| < draft-ietf-dane-smtp-with-dane-17.txt | draft-ietf-dane-smtp-with-dane-18.txt > | |||
|---|---|---|---|---|
| DANE V. Dukhovni | DANE V. Dukhovni | |||
| Internet-Draft Two Sigma | Internet-Draft Two Sigma | |||
| Intended status: Standards Track W. Hardaker | Intended status: Standards Track W. Hardaker | |||
| Expires: November 17, 2015 Parsons | Expires: November 27, 2015 Parsons | |||
| May 16, 2015 | May 26, 2015 | |||
| SMTP security via opportunistic DANE TLS | SMTP security via opportunistic DANE TLS | |||
| draft-ietf-dane-smtp-with-dane-17 | draft-ietf-dane-smtp-with-dane-18 | |||
| Abstract | Abstract | |||
| This memo describes a downgrade-resistant protocol for SMTP transport | This memo describes a downgrade-resistant protocol for SMTP transport | |||
| security between Mail Transfer Agents (MTAs) based on the DNS-Based | security between Mail Transfer Agents (MTAs) based on the DNS-Based | |||
| Authentication of Named Entities (DANE) TLSA DNS record. Adoption of | Authentication of Named Entities (DANE) TLSA DNS record. Adoption of | |||
| this protocol enables an incremental transition of the Internet email | this protocol enables an incremental transition of the Internet email | |||
| backbone to one using encrypted and authenticated Transport Layer | backbone to one using encrypted and authenticated Transport Layer | |||
| Security (TLS). | Security (TLS). | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 17, 2015. | This Internet-Draft will expire on November 27, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 34 ¶ | skipping to change at page 2, line 34 ¶ | |||
| 2.2.2. Non-MX destinations . . . . . . . . . . . . . . . . . 15 | 2.2.2. Non-MX destinations . . . . . . . . . . . . . . . . . 15 | |||
| 2.2.3. TLSA record lookup . . . . . . . . . . . . . . . . . 17 | 2.2.3. TLSA record lookup . . . . . . . . . . . . . . . . . 17 | |||
| 3. DANE authentication . . . . . . . . . . . . . . . . . . . . . 19 | 3. DANE authentication . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 3.1. TLSA certificate usages . . . . . . . . . . . . . . . . . 19 | 3.1. TLSA certificate usages . . . . . . . . . . . . . . . . . 19 | |||
| 3.1.1. Certificate usage DANE-EE(3) . . . . . . . . . . . . 20 | 3.1.1. Certificate usage DANE-EE(3) . . . . . . . . . . . . 20 | |||
| 3.1.2. Certificate usage DANE-TA(2) . . . . . . . . . . . . 21 | 3.1.2. Certificate usage DANE-TA(2) . . . . . . . . . . . . 21 | |||
| 3.1.3. Certificate usages PKIX-TA(0) and PKIX-EE(1) . . . . 22 | 3.1.3. Certificate usages PKIX-TA(0) and PKIX-EE(1) . . . . 22 | |||
| 3.2. Certificate matching . . . . . . . . . . . . . . . . . . 23 | 3.2. Certificate matching . . . . . . . . . . . . . . . . . . 23 | |||
| 3.2.1. DANE-EE(3) name checks . . . . . . . . . . . . . . . 23 | 3.2.1. DANE-EE(3) name checks . . . . . . . . . . . . . . . 23 | |||
| 3.2.2. DANE-TA(2) name checks . . . . . . . . . . . . . . . 23 | 3.2.2. DANE-TA(2) name checks . . . . . . . . . . . . . . . 23 | |||
| 3.2.3. Reference identifier matching . . . . . . . . . . . . 24 | 3.2.3. Reference identifier matching . . . . . . . . . . . . 25 | |||
| 4. Server key management . . . . . . . . . . . . . . . . . . . . 25 | 4. Server key management . . . . . . . . . . . . . . . . . . . . 25 | |||
| 5. Digest algorithm agility . . . . . . . . . . . . . . . . . . 26 | 5. Digest algorithm agility . . . . . . . . . . . . . . . . . . 26 | |||
| 6. Mandatory TLS Security . . . . . . . . . . . . . . . . . . . 26 | 6. Mandatory TLS Security . . . . . . . . . . . . . . . . . . . 26 | |||
| 7. Note on DANE for Message User Agents . . . . . . . . . . . . 27 | 7. Note on DANE for Message User Agents . . . . . . . . . . . . 27 | |||
| 8. Interoperability considerations . . . . . . . . . . . . . . . 27 | 8. Interoperability considerations . . . . . . . . . . . . . . . 27 | |||
| 8.1. SNI support . . . . . . . . . . . . . . . . . . . . . . . 27 | 8.1. SNI support . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
| 8.2. Anonymous TLS cipher suites . . . . . . . . . . . . . . . 28 | 8.2. Anonymous TLS cipher suites . . . . . . . . . . . . . . . 28 | |||
| 9. Operational Considerations . . . . . . . . . . . . . . . . . 28 | 9. Operational Considerations . . . . . . . . . . . . . . . . . 28 | |||
| 9.1. Client Operational Considerations . . . . . . . . . . . . 28 | 9.1. Client Operational Considerations . . . . . . . . . . . . 28 | |||
| 9.2. Publisher Operational Considerations . . . . . . . . . . 29 | 9.2. Publisher Operational Considerations . . . . . . . . . . 29 | |||
| 10. Security Considerations . . . . . . . . . . . . . . . . . . . 29 | 10. Security Considerations . . . . . . . . . . . . . . . . . . . 29 | |||
| 11. IANA considerations . . . . . . . . . . . . . . . . . . . . . 30 | 11. IANA considerations . . . . . . . . . . . . . . . . . . . . . 30 | |||
| 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30 | 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30 | |||
| 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 | 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 | |||
| 13.1. Normative References . . . . . . . . . . . . . . . . . . 30 | 13.1. Normative References . . . . . . . . . . . . . . . . . . 31 | |||
| 13.2. Informative References . . . . . . . . . . . . . . . . . 32 | 13.2. Informative References . . . . . . . . . . . . . . . . . 32 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32 | |||
| 1. Introduction | 1. Introduction | |||
| This memo specifies a new connection security model for Message | This memo specifies a new connection security model for Message | |||
| Transfer Agents (MTAs). This model is motivated by key features of | Transfer Agents (MTAs). This model is motivated by key features of | |||
| inter-domain SMTP delivery, in particular the fact that the | inter-domain SMTP delivery, in particular the fact that the | |||
| destination server is selected indirectly via DNS Mail Exchange (MX) | destination server is selected indirectly via DNS Mail Exchange (MX) | |||
| records and that neither email addresses nor MX hostnames signal a | records and that neither email addresses nor MX hostnames signal a | |||
| skipping to change at page 14, line 47 ¶ | skipping to change at page 14, line 47 ¶ | |||
| In the language of [RFC5321] Section 5.1, the original next-hop | In the language of [RFC5321] Section 5.1, the original next-hop | |||
| domain is the "initial name". If the MX lookup of the initial name | domain is the "initial name". If the MX lookup of the initial name | |||
| results in a CNAME alias, the MTA replaces the initial name with the | results in a CNAME alias, the MTA replaces the initial name with the | |||
| resulting name and performs a new lookup with the new name. MTAs | resulting name and performs a new lookup with the new name. MTAs | |||
| typically support recursion in CNAME expansion, so this replacement | typically support recursion in CNAME expansion, so this replacement | |||
| is performed repeatedly (up to the MTA's recursion limit) until the | is performed repeatedly (up to the MTA's recursion limit) until the | |||
| ultimate non-CNAME domain is found. | ultimate non-CNAME domain is found. | |||
| If the MX RRSet (or any CNAME leading to it) is "insecure" (see | If the MX RRSet (or any CNAME leading to it) is "insecure" (see | |||
| Section 2.1.1), DANE TLS need not apply, and delivery MAY proceed via | Section 2.1.1) and DANE TLS for the given destination is mandatory | |||
| pre-DANE opportunistic TLS. That said, the protocol in this memo is | (Section 6), delivery MUST be delayed. If the MX RRSet is "insecure" | |||
| an "opportunistic security" protocol, meaning that it strives to | and DANE TLS is not mandatory, the SMTP client is free to use pre- | |||
| communicate with each peer as securely as possible, while maintaining | DANE opportunistic TLS (possibly even cleartext). | |||
| broad interoperability. Therefore, the SMTP client MAY proceed to | ||||
| use DANE TLS (as described in Section 2.2.2 below) even with MX hosts | Since the protocol in this memo is an "opportunistic security" | |||
| obtained via an "insecure" MX RRSet. For example, when a hosting | protocol ([RFC7435]) the SMTP client MAY elect to use DANE TLS (as | |||
| provider has a signed DNS zone and publishes TLSA records for its | described in Section 2.2.2 below) even with MX hosts obtained via an | |||
| SMTP servers, hosted domains that are not signed may still benefit | "insecure" MX RRSet. For example, when a hosting provider has a | |||
| from the provider's TLSA records. Deliveries via the provider's SMTP | signed DNS zone and publishes TLSA records for its SMTP servers, | |||
| servers will not be subject to active attacks when sending SMTP | hosted domains that are not signed may still benefit from the | |||
| clients elect to make use of the provider's TLSA records. | provider's TLSA records. Deliveries via the provider's SMTP servers | |||
| will not be subject to active attacks when sending SMTP clients elect | ||||
| to make use of the provider's TLSA records (active attacks that | ||||
| tamper with the "insecure" MX RRSet are of course still possible in | ||||
| this case). | ||||
| When the MX records are not (DNSSEC) signed, an active attacker can | When the MX records are not (DNSSEC) signed, an active attacker can | |||
| redirect SMTP clients to MX hosts of his choice. Such redirection is | redirect SMTP clients to MX hosts of his choice. Such redirection is | |||
| tamper-evident when SMTP servers found via "insecure" MX records are | tamper-evident when SMTP servers found via "insecure" MX records are | |||
| recorded as the next-hop relay in the MTA delivery logs in their | recorded as the next-hop relay in the MTA delivery logs in their | |||
| original (rather than CNAME expanded) form. Sending MTAs SHOULD log | original (rather than CNAME expanded) form. Sending MTAs SHOULD log | |||
| unexpanded MX hostnames when these result from insecure MX lookups. | unexpanded MX hostnames when these result from insecure MX lookups. | |||
| Any successful authentication via an insecurely determined MX host | Any successful authentication via an insecurely determined MX host | |||
| MUST NOT be misrepresented in the mail logs as secure delivery to the | MUST NOT be misrepresented in the mail logs as secure delivery to the | |||
| intended next-hop domain. When DANE TLS is mandatory (Section 6) for | intended next-hop domain. | |||
| a given destination, delivery MUST be delayed when the MX RRSet is | ||||
| not "secure". | ||||
| In the absence of DNS lookup errors (Section 2.1.1), if the MX RRset | In the absence of DNS lookup errors (Section 2.1.1), if the MX RRSet | |||
| is not "insecure" then it is "secure", and the SMTP client MUST treat | is not "insecure" then it is "secure", and the SMTP client MUST treat | |||
| each MX hostname as a separate non-MX destination for opportunistic | each MX hostname as described in Section 2.2.2). When, for a given | |||
| DANE TLS (as described in Section 2.2.2). When, for a given MX | MX hostname, no TLSA records are found, or only "insecure" TLSA | |||
| hostname, no TLSA records are found, or only "insecure" TLSA records | records are found, DANE TLSA is not applicable with the SMTP server | |||
| are found, DANE TLSA is not applicable with the SMTP server in | in question and delivery proceeds to that host as with pre-DANE | |||
| question and delivery proceeds to that host as with pre-DANE | ||||
| opportunistic TLS. To avoid downgrade attacks, any errors during | opportunistic TLS. To avoid downgrade attacks, any errors during | |||
| TLSA lookups MUST, as explained in Section 2.1.1, cause the SMTP | TLSA lookups MUST, as explained in Section 2.1.1, cause the SMTP | |||
| server in question to be treated as unreachable. | server in question to be treated as unreachable. | |||
| 2.2.2. Non-MX destinations | 2.2.2. Non-MX destinations | |||
| This section describes the algorithm used to locate the TLSA records | This section describes the algorithm used to locate the TLSA records | |||
| and associated TLSA base domain for an input domain that is not | and associated TLSA base domain for an input domain that is not | |||
| subject to MX resolution or that lacks MX records. Such domains | subject to MX resolution, that represents a hostname from a secure MX | |||
| include: | RRSet, or that lacks MX records. Such domains include: | |||
| o Any host configured by the sending MTA administrator as the next- | o Any host configured by the sending MTA administrator as the next- | |||
| hop relay for some or all domains, that is not subject to MX | hop relay for some or all domains, that is not subject to MX | |||
| resolution. | resolution. | |||
| o When a domain has MX records, we treat each MX host listed in | o When a domain has MX records, we treat each MX host listed in | |||
| those MX records as though it were a non-MX destination. That is, | those MX records as though it were a non-MX destination. That is, | |||
| in the same way as we would treat an administrator-configured | in the same way as we would treat an administrator-configured | |||
| relay that handles mail for that domain. (Unlike administrator- | relay that handles mail for that domain. (Unlike administrator- | |||
| specified relays, MTAs are not required to support CNAME expansion | specified relays, MTAs are not required to support CNAME expansion | |||
| skipping to change at page 17, line 31 ¶ | skipping to change at page 17, line 33 ¶ | |||
| that name is the preferred TLSA base domain. Otherwise, the | that name is the preferred TLSA base domain. Otherwise, the | |||
| unexpanded input-MX domain is the candidate TLSA base domain. When | unexpanded input-MX domain is the candidate TLSA base domain. When | |||
| no "secure" TLSA records are found at either the CNAME-expanded or | no "secure" TLSA records are found at either the CNAME-expanded or | |||
| unexpanded domain, then DANE TLS does not apply for mail delivery via | unexpanded domain, then DANE TLS does not apply for mail delivery via | |||
| the input domain in question. And, as always, errors, bogus or | the input domain in question. And, as always, errors, bogus or | |||
| indeterminate results for any query in the process MUST result in | indeterminate results for any query in the process MUST result in | |||
| delaying or abandoning delivery. | delaying or abandoning delivery. | |||
| 2.2.3. TLSA record lookup | 2.2.3. TLSA record lookup | |||
| Each candidate TLSA base domain (the original or fully CNAME-expanded | For a particular SMTP server, the associated TLSA base domain is | |||
| name of a non-MX destination or a particular MX hostname of an MX | either the server hostname or, when that hostname is an alias (CNAME | |||
| destination) is in turn prefixed with service labels of the form | or DNAME), possibly its fully alias-expanded name if every stage in | |||
| "_<port>._tcp". The resulting domain name is used to issue a DNSSEC | the alias expansion is "secure". This yields either one or two | |||
| query with the query type set to TLSA ([RFC6698] Section 7.1). | candidate TLSA base domains for the SMTP server. When there are two | |||
| candidate TLSA base domains, the alias-expanded domain name has a | ||||
| higher precedence (is tried first). The first of these to yield a | ||||
| "secure" TLSA RRSet is the final TLSA base domain. | ||||
| Each candidate TLSA base domain (alias-expanded or original) is in | ||||
| turn prefixed with service labels of the form "_<port>._tcp". The | ||||
| resulting domain name is used to issue a DNSSEC query with the query | ||||
| type set to TLSA ([RFC6698] Section 7.1). | ||||
| For SMTP, the destination TCP port is typically 25, but this may be | For SMTP, the destination TCP port is typically 25, but this may be | |||
| different with custom routes specified by the MTA administrator in | different with custom routes specified by the MTA administrator in | |||
| which case the SMTP client MUST use the appropriate number in the | which case the SMTP client MUST use the appropriate number in the | |||
| "_<port>" prefix in place of "_25". If, for example, the candidate | "_<port>" prefix in place of "_25". If, for example, the candidate | |||
| base domain is "mx.example.com", and the SMTP connection is to port | base domain is "mx.example.com", and the SMTP connection is to port | |||
| 25, the TLSA RRSet is obtained via a DNSSEC query of the form: | 25, the TLSA RRSet is obtained via a DNSSEC query of the form: | |||
| _25._tcp.mx.example.com. IN TLSA ? | _25._tcp.mx.example.com. IN TLSA ? | |||
| The query response may be a CNAME, or the actual TLSA RRSet. If the | The query response may be a CNAME, or the actual TLSA RRSet. If the | |||
| response is a CNAME, the SMTP client (through the use of its | response is a CNAME, the SMTP client (through the use of its | |||
| security-aware stub resolver) restarts the TLSA query at the target | security-aware stub resolver) restarts the TLSA query at the target | |||
| domain, following CNAMEs as appropriate and keeping track of whether | domain, following CNAMEs as appropriate and keeps track of whether | |||
| the entire chain is "secure". If any "insecure" records are | the entire chain is "secure". If any "insecure" records are | |||
| encountered, or the TLSA records don't exist, the next candidate TLSA | encountered, or the TLSA records don't exist, the next candidate TLSA | |||
| base domain is tried instead. | base domain is tried instead. | |||
| If the ultimate response is a "secure" TLSA RRSet, then the candidate | If the ultimate response is a "secure" TLSA RRSet, then the candidate | |||
| TLSA base domain will be the actual TLSA base domain and the TLSA | TLSA base domain will be the actual TLSA base domain and the TLSA | |||
| RRSet will constitute the TLSA records for the destination. If none | RRSet will constitute the TLSA records for the destination. If none | |||
| of the candidate TLSA base domains yield "secure" TLSA records then | of the candidate TLSA base domains yield "secure" TLSA records then | |||
| delivery MAY proceed via pre-DANE opportunistic TLS. SMTP clients | the SMTP client is free to use pre-DANE opportunistic TLS (possibly | |||
| MAY elect to use "insecure" TLSA records to avoid STARTTLS downgrades | even cleartext). | |||
| or even to skip SMTP servers that fail authentication, but MUST NOT | ||||
| misrepresent authentication success as either a secure connection to | ||||
| the SMTP server or as a secure delivery to the intended next-hop | ||||
| domain. | ||||
| TLSA record publishers may leverage CNAMEs to reference a single | TLSA record publishers may leverage CNAMEs to reference a single | |||
| authoritative TLSA RRSet specifying a common Certification Authority | authoritative TLSA RRSet specifying a common Certification Authority | |||
| or a common end entity certificate to be used with multiple TLS | or a common end-entity certificate to be used with multiple TLS | |||
| services. Such CNAME expansion does not change the SMTP client's | services. Such CNAME expansion does not change the SMTP client's | |||
| notion of the TLSA base domain; thus, when _25._tcp.mx.example.com is | notion of the TLSA base domain; thus, when _25._tcp.mx.example.com is | |||
| a CNAME, the base domain remains mx.example.com and this is still the | a CNAME, the base domain remains mx.example.com and this is still the | |||
| reference identifier used together with the next-hop domain in peer | reference identifier used together with the next-hop domain in peer | |||
| certificate name checks. | certificate name checks. | |||
| Note that shared end entity certificate associations expose the | Note that shared end-entity certificate associations expose the | |||
| publishing domain to substitution attacks, where an MITM attacker can | publishing domain to substitution attacks, where an MITM attacker can | |||
| reroute traffic to a different server that shares the same end entity | reroute traffic to a different server that shares the same end-entity | |||
| certificate. Such shared end entity TLSA records SHOULD be avoided | certificate. Such shared end-entity TLSA records SHOULD be avoided | |||
| unless the servers in question are functionally equivalent or employ | unless the servers in question are functionally equivalent or employ | |||
| mutually incompatible protocols (an active attacker gains nothing by | mutually incompatible protocols (an active attacker gains nothing by | |||
| diverting client traffic from one such server to another). | diverting client traffic from one such server to another). | |||
| A better example, employing a shared trust anchor rather than shared | A better example, employing a shared trust anchor rather than shared | |||
| end-entity certificates, is illustrated by the DNSSEC validated | end-entity certificates, is illustrated by the DNSSEC validated | |||
| records below: | records below: | |||
| example.com. IN MX 0 mx1.example.com. | example.com. IN MX 0 mx1.example.com. | |||
| example.com. IN MX 0 mx2.example.com. | example.com. IN MX 0 mx2.example.com. | |||
| skipping to change at page 20, line 13 ¶ | skipping to change at page 20, line 18 ¶ | |||
| choice of records to publish will depend on site-specific practices. | choice of records to publish will depend on site-specific practices. | |||
| The certificate usage element of a TLSA record plays a critical role | The certificate usage element of a TLSA record plays a critical role | |||
| in determining how the corresponding certificate association data | in determining how the corresponding certificate association data | |||
| field is used to authenticate server's certificate chain. The next | field is used to authenticate server's certificate chain. The next | |||
| two subsections explain the process for certificate usages DANE-EE(3) | two subsections explain the process for certificate usages DANE-EE(3) | |||
| and DANE-TA(2). The third subsection briefly explains why | and DANE-TA(2). The third subsection briefly explains why | |||
| certificate usages PKIX-TA(0) and PKIX-EE(1) are not applicable with | certificate usages PKIX-TA(0) and PKIX-EE(1) are not applicable with | |||
| opportunistic DANE TLS. | opportunistic DANE TLS. | |||
| In summary, we RECOMMEND the use of either "DANE-EE(3) SPKI(1) | In summary, we RECOMMEND the use of "DANE-EE(3) SPKI(1) SHA2-256(1)", | |||
| SHA2-256(1)" or "DANE-TA(2) Cert(0) SHA2-256(1)" TLSA records | with "DANE-TA(2) Cert(0) SHA2-256(1)" TLSA records as a second | |||
| depending on site needs. Other combinations of TLSA parameters are | choice, depending on site needs. See the following two subsections | |||
| either explicitly unsupported, or offer little to recommend them over | for more details. Other combinations of TLSA parameters are either | |||
| these two. | explicitly unsupported, or offer little to recommend them over these | |||
| two. | ||||
| 3.1.1. Certificate usage DANE-EE(3) | 3.1.1. Certificate usage DANE-EE(3) | |||
| Authentication via certificate usage DANE-EE(3) TLSA records involves | Authentication via certificate usage DANE-EE(3) TLSA records involves | |||
| simply checking that the server's leaf certificate matches the TLSA | simply checking that the server's leaf certificate matches the TLSA | |||
| record. In particular the binding of the server public key to its | record. In particular the binding of the server public key to its | |||
| name is based entirely on the TLSA record association. The server | name is based entirely on the TLSA record association. The server | |||
| MUST be considered authenticated even if none of the names in the | MUST be considered authenticated even if none of the names in the | |||
| certificate match the client's reference identity for the server. | certificate match the client's reference identity for the server. | |||
| Similarly, the expiration date of the server certificate MUST be | The expiration date of the server certificate MUST be ignored: the | |||
| ignored, the validity period of the TLSA record key binding is | validity period of the TLSA record key binding is determined by the | |||
| determined by the validity interval of the TLSA record DNSSEC | validity interval of the TLSA record DNSSEC signature. | |||
| signature. | ||||
| With DANE-EE(3) servers need not employ SNI (may ignore the client's | With DANE-EE(3), servers need not employ SNI (they may ignore the | |||
| SNI message) even when the server is known under independent names | client's SNI message) even when the server is known under independent | |||
| that would otherwise require separate certificates. It is instead | names that would otherwise require separate certificates. It is | |||
| sufficient for the TLSA RRSets for all the domains in question to | instead sufficient for the TLSA RRSets for all the domains in | |||
| match the server's default certificate. Of course with SMTP servers | question to match the server's default certificate. Of course with | |||
| it is simpler still to publish the same MX hostname for all the | SMTP servers it is simpler still to publish the same MX hostname for | |||
| hosted domains. | all the hosted domains. | |||
| For domains where it is practical to make coordinated changes in DNS | For domains where it is practical to make coordinated changes in DNS | |||
| TLSA records during SMTP server key rotation, it is often best to | TLSA records during SMTP server key rotation, it is often best to | |||
| publish end-entity DANE-EE(3) certificate associations. DANE-EE(3) | publish end-entity DANE-EE(3) certificate associations. DANE-EE(3) | |||
| certificates don't suddenly stop working when leaf or intermediate | certificates don't suddenly stop working when leaf or intermediate | |||
| certificates expire, and don't fail when the server operator neglects | certificates expire, and don't fail when the server operator neglects | |||
| to configure all the required issuer certificates in the server | to configure all the required issuer certificates in the server | |||
| certificate chain. | certificate chain. | |||
| TLSA records published for SMTP servers SHOULD, in most cases, be | TLSA records published for SMTP servers SHOULD, in most cases, be | |||
| skipping to change at page 21, line 44 ¶ | skipping to change at page 21, line 50 ¶ | |||
| servers are not configured with a comprehensive list of trust | servers are not configured with a comprehensive list of trust | |||
| anchors, nor are they expected to at any point in the future. Some | anchors, nor are they expected to at any point in the future. Some | |||
| MTAs will ignore all locally trusted certificates when processing | MTAs will ignore all locally trusted certificates when processing | |||
| usage DANE-TA(2) TLSA records. Thus even when the TA happens to be a | usage DANE-TA(2) TLSA records. Thus even when the TA happens to be a | |||
| public Certification Authority known to the SMTP client, | public Certification Authority known to the SMTP client, | |||
| authentication is likely to fail unless the TA certificate is | authentication is likely to fail unless the TA certificate is | |||
| included in the TLS server certificate message. | included in the TLS server certificate message. | |||
| With some SMTP server software it is not possible to configure the | With some SMTP server software it is not possible to configure the | |||
| server to include self-signed (root) CA certificates in the server | server to include self-signed (root) CA certificates in the server | |||
| certificate chain. Such servers MUST either publish DANE-TA(2) | certificate chain. Such servers either MUST publish DANE-TA(2) | |||
| records for an intermediate certificate or MUST instead use DANE- | records for an intermediate certificate or MUST instead use DANE- | |||
| EE(3) TLSA records. | EE(3) TLSA records. | |||
| TLSA records with matching type Full(0) are discouraged. While these | TLSA records with matching type Full(0) are discouraged. While these | |||
| potentially obviate the need to transmit the TA certificate in the | potentially obviate the need to transmit the TA certificate in the | |||
| TLS server certificate message, client implementations may not be | TLS server certificate message, client implementations may not be | |||
| able to augment the server certificate chain with the data obtained | able to augment the server certificate chain with the data obtained | |||
| from DNS, especially when the TLSA record supplies a bare key | from DNS, especially when the TLSA record supplies a bare key | |||
| (selector SPKI(1)). Since the server will need to transmit the TA | (selector SPKI(1)). Since the server will need to transmit the TA | |||
| certificate in any case, server operators SHOULD publish TLSA records | certificate in any case, server operators SHOULD publish TLSA records | |||
| skipping to change at page 22, line 27 ¶ | skipping to change at page 22, line 34 ¶ | |||
| While a selector of SPKI(1) may also be employed, the resulting TLSA | While a selector of SPKI(1) may also be employed, the resulting TLSA | |||
| record will not specify the full trust anchor certificate content, | record will not specify the full trust anchor certificate content, | |||
| and elements of the trust anchor certificate other than the public | and elements of the trust anchor certificate other than the public | |||
| key become mutable. This may, for example, allow a subsidiary CA to | key become mutable. This may, for example, allow a subsidiary CA to | |||
| issue a chain that violates the trust anchor's path length or name | issue a chain that violates the trust anchor's path length or name | |||
| constraints. | constraints. | |||
| 3.1.3. Certificate usages PKIX-TA(0) and PKIX-EE(1) | 3.1.3. Certificate usages PKIX-TA(0) and PKIX-EE(1) | |||
| Note, this section applies to MTA-to-MTA SMTP on port 25. That is, | Note, this section applies to MTA-to-MTA SMTP, which is normally on | |||
| to servers that are the SMTP servers for one or more destination | port 25. That is, to servers that are the SMTP servers for one or | |||
| domains. Other uses of SMTP, such as in MUA-to-MSA submission on | more destination domains. Other uses of SMTP, such as in MUA-to-MSA | |||
| ports 587 or 465 are out of scope for this document. Where those | submission on ports 587 or 465 are out of scope for this document. | |||
| other uses also employ TLS opportunistically and/or depend on DNSSEC | Where those other uses also employ TLS opportunistically and/or | |||
| as a result of DNS-based discovery of service location, the relevant | depend on DNSSEC as a result of DNS-based discovery of service | |||
| specifications should, as appropriate, arrive at similar conclusions. | location, the relevant specifications should, as appropriate, arrive | |||
| at similar conclusions. | ||||
| As noted in Section 1.3.1 and Section 1.3.2, sending MTAs cannot, | As noted in Section 1.3.1 and Section 1.3.2, sending MTAs cannot, | |||
| without relying on DNSSEC for secure MX records and DANE for STARTTLS | without relying on DNSSEC for secure MX records and DANE for STARTTLS | |||
| support signaling, perform server identity verification or prevent | support signaling, perform server identity verification or prevent | |||
| STARTTLS downgrade attacks. The use of PKIX CAs offers no added | STARTTLS downgrade attacks. The use of PKIX CAs offers no added | |||
| security since an attacker capable of compromising DNSSEC is free to | security since an attacker capable of compromising DNSSEC is free to | |||
| replace any PKIX-TA(0) or PKIX-EE(1) TLSA records with records | replace any PKIX-TA(0) or PKIX-EE(1) TLSA records with records | |||
| bearing any convenient non-PKIX certificate usage. Finally, as | bearing any convenient non-PKIX certificate usage. Finally, as | |||
| explained in Section 1.3.4, there is no list of trusted CAs agreed by | explained in Section 1.3.4, there is no list of trusted CAs agreed by | |||
| all MTAs, and no user to "click OK" when a server's CA is not trusted | all MTAs, and no user to "click OK" when a server's CA is not trusted | |||
| skipping to change at page 23, line 16 ¶ | skipping to change at page 23, line 24 ¶ | |||
| Opportunistic DANE TLS needs to interoperate without bilateral | Opportunistic DANE TLS needs to interoperate without bilateral | |||
| coordination of security settings between client and server systems. | coordination of security settings between client and server systems. | |||
| Therefore, parameter choices that are fragile in the absence of | Therefore, parameter choices that are fragile in the absence of | |||
| bilateral coordination are unsupported. Nothing is lost since the | bilateral coordination are unsupported. Nothing is lost since the | |||
| PKIX certificate usages cannot aid SMTP TLS security, they can only | PKIX certificate usages cannot aid SMTP TLS security, they can only | |||
| impede SMTP TLS interoperability. | impede SMTP TLS interoperability. | |||
| SMTP client treatment of TLSA RRs with certificate usages PKIX-TA(0) | SMTP client treatment of TLSA RRs with certificate usages PKIX-TA(0) | |||
| or PKIX-EE(1) is undefined. As with any other unsupported | or PKIX-EE(1) is undefined. As with any other unsupported | |||
| certificate usage, SMTP clients MAY treat such records as "unusable" | certificate usage, SMTP clients MAY treat such records as "unusable". | |||
| 3.2. Certificate matching | 3.2. Certificate matching | |||
| When at least one usable "secure" TLSA record is found, the SMTP | When at least one usable "secure" TLSA record is found, the SMTP | |||
| client MUST use TLSA records to authenticate the SMTP server. | client MUST use TLSA records to authenticate the SMTP server. | |||
| Messages MUST NOT be delivered via the SMTP server if authentication | Messages MUST NOT be delivered via the SMTP server if authentication | |||
| fails, otherwise the SMTP client is vulnerable to MITM attacks. | fails, otherwise the SMTP client is vulnerable to MITM attacks. | |||
| 3.2.1. DANE-EE(3) name checks | 3.2.1. DANE-EE(3) name checks | |||
| skipping to change at page 25, line 24 ¶ | skipping to change at page 25, line 35 ¶ | |||
| support for such a policy. Therefore any wildcards in server | support for such a policy. Therefore any wildcards in server | |||
| certificates SHOULD match exactly one label in either the TLSA base | certificates SHOULD match exactly one label in either the TLSA base | |||
| domain or the next-hop domain. | domain or the next-hop domain. | |||
| 4. Server key management | 4. Server key management | |||
| Two TLSA records MUST be published before employing a new EE or TA | Two TLSA records MUST be published before employing a new EE or TA | |||
| public key or certificate, one matching the currently deployed key | public key or certificate, one matching the currently deployed key | |||
| and the other matching the new key scheduled to replace it. Once | and the other matching the new key scheduled to replace it. Once | |||
| sufficient time has elapsed for all DNS caches to expire the previous | sufficient time has elapsed for all DNS caches to expire the previous | |||
| TLSA RRSet and related signature RRsets, servers may be configured to | TLSA RRSet and related signature RRSets, servers may be configured to | |||
| use the new EE private key and associated public key certificate or | use the new EE private key and associated public key certificate or | |||
| may employ certificates signed by the new trust anchor. | may employ certificates signed by the new trust anchor. | |||
| Once the new public key or certificate is in use, the TLSA RR that | Once the new public key or certificate is in use, the TLSA RR that | |||
| matches the retired key can be removed from DNS, leaving only RRs | matches the retired key can be removed from DNS, leaving only RRs | |||
| that match keys or certificates in active use. | that match keys or certificates in active use. | |||
| As described in Section 3.1.2, when server certificates are validated | As described in Section 3.1.2, when server certificates are validated | |||
| via a DANE-TA(2) trust anchor, and CNAME records are employed to | via a DANE-TA(2) trust anchor, and CNAME records are employed to | |||
| store the TA association data at a single location, the | store the TA association data at a single location, the | |||
| skipping to change at page 26, line 43 ¶ | skipping to change at page 27, line 7 ¶ | |||
| MX hostnames, a sending MTA can be configured to use the receiving | MX hostnames, a sending MTA can be configured to use the receiving | |||
| domains's DANE TLSA records to authenticate the corresponding SMTP | domains's DANE TLSA records to authenticate the corresponding SMTP | |||
| server. Authentication via DANE TLSA records is easier to manage, as | server. Authentication via DANE TLSA records is easier to manage, as | |||
| changes in the receiver's expected certificate properties are made on | changes in the receiver's expected certificate properties are made on | |||
| the receiver end and don't require manually communicated | the receiver end and don't require manually communicated | |||
| configuration changes. With mandatory DANE TLS, when no usable TLSA | configuration changes. With mandatory DANE TLS, when no usable TLSA | |||
| records are found, message delivery is delayed. Thus, mail is only | records are found, message delivery is delayed. Thus, mail is only | |||
| sent when an authenticated TLS channel is established to the remote | sent when an authenticated TLS channel is established to the remote | |||
| SMTP server. | SMTP server. | |||
| Administrators of mail servers that employ mandatory DANE TLS, need | Administrators of mail servers that employ mandatory DANE TLS need to | |||
| to carefully monitor their mail logs and queues. If a partner domain | carefully monitor their mail logs and queues. If a partner domain | |||
| unwittingly misconfigures their TLSA records, disables DNSSEC, or | unwittingly misconfigures their TLSA records, disables DNSSEC, or | |||
| misconfigures SMTP server certificate chains, mail will be delayed | misconfigures SMTP server certificate chains, mail will be delayed | |||
| and may bounce if the issue is not resolved in a timely manner. | and may bounce if the issue is not resolved in a timely manner. | |||
| 7. Note on DANE for Message User Agents | 7. Note on DANE for Message User Agents | |||
| We note that the SMTP protocol is also used between Message User | We note that the SMTP protocol is also used between Message User | |||
| Agents (MUAs) and Message Submission Agents (MSAs) [RFC6409]. In | Agents (MUAs) and Message Submission Agents (MSAs) [RFC6409]. In | |||
| [RFC6186] a protocol is specified that enables an MUA to dynamically | [RFC6186] a protocol is specified that enables an MUA to dynamically | |||
| locate the MSA based on the user's email address. SMTP connection | locate the MSA based on the user's email address. SMTP connection | |||
| skipping to change at page 30, line 38 ¶ | skipping to change at page 31, line 4 ¶ | |||
| comments and advice on this document. | comments and advice on this document. | |||
| Acknowledgments from Viktor: Thanks to Paul Hoffman who motivated me | Acknowledgments from Viktor: Thanks to Paul Hoffman who motivated me | |||
| to begin work on this memo and provided feedback on early drafts. | to begin work on this memo and provided feedback on early drafts. | |||
| Thanks to Patrick Koetter, Perry Metzger and Nico Williams for | Thanks to Patrick Koetter, Perry Metzger and Nico Williams for | |||
| valuable review comments. Thanks also to Wietse Venema who created | valuable review comments. Thanks also to Wietse Venema who created | |||
| Postfix, and whose advice and feedback were essential to the | Postfix, and whose advice and feedback were essential to the | |||
| development of the Postfix DANE implementation. | development of the Postfix DANE implementation. | |||
| 13. References | 13. References | |||
| 13.1. Normative References | 13.1. Normative References | |||
| [I-D.ietf-dane-ops] | [I-D.ietf-dane-ops] | |||
| Dukhovni, V. and W. Hardaker, "Updates to and Operational | Dukhovni, V. and W. Hardaker, "Updates to and Operational | |||
| Guidance for the DANE Protocol", draft-ietf-dane-ops-07 | Guidance for the DANE Protocol", draft-ietf-dane-ops-08 | |||
| (work in progress), October 2014. | (work in progress), May 2015. | |||
| [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | ||||
| STD 13, RFC 1034, November 1987. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over | [RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over | |||
| Transport Layer Security", RFC 3207, February 2002. | Transport Layer Security", RFC 3207, February 2002. | |||
| [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "DNS Security Introduction and Requirements", RFC | Rose, "DNS Security Introduction and Requirements", RFC | |||
| 4033, March 2005. | 4033, March 2005. | |||
| skipping to change at page 31, line 28 ¶ | skipping to change at page 31, line 43 ¶ | |||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, May 2008. | (CRL) Profile", RFC 5280, May 2008. | |||
| [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, | [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, | |||
| October 2008. | October 2008. | |||
| [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, July | ||||
| 2009. | ||||
| [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: | [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: | |||
| Extension Definitions", RFC 6066, January 2011. | Extension Definitions", RFC 6066, January 2011. | |||
| [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and | [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and | |||
| Verification of Domain-Based Application Service Identity | Verification of Domain-Based Application Service Identity | |||
| within Internet Public Key Infrastructure Using X.509 | within Internet Public Key Infrastructure Using X.509 | |||
| (PKIX) Certificates in the Context of Transport Layer | (PKIX) Certificates in the Context of Transport Layer | |||
| Security (TLS)", RFC 6125, March 2011. | Security (TLS)", RFC 6125, March 2011. | |||
| [RFC6186] Daboo, C., "Use of SRV Records for Locating Email | [RFC6186] Daboo, C., "Use of SRV Records for Locating Email | |||
| skipping to change at page 32, line 13 ¶ | skipping to change at page 32, line 33 ¶ | |||
| Entities (DANE)", RFC 7218, April 2014. | Entities (DANE)", RFC 7218, April 2014. | |||
| 13.2. Informative References | 13.2. Informative References | |||
| [I-D.ietf-dane-srv] | [I-D.ietf-dane-srv] | |||
| Finch, T., Miller, M., and P. Saint-Andre, "Using DNS- | Finch, T., Miller, M., and P. Saint-Andre, "Using DNS- | |||
| Based Authentication of Named Entities (DANE) TLSA Records | Based Authentication of Named Entities (DANE) TLSA Records | |||
| with SRV Records", draft-ietf-dane-srv-14 (work in | with SRV Records", draft-ietf-dane-srv-14 (work in | |||
| progress), April 2015. | progress), April 2015. | |||
| [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | ||||
| STD 13, RFC 1034, November 1987. | ||||
| [RFC1035] Mockapetris, P., "Domain names - implementation and | [RFC1035] Mockapetris, P., "Domain names - implementation and | |||
| specification", STD 13, RFC 1035, November 1987. | specification", STD 13, RFC 1035, November 1987. | |||
| [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS | [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS | |||
| Specification", RFC 2181, July 1997. | Specification", RFC 2181, July 1997. | |||
| [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC | [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC | |||
| 4949, August 2007. | 4949, August 2007. | |||
| [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, July | ||||
| 2009. | ||||
| [RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail", | [RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail", | |||
| STD 72, RFC 6409, November 2011. | STD 72, RFC 6409, November 2011. | |||
| [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection | [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection | |||
| Most of the Time", RFC 7435, December 2014. | Most of the Time", RFC 7435, December 2014. | |||
| Authors' Addresses | Authors' Addresses | |||
| Viktor Dukhovni | Viktor Dukhovni | |||
| Two Sigma | Two Sigma | |||
| Email: ietf-dane@dukhovni.org | Email: ietf-dane@dukhovni.org | |||
| Wes Hardaker | Wes Hardaker | |||
| Parsons | Parsons | |||
| P.O. Box 382 | P.O. Box 382 | |||
| Davis, CA 95617 | Davis, CA 95617 | |||
| US | US | |||
| End of changes. 30 change blocks. | ||||
| 83 lines changed or deleted | 87 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||