idnits 2.17.1 draft-ietf-dane-protocol-18.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 9, 2012) is 4430 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'This' is mentioned on line 654, but not defined ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) ** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525) ** Obsolete normative reference: RFC 6347 (Obsoleted by RFC 9147) -- Obsolete informational reference (is this intentional?): RFC 2818 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 2845 (Obsoleted by RFC 8945) -- Obsolete informational reference (is this intentional?): RFC 4641 (Obsoleted by RFC 6781) Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Hoffman 3 Internet-Draft VPN Consortium 4 Intended status: Standards Track J. Schlyter 5 Expires: September 10, 2012 Kirei AB 6 March 9, 2012 8 The DNS-Based Authentication of Named Entities (DANE) Protocol for 9 Transport Layer Security (TLS) 10 draft-ietf-dane-protocol-18 12 Abstract 14 Encrypted communication on the Internet often uses Transport Level 15 Security (TLS), which depends on third parties to certify the keys 16 used. This document improves on that situation by enabling the 17 administrator of a domain name to certify the keys used in that 18 domain's TLS servers. This requires matching improvements in TLS 19 client software, but no change in TLS server software. 21 Status of this Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at http://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on September 10, 2012. 38 Copyright Notice 40 Copyright (c) 2012 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (http://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 56 1.1. Background of the Problem . . . . . . . . . . . . . . . . 4 57 1.2. Securing the Association with a Server's Certificate . . . 5 58 1.3. Method For Securing Certificate Associations . . . . . . . 6 59 1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 60 2. The TLSA Resource Record . . . . . . . . . . . . . . . . . . . 7 61 2.1. TLSA RDATA Wire Format . . . . . . . . . . . . . . . . . . 7 62 2.1.1. The Certificate Usage Field . . . . . . . . . . . . . 7 63 2.1.2. The Selector Field . . . . . . . . . . . . . . . . . . 8 64 2.1.3. The Matching Type Field . . . . . . . . . . . . . . . 9 65 2.1.4. The Certificate Association Data Field . . . . . . . . 9 66 2.2. TLSA RR Presentation Format . . . . . . . . . . . . . . . 9 67 2.3. TLSA RR Examples . . . . . . . . . . . . . . . . . . . . . 10 68 3. Domain Names for TLS Certificate Associations . . . . . . . . 10 69 4. Use of TLSA Records in TLS . . . . . . . . . . . . . . . . . . 11 70 5. TLSA and DANE Use Cases and Requirements . . . . . . . . . . . 12 71 6. Mandatory-to-Implement Features . . . . . . . . . . . . . . . 14 72 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 73 7.1. TLSA RRtype . . . . . . . . . . . . . . . . . . . . . . . 14 74 7.2. TLSA Usages . . . . . . . . . . . . . . . . . . . . . . . 14 75 7.3. TLSA Selectors . . . . . . . . . . . . . . . . . . . . . . 15 76 7.4. TLSA Matching Types . . . . . . . . . . . . . . . . . . . 15 77 8. Security Considerations . . . . . . . . . . . . . . . . . . . 16 78 8.1. DNS Caching . . . . . . . . . . . . . . . . . . . . . . . 17 79 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18 80 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 81 10.1. Normative References . . . . . . . . . . . . . . . . . . . 18 82 10.2. Informative References . . . . . . . . . . . . . . . . . . 19 83 Appendix A. Operational Considerations for Deploying TLSA 84 Records . . . . . . . . . . . . . . . . . . . . . . . 19 85 A.1. Creating TLSA Records . . . . . . . . . . . . . . . . . . 20 86 A.1.1. Ambiguities and Corner Cases When TLS Clients 87 Build Trust Chains . . . . . . . . . . . . . . . . . . 20 88 A.1.2. Choosing a Selector Type . . . . . . . . . . . . . . . 21 89 A.2. Provisioning TLSA Records in DNS . . . . . . . . . . . . . 23 90 A.2.1. Provisioning TLSA Records with Aliases . . . . . . . . 23 91 A.3. Securing the Last Hop . . . . . . . . . . . . . . . . . . 25 92 A.4. Handling Certificate Rollover . . . . . . . . . . . . . . 26 93 Appendix B. Pseudocode for Using TLSA . . . . . . . . . . . . . . 26 94 B.1. Helper Functions . . . . . . . . . . . . . . . . . . . . . 26 95 B.2. Main TLSA Pseudo Code . . . . . . . . . . . . . . . . . . 28 97 Appendix C. Examples . . . . . . . . . . . . . . . . . . . . . . 30 98 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 31 100 1. Introduction 102 1.1. Background of the Problem 104 Applications that communicate over the Internet often need to prevent 105 eavesdropping, tampering, or forgery of their communications. The 106 Transport Layer Security (TLS) protocol provides this kind of 107 communications privacy over the Internet, using encryption. 109 The security properties of encryption systems depend strongly on the 110 keys that they use. If secret keys are revealed, or if published 111 keys can be replaced by bogus keys, these systems provide little or 112 no security. 114 TLS uses certificates to bind keys and names. A certificate combines 115 a published key with other information such as the name of the 116 service that the key is used by, and this combination is digitally 117 signed by another key. Having a certificate for a key is only 118 helpful if you trust the other key that signed the certificate. If 119 that other key was itself revealed or substituted, then its signature 120 is worthless in proving anything about the first key. 122 On the Internet, this problem has been solved for years by entities 123 called "Certification Authorities" (CAs). CAs protect their secret 124 key vigorously, while supplying their public key to the software 125 vendors who build TLS clients. They then sign certificates, and 126 supply those to TLS servers. TLS client software uses a set of these 127 CA keys as "trust anchors" to validate the signatures on certificates 128 that the client receives from TLS servers. Client software typically 129 allows any CA to usefully sign any other certificate. 131 This solution has gradually broken down because some CAs have become 132 untrustworthy. A single trusted CA that betrays its trust, either 133 voluntarily or by providing less-than-vigorous protection for its 134 secrets and capabilities, can compromise any other certificate that 135 TLS uses by signing a replacement certificate that contains a bogus 136 key. Several real-world occurrances that have exploited such CAs for 137 subversion of major web sites (presumably to abet wiretapping and 138 large-scale fraud) have brought TLS's CA model into disrepute. 140 The DNS Security Extensions (DNSSEC) provides a similar model that 141 involves trusted keys signing the information for untrusted keys. 142 However, DNSSEC provides three significant improvements. Keys are 143 tied to names in the Domain Name System (DNS), rather than to 144 arbitrary identifying strings; this is more convenient for Internet 145 protocols. Signed keys for any domain are accessible online through 146 a straightforward query using the standard DNSSEC protocol, so there 147 is no problem distributing the signed keys. Most significantly, the 148 keys associated with a domain name can only be signed by a key 149 associated with the parent of that domain name; for example, the keys 150 for "example.com" can only be signed by the keys for "com", and the 151 keys for "com" can only be signed by the DNS root. This prevents an 152 untrustworthy signer from compromising anyone's keys except those in 153 their own subdomains. Like TLS, DNSSEC relies on public keys that 154 come built into the DNSSEC client software, but these keys come only 155 from a single root domain rather than from a multiplicity of CAs. 157 1.2. Securing the Association with a Server's Certificate 159 A TLS client begins a connection by exchanging messages with a TLS 160 server. It looks up the server's name using the DNS to get Internet 161 Protocol (IP) address associated with the name. It then begins a 162 connection to a client-chosen port at that address, and sends an 163 initial message there. However, the client does not yet know whether 164 an adversary is intercepting and/or altering its communication before 165 it reaches the TLS server. It does not even know whether the real 166 TLS server associated with that domain name has ever received its 167 initial messages. 169 The first response from the server in TLS may contain a certificate. 170 In order for the TLS client to authenticate that it is talking to the 171 expected TLS server, the client must validate that this certificate 172 is associated with the domain name used by the client to get to the 173 server. Currently, the client must extract the domain name from the 174 certificate and must successfully validate the certificate, including 175 chaining to a trust anchor. 177 There is a different way to authenticate the association of the 178 server's certificate with the intended domain name without trusting 179 an external CA. Given that the DNS administrator for a domain name 180 is authorized to give identifying information about the zone, it 181 makes sense to allow that administrator to also make an authoritative 182 binding between the domain name and a certificate that might be used 183 by a host at that domain name. The easiest way to do this is to use 184 the DNS, securing the binding with DNSSEC. 186 There are many use cases for such functionality. [RFC6394] lists the 187 ones that the DNS RRtype in this document are meant to apply. 188 [RFC6394] also lists many requirements, most of which this document 189 is believed to meet. Section 5 covers the applicability of this 190 document to the use cases in detail. 192 This document applies to both TLS [RFC5246] and DTLS [RFC6347]. In 193 order to make the document more readable, it mostly only talks about 194 "TLS", but in all cases, it means "TLS or DTLS". This document only 195 relates to securely associating certificates for TLS and DTLS with 196 host names; other security protocols and other forms of 197 identification of TLS servers (such as IP addresses) are handled in 198 other documents. For example, keys for IPsec are covered in 199 [RFC4025] and keys for SSH are covered in [RFC4255]. 201 1.3. Method For Securing Certificate Associations 203 A certificate association is formed from a piece of information 204 identifying a certificate (such as the contents of the certificate or 205 a trust anchor to which the certificate chains) and the domain name 206 where the data is found. This document only applies to PKIX 207 [RFC5280] certificates, not certificates of other formats. 209 A DNS query can return multiple certificate associations, such as in 210 the case of different server software on a single host using 211 different certificates, or in the case that a server is changing from 212 one certificate to another. 214 This document defines a secure method to associate the certificate 215 that is obtained from the TLS server with a domain name using DNS; 216 the DNS information needs to be be protected by DNSSEC. Because the 217 certificate association was retrieved based on a DNS query, the 218 domain name in the query is by definition associated with the 219 certificate. 221 DNSSEC, which is defined in RFCs 4033, 4034, and 4035 ([RFC4033], 222 [RFC4034], and [RFC4035]), uses cryptographic keys and digital 223 signatures to provide authentication of DNS data. Information that 224 is retrieved from the DNS and that is validated using DNSSEC is 225 thereby proved to be the authoritative data. The DNSSEC signature 226 MUST be validated on all responses that use DNSSEC in order to assure 227 the proof of origin of the data. This document does not specify how 228 DNSSEC validation occurs because there are many different proposals 229 for how a client might get validated DNSSEC results. 231 This document only relates to securely getting the DNS information 232 for the certificate association using DNSSEC; other secure DNS 233 mechanisms are out of scope. 235 1.4. Terminology 237 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 238 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 239 document are to be interpreted as described in RFC 2119 [RFC2119]. 241 This document also makes use of standard PKIX, DNSSEC, and TLS 242 terminology. See [RFC5280], [RFC4033], and [RFC5246] respectively, 243 for these terms. In addition, terms related to TLS-protected 244 application services and DNS names are taken from [RFC6125]. 246 2. The TLSA Resource Record 248 The TLSA DNS resource record (RR) is used to associate a certificate 249 with the domain name where the record is found. The semantics of how 250 the TLSA RR is interpreted are given later in this document. 252 The type value for the TLSA RR type is TBD. 254 The TLSA RR is class independent. 256 The TLSA RR has no special TTL requirements. 258 2.1. TLSA RDATA Wire Format 260 The RDATA for a TLSA RR consists of a one octet usage type field, a 261 one octet selector field, a one octet matching type field and the 262 certificate association data field. 264 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 265 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 266 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 267 | Usage | Selector | Matching Type | / 268 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / 269 / / 270 / Certificate Association Data / 271 / / 272 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 274 2.1.1. The Certificate Usage Field 276 A one-octet value, called "certificate usage" or just "usage", 277 specifying the provided association that will be used to match the 278 target certificate from the TLS handshake. This value is defined in 279 a new IANA registry (see Section 7.2) in order to make it easier to 280 add additional certificate usages in the future. The usages defined 281 in this document are: 283 0 -- Certificate usage 0 is used to specify a CA certificate, or 284 the public key of such a certificate, that must be found in any of 285 the PKIX certification paths for the end entity certificate given 286 by the server in TLS. This usage is sometimes referred to as "CA 287 constraint" because it limits which CA can be used to issue 288 certificates for a given service on a host. The target 289 certificate MUST pass PKIX certification path validation and a CA 290 certificate that matches the TLSA record MUST be included as part 291 of a valid certification path. 293 1 -- Certificate usage 1 is used to specify an end entity 294 certificate, or the public key of such a certificate, that must be 295 matched with the end entity certificate given by the server in 296 TLS. This usage is sometimes referred to as "service certificate 297 constraint" because it limits which end entity certificate may be 298 used by a given service on a host. The target certificate MUST 299 pass PKIX certification path validation and MUST match the TLSA 300 record. 302 2 -- Certificate usage 2 is used to specify a certificate, or the 303 public key of such a certificate, that must be used as the trust 304 anchor when validating the end entity certificate given by the 305 server in TLS. This usage is sometimes referred to as "trust 306 anchor assertion" and allows a domain name administrator to 307 specify a new trust anchor, for example if the domain issues its 308 own certificates under its own CA that is not expected to be in 309 the end users' collection of trust anchors. The target 310 certificate MUST pass PKIX certification path validation, with any 311 certificate matching the TLSA record considered to be a trust 312 anchor for this certification path validation. 314 3 -- Certificate usage 3 is used to specify a certificate, or the 315 public key of such a certificate, that must match the end entity 316 certificate given by the server in TLS. This usage is sometimes 317 referred to as "domain-issued certificate" because it allows for a 318 domain name administrator to issue certificates for a domain 319 without involving a third-party CA. The target certificate MUST 320 match the TLSA record. The difference between certificate usage 1 321 and certificate usage 3 is that certificate usage 1 requires that 322 the certificate pass PKIX validation, but PKIX validation is not 323 tested for certificate usage 3. 325 The certificate usages defined in this document explicitly only apply 326 to PKIX-formatted certificates in DER encoding. If TLS allows other 327 formats later, or if extensions to this RRtype are made that accept 328 other formats for certificates, those certificates will need their 329 own certificate usage values. 331 2.1.2. The Selector Field 333 A one-octet value, called "selector", specifying which part of the 334 TLS certificate presented by the server will be matched against the 335 association data. This value is defined in a new IANA registry (see 336 Section 7.3. The selectors defined in this document are: 338 0 -- Full certificate 340 1 -- SubjectPublicKeyInfo 342 2.1.3. The Matching Type Field 344 A one-octet value, called "matching type", specifying how the 345 certificate association is presented. This value is defined in a new 346 IANA registry (see Section 7.4). The types defined in this document 347 are: 349 0 -- Exact match on selected content 351 1 -- SHA-256 hash of selected content [RFC6234] 353 2 -- SHA-512 hash of selected content [RFC6234] 355 If the TLSA record's matching type is a hash, the record SHOULD use 356 the same hash algorithm that was used in the signature in the 357 certificate. This will assist clients that support a small number of 358 hash algorithms. 360 2.1.4. The Certificate Association Data Field 362 The "certificate association data" to be matched. This field 363 contains the data to be matched. These bytes are either raw data 364 (that is, the full certificate or its SubjectPublicKeyInfo, depending 365 on the selector) for matching type 0, or the hash of the raw data for 366 matching types 1 and 2. The data refers to the certificate in the 367 association, not to the TLS ASN.1 Certificate object. 369 2.2. TLSA RR Presentation Format 371 The presentation format of the RDATA portion is as follows: 373 o The certificate usage field MUST be represented as an unsigned 374 decimal integer. 376 o The selector field MUST be represented as an unsigned decimal 377 integer. 379 o The matching type field MUST be represented as an unsigned decimal 380 integer. 382 o The certificate association data field MUST be represented as a 383 string of hexadecimal characters. Whitespace is allowed within 384 the string of hexadecimal characters. 386 2.3. TLSA RR Examples 388 An example of a hashed (SHA-256) association of a PKIX CA 389 certificate: 391 _443._tcp.www.example.com. IN TLSA ( 392 0 0 1 d2abde240d7cd3ee6b4b28c54df034b9 393 7983a1d16e8a410e4561cb106618e971 ) 395 An example of a hashed (SHA-512) subject public key association of a 396 PKIX end entity certificate: 398 _443._tcp.www.example.com. IN TLSA ( 399 1 1 2 92003ba34942dc74152e2f2c408d29ec 400 a5a520e7f2e06bb944f4dca346baf63c 401 1b177615d466f6c4b71c216a50292bd5 402 8c9ebdd2f74e38fe51ffd48c43326cbc ) 404 An example of a full certificate association of a PKIX end entity 405 certificate: 407 _443._tcp.www.example.com. IN TLSA ( 408 3 0 0 30820307308201efa003020102020... ) 410 3. Domain Names for TLS Certificate Associations 412 Unless there is a protocol-specific specification that is different 413 than this one, TLSA resource records are stored at a prefixed DNS 414 domain name. The prefix is prepared in the following manner: 416 1. The decimal representation of the port number on which a TLS- 417 based service is assumed to exist is prepended with an underscore 418 character ("_") to become the left-most label in the prepared 419 domain name. This number has no leading zeros. 421 2. The protocol name of the transport on which a TLS-based service 422 is assumed to exist is prepended with an underscore character 423 ("_") to become the second left-most label in the prepared domain 424 name. The transport names defined for this protocol are "tcp", 425 "udp" and "sctp". 427 3. The domain name is appended to the result of step 2 to complete 428 the prepared domain name. 430 For example, to request a TLSA resource record for an HTTP server 431 running TLS on port 443 at "www.example.com", you would use 432 "_443._tcp.www.example.com" in the request. To request a TLSA 433 resource record for an SMTP server running the STARTTLS protocol on 434 port 25 at "mail.example.com", you would use 435 "_25._tcp.mail.example.com". 437 4. Use of TLSA Records in TLS 439 Section 2.1 of this document defines the mandatory matching rules for 440 the data from the TLSA certificate associations and the certificates 441 received from the TLS server. 443 The TLS session that is to be set up MUST be for the specific port 444 number and transport name that was given in the TLSA query. 446 Some specifications for applications that run under TLS, such as 447 [RFC2818] for HTTP, require the server's certificate to have a domain 448 name that matches the host name expected by the client. Some 449 specifications such as [RFC6125] detail how to match the identity 450 given in a PKIX certificate with those expected by the user. 452 An implementation of this protocol makes a DNS query for TLSA 453 records, validates these records using DNSSEC, and uses the resulting 454 TLSA records and validation status to modify its responses to the TLS 455 server. 457 If a host is using TLSA usage type 2 for its certifcate, the 458 corresponding TLS server SHOULD send the certificate that is 459 referenced just like it currently sends intermediate certificates. 461 Determining whether a TLSA RRset can be used depends on the DNSSEC 462 validation state (as defined in [RFC4033]). 464 o A TLSA RRset whose DNSSEC validation state is secure MUST be used 465 as a certificate association for TLS unless a local policy would 466 prohibit the use of the specific certificate association in the 467 secure TLSA RRset. 469 o If the DNSSEC validation state on the response to the request for 470 the TLSA RRset is bogus, this MUST cause TLS not to be started or, 471 if the TLS negotiation is already in progress, MUST cause the 472 connection to be aborted. 474 o A TLSA RRset whose DNSSEC validation state is indeterminate or 475 insecure cannot be used for TLS and MUST be considered unusable. 477 Clients which validate the DNSSEC signatures themselves MUST use 478 standard DNSSEC validation procedures. Clients that rely on another 479 entity to perform the DNSSEC signature validation MUST use a secure 480 mechanism between themselves and the validator. Examples of secure 481 transports to other hosts include TSIG [RFC2845], SIG(0) [RFC2931], 482 and IPsec [RFC6071]. Note that it is not sufficient to use secure 483 transport to a DNS resolver that does not do DNSSEC signature 484 validation. 486 If a certificate association contains a certificate usage, selector, 487 or matching type that is not understood by the TLS client, that 488 certificate association MUST be considered unusable. If the 489 comparison data for a certificate is malformed, the certificate 490 association MUST be considered unusable. 492 If a certificate association contains a matching type or certificate 493 association data that uses a cryptographic algorithm that is 494 considered too weak for the TLS client's policy, the certificate 495 association MUST be marked as unusable. 497 If an application receives zero usable certificate associations, it 498 processes TLS in the normal fashion without any input from the TLSA 499 records. If an application receives one or more usable certificate 500 associations, it attempts to match each certificate association with 501 the TLS server's end entity certificate until a successful match is 502 found. 504 5. TLSA and DANE Use Cases and Requirements 506 The different types of certificate associations defined in TLSA are 507 matched with various sections of [RFC6394]. The use cases from 508 Section 3 of [RFC6394] are covered in this document as follows: 510 3.1 CA Constraints -- Implemented using certificate usage 0. 512 3.2 Certificate Constraints -- Implemented using certificate usage 513 1. 515 3.3 Trust Anchor Assertion and Domain-Issued Certificates -- 516 Implemented using certificate usages 2 and 3, respectively. 518 The requirements from Section 4 of [RFC6394] are covered in this 519 document as follows: 521 Multiple Ports -- The TLSA records for different application 522 services running on a single host can be distinguished through the 523 service name and port number prefixed to the host name (see 524 Section 3). 526 No Downgrade -- Section 4 specifies the conditions under which a 527 client can process and act upon TLSA records. Specifically, if 528 the DNSSEC status for the TLSA resource record set is determined 529 to be bogus, the TLS connection (if started) will fail. 531 Encapsulation -- Covered in the TLSA response semantics. 533 Predictability -- The appendixes of this specification provide 534 operational considerations and implementation guidance in order to 535 enable application developers to form a consistent interpretation 536 of the recommended DANE client behavior. 538 Opportunistic Security -- If a client conformant to this 539 specification can reliably determine the presence of a TLSA 540 record, it will attempt to use this information. Conversely, if a 541 client can reliably determine the absence of any TLSA record, it 542 will fall back to processing TLS in the normal fashion. This is 543 discussed in Section 4. 545 Combination -- Multiple TLSA records can be published for a given 546 host name, thus enabling the client to construct multiple TLSA 547 certificate associations that reflect different DANE assertions. 548 No support is provided to combine two TLSA certificate 549 associations in a single operation. 551 Roll-over -- TLSA records are processed in the normal manner within 552 the scope of DNS protocol, including the TTL expiration of the 553 records. This ensures that clients will not latch onto assertions 554 made by expired TLSA records, and will be able to transition from 555 using one DANE public key or certificate usage type to another. 557 Simple Key Management -- The SubjectPublicKeyInfo selector in the 558 TLSA record provides a mode that enables a domain holder to only 559 have to maintain a single long-lived public/private key pair 560 without the need to manage certificates. Appendix A outlines the 561 usefulness and the potential downsides to using this mode. 563 Minimal Dependencies -- This specification relies on DNSSEC to 564 protect the origin authenticity and integrity of the TLSA resource 565 record set. Additionally, if DNSSEC validation is not performed 566 on the system that wishes to use TLSA certificate bindings, this 567 specification requires that the "last mile" be over a secure 568 transport. There are no other deployment dependencies for this 569 approach. 571 Minimal Options -- The operating modes map precisely to the DANE use 572 cases and requirements. DNSSEC use is mandatory in that this 573 specification encourages applications to use TLSA records that are 574 only shown to be validated. 576 Wild Cards -- Covered in a limited manner in the TLSA request 577 syntax; see Appendix A. 579 Redirection -- Covered in the TLSA request syntax; see Appendix A. 581 6. Mandatory-to-Implement Features 583 TLS clients conforming to this specification MUST be able to 584 correctly interpret TLSA records with certificate usages 0, 1, 2, and 585 3. TLS clients conforming to this specification MUST be able to 586 compare a certificate association with a certificate from the TLS 587 handshake using selectors type 0 and 1, and matching type 0 (no hash 588 used) and matching type 1 (SHA-256), and SHOULD be able to make such 589 comparisons with matching type 2 (SHA-512). 591 At the time this is written, it is expected that there will be a new 592 family of hash algorithms called SHA-3 within the next few years. It 593 is expected that some of the SHA-3 algorithms will be mandatory 594 and/or recommended for TLSA records after the algorithms are fully 595 defined. At that time, this specification will be updated. 597 7. IANA Considerations 599 In the following sections, "RFC Required" was chosen for TLSA usages 600 and "Specification Required" for selectors and matching types because 601 of the amount of detail that is likely to be needed for implementers 602 to correctly implement new usages as compared to new selectors and 603 matching types. 605 7.1. TLSA RRtype 607 This document uses a new DNS RR type, TLSA, whose value is TBD. A 608 separate request for the RR type will be submitted to the expert 609 reviewer, and future versions of this document will have that value 610 instead of TBD. 612 7.2. TLSA Usages 614 This document creates a new registry, "Certificate Usages for TLSA 615 Resource Records". The registry policy is "RFC Required". The 616 initial entries in the registry are: 618 Value Short description Reference 619 ---------------------------------------------------------- 620 0 CA constraint [This] 621 1 Service certificate constraint [This] 622 2 Trust anchor assertion [This] 623 3 Domain-issued certificate [This] 624 4-254 Unassigned 625 255 Private use 627 Applications to the registry can request specific values that have 628 yet to be assigned. 630 7.3. TLSA Selectors 632 This document creates a new registry, "Selectors for TLSA Resource 633 Records". The registry policy is "Specification Required". The 634 initial entries in the registry are: 636 Value Short description Reference 637 ---------------------------------------------------------- 638 0 Full Certificate [This] 639 1 SubjectPublicKeyInfo [This] 640 2-254 Unassigned 641 255 Private use 643 Applications to the registry can request specific values that have 644 yet to be assigned. 646 7.4. TLSA Matching Types 648 This document creates a new registry, "Matching Types for TLSA 649 Resource Records". The registry policy is "Specification Required". 650 The initial entries in the registry are: 652 Value Short description Reference 653 -------------------------------------------------------- 654 0 No hash used [This] 655 1 SHA-256 RFC 6234 656 2 SHA-512 RFC 6234 657 3-254 Unassigned 658 255 Private use 660 Applications to the registry can request specific values that have 661 yet to be assigned. 663 8. Security Considerations 665 The security of the DNS RRtype described in this document relies on 666 the security of DNSSEC as used by the client requesting A/AAAA and 667 TLSA records. 669 A DNS administrator who goes rogue and changes both the A/AAAA and 670 TLSA records for a domain name can cause the user to go to an 671 unauthorized server that will appear authorized, unless the client 672 performs PKIX certification path validation and rejects the 673 certificate. That administrator could probably get a certificate 674 issued anyway, so this is not an additional threat. 676 If the authentication mechanism for adding or changing TLSA data in a 677 zone is weaker than the authentication mechanism for changing the 678 A/AAAA records, a man-in-the-middle who can redirect traffic to their 679 site may be able to impersonate the attacked host in TLS if they can 680 use the weaker authentication mechanism. A better design for 681 authenticating DNS would be to have the same level of authentication 682 used for all DNS additions and changes for a particular domain name. 684 SSL proxies can sometimes act as a man-in-the-middle for TLS clients. 685 In these scenarios, the clients add a new trust anchor whose private 686 key is kept on the SSL proxy; the proxy intercepts TLS requests, 687 creates a new TLS session with the intended host, and sets up a TLS 688 session with the client using a certificate that chains to the trust 689 anchor installed in the client by the proxy. In such environments, 690 using TLSA records will prevent the SSL proxy from functioning as 691 expected because the TLS client will get a certificate association 692 from the DNS that will not match the certificate that the SSL proxy 693 uses with the client. The client, seeing the proxy's new certificate 694 for the supposed destination will not set up a TLS session. 696 Client treatment of any information included in the certificate trust 697 anchor is a matter of local policy. This specification does not 698 mandate that such information be inspected or validated by the 699 server's domain name administrator. 701 If a server's certificate is revoked, or if an intermediate CA in a 702 chain between the end entity and a trust anchor has its certificate 703 revoked, a TLSA record with a certificate type of 2 that matches the 704 revoked certificate would in essence override the revocation because 705 the client would treat that revoked certificate as a trust anchor and 706 thus not check its revocation status. Because of this, domain 707 administrators need to be responsible for being sure that the key or 708 certificate used in TLSA records with a certificate type of 2 are in 709 fact able to be used as reliable trust anchors. 711 Certificates that are delivered in TLSA with usage type 2 712 fundamentally change the way the TLS server's end entity certificate 713 is evaluated. For example, the server's certificate might chain to 714 an existing CA through an intermediate CA that has certain policy 715 restrictions, and the certificate would not pass those restrictions 716 and thus normally be rejected. That intermediate CA could issue 717 itself a new certificate without the policy restrictions and tell its 718 customers to use that certificate with usage type 2. This in essence 719 allows an intermediate CA to be come a trust anchor for certificates 720 that the end user might have expected to chain to an existing trust 721 anchor. 723 If an administrator wishes to stop using a TLSA record, the 724 administrator can simply remove it from the DNS. Normal clients will 725 stop using the TLSA record after the TTL has expired. Replay attacks 726 against the TLSA record are not possible after the expiration date on 727 the RRsig of the TLSA record that was removed. 729 The client's full trust of a certificate retrieved from a TLSA record 730 with a certificate usage type of 2 or 3 may be a matter of local 731 policy. While such trust is limited to the specific domain nane for 732 which the TLSA query was made, local policy may deny the trust or 733 further restrict the conditions under which that trust is permitted. 735 8.1. DNS Caching 737 Implementations of this protocol rely heavily on the DNS, and are 738 thus prone to security attacks based on the deliberate mis- 739 association of TLSA records and DNS names. Implementations need to 740 be cautious in assuming the continuing validity of an assocation 741 between a TLSA record and a DNS name. 743 In particular, implementations SHOULD rely on their DNS resolver for 744 confirmation of an association between a TLSA record and a DNS name, 745 rather than caching the result of previous domain name lookups. Many 746 platforms already can cache domain name lookups locally when 747 appropriate, and they SHOULD be configured to do so. It is proper 748 for these lookups to be cached, however, only when the TTL (Time To 749 Live) information reported by the DNS makes it likely that the cached 750 information will remain useful. 752 If implementations cache the results of domain name lookups in order 753 to achieve a performance improvement, they MUST observe the TTL 754 information reported by DNS. Implementations that fail to follow 755 this rule could be spoofed or have access denied when a previously- 756 accessed server's TLSA record changes, such as during a certificate 757 rollover. 759 9. Acknowledgements 761 Many of the ideas in this document have been discussed over many 762 years. More recently, the ideas have been discussed by the authors 763 and others in a more focused fashion. In particular, some of the 764 ideas and words here originated with Paul Vixie, Dan Kaminsky, Jeff 765 Hodges, Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam 766 Langley, Ben Laurie, Ilari Liusvaara, Ondrej Mikle, Scott Schmit, 767 Ondrej Sury, Richard Barnes, Jim Schaad, Stephen Farrell, Suresh 768 Krishnaswamy, Peter Palfrader, Pieter Lexis, Wouter Wijngaards and 769 John Gilmore. 771 This document has also been greatly helped by many active 772 participants of the DANE Working Group. 774 10. References 776 10.1. Normative References 778 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 779 Requirement Levels", BCP 14, RFC 2119, March 1997. 781 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 782 Rose, "DNS Security Introduction and Requirements", 783 RFC 4033, March 2005. 785 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 786 Rose, "Resource Records for the DNS Security Extensions", 787 RFC 4034, March 2005. 789 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 790 Rose, "Protocol Modifications for the DNS Security 791 Extensions", RFC 4035, March 2005. 793 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 794 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 796 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 797 Housley, R., and W. Polk, "Internet X.509 Public Key 798 Infrastructure Certificate and Certificate Revocation List 799 (CRL) Profile", RFC 5280, May 2008. 801 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and 802 Verification of Domain-Based Application Service Identity 803 within Internet Public Key Infrastructure Using X.509 804 (PKIX) Certificates in the Context of Transport Layer 805 Security (TLS)", RFC 6125, March 2011. 807 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 808 Security Version 1.2", RFC 6347, January 2012. 810 10.2. Informative References 812 [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for 813 specifying the location of services (DNS SRV)", RFC 2782, 814 February 2000. 816 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. 818 [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B. 819 Wellington, "Secret Key Transaction Authentication for DNS 820 (TSIG)", RFC 2845, May 2000. 822 [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures ( 823 SIG(0)s)", RFC 2931, September 2000. 825 [RFC4025] Richardson, M., "A Method for Storing IPsec Keying 826 Material in DNS", RFC 4025, March 2005. 828 [RFC4255] Schlyter, J. and W. Griffin, "Using DNS to Securely 829 Publish Secure Shell (SSH) Key Fingerprints", RFC 4255, 830 January 2006. 832 [RFC4641] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices", 833 RFC 4641, September 2006. 835 [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: 836 Extension Definitions", RFC 6066, January 2011. 838 [RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and 839 Internet Key Exchange (IKE) Document Roadmap", RFC 6071, 840 February 2011. 842 [RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms 843 (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011. 845 [RFC6394] Barnes, R., "Use Cases and Requirements for DNS-Based 846 Authentication of Named Entities (DANE)", RFC 6394, 847 October 2011. 849 Appendix A. Operational Considerations for Deploying TLSA Records 850 A.1. Creating TLSA Records 852 When creating TLSA records care must be taken to avoid 853 misconfigurations. Section 4 of this document states that a TLSA 854 RRset whose validation state is secure MUST be used. This means that 855 the existence of such a RRset effectively disables other forms of 856 name and path validation. A misconfigured TLSA RRset will 857 effectively disable access to the TLS server for all conforming 858 clients, and this document does not provide any means of making a 859 gradual transition to using TLSA. 861 When creating TLSA records with certificate usage type 0 (CA 862 Certificate) or type 2 (Trust Anchor), one needs to understand the 863 implications when choosing between selector type 0 (full certificate) 864 and 1 (SubjectPublicKeyInfo). A careful choice is required because 865 different methods for building trust chains are used by different TLS 866 clients. The following outlines the cases that one should be aware 867 of and discusses the implications of the choice of selector type. 869 Certificate usage 2 is not affected by the different types of chain 870 building when the end entity certificate is the same as the trust 871 anchor certificate. 873 A.1.1. Ambiguities and Corner Cases When TLS Clients Build Trust Chains 875 TLS clients may implement their own chain-building code rather than 876 rely on the chain presented by the TLS server. This means that, 877 except for the end entity certificate, any certificate presented in 878 the suggested chain might or might not be present in the final chain 879 built by the client. 881 Certificates that the client can use to replace certificates from 882 original chain include: 884 o Client's trust anchors 886 o Certificates cached locally 888 o Certificates retrieved from a URI listed in an Authority 889 Information Access X.509v3 extension 891 CAs frequently reissue certificates with different validity period, 892 signature algorithm (such as an different hash algorithm in the 893 signature algorithm), CA key pair (such as for a cross-certificate), 894 or PKIX extensions where the public key and subject remain the same. 895 These reissued certificates are the certificates TLS client can use 896 in place of an original certificate. 898 Clients are known to exchange or remove certificates that could cause 899 TLSA association that rely on the full certificate to fail. For 900 example: 902 o The client considers the signature algorithm of a certificate to 903 no longer be sufficiently secure 905 o The client might not have an associated root certificate in its 906 trust store and instead uses a cross-certificate with an identical 907 subject and public key. 909 A.1.2. Choosing a Selector Type 911 In this section, "false-negative failure" means that a client will 912 not accept the TLSA association for certificate designated by DNS 913 administrator. Also, "false-positive acceptance" means that the 914 client accepts a TLSA association for a certificate that is not 915 designated by the DNS administrator. 917 A.1.2.1. Selector Type 0 (Full Certificate) 919 The "Full certificate" selector provides the most precise 920 specification of a TLS certificate association, capturing all fields 921 of the PKIX certificate. For a DNS administrator, the best course to 922 avoid false-negative failures in the client when using this selector 923 are: 925 o If a CA issued a replacement certificate, don't associate to CA 926 certificates that have a signature algorithm with a hash that is 927 considered weak (such as MD2 and MD5). 929 o Determine how common client applications process the TLSA 930 association using a fresh client installation, that is, with the 931 local certificate cache empty. 933 A.1.2.2. Selector Type 1 (SubjectPublicKeyInfo) 935 A SubjectPublicKeyInfo selector gives greater flexibility in avoiding 936 some false-negative failures caused by trust-chain-building 937 algorithms used in clients. 939 One specific use-case should be noted: creating a TLSA association to 940 CA certificate I1 that directly signed end entity certificate S1 of 941 the server. The case can be illustrated by following graph: 943 +----+ +----+ 944 | I1 | | I2 | 945 +----+ +----+ 946 | | 947 v v 948 +----+ +----+ 949 | S1 | | S1 | 950 +----+ +----+ 951 Certificate chain sent by A different validation path 952 server in TLS handshake built by the TLS client 954 I2 is a reissued version of CA certificate I1 (that is, it has a 955 different hash in its signature algorithm). 957 In the above scenario, both certificates I1 and I2 that sign S1 need 958 to have identical SubjectPublicKeyInfos because the key used to sign 959 S1 is fixed. An association to SubjectPublicKeyInfo (selector type 960 1) will always succeed in such a case, but an association with a full 961 certificate (selector type 0) might not work due to a false-negative 962 failure. 964 The attack surface is a bit broader compared to "full certificate" 965 selector: the DNS administrator might unintentionally specify an 966 association that would lead to false-positive acceptance. 968 o The administrator must know or trust that the CA does not engage 969 in bad practices, such as not sharing key of I1 for unrelated CA 970 certificates leading to trust-chain redirect. If possible, the 971 administrator should review all CA certificates that have the same 972 SPKI. 974 o The administrator should understand whether some PKIX extension 975 may adversely affect security of the association. If possible, 976 administrators should review all CA certificates that share the 977 SubjectPublicKeyInfo. 979 o The administrator should understand that any CA could, in the 980 future, issue a certificate that contains the same 981 SubjectPublicKeyInfo. Therefore, new chains can crop up in the 982 future without any warning. 984 Using the SubjectPublicKeyInfo selector for association with a 985 certificate in a chain above I1 needs to be decided on a case-by-case 986 basis: there are too many possibilities based on the issuing CA's 987 practices. Unless the full implications of such an association are 988 understood by the administrator, using selector type 0 is a better 989 option from a security perspective. 991 A.2. Provisioning TLSA Records in DNS 993 A.2.1. Provisioning TLSA Records with Aliases 995 The TLSA resource record is not special in the DNS; it acts exactly 996 like any other RRtype where the queried name has one or more labels 997 prefixed to the base name, such as the SRV RRtype [RFC2782]. This 998 affects the way that the TLSA resource record is used when aliasing 999 in the DNS. 1001 Note that the IETF sometimes adds new types of aliasing in the DNS. 1002 If that happens in the future, those aliases might affect TLSA 1003 records, hopefully in a good way. 1005 A.2.1.1. Provisioning TLSA Records with CNAME Records 1007 Using CNAME to alias in DNS only aliases from the exact name given, 1008 not any zones below the given name. For example, assume that a zone 1009 file has only the following: 1011 sub1.example.com. IN CNAME sub2.example.com. 1013 In this case, a request for the A record at "bottom.sub1.example.com" 1014 would not return any records because the CNAME given only aliases the 1015 name given. Assume, instead, the zone file has the following: 1017 sub3.example.com. IN CNAME sub4.example.com. 1018 bottom.sub3.example.com. IN CNAME bottom.sub4.example.com. 1020 In this case, a request for the A record at bottom.sub3.example.com 1021 would in fact return whatever value for the A record exists at 1022 bottom.sub4.example.com. 1024 Application implementations and full-service resolvers request DNS 1025 records using libraries that automatically follow CNAME (and DNAME) 1026 aliasing. This allows hosts to put TLSA records in their own zones 1027 or to use CNAME to do redirection. 1029 If the owner of the original domain wants a TLSA record for the same, 1030 they simply enter it under the defined prefix: 1032 ; No TLSA record in target domain 1033 ; 1034 sub5.example.com. IN CNAME sub6.example.com. 1035 _443._tcp.sub5.example.com. IN TLSA 1 1 1 308202c5308201ab... 1036 sub6.example.com. IN A 192.0.2.1 1037 sub6.example.com. IN AAAA 2001:db8::1 1038 If the owner of the original domain wants to have the target domain 1039 host the TLSA record, the original domain uses a CNAME record: 1041 ; TLSA record for original domain has CNAME to target domain 1042 ; 1043 sub5.example.com. IN CNAME sub6.example.com. 1044 _443._tcp.sub5.example.com. IN CNAME _443._tcp.sub6.example.com. 1045 sub6.example.com. IN A 192.0.2.1 1046 sub6.example.com. IN AAAA 2001:db8::1 1047 _443._tcp.sub6.example.com. IN TLSA 1 1 1 536a570ac49d9ba4... 1049 Note that it is acceptable for both the original domain and the 1050 target domain to have TLSA records, but the two records are 1051 unrelated. Consider the following: 1053 ; TLSA record in both the original and target domain 1054 ; 1055 sub5.example.com. IN CNAME sub6.example.com. 1056 _443._tcp.sub5.example.com. IN TLSA 1 1 1 308202c5308201ab... 1057 sub6.example.com. IN A 192.0.2.1 1058 sub6.example.com. IN AAAA 2001:db8::1 1059 _443._tcp.sub6.example.com. IN TLSA 1 1 1 ac49d9ba4570ac49... 1061 In this example, someone looking for the TLSA record for 1062 sub5.example.com would always get the record whose value starts 1063 "308202c5308201ab"; the TLSA record whose value starts 1064 "ac49d9ba4570ac49" would only be sought by someone who is looking for 1065 the TLSA record for sub6.example.com, and never for sub5.example.com. 1066 One should note that deploying different certificates for multiple 1067 services located at a shared TLS listener often requires the use of 1068 TLS SNI (Server Name Indication) [RFC6066]. 1070 Note that these methods use the normal method for DNS aliasing using 1071 CNAME: the DNS client requests the record type that they actually 1072 want. 1074 A.2.1.2. Provisioning TLSA Records with DNAME Records 1076 Using DNAME records allows a zone owner to alias an entire subtree of 1077 names below the name that has the DNAME. This allows the wholesale 1078 aliasing of prefixed records such as those used by TLSA, SRV, and so 1079 on without aliasing the name itself. However, because DNAME can only 1080 be used for subtrees of a base name, it is rarely used to alias 1081 individual hosts that might also be running TLS. 1083 ; TLSA record in target domain, visible in original domain via DNAME 1084 ; 1085 sub5.example.com. IN CNAME sub6.example.com. 1086 _tcp.sub5.example.com. IN DNAME _tcp.sub6.example.com. 1087 sub6.example.com. IN A 192.0.2.1 1088 sub6.example.com. IN AAAA 2001:db8::1 1089 _443._tcp.sub6.example.com. IN TLSA 1 1 1 536a570ac49d9ba4... 1091 A.2.1.3. Provisioning TLSA Records with Wildcards 1093 Wildcards are generally not terribly useful for RRtypes that require 1094 prefixing because you can only wildcard at a layer below the host 1095 name. For example, if you want to have the same TLSA record for 1096 every TCP port for www.example.com, you might have 1098 *._tcp.www.example.com. IN TLSA 1 1 1 5c1502a6549c423b... 1100 This is possibly useful in some scenarios where the same service is 1101 offered on many ports. 1103 A.3. Securing the Last Hop 1105 As described in Section 4, an application processing TLSA records 1106 must know the DNSSEC validity of those records. There are many ways 1107 for the application to securely find this out, and this specification 1108 does not mandate any single method. 1110 Some common methods for an application to know the DNSSEC validity of 1111 TLSA records include: 1113 o The application can have its own DNS resolver and DNSSEC 1114 validation stack. 1116 o The application can communicate through a trusted channel (such as 1117 requests to the operating system under which the application is 1118 running) to a local DNS resolver that does DNSSEC validation. 1120 o The application can communicate through a secured channel (such as 1121 requests running over TLS, IPsec, TSIG or SIG(0)) to a non-local 1122 DNS resolver that does DNSSEC validation. 1124 o The application can communicate through a secured channel (such as 1125 requests running over TLS, IPsec, TSIG or SIG(0)) to a non-local 1126 DNS resolver that does not do DNSSEC validation, but gets 1127 responses through a secured channel from a different DNS resolver 1128 that does DNSSEC validation. 1130 A.4. Handling Certificate Rollover 1132 Certificate rollover is handled in much the same was as for rolling 1133 DNSSEC zone signing keys using the pre-publish key rollover method 1134 [RFC4641]. Suppose example.com has a single TLSA record for a TLS 1135 service on TCP port 990: 1137 _990._tcp.example.com IN TLSA 1 1 1 1CFC98A706BCF3683015... 1139 To start the rollover process, obtain or generate the new certificate 1140 or SubjectPublicKeyInfo to be used after the rollover and generate 1141 the new TLSA record. Add that record alongside the old one: 1143 _990._tcp.example.com IN TLSA 1 1 1 1CFC98A706BCF3683015... 1144 _990._tcp.example.com IN TLSA 1 1 1 62D5414CD1CC657E3D30... 1146 After the new records have propagated to the authoritative 1147 nameservers and the TTL of the old record has expired, switch to the 1148 new certificate on the TLS server. Once this has occurred, the old 1149 TLSA record can be removed: 1151 _990._tcp.example.com IN TLSA 1 1 1 62D5414CD1CC657E3D30... 1153 This completes the certificate rollover. 1155 Appendix B. Pseudocode for Using TLSA 1157 This appendix describes the interactions given earlier in this 1158 specification in pseudocode format. This appendix is non-normative. 1159 If the steps below disagree with the text earlier in the document, 1160 the steps earlier in the document should be considered correct and 1161 this text incorrect. 1163 Note that this pseudocode is more strict than the normative text. 1164 For instance, it forces an order on the evaluation of criteria which 1165 is not mandatory from the normative text. 1167 B.1. Helper Functions 1169 // implement the function for exiting 1170 function Finish (F) = { 1171 if (F == ABORT_TLS) { 1172 abort the TLS handshake or prevent TLS from starting 1173 exit 1174 } 1175 if (F == NO_TLSA) { 1176 fall back to non-TLSA certificate validation 1177 exit 1178 } 1180 if (F == ACCEPT) { 1181 accept the TLS connection 1182 exit 1183 } 1185 // unreachable 1186 } 1188 // implement the selector function 1189 function Select (S, X) = { 1190 // Full certificate 1191 if (S == 0) { 1192 return X in DER encoding 1193 } 1195 // SubjectPublicKeyInfo 1196 if (S == 1) { 1197 return X.SubjectPublicKeyInfo in DER encoding 1198 } 1200 // unreachable 1201 } 1203 // implement the matching function 1204 function Match (M, X, Y) { 1205 // Exact match on selected content 1206 if (M == 0) { 1207 return (X == Y) 1208 } 1210 // SHA-256 hash of selected content 1211 if (M == 1) { 1212 return (SHA-256(X) == Y) 1213 } 1215 // SHA-512 hash of selected content 1216 if (M == 2) { 1217 return (SHA-512(X) == Y) 1218 } 1220 // unreachable 1221 } 1223 B.2. Main TLSA Pseudo Code 1225 TLS connect using [transport] to [name] on [port] and receiving end 1226 entity cert C for the TLS server: 1228 (TLSArecords, ValState) = DNSSECValidatedLookup( 1229 domainname=_[port]._[transport].[name], RRtype=TLSA) 1231 // check for states that would change processing 1232 if (ValState == BOGUS) { 1233 Finish(ABORT_TLS) 1234 } 1235 if ((ValState == INDETERMINATE) or (ValState == INSECURE)) { 1236 Finish(NO_TLSA) 1237 } 1238 // if here, ValState must be SECURE 1240 for each R in TLSArecords { 1241 // unusable records include unknown certUsage, unknown 1242 // selectorType, unknown matchingType, erroneous RDATA, and 1243 // prohibited by local policy 1244 if (R is unusable) { 1245 remove R from TLSArecords 1246 } 1247 } 1248 if (length(TLSArecords) == 0) { 1249 Finish(NO_TLSA) 1250 } 1252 // A TLS client might have multiple trust anchors that it might use 1253 // when validating the TLS server's end entity certificate. Also, 1254 // there can be multiple PKIX certification paths for the 1255 // certificates given by the server in TLS. Thus, there are 1256 // possibly many chains that might need to be tested during 1257 // PKIX path validation. 1259 for each R in TLSArecords { 1261 // pass PKIX certificate validation and chain through a CA cert 1262 // that comes from TLSA 1263 if (R.certUsage == 0) { 1264 for each PKIX certification path H { 1265 if (C passes PKIX certification path validation in H) { 1266 for each D in H { 1267 if ((D is a CA certificate) and 1268 Match(R.matchingType, Select(R.selectorType, D), 1269 R.cert)) { 1271 Finish(ACCEPT) 1272 } 1273 } 1274 } 1275 } 1276 } 1278 // pass PKIX certificate validation and match EE cert from TLSA 1279 if (R.certUsage == 1) { 1280 for each PKIX certification path H { 1281 if ((C passes PKIX certificate validation in H) and 1282 Match(R.matchingType, Select(R.selectorType, C), 1283 R.cert)) { 1284 Finish(ACCEPT) 1285 } 1286 } 1287 } 1289 // pass PKIX certification validation using TLSA record as the 1290 // trust anchor 1291 if (R.certUsage == 2) { 1292 for each PKIX certification path H that has R as the 1293 trust anchor { 1294 if (C passes PKIX certification validation in H) and 1295 Match(R.matchingType, Select(R.selectorType, C), 1296 R.cert)) { 1297 Finish(ACCEPT) 1298 } 1299 } 1300 } 1302 // match the TLSA record and the TLS certificate 1303 if (R.certUsage == 3) { 1304 if Match(R.matchingType, Select(R.selectorType, C), R.cert) 1305 Finish(ACCEPT) 1306 } 1307 } 1309 } 1311 // if here, then none of the TLSA records ended in "Finish(ACCEPT)" 1312 // so abort TLS 1313 Finish(ABORT_TLS) 1315 Appendix C. Examples 1317 The following are examples of self-signed certificates that have been 1318 been generated with various selectors and matching types. They were 1319 generated with one piece of software, and validated by an individual 1320 using other tools. 1322 S = Selector 1323 M = Matching Type 1325 S M Association Data 1326 0 0 30820454308202BC020900AB58D24E77AD2AF6300D06092A86 1327 4886F70D0101050500306C310B3009060355040613024E4C31163014 1328 0603550408130D4E6F6F72642D486F6C6C616E643112301006035504 1329 071309416D7374657264616D310C300A060355040A13034F53333123 1330 30210603550403131A64616E652E6B6965762E70726163746963756D 1331 2E6F73332E6E6C301E170D3132303131363136353730335A170D3232 1332 303131333136353730335A306C310B3009060355040613024E4C3116 1333 30140603550408130D4E6F6F72642D486F6C6C616E64311230100603 1334 5504071309416D7374657264616D310C300A060355040A13034F5333 1335 312330210603550403131A64616E652E6B6965762E70726163746963 1336 756D2E6F73332E6E6C308201A2300D06092A864886F70D0101010500 1337 0382018F003082018A0282018100E62C84A5AFE59F0A2A6B250DEE68 1338 7AC8C5C604F57D26CEB2119140FFAC38C4B9CBBE8923082E7F81626B 1339 6AD5DEA0C8771C74E3CAA7F613054AEFA3673E48FFE47B3F7AF987DE 1340 281A68230B24B9DA1A98DCBE51195B60E42FD7517C328D983E26A827 1341 C877AB914EE4C1BFDEAD48BD25BE5F2C473BA9C1CBBDDDA0C374D0D5 1342 8C389CC3D6D8C20662E19CF768F32441B7F7D14AEA8966CE7C32A172 1343 2AB38623D008029A9E4702883F8B977A1A1E5292BF8AD72239D40393 1344 37B86A3AC60FA001290452177BF1798609A05A130F033457A5212629 1345 FBDDB8E70E2A9E6556873C4F7CA46AE4A8B178F05FB319005E1C1C7D 1346 4BD77DFA34035563C126AA2C3328B900E7990AC9787F01DA82F74C3D 1347 4B6674CCECE1FD4C6EF9E6644F4635EDEDA39D8B0E2F7C8E06DAE775 1348 6213BD3D60831175BE290442B4AFC5AE6F46B769855A067C1097E617 1349 962529E166F22AEE10DDB981B8CD6FF17D3D70723169038DBFBC1A44 1350 9C8D0D31BC683C5F3CE26148E42EC9BBD4D9F261569B25B53C1D7FC2 1351 DDFF6B4CAC050203010001300D06092A864886F70D01010505000382 1352 0181002B2ABE063E9C86AC4A1F7835372091079C8276A9C2C5D1EC57 1353 64DE523FDDABDEAB3FD34E6FE6CBA054580A6785A663595D90132B93 1354 D473929E81FA0887D2FFF78A81C7D014B97778AB6AC9E5E690F6F5A9 1355 E92BB5FBAB71B857AE69B6E18BDCCB0BA6FCD9D4B084A34F3635148C 1356 495D48FE635903B888EC1DEB2610548EDD48D63F86513A4562469831 1357 48C0D5DB82D73A4C350A42BB661D763430FC6C8E5F9D13EA1B76AA52 1358 A4C358E5EA04000F794618303AB6CEEA4E9A8E9C74D73C1B0B7BAF16 1359 DEDE7696B5E2F206F777100F5727E1684D4132F5E692F47AF6756EA8 1360 B421000BE031B5D8F0220E436B51FB154FE9595333C13A2403F9DE08 1361 E5DDC5A22FD6182E339593E26374450220BC14F3E40FF33F084526B0 1362 9C34250702E8A352B332CCCB0F9DE2CF2B338823B92AFC61C0B6B8AB 1363 DB5AF718ED8DDA97C298E46B82A01B14814868CFA4F2C36268BFFF4A 1364 591F42658BF75918902D3E426DFE1D5FF0FC6A212071F6DA8BD833FE 1365 2E560D87775E8EE9333C05B6FB8EB56589D910DB5EA903 1367 0 1 EFDDF0D915C7BDC5782C0881E1B2A95AD099FBDD06D7B1F779 1368 82D9364338D955 1370 0 2 81EE7F6C0ECC6B09B7785A9418F54432DE630DD54DC6EE9E3C 1371 49DE547708D236D4C413C3E97E44F969E635958AA410495844127C04 1372 883503E5B024CF7A8F6A94 1374 1 0 308201A2300D06092A864886F70D01010105000382018F0030 1375 82018A0282018100E62C84A5AFE59F0A2A6B250DEE687AC8C5C604F5 1376 7D26CEB2119140FFAC38C4B9CBBE8923082E7F81626B6AD5DEA0C877 1377 1C74E3CAA7F613054AEFA3673E48FFE47B3F7AF987DE281A68230B24 1378 B9DA1A98DCBE51195B60E42FD7517C328D983E26A827C877AB914EE4 1379 C1BFDEAD48BD25BE5F2C473BA9C1CBBDDDA0C374D0D58C389CC3D6D8 1380 C20662E19CF768F32441B7F7D14AEA8966CE7C32A1722AB38623D008 1381 029A9E4702883F8B977A1A1E5292BF8AD72239D4039337B86A3AC60F 1382 A001290452177BF1798609A05A130F033457A5212629FBDDB8E70E2A 1383 9E6556873C4F7CA46AE4A8B178F05FB319005E1C1C7D4BD77DFA3403 1384 5563C126AA2C3328B900E7990AC9787F01DA82F74C3D4B6674CCECE1 1385 FD4C6EF9E6644F4635EDEDA39D8B0E2F7C8E06DAE7756213BD3D6083 1386 1175BE290442B4AFC5AE6F46B769855A067C1097E617962529E166F2 1387 2AEE10DDB981B8CD6FF17D3D70723169038DBFBC1A449C8D0D31BC68 1388 3C5F3CE26148E42EC9BBD4D9F261569B25B53C1D7FC2DDFF6B4CAC05 1389 0203010001 1391 1 1 8755CDAA8FE24EF16CC0F2C918063185E433FAAF1415664911 1392 D9E30A924138C4 1394 1 2 D43165B4CDF8F8660AECCCC5344D9D9AE45FFD7E6AAB7AB9EE 1395 C169B58E11F227ED90C17330CC17B5CCEF0390066008C720CEC6AAE5 1396 33A934B3A2D7E232C94AB4 1398 Authors' Addresses 1400 Paul Hoffman 1401 VPN Consortium 1403 Email: paul.hoffman@vpnc.org 1404 Jakob Schlyter 1405 Kirei AB 1407 Email: jakob@kirei.se