record key binding is
determined by the validity interval of the TLSA record DNSSEC determined by the validity interval of the TLSA record DNSSEC
signature. signature.
With DANE-EE(3) servers need not employ SNI (may ignore the client's With DANE-EE(3) servers need not employ SNI (may ignore the client's
SNI message) even when the server is known under independent names SNI message) even when the server is known under independent names
that would otherwise require separate certificates. It is instead that would otherwise require separate certificates. It is instead
sufficient for the TLSA RRsets for all the domains in question to sufficient for the TLSA RRSets for all the domains in question to
match the server's default certificate. Of course with SMTP servers match the server's default certificate. Of course with SMTP servers
it is simpler still to publish the same MX hostname for all the it is simpler still to publish the same MX hostname for all the
hosted domains. hosted domains.
For domains where it is practical to make coordinated changes in DNS For domains where it is practical to make coordinated changes in DNS
TLSA records during SMTP server key rotation, it is often best to TLSA records during SMTP server key rotation, it is often best to
publish end-entity DANE-EE(3) certificate associations. DANE-EE(3) publish end-entity DANE-EE(3) certificate associations. DANE-EE(3)
certificates don't suddenly stop working when leaf or intermediate certificates don't suddenly stop working when leaf or intermediate
certificates expire, and don't fail when the server operator neglects certificates expire, and don't fail when the server operator neglects
to configure all the required issuer certificates in the server to configure all the required issuer certificates in the server
skipping to change at page 22, line 29 skipping to change at page 22, line 5
3.1.2. Certificate usage DANE-TA(2) 3.1.2. Certificate usage DANE-TA(2)
Some domains may prefer to avoid the operational complexity of Some domains may prefer to avoid the operational complexity of
publishing unique TLSA RRs for each TLS service. If the domain publishing unique TLSA RRs for each TLS service. If the domain
employs a common issuing Certification Authority to create employs a common issuing Certification Authority to create
certificates for multiple TLS services, it may be simpler to publish certificates for multiple TLS services, it may be simpler to publish
the issuing authority as a trust anchor (TA) for the certificate the issuing authority as a trust anchor (TA) for the certificate
chains of all relevant services. The TLSA query domain (TLSA base chains of all relevant services. The TLSA query domain (TLSA base
domain with port and protocol prefix labels) for each service issued domain with port and protocol prefix labels) for each service issued
by the same TA may then be set to a CNAME alias that points to a by the same TA may then be set to a CNAME alias that points to a
common TLSA RRset that matches the TA. For example: common TLSA RRSet that matches the TA. For example:
example.com. IN MX 0 mx1.example.com. example.com. IN MX 0 mx1.example.com.
example.com. IN MX 0 mx2.example.com. example.com. IN MX 0 mx2.example.com.
_25._tcp.mx1.example.com. IN CNAME tlsa201._dane.example.com. _25._tcp.mx1.example.com. IN CNAME tlsa201._dane.example.com.
_25._tcp.mx2.example.com. IN CNAME tlsa201._dane.example.com. _25._tcp.mx2.example.com. IN CNAME tlsa201._dane.example.com.
tlsa201._dane.example.com. IN TLSA 2 0 1 e3b0c44298fc1c14.... tlsa201._dane.example.com. IN TLSA 2 0 1 e3b0c44298fc1c14....
With usage DANE-TA(2) the server certificates will need to have names With usage DANE-TA(2) the server certificates will need to have names
that match one of the client's reference identifiers (see [RFC6125]). that match one of the client's reference identifiers (see [RFC6125]).
The server MAY employ SNI to select the appropriate certificate to The server MAY employ SNI to select the appropriate certificate to
skipping to change at page 25, line 46 skipping to change at page 25, line 28
When name checks are applicable (certificate usage DANE-TA(2)), if When name checks are applicable (certificate usage DANE-TA(2)), if
the server certificate contains a Subject Alternative Name extension the server certificate contains a Subject Alternative Name extension
([RFC5280]), with at least one DNS-ID ([RFC6125]) then only the DNS- ([RFC5280]), with at least one DNS-ID ([RFC6125]) then only the DNS-
IDs are matched against the client's reference identifiers. The CN- IDs are matched against the client's reference identifiers. The CN-
ID ([RFC6125]) is only considered when no DNS-IDs are present. The ID ([RFC6125]) is only considered when no DNS-IDs are present. The
server certificate is considered matched when one of its presented server certificate is considered matched when one of its presented
identifiers ([RFC5280]) matches any of the client's reference identifiers ([RFC5280]) matches any of the client's reference
identifiers. identifiers.
Wildcards are valid in either DNS-IDs or the CN-ID when applicable. Wildcards are valid in either DNS-IDs or the CN-ID when applicable.
The wildcard character must be entire first label of the DNS-ID or The wildcard character must be the entire first label of the DNS-ID
CN-ID. Thus, "*.example.com" is valid, while "smtp*.example.com" and or CN-ID. Thus, "*.example.com" is valid, while "smtp*.example.com"
"*smtp.example.com" are not. SMTP clients MUST support wildcards and "*smtp.example.com" are not. SMTP clients MUST support wildcards
that match the first label of the reference identifier, with the that match the first label of the reference identifier, with the
remaining labels matching verbatim. For example, the DNS-ID remaining labels matching verbatim. For example, the DNS-ID
"*.example.com" matches the reference identifier "mx1.example.com". "*.example.com" matches the reference identifier "mx1.example.com".
SMTP clients MAY, subject to local policy allow wildcards to match SMTP clients MAY, subject to local policy allow wildcards to match
multiple reference identifier labels, but servers cannot expect broad multiple reference identifier labels, but servers cannot expect broad
support for such a policy. Therefore any wildcards in server support for such a policy. Therefore any wildcards in server
certificates SHOULD match exactly one label in either the TLSA base certificates SHOULD match exactly one label in either the TLSA base
domain or the next-hop domain. domain or the next-hop domain.
4. Server key management 4. Server key management
Two TLSA records MUST be published before employing a new EE or TA Two TLSA records MUST be published before employing a new EE or TA
public key or certificate, one matching the currently deployed key public key or certificate, one matching the currently deployed key
and the other matching the new key scheduled to replace it. Once and the other matching the new key scheduled to replace it. Once
sufficient time has elapsed for all DNS caches to expire the previous sufficient time has elapsed for all DNS caches to expire the previous
TLSA RRset and related signature RRsets, servers may be configured to TLSA RRSet and related signature RRsets, servers may be configured to
use the new EE private key and associated public key certificate or use the new EE private key and associated public key certificate or
may employ certificates signed by the new trust anchor. may employ certificates signed by the new trust anchor.
Once the new public key or certificate is in use, the TLSA RR that Once the new public key or certificate is in use, the TLSA RR that
matches the retired key can be removed from DNS, leaving only RRs matches the retired key can be removed from DNS, leaving only RRs
that match keys or certificates in active use. that match keys or certificates in active use.
As described in Section 3.1.2, when server certificates are validated As described in Section 3.1.2, when server certificates are validated
via a DANE-TA(2) trust anchor, and CNAME records are employed to via a DANE-TA(2) trust anchor, and CNAME records are employed to
store the TA association data at a single location, the store the TA association data at a single location, the
responsibility of updating the TLSA RRset shifts to the operator of responsibility of updating the TLSA RRSet shifts to the operator of
the trust anchor. Before a new trust anchor is used to sign any new the trust anchor. Before a new trust anchor is used to sign any new
server certificates, its certificate (digest) is added to the server certificates, its certificate (digest) is added to the
relevant TLSA RRset. After enough time elapses for the original TLSA relevant TLSA RRSet. After enough time elapses for the original TLSA
RRset to age out of DNS caches, the new trust anchor can start RRSet to age out of DNS caches, the new trust anchor can start
issuing new server certificates. Once all certificates issued under issuing new server certificates. Once all certificates issued under
the previous trust anchor have expired, its associated RRs can be the previous trust anchor have expired, its associated RRs can be
removed from the TLSA RRset. removed from the TLSA RRSet.
In the DANE-TA(2) key management model server operators do not In the DANE-TA(2) key management model server operators do not
generally need to update DNS TLSA records after initially creating a generally need to update DNS TLSA records after initially creating a
CNAME record that references the centrally operated DANE-TA(2) RRset. CNAME record that references the centrally operated DANE-TA(2) RRSet.
If a particular server's key is compromised, its TLSA CNAME SHOULD be If a particular server's key is compromised, its TLSA CNAME SHOULD be
replaced with a DANE-EE(3) association until the certificate for the replaced with a DANE-EE(3) association until the certificate for the
compromised key expires, at which point it can return to using a compromised key expires, at which point it can return to using a
CNAME record. If the central trust anchor is compromised, all CNAME record. If the central trust anchor is compromised, all
servers need to be issued new keys by a new TA, and an updated DANE- servers need to be issued new keys by a new TA, and an updated DANE-
TA(2) TLSA RRset needs to be published containing just the new TA. TA(2) TLSA RRSet needs to be published containing just the new TA.
SMTP servers cannot expect broad CRL or OCSP support from SMTP SMTP servers cannot expect broad CRL or OCSP support from SMTP
clients. As outlined above, with DANE, compromised server or trust clients. As outlined above, with DANE, compromised server or trust
anchor keys can be "revoked" by removing them from the DNS without anchor keys can be "revoked" by removing them from the DNS without
the need for client-side support for OCSP or CRLs. the need for client-side support for OCSP or CRLs.
5. Digest algorithm agility 5. Digest algorithm agility
While [RFC6698] specifies multiple digest algorithms, it does not While [RFC6698] specifies multiple digest algorithms, it does not
specify a protocol by which the SMTP client and TLSA record publisher specify a protocol by which the SMTP client and TLSA record publisher
can agree on the strongest shared algorithm. Such a protocol would can agree on the strongest shared algorithm. Such a protocol would
allow the client and server to avoid exposure to any deprecated allow the client and server to avoid exposure to any deprecated
weaker algorithms that are published for compatibility with less weaker algorithms that are published for compatibility with less
capable clients, but should be ignored when possible. Such a capable clients, but should be ignored when possible. Such a
protocol is specified in [I-D.ietf-dane-ops]. SMTP clients and protocol is specified in [I-D.ietf-dane-ops]. SMTP clients and
servers that implement this specification MUST comply with the servers that implement this specification MUST comply with the
requirements outlined under "Digest Algorithm Agility" in requirements outlined under "Digest Algorithm Agility" in
[I-D.ietf-dane-ops]. [I-D.ietf-dane-ops].
skipping to change at page 29, line 27 skipping to change at page 29, line 7
9. Operational Considerations 9. Operational Considerations
9.1. Client Operational Considerations 9.1. Client Operational Considerations
An operational error on the sending or receiving side that cannot be An operational error on the sending or receiving side that cannot be
corrected in a timely manner may, at times, lead to consistent corrected in a timely manner may, at times, lead to consistent
failure to deliver time-sensitive email. The sending MTA failure to deliver time-sensitive email. The sending MTA
administrator may have to choose between letting email queue until administrator may have to choose between letting email queue until
the error is resolved and disabling opportunistic or mandatory DANE the error is resolved and disabling opportunistic or mandatory DANE
TLS for one or more destinations. The choice to disable DANE TLS TLS (Section 6) for one or more destinations. The choice to disable
security should not be made lightly. Every reasonable effort should DANE TLS security should not be made lightly. Every reasonable
be made to determine that problems with mail delivery are the result effort should be made to determine that problems with mail delivery
of an operational error, and not an attack. A fallback strategy may are the result of an operational error, and not an attack. A
be to configure explicit out-of-band TLS security settings if fallback strategy may be to configure explicit out-of-band TLS
supported by the sending MTA. security settings if supported by the sending MTA.
SMTP clients may deploy opportunistic DANE TLS incrementally by SMTP clients may deploy opportunistic DANE TLS incrementally by
enabling it only for selected sites, or may occasionally need to enabling it only for selected sites, or may occasionally need to
disable opportunistic DANE TLS for peers that fail to interoperate disable opportunistic DANE TLS for peers that fail to interoperate
due to misconfiguration or software defects on either end. Some due to misconfiguration or software defects on either end. Some
implementations MAY support DANE TLS in an "audit only" mode in which implementations MAY support DANE TLS in an "audit only" mode in which
failure to achieve the requisite security level is logged as a failure to achieve the requisite security level is logged as a
warning and delivery proceeds at a reduced security level. Unless warning and delivery proceeds at a reduced security level. Unless
local policy specifies "audit only" or that opportunistic DANE TLS is local policy specifies "audit only" or that opportunistic DANE TLS is
not to be used for a particular destination, an SMTP client MUST NOT not to be used for a particular destination, an SMTP client MUST NOT
skipping to change at page 30, line 25 skipping to change at page 29, line 47
TLSA Publishers SHOULD follow the TLSA publication size guidance TLSA Publishers SHOULD follow the TLSA publication size guidance
found in [I-D.ietf-dane-ops] under "DANE DNS Record Size Guidelines". found in [I-D.ietf-dane-ops] under "DANE DNS Record Size Guidelines".
TLSA Publishers SHOULD follow the TLSA record TTL and signature TLSA Publishers SHOULD follow the TLSA record TTL and signature
lifetime recommendations found in [I-D.ietf-dane-ops] under lifetime recommendations found in [I-D.ietf-dane-ops] under
"Operational Considerations". "Operational Considerations".
10. Security Considerations 10. Security Considerations
This protocol leverages DANE TLSA records to implement MITM resistant This protocol leverages DANE TLSA records to implement MITM resistant
opportunistic security ([I-D.dukhovni-opportunistic-security]) for opportunistic security ([RFC7435]) for SMTP. For destination domains
SMTP. For destination domains that sign their MX records and publish that sign their MX records and publish signed TLSA records for their
signed TLSA records for their MX hostnames, this protocol allows MX hostnames, this protocol allows sending MTAs to securely discover
sending MTAs to securely discover both the availability of TLS and both the availability of TLS and how to authenticate the destination.
how to authenticate the destination.
This protocol does not aim to secure all SMTP traffic, as that is not This protocol does not aim to secure all SMTP traffic, as that is not
practical until DNSSEC and DANE adoption are universal. The practical until DNSSEC and DANE adoption are universal. The
incremental deployment provided by following this specification is a incremental deployment provided by following this specification is a
best possible path for securing SMTP. This protocol coexists and best possible path for securing SMTP. This protocol coexists and
interoperates with the existing insecure Internet email backbone. interoperates with the existing insecure Internet email backbone.
The protocol does not preclude existing non-opportunistic SMTP TLS The protocol does not preclude existing non-opportunistic SMTP TLS
security arrangements, which can continue to be used as before via security arrangements, which can continue to be used as before via
manual configuration with negotiated out-of-band key and TLS manual configuration with negotiated out-of-band key and TLS
skipping to change at page 31, line 37 skipping to change at page 31, line 11
valuable review comments. Thanks also to Wietse Venema who created valuable review comments. Thanks also to Wietse Venema who created
Postfix, and whose advice and feedback were essential to the Postfix, and whose advice and feedback were essential to the
development of the Postfix DANE implementation. development of the Postfix DANE implementation.
13. References 13. References
13.1. Normative References 13.1. Normative References
[I-D.ietf-dane-ops] [I-D.ietf-dane-ops]
Dukhovni, V. and W. Hardaker, "Updates to and Operational Dukhovni, V. and W. Hardaker, "Updates to and Operational
Guidance for the DANE Protocol", draft-ietf-dane-ops-06 Guidance for the DANE Protocol", draft-ietf-dane-ops-07
(work in progress), August 2014. (work in progress), October 2014.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over [RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over
Transport Layer Security", RFC 3207, February 2002. Transport Layer Security", RFC 3207, February 2002.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", RFC Rose, "DNS Security Introduction and Requirements", RFC
4033, March 2005. 4033, March 2005.
skipping to change at page 33, line 7 skipping to change at page 32, line 27
Entities (DANE)", RFC 7218, April 2014. Entities (DANE)", RFC 7218, April 2014.
[X.690] International Telecommunications Union, "Recommendation [X.690] International Telecommunications Union, "Recommendation
ITU-T X.690 (2002) | ISO/IEC 8825-1:2002, Information ITU-T X.690 (2002) | ISO/IEC 8825-1:2002, Information
technology - ASN.1 encoding rules: Specification of Basic technology - ASN.1 encoding rules: Specification of Basic
Encoding Rules (BER), Canonical Encoding Rules (CER) and Encoding Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER)", July 2002. Distinguished Encoding Rules (DER)", July 2002.
13.2. Informative References 13.2. Informative References
[I-D.dukhovni-opportunistic-security]
Dukhovni, V., "Opportunistic Security: Some Protection
Most of the Time", draft-dukhovni-opportunistic-
security-04 (work in progress), August 2014.
[I-D.ietf-dane-srv] [I-D.ietf-dane-srv]
Finch, T., Miller, M., and P. Saint-Andre, "Using DNS- Finch, T., Miller, M., and P. Saint-Andre, "Using DNS-
Based Authentication of Named Entities (DANE) TLSA Records Based Authentication of Named Entities (DANE) TLSA Records
with SRV Records", draft-ietf-dane-srv-08 (work in with SRV Records", draft-ietf-dane-srv-11 (work in
progress), October 2014. progress), February 2015.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, July 1997.
[RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, July [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, July
2009. 2009.
[RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail", [RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail",
STD 72, RFC 6409, November 2011. STD 72, RFC 6409, November 2011.
Authors' Addresses [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection
Most of the Time", RFC 7435, December 2014.
Authors' Addresses
Viktor Dukhovni Viktor Dukhovni
Two Sigma Two Sigma
Email: ietf-dane@dukhovni.org Email: ietf-dane@dukhovni.org
Wes Hardaker Wes Hardaker
Parsons Parsons
P.O. Box 382 P.O. Box 382
Davis, CA 95617 Davis, CA 95617
US US
 End of changes. 66 change blocks. 
130 lines changed or deleted 133 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/