idnits 2.17.1 draft-ietf-dane-protocol-23.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 14, 2012) is 4305 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'This' is mentioned on line 740, but not defined ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) ** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525) ** Obsolete normative reference: RFC 6347 (Obsoleted by RFC 9147) -- Possible downref: Non-RFC (?) normative reference: ref. 'STD13' -- Obsolete informational reference (is this intentional?): RFC 2818 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 2845 (Obsoleted by RFC 8945) -- Obsolete informational reference (is this intentional?): RFC 4641 (Obsoleted by RFC 6781) Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Hoffman 3 Internet-Draft VPN Consortium 4 Intended status: Standards Track J. Schlyter 5 Expires: December 16, 2012 Kirei AB 6 June 14, 2012 8 The DNS-Based Authentication of Named Entities (DANE) Transport Layer 9 Security (TLS) Protocol: TLSA 10 draft-ietf-dane-protocol-23 12 Abstract 14 Encrypted communication on the Internet often uses Transport Level 15 Security (TLS), which depends on third parties to certify the keys 16 used. This document improves on that situation by enabling the 17 administrators of domain names to specify the keys used in that 18 domain's TLS servers. This requires matching improvements in TLS 19 client software, but no change in TLS server software. 21 Status of this Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at http://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on December 16, 2012. 38 Copyright Notice 40 Copyright (c) 2012 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (http://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 56 1.1. Background and Motivation . . . . . . . . . . . . . . . . 4 57 1.2. Securing the Association of a Domain Name with a 58 Server's Certificate . . . . . . . . . . . . . . . . . . . 5 59 1.3. Method For Securing Certificate Associations . . . . . . . 6 60 1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 7 61 2. The TLSA Resource Record . . . . . . . . . . . . . . . . . . . 7 62 2.1. TLSA RDATA Wire Format . . . . . . . . . . . . . . . . . . 8 63 2.1.1. The Certificate Usage Field . . . . . . . . . . . . . 8 64 2.1.2. The Selector Field . . . . . . . . . . . . . . . . . . 9 65 2.1.3. The Matching Type Field . . . . . . . . . . . . . . . 10 66 2.1.4. The Certificate Association Data Field . . . . . . . . 10 67 2.2. TLSA RR Presentation Format . . . . . . . . . . . . . . . 10 68 2.3. TLSA RR Examples . . . . . . . . . . . . . . . . . . . . . 11 69 3. Domain Names for TLSA Certificate Associations . . . . . . . . 11 70 4. Use of TLSA Records in TLS . . . . . . . . . . . . . . . . . . 12 71 4.1. Usable Certificate Associations . . . . . . . . . . . . . 12 72 5. TLSA and DANE Use Cases and Requirements . . . . . . . . . . . 14 73 6. Mandatory-to-Implement Features . . . . . . . . . . . . . . . 15 74 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 75 7.1. TLSA RRtype . . . . . . . . . . . . . . . . . . . . . . . 16 76 7.2. TLSA Certificate Usages . . . . . . . . . . . . . . . . . 16 77 7.3. TLSA Selectors . . . . . . . . . . . . . . . . . . . . . . 16 78 7.4. TLSA Matching Types . . . . . . . . . . . . . . . . . . . 17 79 8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 80 8.1. Comparing DANE to Public CAs . . . . . . . . . . . . . . . 19 81 8.1.1. Risk of Key Compromise . . . . . . . . . . . . . . . . 19 82 8.1.2. Impact of Key Compromise . . . . . . . . . . . . . . . 20 83 8.1.3. Detection of Key Compromise . . . . . . . . . . . . . 21 84 8.1.4. Spoofing Hostnames . . . . . . . . . . . . . . . . . . 21 85 8.2. DNS Caching . . . . . . . . . . . . . . . . . . . . . . . 21 86 8.3. External DNSSEC Validators . . . . . . . . . . . . . . . . 22 87 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22 88 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23 89 10.1. Normative References . . . . . . . . . . . . . . . . . . . 23 90 10.2. Informative References . . . . . . . . . . . . . . . . . . 23 91 Appendix A. Operational Considerations for Deploying TLSA 92 Records . . . . . . . . . . . . . . . . . . . . . . . 25 93 A.1. Creating TLSA Records . . . . . . . . . . . . . . . . . . 25 94 A.1.1. Ambiguities and Corner Cases When TLS Clients 95 Build Trust Chains . . . . . . . . . . . . . . . . . . 25 97 A.1.2. Choosing a Selector Type . . . . . . . . . . . . . . . 26 98 A.2. Provisioning TLSA Records in DNS . . . . . . . . . . . . . 28 99 A.2.1. Provisioning TLSA Records with Aliases . . . . . . . . 28 100 A.3. Securing the Last Hop . . . . . . . . . . . . . . . . . . 30 101 A.4. Handling Certificate Rollover . . . . . . . . . . . . . . 31 102 Appendix B. Pseudocode for Using TLSA . . . . . . . . . . . . . . 31 103 B.1. Helper Functions . . . . . . . . . . . . . . . . . . . . . 32 104 B.2. Main TLSA Pseudo Code . . . . . . . . . . . . . . . . . . 33 105 Appendix C. Examples . . . . . . . . . . . . . . . . . . . . . . 35 106 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 37 108 1. Introduction 110 1.1. Background and Motivation 112 Applications that communicate over the Internet often need to prevent 113 eavesdropping, tampering, or forgery of their communications. The 114 Transport Layer Security (TLS) protocol provides this kind of 115 communications security over the Internet, using channel encryption. 117 The security properties of encryption systems depend strongly on the 118 keys that they use. If secret keys are revealed, or if public keys 119 can be replaced by fake keys (that is, a key not corresponding to the 120 entity identified in the certificate), these systems provide little 121 or no security. 123 TLS uses certificates to bind keys and names. A certificate combines 124 a published key with other information such as the name of the 125 service that uses the key, and this combination is digitally signed 126 by another key. Having a key in a certificate is only helpful if one 127 trusts the other key that signed the certificate. If that other key 128 was itself revealed or substituted, then its signature is worthless 129 in proving anything about the first key. 131 On the Internet, this problem has been solved for years by entities 132 called "Certification Authorities" (CAs). CAs protect their secret 133 key vigorously, while supplying their public key to the software 134 vendors who build TLS clients. They then sign certificates, and 135 supply those to TLS servers. TLS client software uses a set of these 136 CA keys as "trust anchors" to validate the signatures on certificates 137 that the client receives from TLS servers. Client software typically 138 allows any CA to usefully sign any other certificate. 140 The public CA model upon which TLS has depended is fundamentally 141 vulnerable because it allows any of these CAs to issue a certificate 142 for any domain name. A single trusted CA that betrays its trust, 143 either voluntarily or by providing less-than-vigorous protection for 144 its secrets and capabilities, can undermine the security offered by 145 any certificates employed with TLS. This problem arises because a 146 compromised CA can issue a replacement certificate that contains a 147 fake key. Recent experiences with compromises of CAs or their 148 trusted partners have led to very serious security problems, such as 149 the governments of multiple countries attempting to wiretap and/or 150 subvert major TLS-protected web sites trusted by millions of users. 152 The DNS Security Extensions (DNSSEC) provides a similar model that 153 involves trusted keys signing the information for untrusted keys. 154 However, DNSSEC provides three significant improvements. Keys are 155 tied to names in the Domain Name System (DNS), rather than to 156 arbitrary identifying strings; this is more convenient for Internet 157 protocols. Signed keys for any domain are accessible online through 158 a straightforward query using the standard DNSSEC protocol, so there 159 is no problem distributing the signed keys. Most significantly, the 160 keys associated with a domain name can only be signed by a key 161 associated with the parent of that domain name; for example, the keys 162 for "example.com" can only be signed by the keys for "com", and the 163 keys for "com" can only be signed by the DNS root. This prevents an 164 untrustworthy signer from compromising anyone's keys except those in 165 their own subdomains. Like TLS, DNSSEC relies on public keys that 166 come built into the DNSSEC client software, but these keys come only 167 from a single root domain rather than from a multiplicity of CAs. 169 DNS-Based Authentication of Named Entities (DANE) offers the option 170 to use the DNSSEC infrastructure to store and sign keys and 171 certificates that are used by TLS. DANE is envisioned as a 172 preferable basis for binding public keys to DNS names, because the 173 entities that vouch for the binding of public key data to DNS names 174 are the same entities responsible for managing the DNS names in 175 question. While the resulting system still has residual security 176 vulnerabilities, it restricts the scope of assertions that can be 177 made by any entity, consistent with the naming scope imposed by the 178 DNS hierarchy. As a result, DANE embodies the security "principle of 179 least privilege" that is lacking in the current public CA model. 181 1.2. Securing the Association of a Domain Name with a Server's 182 Certificate 184 A TLS client begins a connection by exchanging messages with a TLS 185 server. For many application protocols, it looks up the server's 186 name using the DNS to get an Internet Protocol (IP) address 187 associated with the name. It then begins a connection to a 188 particular port at that address, and sends an initial message there. 189 However, the client does not yet know whether an adversary is 190 intercepting and/or altering its communication before it reaches the 191 TLS server. It does not even know whether the real TLS server 192 associated with that domain name has ever received its initial 193 messages. 195 The first response from the server in TLS may contain a certificate. 196 In order for the TLS client to authenticate that it is talking to the 197 expected TLS server, the client must validate that this certificate 198 is associated with the domain name used by the client to get to the 199 server. Currently, the client must extract the domain name from the 200 certificate and must successfully validate the certificate, including 201 chaining to a trust anchor. 203 There is a different way to authenticate the association of the 204 server's certificate with the intended domain name without trusting 205 an external CA. Given that the DNS administrator for a domain name 206 is authorized to give identifying information about the zone, it 207 makes sense to allow that administrator to also make an authoritative 208 binding between the domain name and a certificate that might be used 209 by a host at that domain name. The easiest way to do this is to use 210 the DNS, securing the binding with DNSSEC. 212 There are many use cases for such functionality. [RFC6394] lists the 213 ones to which the DNS RRtype in this document apply. [RFC6394] also 214 lists many requirements, most of which this document is believed to 215 meet. Section 5 covers the applicability of this document to the use 216 cases in detail. The protocol in this document can generally be 217 referred to as the "DANE TLSA" protocol. ("TLSA" does not stand for 218 anything; it is just the name of the RRtype.) 220 This document applies to both TLS [RFC5246] and DTLS [RFC6347]. In 221 order to make the document more readable, it mostly only talks about 222 "TLS", but in all cases, it means "TLS or DTLS". Although the 223 references in this paragraph are to TLS and DTLS version 1.2, the 224 DANE TLSA protocol can also be used with earlier versions of TLS and 225 DTLS. 227 This document only relates to securely associating certificates for 228 TLS and DTLS with host names; retrieving certificates from DNS for 229 other protocols is handled in other documents. For example, keys for 230 IPsec are covered in [RFC4025] and keys for SSH are covered in 231 [RFC4255]. 233 1.3. Method For Securing Certificate Associations 235 A certificate association is formed from a piece of information 236 identifying a certificate and the domain name where the server 237 application runs. The combination of a trust anchor and a domain 238 name can also be a certificate association. 240 A DNS query can return multiple certificate associations, such as in 241 the case of a server that is changing from one certificate to another 242 (described in more detail in Appendix A.4). 244 This document only applies to PKIX [RFC5280] certificates, not 245 certificates of other formats. 247 This document defines a secure method to associate the certificate 248 that is obtained from the TLS server with a domain name using DNS; 249 the DNS information needs to be be protected by DNSSEC. Because the 250 certificate association was retrieved based on a DNS query, the 251 domain name in the query is by definition associated with the 252 certificate. Note that this document does not cover how to associate 253 certificates with domain names for application protocols that depend 254 on SRV, NAPTR, and similar DNS resource records. It is expected that 255 future documents will cover methods for making those associations, 256 and those documents may or may not need to update this one. 258 DNSSEC, which is defined in [RFC4033], [RFC4034], and [RFC4035], uses 259 cryptographic keys and digital signatures to provide authentication 260 of DNS data. Information that is retrieved from the DNS and that is 261 validated using DNSSEC is thereby proved to be the authoritative 262 data. The DNSSEC signature needs to be validated on all responses 263 that use DNSSEC in order to assure the proof of origin of the data. 265 This document does not specify how DNSSEC validation occurs because 266 there are many different proposals for how a client might get 267 validated DNSSEC results, such as from a DNSSEC-aware resolver that 268 is coded in the application, from a trusted DNSSEC resolver on the 269 machine on which the application is running, or from a trusted DNSSEC 270 resolver with which the application is communicating over an 271 authenticated and integrity-protected channel or network. This is 272 described in more detail in Section 7 of [RFC4033]. 274 This document only relates to getting the DNS information for the 275 certificate association securely using DNSSEC; other secure DNS 276 mechanisms are out of scope. 278 1.4. Terminology 280 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 281 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 282 document are to be interpreted as described in RFC 2119 [RFC2119]. 284 This document also makes use of standard PKIX, DNSSEC, TLS, and DNS 285 terminology. See [RFC5280], [RFC4033], [RFC5246], and [STD13] 286 respectively, for these terms. In addition, terms related to TLS- 287 protected application services and DNS names are taken from 288 [RFC6125]. 290 2. The TLSA Resource Record 292 The TLSA DNS resource record (RR) is used to associate a TLS server 293 certificate or public key with the domain name where the record is 294 found, thus forming a "TLSA certificate association". The semantics 295 of how the TLSA RR is interpreted are given later in this document. 297 The type value for the TLSA RR type is defined in Section 7.1. 299 The TLSA RR is class independent. 301 The TLSA RR has no special TTL requirements. 303 2.1. TLSA RDATA Wire Format 305 The RDATA for a TLSA RR consists of a one octet certificate usage 306 field, a one octet selector field, a one octet matching type field 307 and the certificate association data field. 309 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 310 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 311 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 312 | Cert. Usage | Selector | Matching Type | / 313 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / 314 / / 315 / Certificate Association Data / 316 / / 317 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 319 2.1.1. The Certificate Usage Field 321 A one-octet value, called "certificate usage", specifies the provided 322 association that will be used to match the certificate presented in 323 the TLS handshake. This value is defined in a new IANA registry (see 324 Section 7.2) in order to make it easier to add additional certificate 325 usages in the future. The certificate usages defined in this 326 document are: 328 0 -- Certificate usage 0 is used to specify a CA certificate, or 329 the public key of such a certificate, that MUST be found in any of 330 the PKIX certification paths for the end entity certificate given 331 by the server in TLS. This certificate usage is sometimes 332 referred to as "CA constraint" because it limits which CA can be 333 used to issue certificates for a given service on a host. The 334 presented certificate MUST pass PKIX certification path validation 335 and a CA certificate that matches the TLSA record MUST be included 336 as part of a valid certification path. Because this certificate 337 usage allows both trust anchors and CA certificates, the 338 certificate might or might not have the basicConstraints extension 339 present. 341 1 -- Certificate usage 1 is used to specify an end entity 342 certificate, or the public key of such a certificate, that MUST be 343 matched with the end entity certificate given by the server in 344 TLS. This certificate usage is sometimes referred to as "service 345 certificate constraint" because it limits which end entity 346 certificate can be used by a given service on a host. The target 347 certificate MUST pass PKIX certification path validation and MUST 348 match the TLSA record. 350 2 -- Certificate usage 2 is used to specify a certificate, or the 351 public key of such a certificate, that MUST be used as the trust 352 anchor when validating the end entity certificate given by the 353 server in TLS. This certificate usage is sometimes referred to as 354 "trust anchor assertion" and allows a domain name administrator to 355 specify a new trust anchor. For example, if the domain issues its 356 own certificates under its own CA that is not expected to be in 357 the end users' collection of trust anchors. The target 358 certificate MUST pass PKIX certification path validation, with any 359 certificate matching the TLSA record considered to be a trust 360 anchor for this certification path validation. 362 3 -- Certificate usage 3 is used to specify a certificate, or the 363 public key of such a certificate, that MUST match the end entity 364 certificate given by the server in TLS. This certificate usage is 365 sometimes referred to as "domain-issued certificate" because it 366 allows for a domain name administrator to issue certificates for a 367 domain without involving a third-party CA. The target certificate 368 MUST match the TLSA record. The difference between certificate 369 usage 1 and certificate usage 3 is that certificate usage 1 370 requires that the certificate pass PKIX validation, but PKIX 371 validation is not tested for certificate usage 3. 373 The certificate usages defined in this document explicitly only apply 374 to PKIX-formatted certificates in DER encoding [X.690]. If TLS 375 allows other formats later, or if extensions to this RRtype are made 376 that accept other formats for certificates, those certificates will 377 need their own certificate usage values. 379 2.1.2. The Selector Field 381 A one-octet value, called "selector", specifies which part of the TLS 382 certificate presented by the server will be matched against the 383 association data. This value is defined in a new IANA registry (see 384 Section 7.3. The selectors defined in this document are: 386 0 -- Full certificate; the Certificate binary structure defined in 387 [RFC5280] 389 1 -- SubjectPublicKeyInfo; DER-encoded binary structure defined in 390 [RFC5280] 392 (Note that the use of "selector" in this document is completely 393 unrelated to the use of "selector" in DKIM [RFC6376].) 395 2.1.3. The Matching Type Field 397 A one-octet value, called "matching type", specifies how the 398 certificate association is presented. This value is defined in a new 399 IANA registry (see Section 7.4). The types defined in this document 400 are: 402 0 -- Exact match on selected content 404 1 -- SHA-256 hash of selected content [RFC6234] 406 2 -- SHA-512 hash of selected content [RFC6234] 408 If the TLSA record's matching type is a hash, having the record use 409 the same hash algorithm that was used in the signature in the 410 certificate (if possible) will assist clients that support a small 411 number of hash algorithms. 413 2.1.4. The Certificate Association Data Field 415 The "certificate association data" to be matched. These bytes are 416 either raw data (that is, the full certificate or its 417 SubjectPublicKeyInfo, depending on the selector) for matching type 0, 418 or the hash of the raw data for matching types 1 and 2. The data 419 refers to the certificate in the association, not to the TLS ASN.1 420 Certificate object. 422 2.2. TLSA RR Presentation Format 424 The presentation format of the RDATA portion (as defined in 425 [RFC1035]) is as follows: 427 o The certificate usage field MUST be represented as an 8-bit 428 unsigned integer. 430 o The selector field MUST be represented as an 8-bit unsigned 431 integer. 433 o The matching type field MUST be represented as an 8-bit unsigned 434 integer. 436 o The certificate association data field MUST be represented as a 437 string of hexadecimal characters. Whitespace is allowed within 438 the string of hexadecimal characters, as described in [RFC1035]. 440 2.3. TLSA RR Examples 442 In the following examples, the domain name is formed using the rules 443 in Section 3. 445 An example of a hashed (SHA-256) association of a PKIX CA 446 certificate: 448 _443._tcp.www.example.com. IN TLSA ( 449 0 0 1 d2abde240d7cd3ee6b4b28c54df034b9 450 7983a1d16e8a410e4561cb106618e971 ) 452 An example of a hashed (SHA-512) subject public key association of a 453 PKIX end entity certificate: 455 _443._tcp.www.example.com. IN TLSA ( 456 1 1 2 92003ba34942dc74152e2f2c408d29ec 457 a5a520e7f2e06bb944f4dca346baf63c 458 1b177615d466f6c4b71c216a50292bd5 459 8c9ebdd2f74e38fe51ffd48c43326cbc ) 461 An example of a full certificate association of a PKIX end entity 462 certificate: 464 _443._tcp.www.example.com. IN TLSA ( 465 3 0 0 30820307308201efa003020102020... ) 467 3. Domain Names for TLSA Certificate Associations 469 Unless there is a protocol-specific specification that is different 470 than this one, TLSA resource records are stored at a prefixed DNS 471 domain name. The prefix is prepared in the following manner: 473 1. The decimal representation of the port number on which a TLS- 474 based service is assumed to exist is prepended with an underscore 475 character ("_") to become the left-most label in the prepared 476 domain name. This number has no leading zeros. 478 2. The protocol name of the transport on which a TLS-based service 479 is assumed to exist is prepended with an underscore character 480 ("_") to become the second left-most label in the prepared domain 481 name. The transport names defined for this protocol are "tcp", 482 "udp" and "sctp". 484 3. The base domain name is appended to the result of step 2 to 485 complete the prepared domain name. The base domain name is the 486 fully-qualified DNS domain name [RFC1035] of the TLS server, with 487 the additional restriction that every label MUST meet the rules 488 of [RFC0952]. The latter restriction means that, if the query is 489 for an internationalized domain name, it MUST use the A-label 490 form as defined in [RFC5890]. 492 For example, to request a TLSA resource record for an HTTP server 493 running TLS on port 443 at "www.example.com", 494 "_443._tcp.www.example.com" is used in the request. To request a 495 TLSA resource record for an SMTP server running the STARTTLS protocol 496 on port 25 at "mail.example.com", "_25._tcp.mail.example.com" is 497 used. 499 4. Use of TLSA Records in TLS 501 Section 2.1 of this document defines the mandatory matching rules for 502 the data from the TLSA certificate associations and the certificates 503 received from the TLS server. 505 The TLS session that is to be set up MUST be for the specific port 506 number and transport name that was given in the TLSA query. 508 Some specifications for applications that run over TLS, such as 509 [RFC2818] for HTTP, require the server's certificate to have a domain 510 name that matches the host name expected by the client. Some 511 specifications such as [RFC6125] detail how to match the identity 512 given in a PKIX certificate with those expected by the user. 514 If a TLSA record has certificate usage 2, the corresponding TLS 515 server SHOULD send the certificate that is referenced just like it 516 currently sends intermediate certificates. 518 4.1. Usable Certificate Associations 520 An implementation of this protocol makes a DNS query for TLSA 521 records, validates these records using DNSSEC, and uses the resulting 522 TLSA records and validation status to modify its responses to the TLS 523 server. 525 Determining whether a TLSA RRset can be used MUST be based on the 526 DNSSEC validation state (as defined in [RFC4033]). 528 o A TLSA RRset whose DNSSEC validation state is secure MUST be used 529 as a certificate association for TLS unless a local policy would 530 prohibit the use of the specific certificate association in the 531 secure TLSA RRset. 533 o If the DNSSEC validation state on the response to the request for 534 the TLSA RRset is bogus, this MUST cause TLS not to be started or, 535 if the TLS negotiation is already in progress, MUST cause the 536 connection to be aborted. 538 o A TLSA RRset whose DNSSEC validation state is indeterminate or 539 insecure cannot be used for TLS and MUST be considered unusable. 541 Clients which validate the DNSSEC signatures themselves MUST use 542 standard DNSSEC validation procedures. Clients that rely on another 543 entity to perform the DNSSEC signature validation MUST use a secure 544 mechanism between themselves and the validator. Examples of secure 545 transports to other hosts include TSIG [RFC2845], SIG(0) [RFC2931], 546 and IPsec [RFC6071]. Note that it is not sufficient to use secure 547 transport to a DNS resolver that does not do DNSSEC signature 548 validation. See Section 8.3 for more security considerations related 549 to external validators. 551 If a certificate association contains a certificate usage, selector, 552 or matching type that is not understood by the TLS client, that 553 certificate association MUST be considered unusable. If the 554 comparison data for a certificate is malformed, the certificate 555 association MUST be considered unusable. 557 If a certificate association contains a matching type or certificate 558 association data that uses a cryptographic algorithm that is 559 considered too weak for the TLS client's policy, the certificate 560 association MUST be considered unusable. 562 If an application receives zero usable certificate associations from 563 a DNS request or from its cache, it processes TLS in the normal 564 fashion without any input from the TLSA records. If an application 565 receives one or more usable certificate associations, it attempts to 566 match each certificate association with the TLS server's end entity 567 certificate until a successful match is found. During the TLS 568 handshake, if none of the certificate associations matches the 569 certificate given by the TLS server, the TLS client MUST abort the 570 handshake. 572 An attacker who is able to divert a user to a server under his 573 control is also likely to be able to block DNS requests from the user 574 or DNS responses being sent to the user. Thus, in order to achieve 575 any security benefit from certificate usage 0 or 1, an application 576 that sends a request for TLSA records needs to get either a valid 577 signed response containing TLSA records or verification that the 578 domain is insecure or indeterminate. If a request for a TLSA record 579 does not meet one of those two criteria but the application continues 580 with the TLS handshake anyway, the application has gotten no benefit 581 from TLSA and SHOULD NOT make any internal or external indication 582 that TLSA was applied. If an application has a configuration setting 583 that has turned on TLSA use, or has any indication that TLSA is in 584 use (regardless of whether or not this is configurable), that 585 application either MUST NOT start a TLS connection or it MUST abort a 586 TLS handshake if both of the two criteria above are not met. 588 The application can perform the TLSA lookup before initiating the TLS 589 handshake, or do it during the TLS handshake: the choice is up to the 590 client. 592 5. TLSA and DANE Use Cases and Requirements 594 The different types of certificate associations defined in TLSA are 595 matched with various sections of [RFC6394]. The use cases from 596 Section 3 of [RFC6394] are covered in this document as follows: 598 3.1 CA Constraints -- Implemented using certificate usage 0. 600 3.2 Certificate Constraints -- Implemented using certificate usage 601 1. 603 3.3 Trust Anchor Assertion and Domain-Issued Certificates -- 604 Implemented using certificate usages 2 and 3, respectively. 606 The requirements from Section 4 of [RFC6394] are covered in this 607 document as follows: 609 Multiple Ports -- The TLSA records for different application 610 services running on a single host can be distinguished through the 611 service name and port number prefixed to the host name (see 612 Section 3). 614 No Downgrade -- Section 4 specifies the conditions under which a 615 client can process and act upon TLSA records. Specifically, if 616 the DNSSEC status for the TLSA resource record set is determined 617 to be bogus, the TLS connection (if started) will fail. 619 Encapsulation -- Covered in the TLSA response semantics. 621 Predictability -- The appendices of this specification provide 622 operational considerations and implementation guidance in order to 623 enable application developers to form a consistent interpretation 624 of the recommended client behavior. 626 Opportunistic Security -- If a client conformant to this 627 specification can reliably determine the presence of a TLSA 628 record, it will attempt to use this information. Conversely, if a 629 client can reliably determine the absence of any TLSA record, it 630 will fall back to processing TLS in the normal fashion. This is 631 discussed in Section 4. 633 Combination -- Multiple TLSA records can be published for a given 634 host name, thus enabling the client to construct multiple TLSA 635 certificate associations that reflect different assertions. No 636 support is provided to combine two TLSA certificate associations 637 in a single operation. 639 Roll-over -- TLSA records are processed in the normal manner within 640 the scope of DNS protocol, including the TTL expiration of the 641 records. This ensures that clients will not latch onto assertions 642 made by expired TLSA records, and will be able to transition from 643 using one public key or certificate usage to another. 645 Simple Key Management -- The SubjectPublicKeyInfo selector in the 646 TLSA record provides a mode that enables a domain holder to only 647 have to maintain a single long-lived public/private key pair 648 without the need to manage certificates. Appendix A outlines the 649 usefulness and the potential downsides to using this mode. 651 Minimal Dependencies -- This specification relies on DNSSEC to 652 protect the origin authenticity and integrity of the TLSA resource 653 record set. Additionally, if DNSSEC validation is not performed 654 on the system that wishes to use TLSA certificate bindings, this 655 specification requires that the "last mile" be over a secure 656 transport. There are no other deployment dependencies for this 657 approach. 659 Minimal Options -- The operating modes map precisely to the DANE use 660 cases and requirements. DNSSEC use is mandatory in that this 661 specification encourages applications to use only those TLSA 662 records that are shown to be validated. 664 Wild Cards -- Covered in a limited manner in the TLSA request 665 syntax; see Appendix A. 667 Redirection -- Covered in the TLSA request syntax; see Appendix A. 669 6. Mandatory-to-Implement Features 671 TLS clients conforming to this specification MUST be able to 672 correctly interpret TLSA records with certificate usages 0, 1, 2, and 673 3. TLS clients conforming to this specification MUST be able to 674 compare a certificate association with a certificate from the TLS 675 handshake using selector types 0 and 1, and matching type 0 (no hash 676 used) and matching type 1 (SHA-256), and SHOULD be able to make such 677 comparisons with matching type 2 (SHA-512). 679 7. IANA Considerations 681 IANA is requested to make the assignments in this section. IANA 682 might also consider making a "DANE" section in the main IANA registry 683 to help developers find related registries that might be created in 684 the future. 686 In the following sections, "RFC Required" was chosen for TLSA 687 certificate usages and "Specification Required" for selectors and 688 matching types because of the amount of detail that is likely to be 689 needed for implementers to correctly implement new certificate usages 690 as compared to new selectors and matching types. 692 7.1. TLSA RRtype 694 This document uses a new DNS RR type, TLSA, whose value (52) was 695 allocated by IANA from the Resource Record (RR) TYPEs subregistry of 696 the Domain Name System (DNS) Parameters registry. 698 7.2. TLSA Certificate Usages 700 This document creates a new registry, "Certificate Usages for TLSA 701 Resource Records". The registry policy is "RFC Required". The 702 initial entries in the registry are: 704 Value Short description Reference 705 ---------------------------------------------------------- 706 0 CA constraint [This] 707 1 Service certificate constraint [This] 708 2 Trust anchor assertion [This] 709 3 Domain-issued certificate [This] 710 4-254 Unassigned 711 255 Private use 713 Applications to the registry can request specific values that have 714 yet to be assigned. 716 7.3. TLSA Selectors 718 This document creates a new registry, "Selectors for TLSA Resource 719 Records". The registry policy is "Specification Required". The 720 initial entries in the registry are: 722 Value Short description Reference 723 ---------------------------------------------------------- 724 0 Full Certificate [This] 725 1 SubjectPublicKeyInfo [This] 726 2-254 Unassigned 727 255 Private use 729 Applications to the registry can request specific values that have 730 yet to be assigned. 732 7.4. TLSA Matching Types 734 This document creates a new registry, "Matching Types for TLSA 735 Resource Records". The registry policy is "Specification Required". 736 The initial entries in the registry are: 738 Value Short description Reference 739 -------------------------------------------------------- 740 0 No hash used [This] 741 1 SHA-256 RFC 6234 742 2 SHA-512 RFC 6234 743 3-254 Unassigned 744 255 Private use 746 Applications to the registry can request specific values that have 747 yet to be assigned. 749 8. Security Considerations 751 The security of the DNS RRtype described in this document relies on 752 the security of DNSSEC to verify that the TLSA record has not been 753 altered. 755 A DNS administrator who goes rogue and changes both the A, AAAA, 756 and/or TLSA records for a domain name can cause the client to go to 757 an unauthorized server that will appear authorized, unless the client 758 performs PKIX certification path validation and rejects the 759 certificate. That administrator could probably get a certificate 760 issued by some CA anyway, so this is not an additional threat. 762 If the authentication mechanism for adding or changing TLSA data in a 763 zone is weaker than the authentication mechanism for changing the A 764 and/or AAAA records, a man-in-the-middle who can redirect traffic to 765 their site may be able to impersonate the attacked host in TLS if 766 they can use the weaker authentication mechanism. A better design 767 for authenticating DNS would be to have the same level of 768 authentication used for all DNS additions and changes for a 769 particular domain name. 771 SSL proxies can sometimes act as a man-in-the-middle for TLS clients. 772 In these scenarios, the clients add a new trust anchor whose private 773 key is kept on the SSL proxy; the proxy intercepts TLS requests, 774 creates a new TLS session with the intended host, and sets up a TLS 775 session with the client using a certificate that chains to the trust 776 anchor installed in the client by the proxy. In such environments, 777 using TLSA records will prevent the SSL proxy from functioning as 778 expected because the TLS client will get a certificate association 779 from the DNS that will not match the certificate that the SSL proxy 780 uses with the client. The client, seeing the proxy's new certificate 781 for the supposed destination will not set up a TLS session. 783 Client treatment of any information included in the trust anchor is a 784 matter of local policy. This specification does not mandate that 785 such information be inspected or validated by the server's domain 786 name administrator. 788 If a server's certificate is revoked, or if an intermediate CA in a 789 chain between the server and a trust anchor has its certificate 790 revoked, a TLSA record with a certificate usage of 2 that matches the 791 revoked certificate would in essence override the revocation because 792 the client would treat that revoked certificate as a trust anchor and 793 thus not check its revocation status. Because of this, domain 794 administrators need to be responsible for being sure that the key or 795 certificate used in TLSA records with a certificate usage of 2 are in 796 fact able to be used as reliable trust anchors. 798 Certificates that are delivered in TLSA with certificate usage 2 799 fundamentally change the way the TLS server's end entity certificate 800 is evaluated. For example, the server's certificate might chain to 801 an existing CA through an intermediate CA that has certain policy 802 restrictions, and the certificate would not pass those restrictions 803 and thus normally be rejected. That intermediate CA could issue 804 itself a new certificate without the policy restrictions and tell its 805 customers to use that certificate with certificate usage 2. This in 806 essence allows an intermediate CA to become a trust anchor for 807 certificates that the end user might have expected to chain to an 808 existing trust anchor. 810 If an administrator wishes to stop using a TLSA record, the 811 administrator can simply remove it from the DNS. Normal clients will 812 stop using the TLSA record after the TTL has expired. Replay attacks 813 against the TLSA record are not possible after the expiration date on 814 the RRsig of the TLSA record that was removed. 816 Generators of TLSA records should be aware that the client's full 817 trust of a certificate association retrieved from a TLSA record may 818 be a matter of local policy. While such trust is limited to the 819 specific domain name, protocol, and port for which the TLSA query was 820 made, local policy may decline to accept the certificate (for reasons 821 such as weak cryptography), as is also the case with PKIX trust 822 anchors. 824 8.1. Comparing DANE to Public CAs 826 As stated above, the security of the DNS RRtype described in this 827 document relies on the security of DNSSEC to verify that the TLSA 828 record has not been altered. This section describes where the 829 security of public CAs and the security of TLSA are similar and 830 different. This section applies equally to other security-related 831 DNS RRtypes such as keys for IPsec and SSH. 833 DNSSEC forms certificates (the binding of an identity to a key) by 834 combining a DNSKEY, DS, or DLV resource record with an associated 835 RRSIG record. These records then form a signing chain extending from 836 the client's trust anchors to the RR of interest. 838 Although the DNSSEC protocol does not enforce it, DNSKEYs are often 839 marked with a SEP flag indicating whether the key is a Zone Signing 840 Key (ZSK) or a Key Signing Key (KSK). ZSKs protect records in the 841 zone (including DS and DLV records), and KSKs protect ZSK DNSKEY 842 records. This allows KSKs to be stored offline. 844 The TLSA RRtype allows keys from the DNSSEC PKI hierarchy to 845 authenticate keys wrapped in PKIX certificates for a particular host 846 name, protocol, and port. 848 With the exception of the DLV RRtype, all of these certificates 849 constrain the keys they identify to names that are within the zone 850 signing the certificate. In order for a domain's DLV resource 851 records to be honored, the domain must be configured as a DLV domain, 852 and the domain's DNSKEYs must be configured as trust anchors or be 853 authentic [RFC5074]. 855 8.1.1. Risk of Key Compromise 857 The risk that a given certificate that has a valid signing chain is 858 fake is related to the number of keys that can contribute to the 859 validation of the certificate, the quality of protection each private 860 key receives, the value of each key to an attacker, and the value of 861 falsifying the certificate. 863 DNSSEC allows any set of domains to be configured as trust anchors 864 and/or DLVs, but most clients are likely to use the root zone as its 865 only trust anchor. Also, because a given DNSKEY can only sign 866 resource records for that zone, the number of private keys capable of 867 compromising a given TLSA resource record is limited to the number of 868 zones between the TLSA resource record and the nearest trust anchor, 869 plus any configured DLV domains. Typically, this will be six keys, 870 half of which will be KSKs. 872 PKIX only describes how to validate a certificate based on a client- 873 chosen set of trust anchors, but says nothing about how many trust 874 anchors to use or how they should be constrained. As currently 875 deployed, most PKIX clients use a large number of trust anchors 876 provided with the client or operating system software. These trust 877 anchors are selected carefully, but with a desire for broad 878 interoperability. The trust anchors and CA certificates for public 879 CAs rarely have name constraints applied. 881 A combination of technical protections, process controls, and 882 personnel experience contribute to the quality of security that keys 883 receive. 885 o The security surrounding DNSSEC DNSKEYs varies significantly. The 886 KSK/ZSK split allows the KSK to be stored offline and protected 887 more carefully than the ZSK, but not all domains do so. The 888 security applied to a zone's DNSKEYs should be proportional to the 889 value of the domain, but that is difficult to estimate. For 890 example, the root DNSKEY has protections and controls comparable 891 to or exceeding that of public CAs. On the other end of the 892 spectrum, small domains might provide no more protection to their 893 keys than they do to their other data. 895 o The security surrounding public CAs also varies. However, due to 896 financial incentives and standards imposed by clients for 897 acceptance into their trust anchor stores, CAs generally employ 898 security experts and protect their keys carefully, though highly- 899 public compromises have occurred. 901 8.1.2. Impact of Key Compromise 903 The impact of a key compromise differs significantly between the two 904 models. 906 o DNSKEYs are inherently limited in what they can sign, so a 907 compromise of the DNSKEY for "example.com" provides no avenue of 908 attack against "example.org". Even the impact of a compromise of 909 .com's DNSKEY, while considerable, would be limited to .com 910 domains. Only the compromise of the root DNSKEY would have the 911 equivalent impact of an unconstrained public CA. 913 o Public CAs are not typically constrained in what names they can 914 sign, and therefore a compromise of even one CA allows the 915 attacker to generate a certificate for any name in the DNS. A 916 domain holder can get a certificate from any willing CA, or even 917 multiple CAs simultaneously, making it impossible for a client to 918 determine whether the certificate it is validating is legitimate 919 or fraudulent. 921 Because a TLSA certificate association is constrained to its 922 associated name, protocol, and port, the PKIX certificate is 923 similarly constrained, even if its public CAs signing the certificate 924 (if any) are not. 926 8.1.3. Detection of Key Compromise 928 If a key is compromised, rapid and reliable detection is important in 929 order to limit the impact of the compromise. In this regard, neither 930 model prevents an attacker from near-invisibly attacking their 931 victim, provided that the necessary keys are compromised. 933 If a public CA is compromised, only the victim will see the 934 fraudulent certificate, as there is typically no publicly-accessible 935 directory of all the certificates issued by a CA that can be 936 inspected. DNS resource records are typically published publicly. 937 However, the attacker could also allow the uncompromised records to 938 be published to the Internet as usual but provide a compromised DNS 939 view to the victim to achieve the same effect. 941 8.1.4. Spoofing Hostnames 943 Some CAs implement technical controls to ensure that certificates are 944 not issued to domains with names similar to popular & prone-to-attack 945 domains. Of course, an attacker can attempt to circumvent this 946 restriction by finding a CA willing to issue the certificate anyway. 947 However, by using DNSSEC and TLSA, the attacker can circumvent this 948 check completely. 950 8.2. DNS Caching 952 Implementations of this protocol rely heavily on the DNS, and are 953 thus prone to security attacks based on the deliberate mis- 954 association of TLSA records and DNS names. Implementations need to 955 be cautious in assuming the continuing validity of an association 956 between a TLSA record and a DNS name. 958 In particular, implementations SHOULD rely on their DNS resolver for 959 confirmation of an association between a TLSA record and a DNS name, 960 rather than caching the result of previous domain name lookups. Many 961 platforms already can cache domain name lookups locally when 962 appropriate, and they SHOULD be configured to do so. It is proper 963 for these lookups to be cached, however, only when the TTL (Time To 964 Live) information reported by the DNS makes it likely that the cached 965 information will remain useful. 967 If implementations cache the results of domain name lookups in order 968 to achieve a performance improvement, they MUST observe the TTL 969 information reported by DNS. Implementations that fail to follow 970 this rule could be spoofed or have access denied when a previously- 971 accessed server's TLSA record changes, such as during a certificate 972 rollover. 974 8.3. External DNSSEC Validators 976 Due to a lack of DNSSEC support in the most commonly-deployed stub 977 resolvers today, some ISPs have begun checking DNSSEC in the 978 recursive resolvers they provide to their customers, setting the AD 979 flag as appropriate. DNSSEC-aware clients could use that data, 980 ignoring the fact that the DNSSEC data has been validated externally. 981 Because there is typically no authentication of the recursive 982 resolver or integrity protection of the the data and AD flag between 983 the client and the recursive resolver, this can be trivially spoofed 984 by an attacker. 986 However, even with secure communications between a host and the 987 external validating resolver, there is a risk that the external 988 validator could become compromised. Nothing prevents a compromised 989 external DNSSEC validator from claiming that all the records it 990 provides are secure, even if the data is falsified, unless the client 991 checks the DNSSEC data itself (rendering the the external validator 992 unnecessary). 994 For this reason, DNSSEC validation is best performed on-host, even 995 when a secure path to an external validator is available. 997 9. Acknowledgements 999 Many of the ideas in this document have been discussed over many 1000 years. More recently, the ideas have been discussed by the authors 1001 and others in a more focused fashion. In particular, some of the 1002 ideas and words here originated with Paul Vixie, Dan Kaminsky, Jeff 1003 Hodges, Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam 1004 Langley, Ben Laurie, Ilari Liusvaara, Ondrej Mikle, Scott Schmit, 1005 Ondrej Sury, Richard Barnes, Jim Schaad, Stephen Farrell, Suresh 1006 Krishnaswamy, Peter Palfrader, Pieter Lexis, Wouter Wijngaards, John 1007 Gilmore, and Murray Kucherawy. 1009 This document has also been greatly helped by many active 1010 participants of the DANE Working Group. 1012 10. References 1014 10.1. Normative References 1016 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1017 Requirement Levels", BCP 14, RFC 2119, March 1997. 1019 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1020 Rose, "DNS Security Introduction and Requirements", 1021 RFC 4033, March 2005. 1023 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1024 Rose, "Resource Records for the DNS Security Extensions", 1025 RFC 4034, March 2005. 1027 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1028 Rose, "Protocol Modifications for the DNS Security 1029 Extensions", RFC 4035, March 2005. 1031 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 1032 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 1034 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 1035 Housley, R., and W. Polk, "Internet X.509 Public Key 1036 Infrastructure Certificate and Certificate Revocation List 1037 (CRL) Profile", RFC 5280, May 2008. 1039 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and 1040 Verification of Domain-Based Application Service Identity 1041 within Internet Public Key Infrastructure Using X.509 1042 (PKIX) Certificates in the Context of Transport Layer 1043 Security (TLS)", RFC 6125, March 2011. 1045 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 1046 Security Version 1.2", RFC 6347, January 2012. 1048 [STD13] Mockapetris, P., "Domain Name System", STD 13, 1049 November 1987. 1051 10.2. Informative References 1053 [RFC0952] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet 1054 host table specification", RFC 952, October 1985. 1056 [RFC1035] Mockapetris, P., "Domain names - implementation and 1057 specification", STD 13, RFC 1035, November 1987. 1059 [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for 1060 specifying the location of services (DNS SRV)", RFC 2782, 1061 February 2000. 1063 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. 1065 [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B. 1066 Wellington, "Secret Key Transaction Authentication for DNS 1067 (TSIG)", RFC 2845, May 2000. 1069 [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures ( 1070 SIG(0)s)", RFC 2931, September 2000. 1072 [RFC4025] Richardson, M., "A Method for Storing IPsec Keying 1073 Material in DNS", RFC 4025, March 2005. 1075 [RFC4255] Schlyter, J. and W. Griffin, "Using DNS to Securely 1076 Publish Secure Shell (SSH) Key Fingerprints", RFC 4255, 1077 January 2006. 1079 [RFC4641] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices", 1080 RFC 4641, September 2006. 1082 [RFC5074] Weiler, S., "DNSSEC Lookaside Validation (DLV)", RFC 5074, 1083 November 2007. 1085 [RFC5890] Klensin, J., "Internationalized Domain Names for 1086 Applications (IDNA): Definitions and Document Framework", 1087 RFC 5890, August 2010. 1089 [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: 1090 Extension Definitions", RFC 6066, January 2011. 1092 [RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and 1093 Internet Key Exchange (IKE) Document Roadmap", RFC 6071, 1094 February 2011. 1096 [RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms 1097 (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011. 1099 [RFC6376] Crocker, D., Hansen, T., and M. Kucherawy, "DomainKeys 1100 Identified Mail (DKIM) Signatures", RFC 6376, 1101 September 2011. 1103 [RFC6394] Barnes, R., "Use Cases and Requirements for DNS-Based 1104 Authentication of Named Entities (DANE)", RFC 6394, 1105 October 2011. 1107 [X.690] "Recommendation ITU-T X.690 (2002) | ISO/IEC 8825-1:2002, 1108 Information technology - ASN.1 encoding rules: 1109 Specification of Basic Encoding Rules (BER), Canonical 1110 Encoding Rules (CER) and Distinguished Encoding Rules 1111 (DER)", 2002. 1113 Appendix A. Operational Considerations for Deploying TLSA Records 1115 A.1. Creating TLSA Records 1117 When creating TLSA records, care must be taken to avoid 1118 misconfigurations. Section 4 of this document states that a TLSA 1119 RRset whose validation state is secure MUST be used. This means that 1120 the existence of such a RRset effectively disables other forms of 1121 name and path validation. A misconfigured TLSA RRset will 1122 effectively disable access to the TLS server for all conforming 1123 clients, and this document does not provide any means of making a 1124 gradual transition to using TLSA. 1126 When creating TLSA records with certificate usage 0 (CA Certificate) 1127 or usage 2 (Trust Anchor), one needs to understand the implications 1128 when choosing between selector type 0 (full certificate) and 1 1129 (SubjectPublicKeyInfo). A careful choice is required because 1130 different methods for building trust chains are used by different TLS 1131 clients. The following outlines the cases that one ought to be aware 1132 of and discusses the implications of the choice of selector type. 1134 Certificate usage 2 is not affected by the different types of chain 1135 building when the end entity certificate is the same as the trust 1136 anchor certificate. 1138 A.1.1. Ambiguities and Corner Cases When TLS Clients Build Trust Chains 1140 TLS clients can implement their own chain-building code rather than 1141 rely on the chain presented by the TLS server. This means that, 1142 except for the end entity certificate, any certificate presented in 1143 the suggested chain might or might not be present in the final chain 1144 built by the client. 1146 Certificates that the client can use to replace certificates from the 1147 original chain include: 1149 o Client's trust anchors 1150 o Certificates cached locally 1152 o Certificates retrieved from a URI listed in an Authority 1153 Information Access X.509v3 extension 1155 CAs frequently reissue certificates with different validity periods, 1156 signature algorithms (such as an different hash algorithm in the 1157 signature algorithm), CA key pairs (such as for a cross-certificate), 1158 or PKIX extensions where the public key and subject remain the same. 1159 These reissued certificates are the certificates TLS client can use 1160 in place of an original certificate. 1162 Clients are known to exchange or remove certificates that could cause 1163 TLSA certificate associations that rely on the full certificate to 1164 fail. For example: 1166 o The client considers the signature algorithm of a certificate to 1167 no longer be sufficiently secure 1169 o The client might not have an associated root certificate in its 1170 trust store and instead uses a cross-certificate with an identical 1171 subject and public key. 1173 A.1.2. Choosing a Selector Type 1175 In this section, "false-negative failure" means that a client will 1176 not accept the TLSA certificate association for a certificate 1177 designated by DNS administrator. Also, "false-positive acceptance" 1178 means that the client accepts a TLSA association for a certificate 1179 that is not designated by the DNS administrator. 1181 A.1.2.1. Selector Type 0 (Full Certificate) 1183 The "Full certificate" selector provides the most precise 1184 specification of a TLSA certificate association, capturing all fields 1185 of the PKIX certificate. For a DNS administrator, the best course to 1186 avoid false-negative failures in the client when using this selector 1187 is: 1189 1. If a CA issued a replacement certificate, don't associate to CA 1190 certificates that have a signature algorithm with a hash that is 1191 considered weak by local policy. 1193 2. Determine how common client applications process the TLSA 1194 certificate association using a fresh client installation, that 1195 is, with the local certificate cache empty. 1197 A.1.2.2. Selector Type 1 (SubjectPublicKeyInfo) 1199 A SubjectPublicKeyInfo selector gives greater flexibility in avoiding 1200 some false-negative failures caused by trust-chain-building 1201 algorithms used in clients. 1203 One specific use-case ought to be noted: creating a TLSA certificate 1204 association to CA certificate I1 that directly signed end entity 1205 certificate S1 of the server. The case can be illustrated by 1206 following graph: 1208 +----+ +----+ 1209 | I1 | | I2 | 1210 +----+ +----+ 1211 | | 1212 v v 1213 +----+ +----+ 1214 | S1 | | S1 | 1215 +----+ +----+ 1216 Certificate chain sent by A different validation path 1217 server in TLS handshake built by the TLS client 1219 I2 is a reissued version of CA certificate I1 (that is, it has a 1220 different hash in its signature algorithm). 1222 In the above scenario, both certificates I1 and I2 that sign S1 need 1223 to have identical SubjectPublicKeyInfos because the key used to sign 1224 S1 is fixed. An association to SubjectPublicKeyInfo (selector type 1225 1) will always succeed in such a case, but an association with a full 1226 certificate (selector type 0) might not work due to a false-negative 1227 failure. 1229 The attack surface is a bit broader compared to "full certificate" 1230 selector: the DNS administrator might unintentionally specify an 1231 association that would lead to false-positive acceptance. 1233 o The administrator must know or trust that the CA does not engage 1234 in bad practices, such as not sharing the key of I1 for unrelated 1235 CA certificates leading to trust-chain redirect. If possible, the 1236 administrator ought to review all CA certificates that have the 1237 same SPKI. 1239 o The administrator ought to understand whether some PKIX extension 1240 may adversely affect security of the association. If possible, 1241 administrators ought to review all CA certificates that share the 1242 SubjectPublicKeyInfo. 1244 o The administrator ought to understand that any CA could, in the 1245 future, issue a certificate that contains the same 1246 SubjectPublicKeyInfo. Therefore, new chains can crop up in the 1247 future without any warning. 1249 Using the SubjectPublicKeyInfo selector for association with a 1250 certificate in a chain above I1 needs to be decided on a case-by-case 1251 basis: there are too many possibilities based on the issuing CA's 1252 practices. Unless the full implications of such an association are 1253 understood by the administrator, using selector type 0 is a better 1254 option from a security perspective. 1256 A.2. Provisioning TLSA Records in DNS 1258 A.2.1. Provisioning TLSA Records with Aliases 1260 The TLSA resource record is not special in the DNS; it acts exactly 1261 like any other RRtype where the queried name has one or more labels 1262 prefixed to the base name, such as the SRV RRtype [RFC2782]. This 1263 affects the way that the TLSA resource record is used when aliasing 1264 in the DNS. 1266 Note that the IETF sometimes adds new types of aliasing in the DNS. 1267 If that happens in the future, those aliases might affect TLSA 1268 records, hopefully in a good way. 1270 A.2.1.1. Provisioning TLSA Records with CNAME Records 1272 Using CNAME to alias in DNS only aliases from the exact name given, 1273 not any zones below the given name. For example, assume that a zone 1274 file has only the following: 1276 sub1.example.com. IN CNAME sub2.example.com. 1278 In this case, a request for the A record at "bottom.sub1.example.com" 1279 would not return any records because the CNAME given only aliases the 1280 name given. Assume, instead, the zone file has the following: 1282 sub3.example.com. IN CNAME sub4.example.com. 1283 bottom.sub3.example.com. IN CNAME bottom.sub4.example.com. 1285 In this case, a request for the A record at bottom.sub3.example.com 1286 would in fact return whatever value for the A record exists at 1287 bottom.sub4.example.com. 1289 Application implementations and full-service resolvers request DNS 1290 records using libraries that automatically follow CNAME (and DNAME) 1291 aliasing. This allows hosts to put TLSA records in their own zones 1292 or to use CNAME to do redirection. 1294 If the owner of the original domain wants a TLSA record for the same, 1295 they simply enter it under the defined prefix: 1297 ; No TLSA record in target domain 1298 ; 1299 sub5.example.com. IN CNAME sub6.example.com. 1300 _443._tcp.sub5.example.com. IN TLSA 1 1 1 308202c5308201ab... 1301 sub6.example.com. IN A 192.0.2.1 1302 sub6.example.com. IN AAAA 2001:db8::1 1304 If the owner of the original domain wants to have the target domain 1305 host the TLSA record, the original domain uses a CNAME record: 1307 ; TLSA record for original domain has CNAME to target domain 1308 ; 1309 sub5.example.com. IN CNAME sub6.example.com. 1310 _443._tcp.sub5.example.com. IN CNAME _443._tcp.sub6.example.com. 1311 sub6.example.com. IN A 192.0.2.1 1312 sub6.example.com. IN AAAA 2001:db8::1 1313 _443._tcp.sub6.example.com. IN TLSA 1 1 1 536a570ac49d9ba4... 1315 Note that it is acceptable for both the original domain and the 1316 target domain to have TLSA records, but the two records are 1317 unrelated. Consider the following: 1319 ; TLSA record in both the original and target domain 1320 ; 1321 sub5.example.com. IN CNAME sub6.example.com. 1322 _443._tcp.sub5.example.com. IN TLSA 1 1 1 308202c5308201ab... 1323 sub6.example.com. IN A 192.0.2.1 1324 sub6.example.com. IN AAAA 2001:db8::1 1325 _443._tcp.sub6.example.com. IN TLSA 1 1 1 ac49d9ba4570ac49... 1327 In this example, someone looking for the TLSA record for 1328 sub5.example.com would always get the record whose value starts 1329 "308202c5308201ab"; the TLSA record whose value starts 1330 "ac49d9ba4570ac49" would only be sought by someone who is looking for 1331 the TLSA record for sub6.example.com, and never for sub5.example.com. 1332 Note that deploying different certificates for multiple services 1333 located at a shared TLS listener often requires the use of TLS SNI 1334 (Server Name Indication) [RFC6066]. 1336 Note that these methods use the normal method for DNS aliasing using 1337 CNAME: the DNS client requests the record type that they actually 1338 want. 1340 A.2.1.2. Provisioning TLSA Records with DNAME Records 1342 Using DNAME records allows a zone owner to alias an entire subtree of 1343 names below the name that has the DNAME. This allows the wholesale 1344 aliasing of prefixed records such as those used by TLSA, SRV, and so 1345 on without aliasing the name itself. However, because DNAME can only 1346 be used for subtrees of a base name, it is rarely used to alias 1347 individual hosts that might also be running TLS. 1349 ; TLSA record in target domain, visible in original domain via DNAME 1350 ; 1351 sub5.example.com. IN CNAME sub6.example.com. 1352 _tcp.sub5.example.com. IN DNAME _tcp.sub6.example.com. 1353 sub6.example.com. IN A 192.0.2.1 1354 sub6.example.com. IN AAAA 2001:db8::1 1355 _443._tcp.sub6.example.com. IN TLSA 1 1 1 536a570ac49d9ba4... 1357 A.2.1.3. Provisioning TLSA Records with Wildcards 1359 Wildcards are generally not terribly useful for RRtypes that require 1360 prefixing because one can only wildcard at a layer below the host 1361 name. For example, if one wants to have the same TLSA record for 1362 every TCP port for www.example.com, the result might be: 1364 *._tcp.www.example.com. IN TLSA 1 1 1 5c1502a6549c423b... 1366 This is possibly useful in some scenarios where the same service is 1367 offered on many ports or the same certificate and/or key is used for 1368 all services on a host. Note that the domain being searched for is 1369 not necessarily related to the domain name found in the certificate, 1370 so a certificate with a wildcard in it is not searched for using a 1371 wildcard in the search request. 1373 A.3. Securing the Last Hop 1375 As described in Section 4, an application processing TLSA records 1376 must know the DNSSEC validity of those records. There are many ways 1377 for the application to determine this securely, and this 1378 specification does not mandate any single method. 1380 Some common methods for an application to know the DNSSEC validity of 1381 TLSA records include: 1383 o The application can have its own DNS resolver and DNSSEC 1384 validation stack. 1386 o The application can communicate through a trusted channel (such as 1387 requests to the operating system under which the application is 1388 running) to a local DNS resolver that does DNSSEC validation. 1390 o The application can communicate through a secured channel (such as 1391 requests running over TLS, IPsec, TSIG or SIG(0)) to a non-local 1392 DNS resolver that does DNSSEC validation. 1394 o The application can communicate through a secured channel (such as 1395 requests running over TLS, IPsec, TSIG or SIG(0)) to a non-local 1396 DNS resolver that does not do DNSSEC validation, but gets 1397 responses through a secured channel from a different DNS resolver 1398 that does DNSSEC validation. 1400 A.4. Handling Certificate Rollover 1402 Certificate rollover is handled in much the same was as for rolling 1403 DNSSEC zone signing keys using the pre-publish key rollover method 1404 [RFC4641]. Suppose example.com has a single TLSA record for a TLS 1405 service on TCP port 990: 1407 _990._tcp.example.com IN TLSA 1 1 1 1CFC98A706BCF3683015... 1409 To start the rollover process, obtain or generate the new certificate 1410 or SubjectPublicKeyInfo to be used after the rollover and generate 1411 the new TLSA record. Add that record alongside the old one: 1413 _990._tcp.example.com IN TLSA 1 1 1 1CFC98A706BCF3683015... 1414 _990._tcp.example.com IN TLSA 1 1 1 62D5414CD1CC657E3D30... 1416 After the new records have propagated to the authoritative 1417 nameservers and the TTL of the old record has expired, switch to the 1418 new certificate on the TLS server. Once this has occurred, the old 1419 TLSA record can be removed: 1421 _990._tcp.example.com IN TLSA 1 1 1 62D5414CD1CC657E3D30... 1423 This completes the certificate rollover. 1425 Appendix B. Pseudocode for Using TLSA 1427 This appendix describes the interactions given earlier in this 1428 specification in pseudocode format. If the steps below disagree with 1429 the text earlier in the document, the steps earlier in the document 1430 ought to be considered correct and this text incorrect. 1432 Note that this pseudocode is more strict than the normative text. 1433 For instance, it forces an order on the evaluation of criteria which 1434 is not mandatory from the normative text. 1436 B.1. Helper Functions 1438 // implement the function for exiting 1439 function Finish (F) = { 1440 if (F == ABORT_TLS) { 1441 abort the TLS handshake or prevent TLS from starting 1442 exit 1443 } 1445 if (F == NO_TLSA) { 1446 fall back to non-TLSA certificate validation 1447 exit 1448 } 1450 if (F == ACCEPT) { 1451 accept the TLS connection 1452 exit 1453 } 1455 // unreachable 1456 } 1458 // implement the selector function 1459 function Select (S, X) = { 1460 // Full certificate 1461 if (S == 0) { 1462 return X in DER encoding 1463 } 1465 // SubjectPublicKeyInfo 1466 if (S == 1) { 1467 return X.SubjectPublicKeyInfo in DER encoding 1468 } 1470 // unreachable 1471 } 1473 // implement the matching function 1474 function Match (M, X, Y) { 1475 // Exact match on selected content 1476 if (M == 0) { 1477 return (X == Y) 1478 } 1480 // SHA-256 hash of selected content 1481 if (M == 1) { 1482 return (SHA-256(X) == Y) 1484 } 1486 // SHA-512 hash of selected content 1487 if (M == 2) { 1488 return (SHA-512(X) == Y) 1489 } 1491 // unreachable 1492 } 1494 B.2. Main TLSA Pseudo Code 1496 TLS connect using [transport] to [name] on [port] and receiving end 1497 entity cert C for the TLS server: 1499 (TLSArecords, ValState) = DNSSECValidatedLookup( 1500 domainname=_[port]._[transport].[name], RRtype=TLSA) 1502 // check for states that would change processing 1503 if (ValState == BOGUS) { 1504 Finish(ABORT_TLS) 1505 } 1506 if ((ValState == INDETERMINATE) or (ValState == INSECURE)) { 1507 Finish(NO_TLSA) 1508 } 1509 // if here, ValState must be SECURE 1511 for each R in TLSArecords { 1512 // unusable records include unknown certUsage, unknown 1513 // selectorType, unknown matchingType, erroneous RDATA, and 1514 // prohibited by local policy 1515 if (R is unusable) { 1516 remove R from TLSArecords 1517 } 1518 } 1519 if (length(TLSArecords) == 0) { 1520 Finish(NO_TLSA) 1521 } 1523 // A TLS client might have multiple trust anchors that it might use 1524 // when validating the TLS server's end entity certificate. Also, 1525 // there can be multiple PKIX certification paths for the 1526 // certificates given by the server in TLS. Thus, there are 1527 // possibly many chains that might need to be tested during 1528 // PKIX path validation. 1530 for each R in TLSArecords { 1532 // pass PKIX certificate validation and chain through a CA cert 1533 // that comes from TLSA 1534 if (R.certUsage == 0) { 1535 for each PKIX certification path H { 1536 if (C passes PKIX certification path validation in H) { 1537 for each D in H { 1538 if ((D is a CA certificate) and 1539 Match(R.matchingType, Select(R.selectorType, D), 1540 R.cert)) { 1541 Finish(ACCEPT) 1542 } 1543 } 1544 } 1545 } 1546 } 1548 // pass PKIX certificate validation and match EE cert from TLSA 1549 if (R.certUsage == 1) { 1550 for each PKIX certification path H { 1551 if ((C passes PKIX certificate validation in H) and 1552 Match(R.matchingType, Select(R.selectorType, C), 1553 R.cert)) { 1554 Finish(ACCEPT) 1555 } 1556 } 1557 } 1559 // pass PKIX certification validation using TLSA record as the 1560 // trust anchor 1561 if (R.certUsage == 2) { 1562 // the following assert() is merely a formalization of the 1563 // "trust anchor" condition for a certificate D matching R 1564 assert(Match(R.matchingType, Select(R.selectorType, D), R.cert)) 1566 for each PKIX certification path H that has certificate D 1567 matching R as the trust anchor { 1568 if (C passes PKIX validation in H) { 1569 Finish(ACCEPT); 1570 } 1571 } 1572 } 1574 // match the TLSA record and the TLS certificate 1575 if (R.certUsage == 3) { 1576 if Match(R.matchingType, Select(R.selectorType, C), R.cert) 1577 Finish(ACCEPT) 1579 } 1580 } 1582 } 1584 // if here, then none of the TLSA records ended in "Finish(ACCEPT)" 1585 // so abort TLS 1586 Finish(ABORT_TLS) 1588 Appendix C. Examples 1590 The following are examples of self-signed certificates that have been 1591 been generated with various selectors and matching types. They were 1592 generated with one piece of software, and validated by an individual 1593 using other tools. 1595 S = Selector 1596 M = Matching Type 1598 S M Association Data 1599 0 0 30820454308202BC020900AB58D24E77AD2AF6300D06092A86 1600 4886F70D0101050500306C310B3009060355040613024E4C31163014 1601 0603550408130D4E6F6F72642D486F6C6C616E643112301006035504 1602 071309416D7374657264616D310C300A060355040A13034F53333123 1603 30210603550403131A64616E652E6B6965762E70726163746963756D 1604 2E6F73332E6E6C301E170D3132303131363136353730335A170D3232 1605 303131333136353730335A306C310B3009060355040613024E4C3116 1606 30140603550408130D4E6F6F72642D486F6C6C616E64311230100603 1607 5504071309416D7374657264616D310C300A060355040A13034F5333 1608 312330210603550403131A64616E652E6B6965762E70726163746963 1609 756D2E6F73332E6E6C308201A2300D06092A864886F70D0101010500 1610 0382018F003082018A0282018100E62C84A5AFE59F0A2A6B250DEE68 1611 7AC8C5C604F57D26CEB2119140FFAC38C4B9CBBE8923082E7F81626B 1612 6AD5DEA0C8771C74E3CAA7F613054AEFA3673E48FFE47B3F7AF987DE 1613 281A68230B24B9DA1A98DCBE51195B60E42FD7517C328D983E26A827 1614 C877AB914EE4C1BFDEAD48BD25BE5F2C473BA9C1CBBDDDA0C374D0D5 1615 8C389CC3D6D8C20662E19CF768F32441B7F7D14AEA8966CE7C32A172 1616 2AB38623D008029A9E4702883F8B977A1A1E5292BF8AD72239D40393 1617 37B86A3AC60FA001290452177BF1798609A05A130F033457A5212629 1618 FBDDB8E70E2A9E6556873C4F7CA46AE4A8B178F05FB319005E1C1C7D 1619 4BD77DFA34035563C126AA2C3328B900E7990AC9787F01DA82F74C3D 1620 4B6674CCECE1FD4C6EF9E6644F4635EDEDA39D8B0E2F7C8E06DAE775 1621 6213BD3D60831175BE290442B4AFC5AE6F46B769855A067C1097E617 1622 962529E166F22AEE10DDB981B8CD6FF17D3D70723169038DBFBC1A44 1623 9C8D0D31BC683C5F3CE26148E42EC9BBD4D9F261569B25B53C1D7FC2 1624 DDFF6B4CAC050203010001300D06092A864886F70D01010505000382 1625 0181002B2ABE063E9C86AC4A1F7835372091079C8276A9C2C5D1EC57 1626 64DE523FDDABDEAB3FD34E6FE6CBA054580A6785A663595D90132B93 1627 D473929E81FA0887D2FFF78A81C7D014B97778AB6AC9E5E690F6F5A9 1628 E92BB5FBAB71B857AE69B6E18BDCCB0BA6FCD9D4B084A34F3635148C 1629 495D48FE635903B888EC1DEB2610548EDD48D63F86513A4562469831 1630 48C0D5DB82D73A4C350A42BB661D763430FC6C8E5F9D13EA1B76AA52 1631 A4C358E5EA04000F794618303AB6CEEA4E9A8E9C74D73C1B0B7BAF16 1632 DEDE7696B5E2F206F777100F5727E1684D4132F5E692F47AF6756EA8 1633 B421000BE031B5D8F0220E436B51FB154FE9595333C13A2403F9DE08 1634 E5DDC5A22FD6182E339593E26374450220BC14F3E40FF33F084526B0 1635 9C34250702E8A352B332CCCB0F9DE2CF2B338823B92AFC61C0B6B8AB 1636 DB5AF718ED8DDA97C298E46B82A01B14814868CFA4F2C36268BFFF4A 1637 591F42658BF75918902D3E426DFE1D5FF0FC6A212071F6DA8BD833FE 1638 2E560D87775E8EE9333C05B6FB8EB56589D910DB5EA903 1640 0 1 EFDDF0D915C7BDC5782C0881E1B2A95AD099FBDD06D7B1F779 1641 82D9364338D955 1643 0 2 81EE7F6C0ECC6B09B7785A9418F54432DE630DD54DC6EE9E3C 1644 49DE547708D236D4C413C3E97E44F969E635958AA410495844127C04 1645 883503E5B024CF7A8F6A94 1647 1 0 308201A2300D06092A864886F70D01010105000382018F0030 1648 82018A0282018100E62C84A5AFE59F0A2A6B250DEE687AC8C5C604F5 1649 7D26CEB2119140FFAC38C4B9CBBE8923082E7F81626B6AD5DEA0C877 1650 1C74E3CAA7F613054AEFA3673E48FFE47B3F7AF987DE281A68230B24 1651 B9DA1A98DCBE51195B60E42FD7517C328D983E26A827C877AB914EE4 1652 C1BFDEAD48BD25BE5F2C473BA9C1CBBDDDA0C374D0D58C389CC3D6D8 1653 C20662E19CF768F32441B7F7D14AEA8966CE7C32A1722AB38623D008 1654 029A9E4702883F8B977A1A1E5292BF8AD72239D4039337B86A3AC60F 1655 A001290452177BF1798609A05A130F033457A5212629FBDDB8E70E2A 1656 9E6556873C4F7CA46AE4A8B178F05FB319005E1C1C7D4BD77DFA3403 1657 5563C126AA2C3328B900E7990AC9787F01DA82F74C3D4B6674CCECE1 1658 FD4C6EF9E6644F4635EDEDA39D8B0E2F7C8E06DAE7756213BD3D6083 1659 1175BE290442B4AFC5AE6F46B769855A067C1097E617962529E166F2 1660 2AEE10DDB981B8CD6FF17D3D70723169038DBFBC1A449C8D0D31BC68 1661 3C5F3CE26148E42EC9BBD4D9F261569B25B53C1D7FC2DDFF6B4CAC05 1662 0203010001 1664 1 1 8755CDAA8FE24EF16CC0F2C918063185E433FAAF1415664911 1665 D9E30A924138C4 1667 1 2 D43165B4CDF8F8660AECCCC5344D9D9AE45FFD7E6AAB7AB9EE 1668 C169B58E11F227ED90C17330CC17B5CCEF0390066008C720CEC6AAE5 1669 33A934B3A2D7E232C94AB4 1671 Authors' Addresses 1673 Paul Hoffman 1674 VPN Consortium 1676 Email: paul.hoffman@vpnc.org 1678 Jakob Schlyter 1679 Kirei AB 1681 Email: jakob@kirei.se