| draft-ietf-dane-srv-11.txt (old) | draft-ietf-dane-srv-12.txt (new) |
|---|---|
| DNS-Based Authentication of Named Entities (DANE) T. Finch | DNS-Based Authentication of Named Entities (DANE) T. Finch | |||
| Internet-Draft University of Cambridge | Internet-Draft University of Cambridge | |||
| Intended status: Standards Track M. Miller | Intended status: Standards Track M. Miller | |||
| Expires: August 21, 2015 Cisco Systems, Inc. | Expires: September 24, 2015 Cisco Systems, Inc. | |||
| P. Saint-Andre | P. Saint-Andre | |||
| &yet | &yet | |||
| February 17, 2015 | March 23, 2015 | |||
| Using DNS-Based Authentication of Named Entities (DANE) TLSA Records | Using DNS-Based Authentication of Named Entities (DANE) TLSA Records | |||
| with SRV Records | with SRV Records | |||
| draft-ietf-dane-srv-11 | draft-ietf-dane-srv-12 | |||
| Abstract | Abstract | |||
| The DANE specification (RFC 6698) describes how to use TLSA resource | The DANE specification (RFC 6698) describes how to use TLSA resource | |||
| records secured by DNSSEC (RFC 4033) to associate a server's | records secured by DNSSEC (RFC 4033) to associate a server's | |||
| connection endpoint with its TLS certificate. However, application | connection endpoint with its TLS certificate. However, application | |||
| protocols that use SRV records (RFC 2782) to indirectly name the | protocols that use SRV records (RFC 2782) to indirectly name the | |||
| target server connection endpoints for a service domain cannot apply | target server connection endpoints for a service domain cannot apply | |||
| the rules from RFC 6698. Therefore this document provides guidelines | the rules from RFC 6698. Therefore this document provides guidelines | |||
| that enable such protocols to locate and use TLSA records. | that enable such protocols to locate and use TLSA records. | |||
| skipping to change at page 1, line 40 ¶ | skipping to change at page 1, line 40 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 21, 2015. | This Internet-Draft will expire on September 24, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 5, line 38 ¶ | skipping to change at page 5, line 38 ¶ | |||
| _imap._tcp.example.com. 86400 IN SRV 10 0 9143 imap.example.net. | _imap._tcp.example.com. 86400 IN SRV 10 0 9143 imap.example.net. | |||
| leads to the TLSA query shown below: | leads to the TLSA query shown below: | |||
| _9143._tcp.imap.example.net. IN TLSA ? | _9143._tcp.imap.example.net. IN TLSA ? | |||
| 3.4. Impact on TLS Usage | 3.4. Impact on TLS Usage | |||
| The client SHALL determine if the TLSA records returned in the | The client SHALL determine if the TLSA records returned in the | |||
| previous step are usable according to Section 4.1 of [RFC6698]. This | previous step are usable according to Section 4.1 of [RFC6698]. This | |||
| affects the use TLS as follows: | affects the use of TLS as follows: | |||
| o If the TLSA response is "secure" and usable, then the client MUST | o If the TLSA response is "secure" and usable, then the client MUST | |||
| use TLS when connecting to the target server. The TLSA records | use TLS when connecting to the target server. The TLSA records | |||
| are used when validating the server's certificate as described in | are used when validating the server's certificate as described in | |||
| Section 4. | Section 4. | |||
| o If the TLSA response is "bogus" or "indeterminate" (or the lookup | o If the TLSA response is "bogus" or "indeterminate" (or the lookup | |||
| fails for reasons other than no records), then the client MUST NOT | fails for reasons other than no records), then the client MUST NOT | |||
| connect to the target server (the client can still use other SRV | connect to the target server (the client can still use other SRV | |||
| targets). | targets). | |||
| skipping to change at page 10, line 50 ¶ | skipping to change at page 10, line 50 ¶ | |||
| Protocol: TLSA", RFC 6698, August 2012. | Protocol: TLSA", RFC 6698, August 2012. | |||
| [RFC7218] Gudmundsson, O., "Adding Acronyms to Simplify | [RFC7218] Gudmundsson, O., "Adding Acronyms to Simplify | |||
| Conversations about DNS-Based Authentication of Named | Conversations about DNS-Based Authentication of Named | |||
| Entities (DANE)", RFC 7218, April 2014. | Entities (DANE)", RFC 7218, April 2014. | |||
| 11.2. Informative References | 11.2. Informative References | |||
| [I-D.ietf-dane-smtp-with-dane] | [I-D.ietf-dane-smtp-with-dane] | |||
| Dukhovni, V. and W. Hardaker, "SMTP security via | Dukhovni, V. and W. Hardaker, "SMTP security via | |||
| opportunistic DANE TLS", draft-ietf-dane-smtp-with-dane-13 | opportunistic DANE TLS", draft-ietf-dane-smtp-with-dane-15 | |||
| (work in progress), October 2014. | (work in progress), March 2015. | |||
| [I-D.ietf-xmpp-dna] | [I-D.ietf-xmpp-dna] | |||
| Saint-Andre, P. and M. Miller, "Domain Name Associations | Saint-Andre, P., Miller, M., and P. Hancke, "Domain Name | |||
| (DNA) in the Extensible Messaging and Presence Protocol | Associations (DNA) in the Extensible Messaging and | |||
| (XMPP)", draft-ietf-xmpp-dna-08 (work in progress), | Presence Protocol (XMPP)", draft-ietf-xmpp-dna-09 (work in | |||
| October 2014. | progress), February 2015. | |||
| [RFC3403] Mealling, M., "Dynamic Delegation Discovery System (DDDS) | [RFC3403] Mealling, M., "Dynamic Delegation Discovery System (DDDS) | |||
| Part Three: The Domain Name System (DNS) Database", RFC | Part Three: The Domain Name System (DNS) Database", RFC | |||
| 3403, October 2002. | 3403, October 2002. | |||
| [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, | [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, | |||
| October 2008. | October 2008. | |||
| [RFC6120] Saint-Andre, P., "Extensible Messaging and Presence | [RFC6120] Saint-Andre, P., "Extensible Messaging and Presence | |||
| Protocol (XMPP): Core", RFC 6120, March 2011. | Protocol (XMPP): Core", RFC 6120, March 2011. | |||
| skipping to change at page 12, line 8 ¶ | skipping to change at page 12, line 8 ¶ | |||
| _9143._tcp.imap.example.net. RRSIG TLSA ... | _9143._tcp.imap.example.net. RRSIG TLSA ... | |||
| Mail messages received for addresses at example.com are retrieved via | Mail messages received for addresses at example.com are retrieved via | |||
| IMAP at imap.example.net. Connections to imap.example.net port 9143 | IMAP at imap.example.net. Connections to imap.example.net port 9143 | |||
| that use STARTTLS will get a server certificate that authenticates | that use STARTTLS will get a server certificate that authenticates | |||
| the name imap.example.net. | the name imap.example.net. | |||
| A.2. XMPP | A.2. XMPP | |||
| ; XMPP domain | ; XMPP domain | |||
| _xmpp-client.example.com. SRV 1 0 5222 im.example.net. | _xmpp-client._tcp.example.com. SRV 1 0 5222 im.example.net. | |||
| _xmpp-client.example.com. RRSIG SRV ... | _xmpp-client._tcp.example.com. RRSIG SRV ... | |||
| ; target server host name | ; target server host name | |||
| im.example.net. A 192.0.2.3 | im.example.net. A 192.0.2.3 | |||
| im.example.net. RRSIG A ... | im.example.net. RRSIG A ... | |||
| im.example.net. AAAA 2001:db8:212:8::e:4 | im.example.net. AAAA 2001:db8:212:8::e:4 | |||
| im.example.net. RRSIG AAAA ... | im.example.net. RRSIG AAAA ... | |||
| ; TLSA resource record | ; TLSA resource record | |||
| _5222._tcp.im.example.net. TLSA ... | _5222._tcp.im.example.net. TLSA ... | |||
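Review bot: the `_tcp` label added to the SRV owner name in A.2 is the correct fix, and it is the one change in this draft with a security consequence. RFC 2782 names SRV records `_Service._Proto.Name`, and the TLSA derivation shown earlier on this page (`_imap._tcp.example.com.` SRV with port 9143 and target `imap.example.net.` leading to the query `_9143._tcp.imap.example.net.`) takes the port from the SRV record and the protocol from that `_Proto` label. The old `_xmpp-client.example.com.` name has no protocol label, so it is not the name an XMPP client querying `_xmpp-client._tcp.example.com.` would ever receive, and the `_5222._tcp.im.example.net.` TLSA record below it could not be reached through it; `_xmpp-client._tcp.example.com. SRV 1 0 5222 im.example.net.` now lines up with both the IMAP appendix and the TLSA owner name. Worth keeping both RRSIG lines as they are, since the point of the appendix is that the SRV and the address records of the target are DNSSEC-signed before any TLSA record is trusted.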
| End of changes. 8 change blocks. | ||||
| 13 lines changed or deleted | 13 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
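The two technical passages on this page, the SRV-to-TLSA name derivation (the `_imap._tcp.example.com.` record leading to the `_9143._tcp.imap.example.net.` TLSA query) and the Section 3.4 rules on what a "secure"/usable versus "bogus"/"indeterminate"/failed TLSA response means for the connection, are small enough to carry through in code. The block below is an added example and is not code from the draft or from any implementation it cites. Assumptions beyond the page: the usability test follows RFC 6698 Section 4.1 (a record is unusable if its certificate usage, selector or matching type is unrecognised, or if the association data has the wrong length for a SHA-256 or SHA-512 matching type); targets of equal SRV priority are ordered by descending weight instead of RFC 2782's weighted random selection; a name missing from the stand-in resolver table is treated as a failed lookup; and outcomes the excerpt does not cover (an "insecure" response, a "secure" response with no usable record) are reported as not specified here rather than guessed. The zone lines and hash values are constructed sample data.

```python
"""Derive the DANE TLSA query name from an SRV record and apply the
Section 3.4 rules quoted on this page.  Added example; not the draft's code."""
import re
from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class SRV:
    owner: str       # _Service._Proto.Name (RFC 2782)
    proto: str       # the _Proto label, e.g. "_tcp"
    priority: int
    weight: int
    port: int
    target: str


# Presentation-format SRV line; TTL and class are optional, as in Appendix A.
_SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(line: str) -> SRV:
    m = _SRV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    labels = m["owner"].split(".")
    # RFC 2782 requires both underscore labels; a name such as
    # _xmpp-client.example.com. (the pre-12 example) is rejected here.
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError(f"SRV owner name is not _Service._Proto.Name: {m['owner']}")
    return SRV(m["owner"], labels[1], int(m["prio"]), int(m["weight"]),
               int(m["port"]), m["target"])


def tlsa_qname(srv: SRV) -> str:
    """_<port>.<_proto>.<target>, e.g. _9143._tcp.imap.example.net."""
    return f"_{srv.port}.{srv.proto}.{srv.target}"


@dataclass(frozen=True)
class TLSA:
    usage: int           # 0..3: PKIX-TA, PKIX-EE, DANE-TA, DANE-EE
    selector: int        # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int   # 0 exact, 1 SHA-256, 2 SHA-512
    data_hex: str


_DIGEST_LEN = {1: 32, 2: 64}   # association data length in bytes per matching type


def tlsa_usable(rr: TLSA) -> bool:
    """RFC 6698 Section 4.1 usability check (assumption: this is the test
    the draft refers to).  Unknown parameter values or a digest of the
    wrong length make the record unusable."""
    if rr.usage not in range(4) or rr.selector not in range(2) or rr.matching_type not in range(3):
        return False
    expected = _DIGEST_LEN.get(rr.matching_type)
    return expected is None or len(bytes.fromhex(rr.data_hex)) == expected


class Status(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"
    INDETERMINATE = "indeterminate"
    LOOKUP_FAILED = "lookup failed for a reason other than no records"


class Decision(Enum):
    TLS_REQUIRED_DANE = "MUST use TLS; validate the certificate against the TLSA records"
    DO_NOT_CONNECT = "MUST NOT connect to this target; other SRV targets may be tried"
    NOT_IN_EXCERPT = "outcome governed by rules not quoted in this excerpt"


def tls_decision(status: Status, rrs: list) -> Decision:
    """Section 3.4 as quoted: bogus/indeterminate/failed -> do not connect;
    secure and usable -> TLS with DANE validation is mandatory."""
    if status in (Status.BOGUS, Status.INDETERMINATE, Status.LOOKUP_FAILED):
        return Decision.DO_NOT_CONNECT
    if status is Status.SECURE and any(tlsa_usable(r) for r in rrs):
        return Decision.TLS_REQUIRED_DANE
    return Decision.NOT_IN_EXCERPT


def plan_connections(srv_lines, lookups):
    """Walk SRV targets in priority order (equal priority: descending weight,
    a deterministic stand-in for RFC 2782's weighted choice).  `lookups` maps
    a TLSA query name to (Status, [TLSA]) and stands in for a validating
    resolver; a name absent from it counts as a failed lookup."""
    plan = []
    for srv in sorted(map(parse_srv, srv_lines), key=lambda s: (s.priority, -s.weight)):
        q = tlsa_qname(srv)
        status, rrs = lookups.get(q, (Status.LOOKUP_FAILED, []))
        plan.append((q, tls_decision(status, rrs)))
    return plan


# Constructed sample data modelled on the draft's Appendix A; hashes are made up.
SAMPLE_SRV = [
    "_imap._tcp.example.com. 86400 IN SRV 10 0 9143 imap.example.net.",
    "_imap._tcp.example.com. 86400 IN SRV 20 0 9143 imap2.example.net.",
]
SAMPLE_LOOKUPS = {
    "_9143._tcp.imap.example.net.": (Status.SECURE, [TLSA(3, 1, 1, "ab" * 32)]),
    "_9143._tcp.imap2.example.net.": (Status.BOGUS, []),
}

if __name__ == "__main__":
    for qname, decision in plan_connections(SAMPLE_SRV, SAMPLE_LOOKUPS):
        print(qname, "->", decision.value)
```

Running the script with the sample data yields the first target with TLS and DANE validation mandatory and the second target skipped because its TLSA response is bogus; the rejection of `_xmpp-client.example.com.` in `parse_srv` is the same defect the draft-12 change to Appendix A.2 corrects.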