idnits 2.17.1 draft-ietf-dane-ops-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 26, 2014) is 3470 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) ** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525) ** Obsolete normative reference: RFC 6347 (Obsoleted by RFC 9147) == Outdated reference: A later version (-06) exists of draft-dukhovni-opportunistic-security-04 == Outdated reference: A later version (-19) exists of draft-ietf-dane-smtp-with-dane-12 == Outdated reference: A later version (-14) exists of draft-ietf-dane-srv-08 -- Obsolete informational reference (is this intentional?): RFC 6962 (Obsoleted by RFC 9162) Summary: 3 errors (**), 0 flaws (~~), 4 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DANE V. Dukhovni 3 Internet-Draft Unaffiliated 4 Intended status: Standards Track W. Hardaker 5 Expires: April 29, 2015 Parsons 6 October 26, 2014 8 Updates to and Operational Guidance for the DANE Protocol 9 draft-ietf-dane-ops-07 11 Abstract 13 This memo clarifies and updates the DNS-Based Authentication of Named 14 Entities (DANE) TLSA specification based on subsequent implementation 15 experience. It also contains guidance for implementers, operators 16 and protocol developers who want to make use of DANE records. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on April 29, 2015. 35 Copyright Notice 37 Copyright (c) 2014 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 54 2. DANE TLSA Record Overview . . . . . . . . . . . . . . . . . . 4 55 2.1. Example TLSA record . . . . . . . . . . . . . . . . . . . 6 56 3. DANE TLS Requirements . . . . . . . . . . . . . . . . . . . . 6 57 4. DANE Certificate-Usage Selection Guidelines . . . . . . . . . 7 58 4.1. Opportunistic Security and PKIX usages . . . . . . . . . 7 59 4.2. Interaction with Certificate Transparency . . . . . . . . 7 60 4.3. Transitioning between PKIX-TA/EE and DANE-TA/EE . . . . . 8 61 5. Certificate-Usage Specific DANE Updates and Guidelines . . . 8 62 5.1. Certificate Usage DANE-EE(3) . . . . . . . . . . . . . . 8 63 5.2. Certificate Usage DANE-TA(2) . . . . . . . . . . . . . . 10 64 5.3. Certificate Usage PKIX-EE(1) . . . . . . . . . . . . . . 13 65 5.4. Certificate Usage PKIX-TA(0) . . . . . . . . . . . . . . 13 66 6. Service Provider and TLSA Publisher Synchronization . . . . . 14 67 7. TLSA Base Domain and CNAMEs . . . . . . . . . . . . . . . . . 16 68 8. TLSA Publisher Requirements . . . . . . . . . . . . . . . . . 17 69 8.1. Key rollover with fixed TLSA Parameters . . . . . . . . . 18 70 8.2. Switching to DANE-TA from DANE-EE . . . . . . . . . . . . 19 71 8.3. Switching to New TLSA Parameters . . . . . . . . . . . . 19 72 8.4. TLSA Publisher Requirements Summary . . . . . . . . . . . 20 73 9. Digest Algorithm Agility . . . . . . . . . . . . . . . . . . 20 74 10. General DANE Guidelines . . . . . . . . . . . . . . . . . . . 21 75 10.1. DANE DNS Record Size Guidelines . . . . . . . . . . . . 22 76 10.2. Certificate Name Check Conventions . . . . . . . . . . . 22 77 10.3. Design Considerations for Protocols Using DANE . . . . . 24 78 11. Note on DNSSEC Security . . . . . . . . . . . . . . . . . . . 24 79 12. Summary of Updates to RFC6698 . . . . . . . . . . . . . . . . 25 80 13. Operational Considerations . . . . . . . . . . . . . . . . . 26 81 14. Security Considerations . . . . . . . . . . . . . . . . . . . 26 82 15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 83 16. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 27 84 17. References . . . . . . . . . . . . . . . . . . . . . . . . . 27 85 17.1. Normative References . . . . . . . . . . . . . . . . . . 27 86 17.2. Informative References . . . . . . . . . . . . . . . . . 28 87 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28 89 1. Introduction 91 The DANE TLSA specification ([RFC6698]) introduces the DNS "TLSA" 92 resource record type. TLSA records associate a certificate or a 93 public key of an end-entity or a trusted issuing authority with the 94 corresponding TLS transport endpoint. DNSSEC validated DANE TLSA 95 records can be used to augment or replace the use of trusted public 96 Certification Authorities (CAs). 98 [RFC6698] defines three TLSA record fields with respectively 4, 2 and 99 3 currently specified values. These yield 24 distinct combinations 100 of TLSA record types. This memo will recommend a smaller set of 101 best-practice combinations of these fields to simplify protocol 102 design, implementation and deployment. 104 Implementation complexity also arises from the fact that the TLS 105 transport endpoint is often specified indirectly via Service Records 106 (SRV), Mail Exchange (MX) records, CNAME records or other mechanisms 107 that map an abstract service domain to a concrete server domain. 108 With service indirection there are multiple potential places for 109 clients to find the relevant TLSA records. Service indirection is 110 often used to implement "virtual hosting", where a single Service 111 Provider transport endpoint simultaneously supports multiple hosted 112 domain names. With services that employ TLS, such hosting 113 arrangements may require the Service Provider to deploy multiple 114 pairs of private keys and certificates. The TLS clients, then, 115 signal the desired domain to the TLSA server via the Server Name 116 Indication (SNI) extension ([RFC6066], section 3). This memo 117 provides operational guidelines intended to maximize interoperability 118 between DANE TLS clients and servers. 120 In the context of this memo, channel security is assumed to be 121 provided by TLS or DTLS. The Transport Layer Security (TLS) 122 [RFC5246] and Datagram Transport Layer Security (DTLS) [RFC6347] 123 protocols provide secured TCP and UDP communication, respectively, 124 over IP. By convention, "TLS" will be used throughout this document 125 and, unless otherwise specified, the text applies equally well to the 126 DTLS over UDP protocol. Used without authentication, TLS provides 127 protection only against eavesdropping through its use of encryption. 128 With authentication, TLS also provides integrity protection and 129 authentication, which protects the transport against man-in-the- 130 middle (MITM) attacks. 132 Other related documents that build on [RFC6698] are 133 [I-D.ietf-dane-srv] and [I-D.ietf-dane-smtp-with-dane]. 135 In Section 12 we summarize the normative updates this document makes 136 to [RFC6698]. 138 1.1. Terminology 140 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 141 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 142 "OPTIONAL" in this document are to be interpreted as described in 143 [RFC2119]. 145 The following terms are used throughout this document: 147 Service Provider: A company or organization that offers to host a 148 service on behalf of the owner of a Customer Domain. The original 149 domain name associated with the service often remains under the 150 control of the customer. Connecting applications may be directed 151 to the Service Provider via a redirection resource record. 152 Example redirection records include MX, SRV, and CNAME. The 153 Service Provider frequently provides services for many customers 154 and must carefully manage any TLS credentials offered to 155 connecting applications to ensure name matching is handled easily 156 by the applications. 158 Customer Domain: As described above, a TLS client may be interacting 159 with a service that is hosted by a third party. We will refer to 160 the domain name used to locate the service (prior to any 161 redirection) as the "Customer Domain". 163 TLSA Publisher: The entity responsible for publishing a TLSA record 164 within a DNS zone. This zone will be assumed DNSSEC-signed and 165 validatable to a trust anchor, unless otherwise specified. If the 166 Customer Domain is not outsourcing their DNS service, the TLSA 167 Publisher will be the customer themselves. Otherwise, the TLSA 168 Publisher may be the operator of the outsourced DNS service. 170 public key: The term "public key" is short-hand for the 171 subjectPublicKeyInfo component of a PKIX [RFC5280] certificate. 173 SNI: The "Server Name Indication" (SNI) TLS protocol extension 174 allows a TLS client to request a connection to a particular 175 service name of a TLS server ([RFC6066], section 3). Without this 176 TLS extension, a TLS server has no choice but to offer a PKIX 177 certificate with a default list of server names, making it 178 difficult to host multiple Customer Domains at the same IP- 179 addressed based TLS service endpoint (i.e., "secure virtual 180 hosting"). 182 TLSA parameters: In [RFC6698] the TLSA record is defined to consist 183 of four fields. The first three of these are numeric parameters 184 that specify the meaning of the data in fourth and final field. 185 To avoid language contortions when we need to distinguish between 186 the first three fields that together define a TLSA record "type" 187 and the fourth that provides a data value of that type, we will 188 call the first three fields "TLSA parameters", or sometimes just 189 "parameters" when obvious from context. 191 2. DANE TLSA Record Overview 193 DANE TLSA [RFC6698] specifies a protocol for publishing TLS server 194 certificate associations via DNSSEC [RFC4033] [RFC4034] [RFC4035]. 196 The DANE TLSA specification defines multiple TLSA RR types via 197 combinations of numeric values of the first three fields of the TLSA 198 record (i.e. the "TLSA parameters"). The numeric values of these 199 parameters were later given symbolic names in [RFC7218]. These 200 parameters are: 202 The Certificate Usage field: Section 2.1.1 of [RFC6698] specifies 4 203 values: PKIX-TA(0), PKIX-EE(1), DANE-TA(2), and DANE-EE(3). There 204 is an additional private-use value: PrivCert(255), which, given 205 its private scope, shall not be considered further in this 206 document. All other values are reserved for use by future 207 specifications. 209 The selector field: Section 2.1.2 of [RFC6698] specifies 2 values: 210 Cert(0), SPKI(1). There is an additional private-use value: 211 PrivSel(255). All other values are reserved for use by future 212 specifications. 214 The matching type field: Section 2.1.3 of [RFC6698] specifies 3 215 values: Full(0), SHA2-256(1), SHA2-512(2). There is an additional 216 private-use value: PrivMatch(255). All other values are reserved 217 for use by future specifications. 219 We may think of TLSA Certificate Usage values 0 through 3 as a 220 combination of two one-bit flags. The low-bit chooses between trust 221 anchor (TA) and end entity (EE) certificates. The high bit chooses 222 between PKIX, or public PKI issued, and DANE, or domain-issued trust 223 anchors: 225 o When the low bit is set (PKIX-EE(1) and DANE-EE(3)) the TLSA 226 record matches an EE certificate (also commonly referred to as a 227 leaf or server certificate.) 229 o When the low bit is not set (PKIX-TA(0) and DANE-TA(2)) the TLSA 230 record matches a trust anchor (a Certification Authority) that 231 issued one of the certificates in the server certificate chain. 233 o When the high bit is set (DANE-TA(2) and DANE-EE(3)), the server 234 certificate chain is domain-issued and may be verified without 235 reference to any pre-configured Certification Authority trust 236 anchor. Trust is based solely on the content of the TLSA records 237 obtained via DNSSEC. 239 o When the high bit is not set (PKIX-TA(0) and PKIX-EE(1)), the TLSA 240 record publishes a server policy stating that its certificate 241 chain must pass PKIX validation [RFC5280] and the DANE TLSA record 242 is used to signal an additional requirement that the PKIX 243 validated server certificate chain also contains the referenced CA 244 or EE certificate. 246 The selector field specifies whether the TLSA RR matches the whole 247 certificate (Cert(0)) or just its subjectPublicKeyInfo (SPKI(1)). 248 The subjectPublicKeyInfo is an ASN.1 DER encoding of the 249 certificate's algorithm id, any parameters and the public key data. 251 The matching type field specifies how the TLSA RR Certificate 252 Association Data field is to be compared with the certificate or 253 public key. A value of Full(0) means an exact match: the full DER 254 encoding of the certificate or public key is given in the TLSA RR. A 255 value of SHA2-256(1) means that the association data matches the 256 SHA2-256 digest of the certificate or public key, and likewise 257 SHA2-512(2) means a SHA2-512 digest is used. Of the two digest 258 algorithms, for now only SHA2-256(1) is mandatory to implement. 259 Clients SHOULD implement SHA2-512(2), but servers SHOULD NOT 260 exclusively publish SHA2-512(2) digests. The digest algorithm 261 agility protocol defined in Section 9 SHOULD be used by clients to 262 decide how to process TLSA RRsets that employ multiple digest 263 algorithms. Server operators MUST publish TLSA RRsets that are 264 compatible with digest algorithm agility. 266 2.1. Example TLSA record 268 In the example TLSA record below: 270 _25._tcp.mail.example.com. IN TLSA PKIX-TA Cert SHA2-256 ( 271 E8B54E0B4BAA815B06D3462D65FBC7C0 272 CF556ECCF9F5303EBFBB77D022F834C0 ) 274 The TLSA Certificate Usage is DANE-TA(2), the selector is Cert(0) and 275 the matching type is SHA2-256(1). The last field is the Certificate 276 Association Data Field, which in this case contains the SHA2-256 277 digest of the server certificate. 279 3. DANE TLS Requirements 281 [RFC6698] does not discuss what versions of TLS are required when 282 using DANE records. This document specifies that TLS clients that 283 support DANE/TLSA MUST support at least TLS 1.0 and SHOULD support 284 TLS 1.2. TLS clients and servers using DANE SHOULD support the 285 "Server Name Indication" (SNI) extension of TLS. 287 4. DANE Certificate-Usage Selection Guidelines 289 As mentioned in Section 2, the TLSA certificate usage field takes one 290 of four possible values. With PKIX-TA(0) and PKIX-EE(1), the 291 validation of peer certificate chains requires additional pre- 292 configured CA trust anchors that are mutually trusted by the 293 operators of the TLS server and client. With DANE-TA(2) and DANE- 294 EE(3), no pre-configured CA trust anchors are required and the 295 published DANE TLSA records are sufficient to verify the peer's 296 certificate chain. 298 Protocol designers should carefully consider which set of DANE 299 certificate usages to support. Simultaneous support for all four 300 usages is NOT RECOMMENDED for DANE clients. Protocol designers 301 should either use the PKIX-TA(0) and PKIX-EE(1) certificate usages, 302 or use the DANE-TA(2) and DANE-EE(3) usages. If all four usages are 303 deployed together, an attacker capable of compromising the integrity 304 of DNSSEC needs only to replace server's TLSA RRset with one that 305 lists suitable DANE-EE(3) or DANE-TA(2) records, effectively 306 bypassing the PKIX required checks.. In other words, when all four 307 usages are supported, PKIX-TA(2) and PKIX-EE(1) offer only illusory 308 incremental security. 310 This document recommends that clients should generally support just 311 the DANE-TA(2) and DANE-EE(3) certificate usages. With DANE-TA(2) 312 and DANE-EE(3) clients don't need to track a large changing list of 313 X.509 trust-anchors. Supporting PKIX-TA(0) or PKIX-EE(1) decreases 314 the operational reliability of DANE-based authentication. 316 The DNSSEC TLSA records for servers MAY include both sets of usages 317 if the server needs to support a mixture of clients; some supporting 318 one pair of usages and some the other. 320 4.1. Opportunistic Security and PKIX usages 322 When the client's protocol design is based on Opportunistic Security 323 (OS, [I-D.dukhovni-opportunistic-security]), and the use of 324 authentication is based on the presence of server TLSA records, it is 325 especially important to avoid the PKIX-EE(1) and PKIX-TA(0) 326 certificate usages. Since the presence and data integrity of TLSA 327 records relies on DNSSEC, PKIX-TA(0) and PKIX-EE(1) TLSA records do 328 not provide additional security. With the PKIX-TA(0) and PKIX-EE(1) 329 usages offering no more security, but being more prone to failure, 330 they are a poor fit for opportunistic security and SHOULD NOT be used 331 in that context. 333 4.2. Interaction with Certificate Transparency 334 Certificate Transparency (CT) [RFC6962] defines an experimental 335 approach to mitigate the risk of rogue or compromised public CAs 336 issuing unauthorized certificates. This section clarifies the 337 interaction of CT and DANE. 339 When a server is authenticated via a DANE TLSA RR with TLSA 340 Certificate Usage DANE-EE(3), the domain owner has directly specified 341 the certificate associated with the given service without reference 342 to any public certification authority. Therefore, when a TLS client 343 authenticates the TLS server via a TLSA record with usage DANE-EE(3), 344 CT checks SHOULD NOT be performed. Publication of the server 345 certificate or public key (digest) in a TLSA record in a DNSSEC 346 signed zone by the domain owner assures the TLS client that the 347 certificate is not an unauthorized certificate issued by a rogue CA 348 without the domain owner's consent. 350 When a server is authenticated via a DANE TLSA record with TLSA usage 351 DANE-TA(2) and the server certificate does not chain to a known 352 public root CA, CT cannot apply (CT logs only accept chains that 353 start with a known, public root). Since TLSA Certificate Usage DANE- 354 TA(2) is generally intended to support non-public trust anchors, TLS 355 clients SHOULD NOT perform CT checks with usage DANE-TA(2). 357 4.3. Transitioning between PKIX-TA/EE and DANE-TA/EE 359 The choice of preferred certificate usages may need to change as a 360 protocol evolves. When transitioning between PKIX-TA/PKIX-EE and 361 DANE-TA/DANE-EE, clients begin to enable support for the new 362 certificate usage values. If the new preferred certificate usages 363 are PKIX-TA/EE this requires installing and managing the appropriate 364 set of CA trust anchors. During this time servers will publish both 365 types of TLSA records. At some later time when the vast majority of 366 servers have published the new preferred TLSA records, clients can 367 stop supporting the legacy certificate usages. Similarly, servers 368 can stop publishing legacy TLSA records once the vast majority of 369 clients support the new certificate usages. 371 5. Certificate-Usage Specific DANE Updates and Guidelines 373 The four Certificate Usage values from the TLSA record, DANE-EE(3), 374 DANE-TA(2), PKIX-EE(1) and PKIX-TA(0), are discussed below. 376 5.1. Certificate Usage DANE-EE(3) 378 In this section the meaning of DANE-EE(3) is updated from [RFC6698] 379 to specify that peer identity matching and that validity interval 380 compliance is based solely on the TLSA RRset properties. We also 381 extend [RFC6698] to cover the use of DANE authentication of raw 382 public keys [I-D.ietf-tls-oob-pubkey] via TLSA records with 383 Certificate Usage DANE-EE(3) and selector SPKI(1). 385 Authentication via certificate usage DANE-EE(3) TLSA records involves 386 simply checking that the server's leaf certificate matches the TLSA 387 record. In particular, the binding of the server public key to its 388 name is based entirely on the TLSA record association. The server 389 MUST be considered authenticated even if none of the names in the 390 certificate match the client's reference identity for the server. 392 Similarly, with DANE-EE(3), the expiration date of the server 393 certificate MUST be ignored. The validity period of the TLSA record 394 key binding is determined by the validity interval of the TLSA record 395 DNSSEC signatures. 397 With DANE-EE(3) servers that know all the connecting clients are 398 making use of DANE, they need not employ SNI (i.e., the may ignore 399 the client's SNI message) even when the server is known under 400 multiple domain names that would otherwise require separate 401 certificates. It is instead sufficient for the TLSA RRsets for all 402 the domain names in question to match the server's primary 403 certificate. For application protocols where the server name is 404 obtained indirectly via SRV, MX or similar records, it is simplest to 405 publish a single hostname as the target server name for all the 406 hosted domains. 408 In organizations where it is practical to make coordinated changes in 409 DNS TLSA records before server key rotation, it is generally best to 410 publish end-entity DANE-EE(3) certificate associations in preference 411 to other choices of certificate usage. DANE-EE(3) TLSA records 412 support multiple server names without SNI, don't suddenly stop 413 working when leaf or intermediate certificates expire, and don't fail 414 when a server operator neglects to include all the required issuer 415 certificates in the server certificate chain. 417 TLSA records published for DANE servers SHOULD, as a best practice, 418 be "DANE-EE(3) SPKI(1) SHA2-256(1)" records. Since all DANE 419 implementations are required to support SHA2-256, this record type 420 works for all clients and need not change across certificate renewals 421 with the same key. This TLSA record type easily supports hosting 422 arrangements with a single certificate matching all hosted domains. 423 It is also the easiest to implement correctly in the client. 425 Another advantage of "DANE-EE(3) SPKI(1)" (with any suitable matching 426 type) TLSA records is that they are compatible with the raw public 427 key TLS extension specified in [I-D.ietf-tls-oob-pubkey]. DANE 428 clients that support this extension can use the TLSA record to 429 authenticate servers that negotiate the use of raw public keys in 430 place of X.509 certificate chains. Provided the server adheres to 431 the requirements of Section 8, the fact that raw public keys are not 432 compatible with any other TLSA record types will not get in the way 433 of successful authentication. Clients that employ DANE to 434 authenticate the peer server SHOULD NOT negotiate the use of raw 435 public keys unless the server's TLSA RRset includes compatible TLSA 436 records. 438 While it is, in principle, also possible to authenticate raw public 439 keys via "DANE-EE(3) Cert(0) Full(0)" records by extracting the 440 public key from the certificate in DNS, this is in conflict with the 441 indicated selector and requires extra logic on clients that not all 442 implementations are expected to provide. Servers SHOULD NOT rely on 443 "DANE-EE(3) Cert(0) Full(0)" TLSA records to publish authentication 444 data for raw public keys. 446 5.2. Certificate Usage DANE-TA(2) 448 This section updates [RFC6698] by specifying a new operational 449 requirement for servers publishing TLSA records with a usage of DANE- 450 TA(2): such servers MUST include the trust-anchor certificate in 451 their TLS server certificate message. 453 Some domains may prefer to avoid the operational complexity of 454 publishing unique TLSA RRs for each TLS service. If the domain 455 employs a common issuing Certification Authority to create 456 certificates for multiple TLS services, it may be simpler to publish 457 the issuing authority as a trust anchor (TA) for the certificate 458 chains of all relevant services. The TLSA query domain (TLSA base 459 domain with port and protocol prefix labels) for each service issued 460 by the same TA may then be set to a CNAME alias that points to a 461 common TLSA RRset that matches the TA. For example: 463 www1.example.com. IN A 192.0.2.1 464 www2.example.com. IN A 192.0.2.2 465 _443._tcp.www1.example.com. IN CNAME tlsa201._dane.example.com. 466 _443._tcp.www2.example.com. IN CNAME tlsa201._dane.example.com. 467 tlsa201._dane.example.com. IN TLSA 2 0 1 e3b0c44298fc1c14... 469 With usage DANE-TA(2) the server certificates will need to have names 470 that match one of the client's reference identifiers (see [RFC6125]). 471 The server SHOULD employ SNI to select the appropriate certificate to 472 present to the client. 474 5.2.1. Recommended record combinations 476 TLSA records with matching type Full(0) are NOT RECOMMENDED. While 477 these potentially obviate the need to transmit the TA certificate in 478 the TLS server certificate message, client implementations may not be 479 able to augment the server certificate chain with the data obtained 480 from DNS, especially when the TLSA record supplies a bare key 481 (selector SPKI(1)). Since the server will need to transmit the TA 482 certificate in any case, server operators SHOULD publish TLSA records 483 with a matching type other than Full(0) and avoid potential DNS 484 interoperability issues with large TLSA records containing full 485 certificates or keys (see Section 10.1.1). 487 TLSA Publishers employing DANE-TA(2) records SHOULD publish records 488 with a selector of Cert(0). Such TLSA records are associated with 489 the whole trust anchor certificate, not just with the trust anchor 490 public key. In particular, the client SHOULD then apply any relevant 491 constraints from the trust anchor certificate, such as, for example, 492 path length constraints. 494 While a selector of SPKI(1) may also be employed, the resulting TLSA 495 record will not specify the full trust anchor certificate content, 496 and elements of the trust anchor certificate other than the public 497 key become mutable. This may, for example, enable a subsidiary CA to 498 issue a chain that violates the trust anchor's path length or name 499 constraints. 501 5.2.2. Trust anchor digests and server certificate chain 503 With DANE-TA(2) (these TLSA records are expected to match the digest 504 of a TA certificate or public key), a complication arises when the TA 505 certificate is omitted from the server's certificate chain, perhaps 506 on the basis of Section 7.4.2 of [RFC5246]: 508 The sender's certificate MUST come first in the list. Each 509 following certificate MUST directly certify the one preceding 510 it. Because certificate validation requires that root keys be 511 distributed independently, the self-signed certificate that 512 specifies the root certification authority MAY be omitted from 513 the chain, under the assumption that the remote end must 514 already possess it in order to validate it in any case. 516 With TLSA Certificate Usage DANE-TA(2), there is no expectation that 517 the client is pre-configured with the trust anchor certificate. In 518 fact, client implementations are free to ignore all locally 519 configured trust anchors when processing usage DANE-TA(2) TLSA 520 records and may rely exclusively on the certificates provided in the 521 server's certificate chain. But, with a digest in the TLSA record, 522 the TLSA record contains neither the full trust anchor certificate 523 nor the full public key. If the TLS server's certificate chain does 524 not contain the trust anchor certificate, DANE clients will be unable 525 to authenticate the server. 527 TLSA Publishers that publish TLSA Certificate Usage DANE-TA(2) 528 associations with a selector of SPKI(1) or using a digest-based 529 matching type (not Full(0)) MUST ensure that the corresponding server 530 is configured to also include the trust anchor certificate in its TLS 531 handshake certificate chain, even if that certificate is a self- 532 signed root CA and would have been optional in the context of the 533 existing public CA PKI. 535 5.2.3. Trust anchor public keys 537 TLSA records with TLSA Certificate Usage DANE-TA(2), selector SPKI(1) 538 and a matching type of Full(0) will publish the full public key of a 539 trust anchor via DNS. In section 6.1.1 of [RFC5280] the definition 540 of a trust anchor consists of the following four parts: 542 1. the trusted issuer name, 544 2. the trusted public key algorithm, 546 3. the trusted public key, and 548 4. optionally, the trusted public key parameters associated with the 549 public key. 551 Items 2-4 are precisely the contents of the subjectPublicKeyInfo 552 published in the TLSA record. The issuer name is not included in the 553 subjectPublicKeyInfo. 555 With TLSA Certificate Usage DANE-TA(2), the client may not have the 556 associated trust anchor certificate, and cannot generally verify 557 whether a particular certificate chain is "issued by" the trust 558 anchor described in the TLSA record. 560 When the server certificate chain includes a CA certificate whose 561 public key matches the TLSA record, the client can match that CA as 562 the intended issuer. Otherwise, the client can only check that the 563 topmost certificate in the server's chain is "signed by" the trust 564 anchor's public key in the TLSA record. Such a check may be 565 difficult to implement, and cannot be expected to be supported by all 566 clients. 568 Thus, servers should not rely on "DANE-TA(2) SPKI(1) Full(0)" TLSA 569 records to be sufficient to authenticate chains issued by the 570 associated public key in the absence of a corresponding certificate 571 in the server's TLS certificate message. Servers SHOULD include the 572 TA certificate in their certificate chain. 574 If none of the server's certificate chain elements match a public key 575 specified in a TLSA record, and at least one "DANE-TA(2) SPKI(1) 576 Full(0)" TLSA record is available, clients are encouraged to check 577 whether the topmost certificate in the chain is signed by the 578 provided public key and has not expired, and in that case consider 579 the server authenticated, provided the rest of the chain passes 580 validation including leaf certificate name checks. 582 5.3. Certificate Usage PKIX-EE(1) 584 This Certificate Usage is similar to DANE-EE(3), but in addition PKIX 585 verification is required. Therefore, name checks, certificate 586 expiration, etc., apply as they would without DANE. 588 5.4. Certificate Usage PKIX-TA(0) 590 This section updates [RFC6698] by specifying new client 591 implementation requirements. Clients that trust intermediate 592 certificates MUST be prepared to construct longer PKIX chains than 593 would be required for PKIX alone. 595 TLSA Certificate Usage PKIX-TA(0) allows a domain to publish 596 constraints on the set of PKIX certification authorities trusted to 597 issue certificates for its TLS servers. This TLSA record matches 598 PKIX-verified trust chains which contain an issuer certificate (root 599 or intermediate) that matches its association data field (typically a 600 certificate or digest). 602 PKIX-TA(0) also requires more complex coordination between the 603 Customer Domain and the Service Provider in hosting arrangements. 604 Thus, this certificate usage is NOT RECOMMENDED when the Service 605 Provider is not also the TLSA Publisher. 607 TLSA Publishers who publish TLSA records for a particular public root 608 CA, will expect that clients will only accept chains anchored at that 609 root. It is possible, however, that the client's trusted certificate 610 store includes some intermediate CAs, either with or without the 611 corresponding root CA. When a client constructs a trust chain 612 leading from a trusted intermediate CA to the server leaf 613 certificate, such a "truncated" chain might not contain the trusted 614 root published in the server's TLSA record. 616 If the omitted root is also trusted, the client may erroneously 617 reject the server chain if it fails to determine that the shorter 618 chain it constructed extends to a longer trusted chain that matches 619 the TLSA record. Thus, when matching a usage PKIX-TA(0) TLSA record, 620 a client SHOULD NOT always stop extending the chain when the first 621 locally trusted certificate is found. If no TLSA records have 622 matched any of the elements of the chain, and the trusted certificate 623 found is not self-issued, the client MUST attempt to build a longer 624 chain in the hope that a certificate closer to the root may in fact 625 match the server's TLSA record. 627 6. Service Provider and TLSA Publisher Synchronization 629 Complications arise when the TLSA Publisher is not the same entity as 630 the Service Provider. In this situation, the TLSA Publisher and the 631 Service Provider must cooperate to ensure that TLSA records published 632 by the TLSA Publisher don't fall out of sync with the server 633 certificate used by the Service Provider. 635 Whenever possible, the TLSA Publisher and the Service Provider should 636 be the same entity. Otherwise, changes in the service certificate 637 chain must be carefully coordinated between the parties involved. 638 Such coordination is difficult and service outages will result when 639 coordination fails. 641 Having the master TLSA record in the Service Provider's zone avoids 642 the complexity of bilateral coordination of server certificate 643 configuration and TLSA record management. Even when the TLSA RRset 644 must be published in the Customer Domain's DNS zone (perhaps the 645 client application does not "chase" CNAMEs to the TLSA base domain), 646 it is possible to employ CNAME records to delegate the content of the 647 TLSA RRset to a domain operated by the Service Provider. Certificate 648 name checks generally constrain the applicability of TLSA CNAMEs 649 across organizational boundaries to Certificate Usages DANE-EE(3) and 650 DANE-TA(2): 652 Certificate Usage DANE-EE(3): In this case the Service Provider can 653 publish a single TLSA RRset that matches the server certificate or 654 public key digest. The same RRset works for all Customer Domains 655 because name checks do not apply with DANE-EE(3) TLSA records (see 656 Section 5.1). A Customer Domain can create a CNAME record 657 pointing to the TLSA RRset published by the Service Provider. 659 Certificate Usage DANE-TA(2): When the Service Provider operates a 660 private certification authority, the Service Provider is free to 661 issue a certificate bearing any customer's domain name. Without 662 DANE, such a certificate would not pass trust verification, but 663 with DANE, the customer's TLSA RRset that is aliased to the 664 provider's TLSA RRset can delegate authority to the provider's CA 665 for the corresponding service. The Service Provider can generate 666 appropriate certificates for each customer and use the SNI 667 information provided by clients to select the right certificate 668 chain to present to each client. 670 Below are example DNS records (assumed "secure" and shown without the 671 associated DNSSEC information, such as record signatures) that 672 illustrate both of of the above models in the case of an HTTPS 673 service whose clients all support DANE TLS. These examples work even 674 with clients that don't "chase" CNAMEs when constructing the TLSA 675 base domain (see Section 7 below). 677 ; The hosted web service is redirected via a CNAME alias. 678 ; The associated TLSA RRset is also redirected via a CNAME alias. 679 ; 680 ; A single certificate at the provider works for all Customer 681 ; Domains due to the use of the DANE-EE(3) Certificate Usage. 682 ; 683 www1.example.com. IN CNAME w1.example.net. 684 _443._tcp.www1.example.com. IN CNAME _443._tcp.w1.example.net. 685 _443._tcp.w1.example.net. IN TLSA DANE-EE SPKI SHA2-256 ( 686 8A9A70596E869BED72C69D97A8895DFA 687 D86F300A343FECEFF19E89C27C896BC9 ) 689 ; 690 ; A CA at the provider can also issue certificates for each Customer 691 ; Domain, and use the DANE-TA(2) Certificate Usage type to 692 ; indicate a trust anchor. 693 ; 694 www2.example.com. IN CNAME w2.example.net. 695 _443._tcp.www2.example.com. IN CNAME _443._tcp.w2.example.net. 696 _443._tcp.w2.example.net. IN TLSA DANE-TA Cert SHA2-256 ( 697 C164B2C3F36D068D42A6138E446152F5 698 68615F28C69BD96A73E354CAC88ED00C ) 700 With protocols that support explicit transport redirection via DNS MX 701 records, SRV records, or other similar records, the TLSA base domain 702 is based on the redirected transport end-point, rather than the 703 origin domain. With SMTP, for example, when an email service is 704 hosted by a Service Provider, the Customer Domain's MX hostnames will 705 point at the Service Provider's SMTP hosts. When the Customer 706 Domain's DNS zone is signed, the MX hostnames can be securely used as 707 the base domains for TLSA records that are published and managed by 708 the Service Provider. For example (without the required DNSSEC 709 information, such as record signatures): 711 ; Hosted SMTP service 712 ; 713 example.com. IN MX 0 mx1.example.net. 714 example.com. IN MX 0 mx2.example.net. 715 _25._tcp.mx1.example.net. IN TLSA DANE-EE SPKI SHA2-256 ( 716 8A9A70596E869BED72C69D97A8895DFA 717 D86F300A343FECEFF19E89C27C896BC9 ) 718 _25._tcp.mx2.example.net. IN TLSA DANE-EE SPKI SHA2-256 ( 719 C164B2C3F36D068D42A6138E446152F5 720 68615F28C69BD96A73E354CAC88ED00C ) 722 If redirection to the Service Provider's domain (via MX or SRV 723 records or any similar mechanism) is not possible, and aliasing of 724 the TLSA record is not an option, then more complex coordination 725 between the Customer Domain and Service Provider will be required. 726 Either the Customer Domain periodically provides private keys and a 727 corresponding certificate chain to the Provider (after making 728 appropriate changes in its TLSA records), or the Service Provider 729 periodically generates the keys and certificates and must wait for 730 matching TLSA records to be published by its Customer Domains before 731 deploying newly generated keys and certificate chains. In Section 7 732 below, we describe an approach that employs CNAME "chasing" to avoid 733 the difficulties of coordinating key management across organization 734 boundaries. 736 For further information about combining DANE and SRV, please see 737 [I-D.ietf-dane-srv]. 739 7. TLSA Base Domain and CNAMEs 741 When the application protocol does not support service location 742 indirection via MX, SRV or similar DNS records, the service may be 743 redirected via a CNAME. A CNAME is a more blunt instrument for this 744 purpose, since unlike an MX or SRV record, it remaps the entire 745 origin domain to the target domain for all protocols. 747 The complexity of coordinating key management is largely eliminated 748 when DANE TLSA records are found in the Service Provider's domain, as 749 discussed in Section 6. Therefore, DANE TLS clients connecting to a 750 server whose domain name is a CNAME alias SHOULD follow the CNAME 751 hop-by-hop to its ultimate target host (noting at each step whether 752 the CNAME is DNSSEC-validated). If at each stage of CNAME expansion 753 the DNSSEC validation status is "secure", the final target name 754 SHOULD be the preferred base domain for TLSA lookups. 756 Implementations failing to find a TLSA record using a base name of 757 the final target of a CNAME expansion SHOULD issue a TLSA query using 758 the original destination name. That is, the preferred TLSA base 759 domain should be derived from the fully expanded name, and failing 760 that should be the initial domain name. 762 When the TLSA base domain is the result of "secure" CNAME expansion, 763 the resulting domain name MUST be used as the HostName in SNI, and 764 MUST be the primary reference identifier for peer certificate 765 matching with certificate usages other than DANE-EE(3). 767 Protocol-specific TLSA specifications may provide additional guidance 768 or restrictions when following CNAME expansions. 770 Though CNAMEs are illegal on the right hand side of most indirection 771 records, such as MX and SRV records, they are supported by some 772 implementations. For example, if the MX or SRV host is a CNAME 773 alias, some implementations may "chase" the CNAME. If they do, they 774 SHOULD use the target hostname as the preferred TLSA base domain as 775 described above (and if the TLSA records are found there, use the 776 CNAME expanded domain also in SNI and certificate name checks). 778 8. TLSA Publisher Requirements 780 This section updates [RFC6698] by specifying a requirement on the 781 TLSA Publisher to ensure that each combination of Certificate Usage, 782 selector and matching type in the server's TLSA RRset MUST include at 783 least one record that matches the server's current certificate chain. 784 TLSA records that match recently retired or yet to be deployed 785 certificate chains will be present during key rollover. Such past or 786 future records must never be the only records published for any given 787 combination of usage, selector and matching type. We describe a TLSA 788 record update algorithm that ensures this requirement is met. 790 While a server is to be considered authenticated when its certificate 791 chain is matched by any of the published TLSA records, not all 792 clients support all combinations of TLSA record parameters. Some 793 clients may not support some digest algorithms, others may either not 794 support, or may exclusively support, the PKIX Certificate Usages. 795 Some clients may prefer to negotiate [I-D.ietf-tls-oob-pubkey] raw 796 public keys, which are only compatible with TLSA records whose 797 Certificate Usage is DANE-EE(3) with selector SPKI(1). 799 A consequence of the above uncertainty as to which TLSA parameters 800 are supported by any given client is that servers need to ensure that 801 each and every parameter combination that appears in the TLSA RRset 802 is, on its own, sufficient to match the server's current certificate 803 chain. In particular, when deploying new keys or new parameter 804 combinations some care is required to not generate parameter 805 combinations that only match past or future certificate chains (or 806 raw public keys). The rest of this section explains how to update 807 the TLSA RRset in a manner that ensures the above requirement is met. 809 8.1. Key rollover with fixed TLSA Parameters 811 The simplest case is key rollover while retaining the same set of 812 published parameter combinations. In this case, TLSA records 813 matching the existing server certificate chain (or raw public keys) 814 are first augmented with corresponding records matching the future 815 keys, at least two TTLs or longer before the the new chain is 816 deployed. This allows the obsolete RRset to age out of client caches 817 before the new chain is used in TLS handshakes. Once sufficient time 818 has elapsed and all clients performing DNS lookups are retrieving the 819 updated TLSA records, the server administrator may deploy the new 820 certificate chain, verify that it works, and then remove any obsolete 821 records matching the no longer active chain: 823 ; The initial TLSA RRset 824 ; 825 _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46... 827 ; The transitional TLSA RRset published at least 2*TTL seconds 828 ; before the actual key change 829 ; 830 _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46... 831 _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b... 833 ; The final TLSA RRset after the key change 834 ; 835 _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b... 837 The next case to consider is adding or switching to a new combination 838 of TLSA parameters. In this case publish the new parameter 839 combinations for the server's existing certificate chain first, and 840 only then deploy new keys if desired: 842 ; Initial TLSA RRset 843 ; 844 _443._tcp.www.example.org. IN TLSA 1 1 1 01d09d19c2139a46... 846 ; New TLSA RRset, same key re-published as DANE-EE(3) 847 ; 848 _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46... 850 8.2. Switching to DANE-TA from DANE-EE 852 A more complex involves switching to a trust-anchor or PKIX usage 853 from a chain that is either self-signed, or issued by a private CA 854 and thus not compatible with PKIX. Here the process is to first add 855 TLSA records matching the future chain that is issued by the desired 856 future CA (private or PKIX), but initially with the same parameters 857 as the legacy chain. Then, after deploying the new keys, switch to 858 the new TLSA parameter combination. 860 ; The initial TLSA RRset 861 ; 862 _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46... 864 ; A transitional TLSA RRset, published at least 2*TTL before the 865 ; actual key change. The new keys are issued by a DANE-TA(2) CA, 866 ; but for now specified via a DANE-EE(3) association. 867 ; 868 _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46... 869 _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b... 871 ; The final TLSA RRset after the key change. Now that the old 872 ; self-signed EE keys are not an impediment, specify the issuing 873 ; TA of the new keys. 874 ; 875 _443._tcp.www.example.org. IN TLSA 2 0 1 c57bce38455d9e3d... 877 8.3. Switching to New TLSA Parameters 879 When employing a new digest algorithm in the TLSA RRset, for 880 compatibility with digest agility specified in Section 9 below, 881 administrators should publish the new digest algorithm with each 882 combinations of Certificate Usage and selector for each associated 883 key or chain used with any other digest algorithm. When removing an 884 algorithm, remove it entirely. Each digest algorithm employed should 885 match the same set of chains (or raw public keys). 887 ; The initial TLSA RRset with EE SHA2-256 associations for two keys. 888 ; 889 _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46... 890 _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b... 892 ; The new TLSA RRset also with SHA2-512 associations for each key 893 ; 894 _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46... 895 _443._tcp.www.example.org. IN TLSA 3 1 2 d9947c35089310bc... 896 _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b... 897 _443._tcp.www.example.org. IN TLSA 3 1 2 89a7486a4b6ae714... 899 8.4. TLSA Publisher Requirements Summary 901 In summary, server operators updating TLSA records should make one 902 change at a time. The individual safe changes are: 904 o Pre-publish new certificate associations that employ the same TLSA 905 parameters (usage, selector and matching type) as existing TLSA 906 records, but match certificate chains that will be deployed in the 907 near future. Wait for stale TLSA RRsets to expire from DNS caches 908 before configuring servers to use the new certificate chain. 910 o Remove TLSA records matching no longer deployed certificate 911 chains. 913 o Extend the TLSA RRset with a new combination of parameters (usage, 914 selector and matching type) that is used to generate matching 915 associations for all certificate chains that are published with 916 some other parameter combination. 918 The above steps are intended to ensure that at all times and for each 919 combination of usage, selector and matching type at least one TLSA 920 record corresponds to the server's current certificate chain. No 921 combination of Certificate Usage, selector and matching type in a 922 server's TLSA RRset should ever match only some combination of future 923 or past certificate chains. As a result, no matter what combinations 924 of usage, selector and matching type may be supported by a given 925 client, they will be sufficient to authenticate the server. 927 9. Digest Algorithm Agility 928 While [RFC6698] specifies multiple digest algorithms, it does not 929 specify a protocol by which the TLS client and TLSA record publisher 930 can agree on the strongest shared algorithm. Such a protocol would 931 allow the client and server to avoid exposure to any deprecated 932 weaker algorithms that are published for compatibility with less 933 capable clients, but should be ignored when possible. We specify 934 such a protocol below. 936 Suppose that a DANE TLS client authenticating a TLS server considers 937 digest algorithm "BetterAlg" stronger than digest algorithm 938 "WorseAlg". Suppose further that a server's TLSA RRset contains some 939 records with "BetterAlg" as the digest algorithm. Suppose also that 940 the server adheres to the requirements of Section 8 and ensures that 941 each combination of TLSA parameters contains at least one record that 942 matches the server's current certificate chain (or raw public keys). 943 Under the above assumptions the client can safely ignore TLSA records 944 with the weaker algorithm "WorseAlg", because it suffices to only 945 check the records with the stronger algorithm "BetterAlg". 947 To make digest algorithm agility possible, all published TLSA RRsets 948 for use with DANE TLS MUST conform to the requirements of Section 8. 949 With servers publishing compliant TLSA RRsets, TLS clients can, for 950 each combination of usage and selector, ignore all digest records 951 except those that employ their notion of the strongest digest 952 algorithm. (The server should only publish algorithms it deems 953 acceptable at all.) The ordering of digest algorithms by strength is 954 not specified in advance; it is entirely up to the TLS client. TLS 955 client implementations SHOULD make the digest algorithm preference 956 ordering a configurable option. 958 Note, TLSA records with a matching type of Full(0) that publish an 959 entire certificate or public key object play no role in digest 960 algorithm agility. They neither trump the processing of records that 961 employ digests, nor are they ignored in the presence of any records 962 with a digest (i.e. non-zero) matching type. 964 TLS clients SHOULD use digest algorithm agility when processing the 965 DANE TLSA records of an TLS server. Algorithm agility is to be 966 applied after first discarding any unusable or malformed records 967 (unsupported digest algorithm, or incorrect digest length). Thus, 968 for each usage and selector, the client SHOULD process only any 969 usable records with a matching type of Full(0) and the usable records 970 whose digest algorithm is considered by the client to be the 971 strongest among usable records with the given usage and selector. 973 10. General DANE Guidelines 974 These guidelines provide guidance for using or designing protocols 975 for DANE. 977 10.1. DANE DNS Record Size Guidelines 979 Selecting a combination of TLSA parameters to use requires careful 980 thought. One important consideration to take into account is the 981 size of the resulting TLSA record after its parameters are selected. 983 10.1.1. UDP and TCP Considerations 985 Deployments SHOULD avoid TLSA record sizes that cause UDP 986 fragmentation. 988 Although DNS over TCP would provide the ability to more easily 989 transfer larger DNS records between clients and servers, it is not 990 universally deployed and is still prohibited by some firewalls. 991 Clients that request DNS records via UDP typically only use TCP upon 992 receipt of a truncated response in the DNS response message sent over 993 UDP. Setting the TC bit alone will be insufficient if the response 994 containing the TC bit is itself fragmented. 996 10.1.2. Packet Size Considerations for TLSA Parameters 998 Server operators SHOULD NOT publish TLSA records using both a TLSA 999 Selector of Cert(0) and a TLSA Matching Type of Full(0), as even a 1000 single certificate is generally too large to be reliably delivered 1001 via DNS over UDP. Furthermore, two TLSA records containing full 1002 certificates will need to be published simultaneously during a 1003 certificate rollover, as discussed in Section 8.1. 1005 While TLSA records using a TLSA Selector of SPKI(1) and a TLSA 1006 Matching Type of Full(0) (which publish the bare public keys without 1007 the overhead of a containing X.509 certificate) are generally more 1008 compact, these too should be used with caution as they are still 1009 larger than necessary. Rather, servers SHOULD publish digest-based 1010 TLSA Matching Types in their TLSA records. The complete 1011 corresponding certificate should, instead, be transmitted to the 1012 client in-band during the TLS handshake, which can be easily verified 1013 using the digest value. 1015 In summary, the use of a TLSA Matching Type of Full(0) is NOT 1016 RECOMMENDED and the use of a digest-based matching type, such as 1017 SHA2-256(1) SHOULD be used. 1019 10.2. Certificate Name Check Conventions 1020 Certificates presented by a TLS server will generally contain a 1021 subjectAltName (SAN) extension or a Common Name (CN) element within 1022 the subject distinguished name (DN). The TLS server's DNS domain 1023 name is normally published within these elements, ideally within the 1024 subjectAltName extension. (The use of the CN field for this purpose 1025 is deprecated.) 1027 When a server hosts multiple domains at the same transport endpoint, 1028 the server's ability to respond with the right certificate chain is 1029 predicated on correct SNI information from the client. DANE clients 1030 MUST send the SNI extension with a HostName value of the base domain 1031 of the TLSA RRset. 1033 Except with TLSA Certificate Usage DANE-EE(3), where name checks are 1034 not applicable (see Section 5.1), DANE clients MUST verify that the 1035 client has reached the correct server by checking that the server 1036 name is listed in the server certificate's SAN or CN. The server 1037 name used for this comparison SHOULD be the base domain of the TLSA 1038 RRset. Additional acceptable names may be specified by protocol- 1039 specific DANE standards. For example, with SMTP both the destination 1040 domain name and the MX host name are acceptable names to be found in 1041 the server certificate (see [I-D.ietf-dane-smtp-with-dane]). 1043 It is the responsibility of the service operator, in coordination 1044 with the TLSA Publisher, to ensure that at least one of the TLSA 1045 records published for the service will match the server's certificate 1046 chain (either the default chain or the certificate that was selected 1047 based on the SNI information provided by the client). 1049 Given the DNSSEC validated DNS records below: 1051 example.com. IN MX 0 mail.example.com. 1052 mail.example.com. IN A 192.0.2.1 1053 _25._tcp.mail.example.com. IN TLSA DANE-TA Cert SHA2-256 ( 1054 E8B54E0B4BAA815B06D3462D65FBC7C0 1055 CF556ECCF9F5303EBFBB77D022F834C0 ) 1057 The TLSA base domain is "mail.example.com" and is required to be the 1058 HostName in the client's SNI extension. The server certificate chain 1059 is required to be be signed by a trust anchor with the above 1060 certificate SHA2-256 digest. Finally, one of the DNS names in the 1061 server certificate is required to be be either "mail.example.com" or 1062 "example.com" (this additional name is a concession to compatibility 1063 with prior practice, see [I-D.ietf-dane-smtp-with-dane] for details). 1065 The semantics of wildcards in server certificates are left to 1066 individual application protocol specifications. 1068 10.3. Design Considerations for Protocols Using DANE 1070 When a TLS client goes to the trouble of authenticating a certificate 1071 chain presented by a TLS server, it will typically not continue to 1072 use that server in the event of authentication failure, or else 1073 authentication serves no purpose. Some clients may, at times, 1074 operate in an "audit" mode, where authentication failure is reported 1075 to the user or in logs as a potential problem, but the connection 1076 proceeds despite the failure. Nevertheless servers publishing TLSA 1077 records MUST be configured to allow correctly configured clients to 1078 successfully authenticate their TLS certificate chains. 1080 A service with DNSSEC-validated TLSA records implicitly promises TLS 1081 support. When all the TLSA records for a service are found 1082 "unusable", due to unsupported parameter combinations or malformed 1083 associated data, DANE clients cannot authenticate the service 1084 certificate chain. When authenticated TLS is dictated by the 1085 application, the client SHOULD NOT connect to the associated server. 1086 If, on the other hand, the use of TLS is "opportunistic", then the 1087 client SHOULD generally use the server via an unauthenticated TLS 1088 connection, but if TLS encryption cannot be established, the client 1089 MUST NOT use the server. Standards for DANE specific to the 1090 particular application protocol may modify the above requirements, as 1091 appropriate, to specify whether the connection should be established 1092 anyway without relying on TLS security, with only encryption but not 1093 authentication, or whether to refuse to connect entirely. 1094 Application protocols need to specify when to prioritize security 1095 over the ability to connect under adverse conditions. 1097 11. Note on DNSSEC Security 1099 Clearly the security of the DANE TLSA PKI rests on the security of 1100 the underlying DNSSEC infrastructure. While this memo is not a guide 1101 to DNSSEC security, a few comments may be helpful to TLSA 1102 implementers. 1104 With the existing public CA PKI, name constraints are rarely used, 1105 and a public root CA can issue certificates for any domain of its 1106 choice. With DNSSEC, under the Registry/Registrar/Registrant model, 1107 the situation is different: only the registrar of record can update a 1108 domain's DS record in the registry parent zone (in some cases, 1109 however, the registry is the sole registrar). With many gTLDs, for 1110 which multiple registrars compete to provide domains in a single 1111 registry, it is important to make sure that rogue registrars cannot 1112 easily initiate an unauthorized domain transfer, and thus take over 1113 DNSSEC for the domain. DNS Operators SHOULD use a registrar lock of 1114 their domains to offer some protection against this possibility. 1116 When the registrar is also the DNS operator for the domain, one needs 1117 to consider whether the registrar will allow orderly migration of the 1118 domain to another registrar or DNS operator in a way that will 1119 maintain DNSSEC integrity. TLSA Publishers SHOULD ensure their 1120 registrar publishes a suitable domain transfer policy. 1122 DNSSEC signed RRsets cannot be securely revoked before they expire. 1123 Operators should plan accordingly and not generate signatures with 1124 excessively long duration periods. For domains publishing high-value 1125 keys, a signature lifetime of a few days is reasonable, and the zone 1126 should be resigned daily. For domains with less critical data, a 1127 reasonable signature lifetime is a couple of weeks to a month, and 1128 the zone should be resigned weekly. Monitoring of the signature 1129 lifetime is important. If the zone is not resigned in a timely 1130 manner, one risks a major outage and the entire domain will become 1131 bogus. 1133 12. Summary of Updates to RFC6698 1135 Authors note: is this section needed? Or is it sufficiently clear 1136 above that we don't need to restate things here? 1138 o In Section 3 we update [RFC6698] to specify a requirement for 1139 clients to support at least TLS 1.0, and to support SNI. 1141 o In Section 5.1 we update [RFC6698] to specify peer identity 1142 matching and certificate validity interval based solely on the 1143 basis of the TLSA RRset. We also specify DANE authentication of 1144 raw public keys [I-D.ietf-tls-oob-pubkey] via TLSA records with 1145 Certificate Usage DANE-EE(3) and selector SPKI(1). 1147 o In Section 5.2 we update [RFC6698] to require that servers 1148 publishing digest TLSA records with a usage of DANE-TA(2) MUST 1149 include the trust-anchor certificate in their TLS server 1150 certificate message. This extends to the case of "2 1 0" TLSA 1151 records which publish a full public key. 1153 o In Section 5.3 and Section 5.4, we explain that PKIX-EE(1) and 1154 PKIX-TA(0) are generally NOT RECOMMENDED. With usage PKIX-TA(0) 1155 we note that clients may need to processes extended trust chains 1156 beyond the first trusted issuer, when that issuer is not self- 1157 signed. 1159 o In Section 7, we recommend that DANE application protocols specify 1160 that when possible securely CNAME expanded names be used to derive 1161 the TLSA base domain. 1163 o In Section 8, we specify a strategy for managing TLSA records that 1164 interoperates with DANE clients regardless of what subset of the 1165 possible TLSA record types (combinations of TLSA parameters) is 1166 supported by the client. 1168 o In Section 9, we propose a digest algorithm agility protocol. 1169 [Note: This section does not yet represent the rough consensus of 1170 the DANE working group and requires further discussion. Perhaps 1171 this belongs in a separate document.] 1173 o In Section 10.1 we recommend against the use of Full(0) TLSA 1174 records, as digest records are generally much more compact. 1176 13. Operational Considerations 1178 The DNS time-to-live (TTL) of TLSA records needs to be chosen with 1179 care. When an unplanned change in the server's certificate chain and 1180 TLSA RRset is required, such as when keys are compromised or lost, 1181 clients that cache stale TLSA records will fail to validate the 1182 certificate chain of the updated server. TLSA RRsets should have 1183 TTLs that are short enough to limit unplanned service disruption to 1184 an acceptable duration. For example, TLSA records for SMTP servers 1185 with a TTL of approximately an hour are likely sufficiently short. 1186 For interactive HTTP services, TLSA record TTLs of approximately 5 1187 minutes may be more appropriate. 1189 The signature validity time for TLSA records should also not be too 1190 long. Signed DNSSEC records can be replayed by an MiTM attacker 1191 provided the signatures have not yet expired. Shorter signature 1192 validity intervals allow for faster invalidation of compromised keys. 1194 14. Security Considerations 1196 Application protocols that cannot make use of the existing public CA 1197 PKI (so called non-PKIX protocols), may choose not to implement 1198 certain PKIX-dependent TLSA record types defined in [RFC6698]. If 1199 such records are published despite not being supported by the 1200 application protocol, they are treated as "unusable". When TLS is 1201 opportunistic, the client may proceed to use the server with 1202 mandatory unauthenticated TLS. This is stronger than opportunistic 1203 TLS without DANE, since in that case the client may also proceed with 1204 a plaintext connection. When TLS is not opportunistic, the client 1205 MUST NOT connect to the server. 1207 Therefore, when TLSA records are used with protocols where PKIX does 1208 not apply, the recommended policy is for servers to not publish PKIX- 1209 dependent TLSA records, and for opportunistic TLS clients to use them 1210 to enforce the use of (albeit unauthenticated) TLS, but otherwise 1211 treat them as unusable. Of course, when PKIX validation is supported 1212 by the application protocol, clients SHOULD perform PKIX validation 1213 per [RFC6698]. 1215 15. IANA Considerations 1217 This specification requires no support from IANA. 1219 16. Acknowledgements 1221 The authors would like to thank Phil Pennock for his comments and 1222 advice on this document. 1224 Acknowledgments from Viktor: Thanks to Tony Finch who finally prodded 1225 me into participating in DANE working group discussions. Thanks to 1226 Paul Hoffman who motivated me to produce this memo and provided 1227 feedback on early drafts. Thanks also to Samuel Dukhovni for 1228 editorial assistance. 1230 17. References 1232 17.1. Normative References 1234 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1235 Requirement Levels", BCP 14, RFC 2119, March 1997. 1237 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1238 Rose, "DNS Security Introduction and Requirements", RFC 1239 4033, March 2005. 1241 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1242 Rose, "Resource Records for the DNS Security Extensions", 1243 RFC 4034, March 2005. 1245 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1246 Rose, "Protocol Modifications for the DNS Security 1247 Extensions", RFC 4035, March 2005. 1249 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 1250 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 1252 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 1253 Housley, R., and W. Polk, "Internet X.509 Public Key 1254 Infrastructure Certificate and Certificate Revocation List 1255 (CRL) Profile", RFC 5280, May 2008. 1257 [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: 1258 Extension Definitions", RFC 6066, January 2011. 1260 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and 1261 Verification of Domain-Based Application Service Identity 1262 within Internet Public Key Infrastructure Using X.509 1263 (PKIX) Certificates in the Context of Transport Layer 1264 Security (TLS)", RFC 6125, March 2011. 1266 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 1267 Security Version 1.2", RFC 6347, January 2012. 1269 [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication 1270 of Named Entities (DANE) Transport Layer Security (TLS) 1271 Protocol: TLSA", RFC 6698, August 2012. 1273 [RFC7218] Gudmundsson, O., "Adding Acronyms to Simplify 1274 Conversations about DNS-Based Authentication of Named 1275 Entities (DANE)", RFC 7218, April 2014. 1277 17.2. Informative References 1279 [I-D.dukhovni-opportunistic-security] 1280 Dukhovni, V., "Opportunistic Security: Some Protection 1281 Most of the Time", draft-dukhovni-opportunistic- 1282 security-04 (work in progress), August 2014. 1284 [I-D.ietf-dane-smtp-with-dane] 1285 Dukhovni, V. and W. Hardaker, "SMTP security via 1286 opportunistic DANE TLS", draft-ietf-dane-smtp-with-dane-12 1287 (work in progress), August 2014. 1289 [I-D.ietf-dane-srv] 1290 Finch, T., Miller, M., and P. Saint-Andre, "Using DNS- 1291 Based Authentication of Named Entities (DANE) TLSA Records 1292 with SRV Records", draft-ietf-dane-srv-08 (work in 1293 progress), October 2014. 1295 [I-D.ietf-tls-oob-pubkey] 1296 Wouters, P., Tschofenig, H., Gilmore, J., Weiler, S., and 1297 T. Kivinen, "Using Raw Public Keys in Transport Layer 1298 Security (TLS) and Datagram Transport Layer Security 1299 (DTLS)", draft-ietf-tls-oob-pubkey-11 (work in progress), 1300 January 2014. 1302 [RFC6962] Laurie, B., Langley, A., and E. Kasper, "Certificate 1303 Transparency", RFC 6962, June 2013. 1305 Authors' Addresses 1306 Viktor Dukhovni 1307 Unaffiliated 1309 Email: ietf-dane@dukhovni.org 1311 Wes Hardaker 1312 Parsons 1313 P.O. Box 382 1314 Davis, CA 95617 1315 US 1317 Email: ietf@hardakers.net