< draft-ietf-dane-srv-10.txt		draft-ietf-dane-srv-11.txt >
	DNS-Based Authentication of Named Entities (DANE) T. Finch		DNS-Based Authentication of Named Entities (DANE) T. Finch
	Internet-Draft University of Cambridge		Internet-Draft University of Cambridge
	Intended status: Standards Track M. Miller		Intended status: Standards Track M. Miller
	Expires: August 20, 2015 Cisco Systems, Inc.		Expires: August 21, 2015 Cisco Systems, Inc.
	P. Saint-Andre		P. Saint-Andre
	&yet		&yet
	February 16, 2015		February 17, 2015
	Using DNS-Based Authentication of Named Entities (DANE) TLSA Records		Using DNS-Based Authentication of Named Entities (DANE) TLSA Records
	with SRV Records		with SRV Records
	draft-ietf-dane-srv-10		draft-ietf-dane-srv-11
	Abstract		Abstract
	The DANE specification (RFC 6698) describes how to use TLSA resource		The DANE specification (RFC 6698) describes how to use TLSA resource
	records secured by DNSSEC (RFC 4033) to associate a server's		records secured by DNSSEC (RFC 4033) to associate a server's
	connection endpoint with its TLS certificate. However, application		connection endpoint with its TLS certificate. However, application
	protocols that use SRV records (RFC 2782) to indirectly name the		protocols that use SRV records (RFC 2782) to indirectly name the
	target server connection endpoints for a service domain cannot apply		target server connection endpoints for a service domain cannot apply
	the rules from RFC 6698. Therefore this document provides guidelines		the rules from RFC 6698. Therefore this document provides guidelines
	that enable such protocols to locate and use TLSA records.		that enable such protocols to locate and use TLSA records.
	skipping to change at page 1, line 40 ¶		skipping to change at page 1, line 40 ¶
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute		Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-		working documents as Internet-Drafts. The list of current Internet-
	Drafts is at http://datatracker.ietf.org/drafts/current/.		Drafts is at http://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	This Internet-Draft will expire on August 20, 2015.		This Internet-Draft will expire on August 21, 2015.
	Copyright Notice		Copyright Notice
	Copyright (c) 2015 IETF Trust and the persons identified as the		Copyright (c) 2015 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents		Provisions Relating to IETF Documents
	(http://trustee.ietf.org/license-info) in effect on the date of		(http://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents		publication of this document. Please review these documents
	skipping to change at page 4, line 21 ¶		skipping to change at page 4, line 21 ¶
	When the client makes an SRV query, a successful result will		When the client makes an SRV query, a successful result will
	typically be a list of one or more SRV records (or possibly a chain		typically be a list of one or more SRV records (or possibly a chain
	of CNAME / DNAME aliases leading to such a list).		of CNAME / DNAME aliases leading to such a list).
	NOTE: Implementers need to be aware that unsuccessful results can		NOTE: Implementers need to be aware that unsuccessful results can
	occur because of various DNS-related errors; guidance on avoiding		occur because of various DNS-related errors; guidance on avoiding
	downgrade attacks can be found in Section 2.1 of		downgrade attacks can be found in Section 2.1 of
	[I-D.ietf-dane-smtp-with-dane].		[I-D.ietf-dane-smtp-with-dane].
	For this specification to apply, the entire DNS RRset that is		For this specification to apply, the entire chain of DNS RRset(s)
	returned MUST be "secure" according to DNSSEC validation (Section 5		returned MUST be "secure" according to DNSSEC validation (Section 5
	of [RFC4035]). In the case where the answer is obtained via a chain		of [RFC4035]). In the case where the answer is obtained via a chain
	of CNAME and/or DNAME aliases, the whole chain of CNAME and DNAME		of CNAME and/or DNAME aliases, the whole chain of CNAME and DNAME
	RRsets MUST also be secure.		RRsets MUST also be secure.
	If the SRV lookup fails because the RRset is "bogus" (or the lookup		If the SRV lookup fails because the RRset is "bogus" (or the lookup
	fails for reasons other than no records), the client MUST abort its		fails for reasons other than no records), the client MUST abort its
	attempt to connect to the desired service. If the lookup result is		attempt to connect to the desired service. If the lookup result is
	"insecure" (or no SRV records exist), this protocol does not apply		"insecure" (or no SRV records exist), this protocol does not apply
	and the client SHOULD fall back to its non-DNSSEC, non-DANE (and		and the client SHOULD fall back to its non-DNSSEC, non-DANE (and
End of changes. 5 change blocks.
	5 lines changed or deleted		5 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/