idnits 2.17.1 draft-ietf-dane-smtp-with-dane-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 6, 2014) is 3636 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-16) exists of draft-ietf-dane-ops-00 ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) ** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525) == Outdated reference: A later version (-04) exists of draft-ietf-dane-registry-acronyms-01 == Outdated reference: A later version (-14) exists of draft-ietf-dane-srv-02 Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DANE V. Dukhovni 3 Internet-Draft Two Sigma 4 Intended status: Standards Track W. Hardaker 5 Expires: November 7, 2014 Parsons 6 May 6, 2014 8 SMTP security via opportunistic DANE TLS 9 draft-ietf-dane-smtp-with-dane-09 11 Abstract 13 This memo describes a downgrade-resistant protocol for SMTP transport 14 security between Mail Transfer Agents (MTAs) based on the DNS-Based 15 Authentication of Named Entities (DANE) TLSA DNS record. Adoption of 16 this protocol enables an incremental transition of the Internet email 17 backbone to one using encrypted and authenticated Transport Layer 18 Security (TLS). 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on November 7, 2014. 37 Copyright Notice 39 Copyright (c) 2014 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 55 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 56 1.2. Background . . . . . . . . . . . . . . . . . . . . . . . 5 57 1.3. SMTP channel security . . . . . . . . . . . . . . . . . . 6 58 1.3.1. STARTTLS downgrade attack . . . . . . . . . . . . . . 6 59 1.3.2. Insecure server name without DNSSEC . . . . . . . . . 7 60 1.3.3. Sender policy does not scale . . . . . . . . . . . . 7 61 1.3.4. Too many certification authorities . . . . . . . . . 8 62 2. Identifying applicable TLSA records . . . . . . . . . . . . . 8 63 2.1. DNS considerations . . . . . . . . . . . . . . . . . . . 8 64 2.1.1. DNS errors, bogus and indeterminate responses . . . . 8 65 2.1.2. DNS error handling . . . . . . . . . . . . . . . . . 11 66 2.1.3. Stub resolver considerations . . . . . . . . . . . . 11 67 2.2. TLS discovery . . . . . . . . . . . . . . . . . . . . . . 12 68 2.2.1. MX resolution . . . . . . . . . . . . . . . . . . . . 13 69 2.2.2. Non-MX destinations . . . . . . . . . . . . . . . . . 15 70 2.2.3. TLSA record lookup . . . . . . . . . . . . . . . . . 17 71 3. DANE authentication . . . . . . . . . . . . . . . . . . . . . 19 72 3.1. TLSA certificate usages . . . . . . . . . . . . . . . . . 19 73 3.1.1. Certificate usage DANE-EE(3) . . . . . . . . . . . . 20 74 3.1.2. Certificate usage DANE-TA(2) . . . . . . . . . . . . 21 75 3.1.3. Certificate usages PKIX-TA(0) and PKIX-EE(1) . . . . 22 76 3.2. Certificate matching . . . . . . . . . . . . . . . . . . 23 77 3.2.1. DANE-EE(3) name checks . . . . . . . . . . . . . . . 23 78 3.2.2. DANE-TA(2) name checks . . . . . . . . . . . . . . . 23 79 3.2.3. Reference identifier matching . . . . . . . . . . . . 24 80 4. Server key management . . . . . . . . . . . . . . . . . . . . 25 81 5. Digest algorithm agility . . . . . . . . . . . . . . . . . . 26 82 6. Mandatory TLS Security . . . . . . . . . . . . . . . . . . . 27 83 7. Note on DANE for Message User Agents . . . . . . . . . . . . 28 84 8. Interoperability considerations . . . . . . . . . . . . . . . 29 85 8.1. SNI support . . . . . . . . . . . . . . . . . . . . . . . 29 86 8.2. Anonymous TLS cipher suites . . . . . . . . . . . . . . . 29 87 9. Operational Considerations . . . . . . . . . . . . . . . . . 30 88 9.1. Client Operational Considerations . . . . . . . . . . . . 30 89 9.2. Publisher Operational Considerations . . . . . . . . . . 30 90 10. Security Considerations . . . . . . . . . . . . . . . . . . . 31 91 11. IANA considerations . . . . . . . . . . . . . . . . . . . . . 31 92 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31 93 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 32 94 13.1. Normative References . . . . . . . . . . . . . . . . . . 32 95 13.2. Informative References . . . . . . . . . . . . . . . . . 33 96 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 98 1. Introduction 100 This memo specifies a new connection security model for Message 101 Transfer Agents (MTAs). This model is motivated by key features of 102 inter-domain SMTP delivery, in particular the fact that the 103 destination server is selected indirectly via DNS Mail Exchange (MX) 104 records and that neither email addresses nor MX hostnames signal a 105 requirement for either secure or cleartext transport. Therefore, 106 aside from a few manually configured exceptions, SMTP transport 107 security is of necessity opportunistic. 109 This specification uses the presence of DANE TLSA records to securely 110 signal TLS support and to publish the means by which SMTP clients can 111 successfully authenticate legitimate SMTP servers. This becomes 112 "opportunistic DANE TLS" and is resistant to downgrade and MITM 113 attacks. It enables an incremental transition of the email backbone 114 to authenticated TLS delivery, with increased global protection as 115 adoption increases. 117 With opportunistic DANE TLS, traffic from SMTP clients to domains 118 that publish "usable" DANE TLSA records in accordance with this memo 119 is authenticated and encrypted. Traffic from legacy clients or to 120 domains that do not publish TLSA records will continue to be sent in 121 the same manner as before, via manually configured security, (pre- 122 DANE) opportunistic TLS or just cleartext SMTP. 124 Problems with existing use of TLS in MTA to MTA SMTP that motivate 125 this specification are described in Section 1.3. The specification 126 itself follows in Section 2 and Section 3 which describe respectively 127 how to locate and use DANE TLSA records with SMTP. In Section 6, we 128 discuss application of DANE TLS to destinations for which channel 129 integrity and confidentiality are mandatory. In Section 7 we briefly 130 comment on potential applicability of this specification to Message 131 User Agents. 133 1.1. Terminology 135 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 136 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 137 "OPTIONAL" in this document are to be interpreted as described in 138 [RFC2119]. 140 The following terms or concepts are used through the document: 142 Man-in-the-middle or MITM attack: Active modification of network 143 traffic by an adversary able to thereby compromise the 144 confidentiality or integrity of the data. 146 secure, bogus, insecure, indeterminate: DNSSEC validation results, 147 as defined in Section 4.3 of [RFC4035]. 149 Validating Security-Aware Stub Resolver and Non-Validating 150 Security-Aware Stub Resolver: 151 Capabilities of the stub resolver in use as defined in [RFC4033]; 152 note that this specification requires the use of a Security-Aware 153 Stub Resolver; Security-Oblivious stub-resolvers MUST NOT be used. 155 opportunistic DANE TLS: Best-effort use of TLS, resistant to 156 downgrade attacks for destinations with DNSSEC-validated TLSA 157 records. When opportunistic DANE TLS is determined to be 158 unavailable, clients should fall back to opportunistic TLS below. 159 Opportunistic DANE TLS requires support for DNSSEC, DANE and 160 STARTTLS on the client side and STARTTLS plus a DNSSEC published 161 TLSA record on the server side. 163 (pre-DANE) opportunistic TLS: Best-effort use of TLS that is 164 generally vulnerable to DNS forgery and STARTTLS downgrade 165 attacks. When a TLS-encrypted communication channel is not 166 available, message transmission takes place in the clear. MX 167 record indirection generally precludes authentication even when 168 TLS is available. 170 reference identifier: (Special case of [RFC6125] definition). One 171 of the domain names associated by the SMTP client with the 172 destination SMTP server for performing name checks on the server 173 certificate. When name checks are applicable, at least one of the 174 reference identifiers MUST match an [RFC6125] DNS-ID (or if none 175 are present the [RFC6125] CN-ID) of the server certificate (see 176 Section 3.2.3). 178 MX hostname: The RRDATA of an MX record consists of a 16 bit 179 preference followed by a Mail Exchange domain name (see [RFC1035], 180 Section 3.3.9). We will use the term "MX hostname" to refer to 181 the latter, that is, the DNS domain name found after the 182 preference value in an MX record. Thus an "MX hostname" is 183 specifically a reference to a DNS domain name, rather than any 184 host that bears that name. 186 delayed delivery: Email delivery is a multi-hop store & forward 187 process. When an MTA is unable forward a message that may become 188 deliverable later, the message is queued and delivery is retried 189 periodically. Some MTAs may be configured with a fallback next- 190 hop destination that handles messages that the MTA would otherwise 191 queue and retry. In these cases, messages that would otherwise 192 have to be delayed, may be sent to the fallback next-hop 193 destination instead. The fallback destination may itself be 194 subject to opportunistic or mandatory DANE TLS as though it were 195 the original message destination. 197 original next hop destination: The logical destination for mail 198 delivery. By default this is the domain portion of the recipient 199 address, but MTAs may be configured to forward mail for some or 200 all recipients via designated relays. The original next hop 201 destination is, respectively, either the recipient domain or the 202 associated configured relay. 204 MTA: Message Transfer Agent ([RFC5598], Section 4.3.2). 206 MSA: Message Submission Agent ([RFC5598], Section 4.3.1). 208 MUA: Message User Agent ([RFC5598], Section 4.2.1). 210 RR: A DNS Resource Record 212 RRset: A set of DNS Resource Records for a particular class, domain 213 and record type. 215 1.2. Background 217 The Domain Name System Security Extensions (DNSSEC) add data origin 218 authentication, data integrity and data non-existence proofs to the 219 Domain Name System (DNS). DNSSEC is defined in [RFC4033], [RFC4034] 220 and [RFC4035]. 222 As described in the introduction of [RFC6698], TLS authentication via 223 the existing public Certification Authority (CA) PKI suffers from an 224 over-abundance of trusted parties capable of issuing certificates for 225 any domain of their choice. DANE leverages the DNSSEC infrastructure 226 to publish trusted public keys and certificates for use with the 227 Transport Layer Security (TLS) [RFC5246] protocol via a new "TLSA" 228 DNS record type. With DNSSEC each domain can only vouch for the keys 229 of its directly delegated sub-domains. 231 The TLS protocol enables secure TCP communication. In the context of 232 this memo, channel security is assumed to be provided by TLS. Used 233 without authentication, TLS provides only privacy protection against 234 eavesdropping attacks. With authentication, TLS also provides data 235 integrity protection to guard against MITM attacks. 237 1.3. SMTP channel security 239 With HTTPS, Transport Layer Security (TLS) employs X.509 certificates 240 [RFC5280] issued by one of the many Certificate Authorities (CAs) 241 bundled with popular web browsers to allow users to authenticate 242 their "secure" websites. Before we specify a new DANE TLS security 243 model for SMTP, we will explain why a new security model is needed. 244 In the process, we will explain why the familiar HTTPS security model 245 is inadequate to protect inter-domain SMTP traffic. 247 The subsections below outline four key problems with applying 248 traditional PKI to SMTP that are addressed by this specification. 249 Since SMTP channel security policy is not explicitly specified in 250 either the recipient address or the MX record, a new signaling 251 mechanism is required to indicate when channel security is possible 252 and should be used. The publication of TLSA records allows server 253 operators to securely signal to SMTP clients that TLS is available 254 and should be used. DANE TLSA makes it possible to simultaneously 255 discover which destination domains support secure delivery via TLS 256 and how to verify the authenticity of the associated SMTP services, 257 providing a path forward to ubiquitous SMTP channel security. 259 1.3.1. STARTTLS downgrade attack 261 The Simple Mail Transfer Protocol (SMTP) [RFC5321] is a single-hop 262 protocol in a multi-hop store & forward email delivery process. SMTP 263 envelope recipient addresses are not transport addresses and are 264 security-agnostic. Unlike the Hypertext Transfer Protocol (HTTP) and 265 its corresponding secured version, HTTPS, where the use of TLS is 266 signaled via the URI scheme, email recipient addresses do not 267 directly signal transport security policy. Indeed, no such signaling 268 could work well with SMTP since TLS encryption of SMTP protects email 269 traffic on a hop-by-hop basis while email addresses could only 270 express end-to-end policy. 272 With no mechanism available to signal transport security policy, SMTP 273 relays employ a best-effort "opportunistic" security model for TLS. 274 A single SMTP server TCP listening endpoint can serve both TLS and 275 non-TLS clients; the use of TLS is negotiated via the SMTP STARTTLS 276 command ([RFC3207]). The server signals TLS support to the client 277 over a cleartext SMTP connection, and, if the client also supports 278 TLS, it may negotiate a TLS encrypted channel to use for email 279 transmission. The server's indication of TLS support can be easily 280 suppressed by an MITM attacker. Thus pre-DANE SMTP TLS security can 281 be subverted by simply downgrading a connection to cleartext. No TLS 282 security feature, such as the use of PKIX, can prevent this. The 283 attacker can simply disable TLS. 285 1.3.2. Insecure server name without DNSSEC 287 With SMTP, DNS Mail Exchange (MX) records abstract the next-hop 288 transport endpoint and allow administrators to specify a set of 289 target servers to which SMTP traffic should be directed for a given 290 domain. 292 A PKIX TLS client is vulnerable to MITM attacks unless it verifies 293 that the server's certificate binds the public key to a name that 294 matches one of the client's reference identifiers. A natural choice 295 of reference identifier is the server's domain name. However, with 296 SMTP, server names are obtained indirectly via MX records. Without 297 DNSSEC, the MX lookup is vulnerable to MITM and DNS cache poisoning 298 attacks. Active attackers can forge DNS replies with fake MX records 299 and can redirect email to servers with names of their choice. 300 Therefore, secure verification of SMTP TLS certificates matching the 301 server name is not possible without DNSSEC. 303 One might try to harden TLS for SMTP against DNS attacks by using the 304 envelope recipient domain as a reference identifier and requiring 305 each SMTP server to possess a trusted certificate for the envelope 306 recipient domain rather than the MX hostname. Unfortunately, this is 307 impractical as email for many domains is handled by third parties 308 that are not in a position to obtain certificates for all the domains 309 they serve. Deployment of the Server Name Indication (SNI) extension 310 to TLS (see [RFC6066] Section 3) is no panacea, since SNI key 311 management is operationally challenging except when the email service 312 provider is also the domain's registrar and its certificate issuer; 313 this is rarely the case for email. 315 Since the recipient domain name cannot be used as the SMTP server 316 reference identifier, and neither can the MX hostname without DNSSEC, 317 large-scale deployment of authenticated TLS for SMTP requires that 318 the DNS be secure. 320 Since SMTP security depends critically on DNSSEC, it is important to 321 point out that consequently SMTP with DANE is the most conservative 322 possible trust model. It trusts only what must be trusted and no 323 more. Adding any other trusted actors to the mix can only reduce 324 SMTP security. A sender may choose to further harden DNSSEC for 325 selected high-value receiving domains, by configuring explicit trust 326 anchors for those domains instead of relying on the chain of trust 327 from the root domain. Detailed discussion of DNSSEC security 328 practices is out of scope for this document. 330 1.3.3. Sender policy does not scale 331 Sending systems are in some cases explicitly configured to use TLS 332 for mail sent to selected peer domains. This requires sending MTAs 333 to be configured with appropriate subject names or certificate 334 content digests to expect in the presented server certificates. 335 Because of the heavy administrative burden, such statically 336 configured SMTP secure channels are used rarely (generally only 337 between domains that make bilateral arrangements with their business 338 partners). Internet email, on the other hand, requires regularly 339 contacting new domains for which security configurations cannot be 340 established in advance. 342 The abstraction of the SMTP transport endpoint via DNS MX records, 343 often across organization boundaries, limits the use of public CA PKI 344 with SMTP to a small set of sender-configured peer domains. With 345 little opportunity to use TLS authentication, sending MTAs are rarely 346 configured with a comprehensive list of trusted CAs. SMTP services 347 that support STARTTLS often deploy X.509 certificates that are self- 348 signed or issued by a private CA. 350 1.3.4. Too many certification authorities 352 Even if it were generally possible to determine a secure server name, 353 the SMTP client would still need to verify that the server's 354 certificate chain is issued by a trusted Certification Authority (a 355 trust anchor). MTAs are not interactive applications where a human 356 operator can make a decision (wisely or otherwise) to selectively 357 disable TLS security policy when certificate chain verification 358 fails. With no user to "click OK", the MTAs list of public CA trust 359 anchors would need to be comprehensive in order to avoid bouncing 360 mail addressed to sites that employ unknown Certification 361 Authorities. 363 On the other hand, each trusted CA can issue certificates for any 364 domain. If even one of the configured CAs is compromised or operated 365 by an adversary, it can subvert TLS security for all destinations. 366 Any set of CAs is simultaneously both overly inclusive and not 367 inclusive enough. 369 2. Identifying applicable TLSA records 371 2.1. DNS considerations 373 2.1.1. DNS errors, bogus and indeterminate responses 374 An SMTP client that implements opportunistic DANE TLS per this 375 specification depends critically on the integrity of DNSSEC lookups, 376 as discussed in Section 1.3. This section lists the DNS resolver 377 requirements needed to avoid downgrade attacks when using 378 opportunistic DANE TLS. 380 A DNS lookup may signal an error or return a definitive answer. A 381 security-aware resolver must be used for this specification. 382 Security-aware resolvers will indicate the security status of a DNS 383 RRset with one of four possible values defined in Section 4.3 of 384 [RFC4035]: "secure", "insecure", "bogus" and "indeterminate". In 385 [RFC4035] the meaning of the "indeterminate" security status is: 387 An RRset for which the resolver is not able to determine whether 388 the RRset should be signed, as the resolver is not able to obtain 389 the necessary DNSSEC RRs. This can occur when the security-aware 390 resolver is not able to contact security-aware name servers for 391 the relevant zones. 393 Note, the "indeterminate" security status has a conflicting 394 definition in section 5 of [RFC4033]. 396 There is no trust anchor that would indicate that a specific 397 portion of the tree is secure. 399 SMTP clients following this specification SHOULD NOT distinguish 400 between "insecure" and "indeterminate" in the [RFC4033] sense. Both 401 "insecure" and RFC4033 "indeterminate" are handled identically: in 402 either case unvalidated data for the query domain is all that is and 403 can be available, and authentication using the data is impossible. 404 In what follows, when we say "insecure", we include also DNS results 405 for domains that lie in a portion of the DNS tree for which there is 406 no applicable trust anchor. With the DNS root zone signed, we expect 407 that validating resolvers used by Internet-facing MTAs will be 408 configured with trust anchor data for the root zone. Therefore, 409 RFC4033-style "indeterminate" domains should be rare in practice. 410 From here on, when we say "indeterminate", it is exclusively in the 411 sense of [RFC4035]. 413 As noted in section 4.3 of [RFC4035], a security-aware DNS resolver 414 MUST be able to determine whether a given non-error DNS response is 415 "secure", "insecure", "bogus" or "indeterminate". It is expected 416 that most security-aware stub resolvers will not signal an 417 "indeterminate" security status in the RFC4035-sense to the 418 application, and will signal a "bogus" or error result instead. If a 419 resolver does signal an RFC4035 "indeterminate" security status, this 420 MUST be treated by the SMTP client as though a "bogus" or error 421 result had been returned. 423 An MTA making use of a non-validating security-aware stub resolver 424 MAY use the stub resolver's ability, if available, to signal DNSSEC 425 validation status based on information the stub resolver has learned 426 from an upstream validating recursive resolver. In accordance with 427 section 4.9.3 of [RFC4035]: 429 ... a security-aware stub resolver MUST NOT place any reliance on 430 signature validation allegedly performed on its behalf, except 431 when the security-aware stub resolver obtained the data in question 432 from a trusted security-aware recursive name server via a secure 433 channel. 435 To avoid much repetition in the text below, we will pause to explain 436 the handling of "bogus" or "indeterminate" DNSSEC query responses. 437 These are not necessarily the result of a malicious actor; they can, 438 for example, occur when network packets are corrupted or lost in 439 transit. Therefore, "bogus" or "indeterminate" replies are equated 440 in this memo with lookup failure. 442 There is an important non-failure condition we need to highlight in 443 addition to the obvious case of the DNS client obtaining a non-empty 444 "secure" or "insecure" RRset of the requested type. Namely, it is 445 not an error when either "secure" or "insecure" non-existence is 446 determined for the requested data. When a DNSSEC response with a 447 validation status that is either "secure" or "insecure" reports 448 either no records of the requested type or non-existence of the query 449 domain, the response is not a DNS error condition. The DNS client 450 has not been left without an answer; it has learned that records of 451 the requested type do not exist. 453 Security-aware stub resolvers will, of course, also signal DNS lookup 454 errors in other cases, for example when processing a "ServFail" 455 RCODE, which will not have an associated DNSSEC status. All lookup 456 errors are treated the same way by this specification, regardless of 457 whether they are from a "bogus" or "indeterminate" DNSSEC status or 458 from a more generic DNS error: the information that was requested 459 cannot be obtained by the security-aware resolver at this time. A 460 lookup error is thus a failure to obtain the relevant RRset if it 461 exists, or to determine that no such RRset exists when it does not. 463 In contrast to a "bogus" or an "indeterminate" response, an 464 "insecure" DNSSEC response is not an error, rather it indicates that 465 the target DNS zone is either securely opted out of DNSSEC validation 466 or is not connected with the DNSSEC trust anchors being used. 467 Insecure results will leave the SMTP client with degraded channel 468 security, but do not stand in the way of message delivery. See 469 section Section 2.2 for further details. 471 2.1.2. DNS error handling 473 When a DNS lookup failure (error or "bogus" or "indeterminate" as 474 defined above) prevents an SMTP client from determining which SMTP 475 server or servers it should connect to, message delivery MUST be 476 delayed. This naturally includes, for example, the case when a 477 "bogus" or "indeterminate" response is encountered during MX 478 resolution. When multiple MX hostnames are obtained from a 479 successful MX lookup, but a later DNS lookup failure prevents network 480 address resolution for a given MX hostname, delivery may proceed via 481 any remaining MX hosts. 483 When a particular SMTP server is securely identified as the delivery 484 destination, a set of DNS lookups (Section 2.2) MUST be performed to 485 locate any related TLSA records. If any DNS queries used to locate 486 TLSA records fail (be it due to "bogus" or "indeterminate" records, 487 timeouts, malformed replies, ServFails, etc.), then the SMTP client 488 MUST treat that server as unreachable and MUST NOT deliver the 489 message via that server. If no servers are reachable, delivery is 490 delayed. 492 In what follows, we will only describe what happens when all relevant 493 DNS queries succeed. If any DNS failure occurs, the SMTP client MUST 494 behave as described in this section, by skipping the problem SMTP 495 server, or the problem destination. Queries for candidate TLSA 496 records are explicitly part of "all relevant DNS queries" and SMTP 497 clients MUST NOT continue to connect to an SMTP server or destination 498 whose TLSA record lookup fails. 500 2.1.3. Stub resolver considerations 502 A note about DNAME aliases: a query for a domain name whose ancestor 503 domain is a DNAME alias returns the DNAME RR for the ancestor domain, 504 along with a CNAME that maps the query domain to the corresponding 505 sub-domain of the target domain of the DNAME alias [RFC6672]. 506 Therefore, whenever we speak of CNAME aliases, we implicitly allow 507 for the possibility that the alias in question is the result of an 508 ancestor domain DNAME record. Consequently, no explicit support for 509 DNAME records is needed in SMTP software, it is sufficient to process 510 the resulting CNAME aliases. DNAME records only require special 511 processing in the validating stub-resolver library that checks the 512 integrity of the combined DNAME + CNAME reply. When DNSSEC 513 validation is handled by a local caching resolver, rather than the 514 MTA itself, even that part of the DNAME support logic is outside the 515 MTA. 517 When a stub resolver returns a response containing a CNAME alias that 518 does not also contain the corresponding query results for the target 519 of the alias, the SMTP client will need to repeat the query at the 520 target of the alias, and should do so recursively up to some 521 configured or implementation-dependent recursion limit. If at any 522 stage of CNAME expansion an error is detected, the lookup of the 523 original requested records MUST be considered to have failed. 525 Whether a chain of CNAME records was returned in a single stub 526 resolver response or via explicit recursion by the SMTP client, if at 527 any stage of recursive expansion an "insecure" CNAME record is 528 encountered, then it and all subsequent results (in particular, the 529 final result) MUST be considered "insecure" regardless of whether any 530 earlier CNAME records leading to the "insecure" record were "secure". 532 Note, a security-aware non-validating stub resolver may return to the 533 SMTP client an "insecure" reply received from a validating recursive 534 resolver that contains a CNAME record along with additional answers 535 recursively obtained starting at the target of the CNAME. In this 536 all that one can say is that some record in the set of records 537 returned is "insecure", but it is possible that the initial CNAME 538 record and a subset of the subsequent records are "secure". 540 If the SMTP client needs to determine the security status of the DNS 541 zone containing the initial CNAME record, it may need to issue an a 542 separate query of type "CNAME" that returns only the initial CNAME 543 record. In particular in Section 2.2.2 when insecure A or AAAA 544 records are found for an SMTP server via a CNAME alias, it may be 545 necessary to perform an additional CNAME query to determine whether 546 the DNS zone in which the alias is published is signed. 548 2.2. TLS discovery 550 As noted previously (in Section 1.3.1), opportunistic TLS with SMTP 551 servers that advertise TLS support via STARTTLS is subject to an MITM 552 downgrade attack. Also some SMTP servers that are not, in fact, TLS 553 capable erroneously advertise STARTTLS by default and clients need to 554 be prepared to retry cleartext delivery after STARTTLS fails. In 555 contrast, DNSSEC validated TLSA records MUST NOT be published for 556 servers that do not support TLS. Clients can safely interpret their 557 presence as a commitment by the server operator to implement TLS and 558 STARTTLS. 560 This memo defines four actions to be taken after the search for a 561 TLSA record returns secure usable results, secure unusable results, 562 insecure or no results or an error signal. The term "usable" in this 563 context is in the sense of Section 4.1 of [RFC6698]. Specifically, 564 if the DNS lookup for a TLSA record returns: 566 A secure TLSA RRset with at least one usable record: A connection to 567 the MTA MUST be made using authenticated and encrypted TLS, using 568 the techniques discussed in the rest of this document. Failure to 569 establish an authenticated TLS connection MUST result in falling 570 back to the next SMTP server or delayed delivery. 572 A Secure non-empty TLSA RRset where all the records are unusable: A 573 connection to the MTA MUST be made via TLS, but authentication is 574 not required. Failure to establish an encrypted TLS connection 575 MUST result in falling back to the next SMTP server or delayed 576 delivery. 578 An insecure TLSA RRset or DNSSEC validated proof-of-non-existent TLSA 579 records: 580 A connection to the MTA SHOULD be made using (pre-DANE) 581 opportunistic TLS, this includes using cleartext delivery when the 582 remote SMTP server does not appear to support TLS. The MTA MAY 583 retry in cleartext when delivery via TLS fails either during the 584 handshake or even during data transfer. 586 Any lookup error: Lookup errors, including "bogus" and 587 "indeterminate", as explained in Section 2.1.1 MUST result in 588 falling back to the next SMTP server or delayed delivery. 590 An SMTP client MAY be configured to require DANE verified delivery 591 for some destinations. We will call such a configuration "mandatory 592 DANE TLS". With mandatory DANE TLS, delivery proceeds only when 593 "secure" TLSA records are used to establish an encrypted and 594 authenticated TLS channel with the SMTP server. 596 When the original next-hop destination is an address literal, rather 597 than a DNS domain, DANE TLS does not apply. Delivery proceeds using 598 any relevant security policy configured by the MTA administrator. 599 Similarly, when an MX RRset incorrectly lists a network address in 600 lieu of an MX hostname, if the MTA chooses to connect to the network 601 address DANE TLSA does not apply for such a connection. 603 In the subsections that follow we explain how to locate the SMTP 604 servers and the associated TLSA records for a given next-hop 605 destination domain. We also explain which name or names are to be 606 used in identity checks of the SMTP server certificate. 608 2.2.1. MX resolution 610 In this section we consider next-hop domains that are subject to MX 611 resolution and have MX records. The TLSA records and the associated 612 base domain are derived separately for each MX hostname that is used 613 to attempt message delivery. DANE TLS can authenticate message 614 delivery to the intended next-hop domain only when the MX records are 615 obtained securely via a DNSSEC validated lookup. 617 MX records MUST be sorted by preference; an MX hostname with a worse 618 (numerically higher) MX preference that has TLSA records MUST NOT 619 preempt an MX hostname with a better (numerically lower) preference 620 that has no TLSA records. In other words, prevention of delivery 621 loops by obeying MX preferences MUST take precedence over channel 622 security considerations. Even with two equal-preference MX records, 623 an MTA is not obligated to choose the MX hostname that offers more 624 security. Domains that want secure inbound mail delivery need to 625 ensure that all their SMTP servers and MX records are configured 626 accordingly. 628 In the language of [RFC5321] Section 5.1, the original next-hop 629 domain is the "initial name". If the MX lookup of the initial name 630 results in a CNAME alias, the MTA replaces the initial name with the 631 resulting name and performs a new lookup with the new name. MTAs 632 typically support recursion in CNAME expansion, so this replacement 633 is performed repeatedly until the ultimate non-CNAME domain is found. 635 If the MX RRset (or any CNAME leading to it) is "insecure" (see 636 Section 2.1.1), DANE TLS need not apply, and delivery MAY proceed via 637 pre-DANE opportunistic TLS. That said, the protocol in this memo is 638 an "opportunistic security" protocol, meaning that it strives to 639 communicate with each peer as securely as possible, while maintaining 640 broad interoperability. Therefore, the SMTP client MAY proceed to 641 use DANE TLS (as described in Section 2.2.2 below) even with MX hosts 642 obtained via an "insecure" MX RRset. For example, when a hosting 643 provider has a signed DNS zone and publishes TLSA records for its 644 SMTP servers, hosted domains that are not signed may still benefit 645 from the provider's TLSA records. Deliveries via the provider's SMTP 646 servers will not be subject to active attacks when sending SMTP 647 clients elect to make use of the provider's TLSA records. 649 When the MX records are not (DNSSEC) signed, an active attacker can 650 redirect SMTP clients to MX hosts of his choice. Such redirection is 651 tamper-evident when SMTP servers found via "insecure" MX records are 652 recorded as the next-hop relay in the MTA delivery logs in their 653 original (rather than CNAME expanded) form. Sending MTAs SHOULD log 654 unexpanded MX hostnames when these result from insecure MX lookups. 655 Any successful authentication via an insecurely determined MX host 656 MUST NOT be misrepresented in the mail logs as secure delivery to the 657 intended next-hop domain. When DANE TLS is mandatory (xref 658 target="madatory"/>) for a given destination, delivery MUST be 659 delayed when the MX RRset is not "secure". 661 Otherwise, assuming no DNS errors (Section 2.1.1), the MX RRset is 662 "secure", and the SMTP client MUST treat each MX hostname as a 663 separate non-MX destination for opportunistic DANE TLS as described 664 in Section 2.2.2. When, for a given MX hostname, no TLSA records are 665 found, or only "insecure" TLSA records are found, DANE TLSA is not 666 applicable with the SMTP server in question and delivery proceeds to 667 that host as with pre-DANE opportunistic TLS. To avoid downgrade 668 attacks, any errors during TLSA lookups MUST, as explained in 669 Section 2.1.1, cause the SMTP server in question to be treated as 670 unreachable. 672 2.2.2. Non-MX destinations 674 This section describes the algorithm used to locate the TLSA records 675 and associated TLSA base domain for an input domain not subject to MX 676 resolution. Such domains include: 678 o Each MX hostname used in a message delivery attempt for an 679 original next-hop destination domain subject to MX resolution. 680 Note, MTAs are not obligated to support CNAME expansion of MX 681 hostnames. 683 o Any administrator configured relay hostname, not subject to MX 684 resolution. This frequently involves configuration set by the MTA 685 administrator to handle some or all mail. 687 o A next-hop destination domain subject to MX resolution that has no 688 MX records. In this case the domain's name is implicitly also its 689 sole SMTP server name. 691 Note that DNS queries with type TLSA are mishandled by load balancing 692 nameservers that serve the MX hostnames of some large email 693 providers. The DNS zones served by these nameservers are not signed 694 and contain no TLSA records, but queries for TLSA records fail, 695 rather than returning the non-existence of the requested TLSA 696 records. 698 To avoid problems delivering mail to domains whose SMTP servers are 699 served by the problem nameservers the SMTP client MUST perform any A 700 and/or AAAA queries for the destination before attempting to locate 701 the associated TLSA records. This lookup is needed in any case to 702 determine whether the destination domain is reachable and the DNSSEC 703 validation status of the chain of CNAME queries required to reach the 704 ultimate address records. 706 If no address records are found, the destination is unreachable. If 707 address records are found, but the DNSSEC validation status of the 708 first query response is "insecure" (see Section 2.1.3), the SMTP 709 client SHOULD NOT proceed to search for any associated TLSA records. 710 With the problem domains, TLSA queries will lead to DNS lookup errors 711 and cause messages to be consistently delayed and ultimately returned 712 to the sender. We don't expect to find any "secure" TLSA records 713 associated with a TLSA base domain that lies in an unsigned DNS zone. 714 Therefore, skipping TLSA lookups in this case will also reduce 715 latency with no detrimental impact on security. 717 If the A and/or AAAA lookup of the "initial name" yields a CNAME, we 718 replace it with the resulting name as if it were the initial name and 719 perform a lookup again using the new name. This replacement is 720 performed recursively. 722 We consider the following cases for handling a DNS response for an A 723 or AAAA DNS lookup: 725 Not found: When the DNS queries for A and/or AAAA records yield 726 neither a list of addresses nor a CNAME (or CNAME expansion is not 727 supported) the destination is unreachable. 729 Non-CNAME: The answer is not a CNAME alias. If the address RRset 730 is "secure", TLSA lookups are performed as described in 731 Section 2.2.3 with the initial name as the candidate TLSA base 732 domain. If no "secure" TLSA records are found, DANE TLS is not 733 applicable and mail delivery proceeds with pre-DANE opportunistic 734 TLS (which, being best-effort, degrades to cleartext delivery when 735 STARTTLS is not available or the TLS handshake fails). 737 Insecure CNAME: The input domain is a CNAME alias, but the ultimate 738 network address RRset is "insecure" (see Section 2.1.1). If the 739 initial CNAME response is also "insecure", DANE TLS does not 740 apply. Otherwise, this case is treated just like the non-CNAME 741 case above, where a search is performed for a TLSA record with the 742 original input domain as the candidate TLSA base domain. 744 Secure CNAME: The input domain is a CNAME alias, and the ultimate 745 network address RRset is "secure" (see Section 2.1.1). Two 746 candidate TLSA base domains are tried: the fully CNAME-expanded 747 initial name and, failing that, then the initial name itself. 749 In summary, if it is possible to securely obtain the full, CNAME- 750 expanded, DNSSEC-validated address records for the input domain, then 751 that name is the preferred TLSA base domain. Otherwise, the 752 unexpanded input-MX domain is the candidate TLSA base domain. When 753 no "secure" TLSA records are found at either the CNAME-expanded or 754 unexpanded domain, then DANE TLS does not apply for mail delivery via 755 the input domain in question. And, as always, errors, bogus or 756 indeterminate results for any query in the process MUST result in 757 delaying or abandoning delivery. 759 2.2.3. TLSA record lookup 761 Each candidate TLSA base domain (the original or fully CNAME-expanded 762 name of a non-MX destination or a particular MX hostname of an MX 763 destination) is in turn prefixed with service labels of the form 764 "_._tcp". The resulting domain name is used to issue a DNSSEC 765 query with the query type set to TLSA ([RFC6698] Section 7.1). 767 For SMTP, the destination TCP port is typically 25, but this may be 768 different with custom routes specified by the MTA administrator in 769 which case the SMTP client MUST use the appropriate number in the 770 "_" prefix in place of "_25". If, for example, the candidate 771 base domain is "mx.example.com", and the SMTP connection is to port 772 25, the TLSA RRset is obtained via a DNSSEC query of the form: 774 _25._tcp.mx.example.com. IN TLSA ? 776 The query response may be a CNAME, or the actual TLSA RRset. If the 777 response is a CNAME, the SMTP client (through the use of its 778 security-aware stub resolver) restarts the TLSA query at the target 779 domain, following CNAMEs as appropriate and keeping track of whether 780 the entire chain is "secure". If any "insecure" records are 781 encountered, or the TLSA records don't exist, the next candidate TLSA 782 base is tried instead. 784 If the ultimate response is a "secure" TLSA RRset, then the candidate 785 TLSA base domain will be the actual TLSA base domain and the TLSA 786 RRset will constitute the TLSA records for the destination. If none 787 of the candidate TLSA base domains yield "secure" TLSA records then 788 delivery MAY proceed via pre-DANE opportunistic TLS. SMTP clients 789 MAY elect to use "insecure" TLSA records to avoid STARTTLS downgrades 790 or even to skip SMTP servers that fail authentication, but MUST NOT 791 misrepresent authentication success as either a secure connection to 792 the SMTP server or as a secure delivery to the intended next-hop 793 domain. 795 TLSA record publishers may leverage CNAMEs to reference a single 796 authoritative TLSA RRset specifying a common Certification Authority 797 or a common end entity certificate to be used with multiple TLS 798 services. Such CNAME expansion does not change the SMTP client's 799 notion of the TLSA base domain; thus, when _25._tcp.mx.example.com is 800 a CNAME, the base domain remains mx.example.com and this is still the 801 reference identifier used together with the next-hop domain in peer 802 certificate name checks. 804 Note, shared end entity certificate associations expose the 805 publishing domain to substitution attacks, where an MITM attacker can 806 reroute traffic to a different server that shares the same end entity 807 certificate. Such shared end entity records SHOULD be avoided unless 808 the servers in question are functionally equivalent (an active 809 attacker gains nothing by diverting client traffic from one such 810 server to another). 812 For example, given the DNSSEC validated records below: 814 example.com. IN MX 0 mx1.example.com. 815 example.com. IN MX 0 mx2.example.com. 816 _25._tcp.mx1.example.com. IN CNAME tlsa211._dane.example.com. 817 _25._tcp.mx2.example.com. IN CNAME tlsa211._dane.example.com. 818 tlsa211._dane.example.com. IN TLSA 2 1 1 e3b0c44298fc1c149a... 820 The SMTP servers mx1.example.com and mx2.example.com will be expected 821 to have certificates issued under a common trust anchor, but each MX 822 hostname's TLSA base domain remains unchanged despite the above CNAME 823 records. Correspondingly, each SMTP server will be associated with a 824 pair of reference identifiers consisting of its hostname plus the 825 next-hop domain "example.com". 827 If, during TLSA resolution (including possible CNAME indirection), at 828 least one "secure" TLSA record is found (even if not usable because 829 it is unsupported by the implementation or support is 830 administratively disabled), then the corresponding host has signaled 831 its commitment to implement TLS. The SMTP client MUST NOT deliver 832 mail via the corresponding host unless a TLS session is negotiated 833 via STARTTLS. This is required to avoid MITM STARTTLS downgrade 834 attacks. 836 As noted previously (in Section Section 2.2.2), when no "secure" TLSA 837 records are found at the fully CNAME-expanded name, the original 838 unexpanded name MUST be tried instead. This supports customers of 839 hosting providers where the provider's zone cannot be validated with 840 DNSSEC, but the customer has shared appropriate key material with the 841 hosting provider to enable TLS via SNI. Intermediate names that 842 arise during CNAME expansion that are neither the original, nor the 843 final name, are never candidate TLSA base domains, even if "secure". 845 3. DANE authentication 847 This section describes which TLSA records are applicable to SMTP 848 opportunistic DANE TLS and how to apply such records to authenticate 849 the SMTP server. With opportunistic DANE TLS, both the TLS support 850 implied by the presence of DANE TLSA records and the verification 851 parameters necessary to authenticate the TLS peer are obtained 852 together. In contrast to protocols where channel security policy is 853 set exclusively by the client, authentication via this protocol is 854 expected to be less prone to connection failure caused by 855 incompatible configuration of the client and server. 857 3.1. TLSA certificate usages 859 The DANE TLSA specification [RFC6698] defines multiple TLSA RR types 860 via combinations of 3 numeric parameters. The numeric values of 861 these parameters were later given symbolic names in 862 [I-D.ietf-dane-registry-acronyms]. The rest of the TLSA record is 863 the "certificate association data field", which specifies the full or 864 digest value of a certificate or public key. The parameters are: 866 The TLSA Certificate Usage field: Section 2.1.1 of [RFC6698] 867 specifies 4 values: PKIX-TA(0), PKIX-EE(1), DANE-TA(2), and DANE- 868 EE(3). There is an additional private-use value: PrivCert(255). 869 All other values are reserved for use by future specifications. 871 The selector field: Section 2.1.2 of [RFC6698] specifies 2 values: 872 Cert(0), SPKI(1). There is an additional private-use value: 873 PrivSel(255). All other values are reserved for use by future 874 specifications. 876 The matching type field: Section 2.1.3 of [RFC6698] specifies 3 877 values: Full(0), SHA2-256(1), SHA2-512(2). There is an additional 878 private-use value: PrivMatch(255). All other values are reserved 879 for use by future specifications. 881 We may think of TLSA Certificate Usage values 0 through 3 as a 882 combination of two one-bit flags. The low bit chooses between trust 883 anchor (TA) and end entity (EE) certificates. The high bit chooses 884 between public PKI issued and domain-issued certificates. 886 The selector field specifies whether the TLSA RR matches the whole 887 certificate: Cert(0), or just its subjectPublicKeyInfo: SPKI(1). The 888 subjectPublicKeyInfo is an ASN.1 DER encoding of the certificate's 889 algorithm id, any parameters and the public key data. 891 The matching type field specifies how the TLSA RR Certificate 892 Association Data field is to be compared with the certificate or 893 public key. A value of Full(0) means an exact match: the full DER 894 encoding of the certificate or public key is given in the TLSA RR. A 895 value of SHA2-256(1) means that the association data matches the 896 SHA2-256 digest of the certificate or public key, and likewise 897 SHA2-512(2) means a SHA2-512 digest is used. 899 Since opportunistic DANE TLS will be used by non-interactive MTAs, 900 with no user to "press OK" when authentication fails, reliability of 901 peer authentication is paramount. Server operators are advised to 902 publish TLSA records that are least likely to fail authentication due 903 to interoperability or operational problems. Because DANE TLS relies 904 on coordinated changes to DNS and SMTP server settings, the best 905 choice of records to publish will depend on site-specific practices. 907 The certificate usage element of a TLSA record plays a critical role 908 in determining how the corresponding certificate association data 909 field is used to authenticate server's certificate chain. The next 910 two subsections explain the process for certificate usages DANE-EE(3) 911 and DANE-TA(2). The third subsection briefly explains why 912 certificate usages PKIX-TA(0) and PKIX-EE(1) are not applicable with 913 opportunistic DANE TLS. 915 In summary, we recommend the use of either "DANE-EE(3) SPKI(1) 916 SHA2-256(1)" or "DANE-TA(2) Cert(0) SHA2-256(1)" TLSA records 917 depending on site needs. Other combinations of TLSA parameters are 918 either explicitly unsupported, or offer little to recommend them over 919 these two. 921 The mandatory to support digest algorithm in [RFC6698] is 922 SHA2-256(1). When the server's TLSA RRset includes records with a 923 matching type indicating a digest record (i.e., a value other than 924 Full(0)), a TLSA record with a SHA2-256(1) matching type SHOULD be 925 provided along with any other digest published, since some SMTP 926 clients may support only SHA2-256(1). If at some point the SHA2-256 927 digest algorithm is tarnished by new cryptanalytic attacks, 928 publishers will need to include an appropriate stronger digest in 929 their TLSA records, initially along with, and ultimately in place of, 930 SHA2-256. 932 3.1.1. Certificate usage DANE-EE(3) 934 Authentication via certificate usage DANE-EE(3) TLSA records involves 935 simply checking that the server's leaf certificate matches the TLSA 936 record. In particular the binding of the server public key to its 937 name is based entirely on the TLSA record association. The server 938 MUST be considered authenticated even if none of the names in the 939 certificate match the client's reference identity for the server. 941 Similarly, the expiration date of the server certificate MUST be 942 ignored, the validity period of the TLSA record key binding is 943 determined by the validity interval of the TLSA record DNSSEC 944 signature. 946 With DANE-EE(3) servers need not employ SNI (may ignore the client's 947 SNI message) even when the server is known under independent names 948 that would otherwise require separate certificates. It is instead 949 sufficient for the TLSA RRsets for all the domains in question to 950 match the server's default certificate. Of course with SMTP servers 951 it is simpler still to publish the same MX hostname for all the 952 hosted domains. 954 For domains where it is practical to make coordinated changes in DNS 955 TLSA records during SMTP server key rotation, it is often best to 956 publish end-entity DANE-EE(3) certificate associations. DANE-EE(3) 957 certificates don't suddenly stop working when leaf or intermediate 958 certificates expire, and don't fail when the server operator neglects 959 to configure all the required issuer certificates in the server 960 certificate chain. 962 TLSA records published for SMTP servers SHOULD, in most cases, be 963 "DANE-EE(3) SPKI(1) SHA2-256(1)" records. Since all DANE 964 implementations are required to support SHA2-256, this record type 965 works for all clients and need not change across certificate renewals 966 with the same key. 968 3.1.2. Certificate usage DANE-TA(2) 970 Some domains may prefer to avoid the operational complexity of 971 publishing unique TLSA RRs for each TLS service. If the domain 972 employs a common issuing Certification Authority to create 973 certificates for multiple TLS services, it may be simpler to publish 974 the issuing authority as a trust anchor (TA) for the certificate 975 chains of all relevant services. The TLSA query domain (TLSA base 976 domain with port and protocol prefix labels) for each service issued 977 by the same TA may then be set to a CNAME alias that points to a 978 common TLSA RRset that matches the TA. For example: 980 example.com. IN MX 0 mx1.example.com. 981 example.com. IN MX 0 mx2.example.com. 982 _25._tcp.mx1.example.com. IN CNAME tlsa211._dane.example.com. 983 _25._tcp.mx2.example.com. IN CNAME tlsa211._dane.example.com. 984 tlsa211._dane.example.com. IN TLSA 2 1 1 e3b0c44298fc1c14.... 986 With usage DANE-TA(2) the server certificates will need to have names 987 that match one of the client's reference identifiers (see [RFC6125]). 988 The server MAY employ SNI to select the appropriate certificate to 989 present to the client. 991 SMTP servers that rely on certificate usage DANE-TA(2) TLSA records 992 for TLS authentication MUST include the TA certificate as part of the 993 certificate chain presented in the TLS handshake server certificate 994 message even when it is a self-signed root certificate. At this 995 time, many SMTP servers are not configured with a comprehensive list 996 of trust anchors, nor are they expected to at any point in the 997 future. Some MTAs will ignore all locally trusted certificates when 998 processing usage DANE-TA(2) TLSA records. Thus even when the TA 999 happens to be a public Certification Authority known to the SMTP 1000 client, authentication is likely to fail unless the TA certificate is 1001 included in the TLS server certificate message. 1003 TLSA records with selector Full(0) are discouraged. While these 1004 potentially obviate the need to transmit the TA certificate in the 1005 TLS server certificate message, client implementations may not be 1006 able to augment the server certificate chain with the data obtained 1007 from DNS, especially when the TLSA record supplies a bare key 1008 (selector SPKI(1)). Since the server will need to transmit the TA 1009 certificate in any case, server operators SHOULD publish TLSA records 1010 with a selector other than Full(0) and avoid potential 1011 interoperability issues with large TLSA records containing full 1012 certificates or keys. 1014 TLSA Publishers employing DANE-TA(2) records SHOULD publish records 1015 with a selector of Cert(0). Such TLSA records are associated with 1016 the whole trust anchor certificate, not just with the trust anchor 1017 public key. In particular, the SMTP client SHOULD then apply any 1018 relevant constraints from the trust anchor certificate, such as, for 1019 example, path length constraints. 1021 While a selector of SPKI(1) may also be employed, the resulting TLSA 1022 record will not specify the full trust anchor certificate content, 1023 and elements of the trust anchor certificate other than the public 1024 key become mutable. This may, for example, allow a subsidiary CA to 1025 issue a chain that violates the trust anchor's path length or name 1026 constraints. 1028 3.1.3. Certificate usages PKIX-TA(0) and PKIX-EE(1) 1030 As noted in the introduction, SMTP clients cannot, without relying on 1031 DNSSEC for secure MX records and DANE for STARTTLS support signaling, 1032 perform server identity verification or prevent STARTTLS downgrade 1033 attacks. The use of PKIX CAs offers no added security since an 1034 attacker capable of compromising DNSSEC is free to replace any PKIX- 1035 TA(0) or PKIX-EE(1) TLSA records with records bearing any convenient 1036 non-PKIX certificate usage. 1038 SMTP servers SHOULD NOT publish TLSA RRs with certificate usage PKIX- 1039 TA(0) or PKIX-EE(1). SMTP clients cannot be expected to be 1040 configured with a suitably complete set of trusted public CAs. 1041 Lacking a complete set of public CAs, clients would not be able to 1042 verify the certificates of SMTP servers whose issuing root CAs are 1043 not trusted by the client. 1045 Opportunistic DANE TLS needs to interoperate without bilateral 1046 coordination of security settings between client and server systems. 1047 Therefore, parameter choices that are fragile in the absence of 1048 bilateral coordination are unsupported. Nothing is lost since the 1049 PKIX certificate usages cannot aid SMTP TLS security, they can only 1050 impede SMTP TLS interoperability. 1052 SMTP client treatment of TLSA RRs with certificate usages PKIX-TA(0) 1053 or PKIX-EE(1) is undefined. SMTP clients should generally treat such 1054 TLSA records as unusable. 1056 3.2. Certificate matching 1058 When at least one usable "secure" TLSA record is found, the SMTP 1059 client MUST use TLSA records to authenticate the SMTP server. 1060 Messages MUST NOT be delivered via the SMTP server if authentication 1061 fails, otherwise the SMTP client is vulnerable to MITM attacks. 1063 3.2.1. DANE-EE(3) name checks 1065 The SMTP client MUST NOT perform certificate name checks with 1066 certificate usage DANE-EE(3), see Section 3.1.1 above. 1068 3.2.2. DANE-TA(2) name checks 1070 To match a server via a TLSA record with certificate usage DANE- 1071 TA(2), the client MUST perform name checks to ensure that it has 1072 reached the correct server. In all DANE-TA(2) cases the SMTP client 1073 MUST include the TLSA base domain as one of the valid reference 1074 identifiers for matching the server certificate. 1076 TLSA records for MX hostnames: If the TLSA base domain was obtained 1077 indirectly via a "secure" MX lookup (including any CNAME-expanded 1078 name of an MX hostname), then the original next-hop domain used in 1079 the MX lookup MUST be included as as a second reference 1080 identifier. The CNAME-expanded original next-hop domain MUST be 1081 included as a third reference identifier if different from the 1082 original next-hop domain. When the client MTA is employing DANE 1083 TLS security despite "insecure" MX redirection the MX hostname is 1084 the only reference identifier. 1086 TLSA records for Non-MX hostnames: If MX records were not used 1087 (e.g., if none exist) and the TLSA base domain is the CNAME- 1088 expanded original next-hop domain, then the original next-hop 1089 domain MUST be included as a second reference identifier. 1091 Accepting certificates with the original next-hop domain in addition 1092 to the MX hostname allows a domain with multiple MX hostnames to 1093 field a single certificate bearing a single domain name (i.e., the 1094 email domain) across all the SMTP servers. This also aids 1095 interoperability with pre-DANE SMTP clients that are configured to 1096 look for the email domain name in server certificates. For example, 1097 with "secure" DNS records as below: 1099 exchange.example.org. IN CNAME mail.example.org. 1100 mail.example.org. IN CNAME example.com. 1101 example.com. IN MX 10 mx10.example.com. 1102 example.com. IN MX 15 mx15.example.com. 1103 example.com. IN MX 20 mx20.example.com. 1104 ; 1105 mx10.example.com. IN A 192.0.2.10 1106 _25._tcp.mx10.example.com. IN TLSA 2 0 1 ... 1107 ; 1108 mx15.example.com. IN CNAME mxbackup.example.com. 1109 mxbackup.example.com. IN A 192.0.2.15 1110 ; _25._tcp.mxbackup.example.com. IN TLSA ? (NXDOMAIN) 1111 _25._tcp.mx15.example.com. IN TLSA 2 0 1 ... 1112 ; 1113 mx20.example.com. IN CNAME mxbackup.example.net. 1114 mxbackup.example.net. IN A 198.51.100.20 1115 _25._tcp.mxbackup.example.net. IN TLSA 2 0 1 ... 1117 Certificate name checks for delivery of mail to exchange.example.org 1118 via any of the associated SMTP servers MUST accept at least the names 1119 "exchange.example.org" and "example.com", which are respectively the 1120 original and fully expanded next-hop domain. When the SMTP server is 1121 mx10.example.com, name checks MUST accept the TLSA base domain 1122 "mx10.example.com". If, despite the fact that MX hostnames are 1123 required to not be aliases, the MTA supports delivery via 1124 "mx15.example.com" or "mx20.example.com" then name checks MUST accept 1125 the respective TLSA base domains "mx15.example.com" and 1126 "mxbackup.example.net". 1128 3.2.3. Reference identifier matching 1129 When name checks are applicable (certificate usage DANE-TA(2)), if 1130 the server certificate contains a Subject Alternative Name extension 1131 ([RFC5280]), with at least one DNS-ID ([RFC6125]) then only the DNS- 1132 IDs are matched against the client's reference identifiers. The CN- 1133 ID ([RFC6125]) is only considered when no DNS-IDs are present. The 1134 server certificate is considered matched when one of its presented 1135 identifiers ([RFC5280]) matches any of the client's reference 1136 identifiers. 1138 Wildcards are valid in either DNS-IDs or the CN-ID when applicable. 1139 The wildcard character must be entire first label of the DNS-ID or 1140 CN-ID. Thus, "*.example.com" is valid, while "smtp*.example.com" and 1141 "*smtp.example.com" are not. SMTP clients MUST support wildcards 1142 that match the first label of the reference identifier, with the 1143 remaining labels matching verbatim. For example, the DNS-ID 1144 "*.example.com" matches the reference identifier "mx1.example.com". 1145 SMTP clients MAY, subject to local policy allow wildcards to match 1146 multiple reference identifier labels, but servers cannot expect broad 1147 support for such a policy. Therefore any wildcards in server 1148 certificates SHOULD match exactly one label in either the TLSA base 1149 domain or the next-hop domain. 1151 4. Server key management 1153 Two TLSA records MUST be published before employing a new EE or TA 1154 public key or certificate, one matching the currently deployed key 1155 and the other matching the new key scheduled to replace it. Once 1156 sufficient time has elapsed for all DNS caches to expire the previous 1157 TLSA RRset and related signature RRsets, servers may be configured to 1158 use the new EE private key and associated public key certificate or 1159 may employ certificates signed by the new trust anchor. 1161 Once the new public key or certificate is in use, the TLSA RR that 1162 matches the retired key can be removed from DNS, leaving only RRs 1163 that match keys or certificates in active use. 1165 As described in Section 3.1.2, when server certificates are validated 1166 via a DANE-TA(2) trust anchor, and CNAME records are employed to 1167 store the TA association data at a single location, the 1168 responsibility of updating the TLSA RRset shifts to the operator of 1169 the trust anchor. Before a new trust anchor is used to sign any new 1170 server certificates, its certificate (digest) is added to the 1171 relevant TLSA RRset. After enough time elapses for the original TLSA 1172 RRset to age out of DNS caches, the new trust anchor can start 1173 issuing new server certificates. Once all certificates issued under 1174 the previous trust anchor have expired, its associated RRs can be 1175 removed from the TLSA RRset. 1177 In the DANE-TA(2) key management model server operators do not 1178 generally need to update DNS TLSA records after initially creating a 1179 CNAME record that references the centrally operated DANE-TA(2) RRset. 1180 If a particular server's key is compromised, its TLSA CNAME SHOULD be 1181 replaced with a DANE-EE(3) association until the certificate for the 1182 compromised key expires, at which point it can return to using CNAME 1183 record. If the central trust anchor is compromised, all servers need 1184 to be issued new keys by a new TA, and a shared DANE-TA(2) TLSA RRset 1185 needs to be published containing just the new TA. SMTP servers 1186 cannot expect broad SMTP client CRL or OCSP support. 1188 5. Digest algorithm agility 1190 While [RFC6698] specifies multiple digest algorithms, it does not 1191 specify a protocol by which the SMTP client and TLSA record publisher 1192 can agree on the strongest shared algorithm. Such a protocol would 1193 allow the client and server to avoid exposure to any deprecated 1194 weaker algorithms that are published for compatibility with less 1195 capable clients, but should be ignored when possible. We specify 1196 such a protocol below. 1198 Suppose that a DANE TLS client authenticating a TLS server considers 1199 digest algorithm "BetterAlg" stronger than digest algorithm 1200 "WorseAlg". Suppose further that a server's TLSA RRset contains some 1201 records with "BetterAlg" as the digest algorithm. Finally, suppose 1202 that for every raw public key or certificate object that is included 1203 in the server's TLSA RRset in digest form, whenever that object 1204 appears with algorithm "WorseAlg" with some usage and selector it 1205 also appears with algorithm "BetterAlg" with the same usage and 1206 selector. In that case our client can safely ignore TLSA records 1207 with the weaker algorithm "WorseAlg", because it suffices to check 1208 the records with the stronger algorithm "BetterAlg". 1210 Server operators MUST ensure that for any given usage and selector, 1211 each object (certificate or public key), for which a digest 1212 association exists in the TLSA RRset, is published with the SAME SET 1213 of digest algorithms as all other objects that published with that 1214 usage and selector. In other words, for each usage and selector, the 1215 records with non-zero matching types will correspond to on a cross- 1216 product of a set of underlying objects and a fixed set of digest 1217 algorithms that apply uniformly to all the objects. 1219 To achieve digest algorithm agility, all published TLSA RRsets for 1220 use with opportunistic DANE TLS for SMTP MUST conform to the above 1221 requirements. Then, for each combination of usage and selector, SMTP 1222 clients can simply ignore all digest records except those that employ 1223 the strongest digest algorithm. The ordering of digest algorithms by 1224 strength is not specified in advance, it is entirely up to the SMTP 1225 client. SMTP client implementations SHOULD make the digest algorithm 1226 preference order configurable. Only the future will tell which 1227 algorithms might be weakened by new attacks and when. 1229 Note, TLSA records with a matching type of Full(0), that publish the 1230 full value of a certificate or public key object, play no role in 1231 digest algorithm agility. They neither trump the processing of 1232 records that employ digests, nor are they ignored in the presence of 1233 any records with a digest (i.e. non-zero) matching type. 1235 SMTP clients SHOULD use digest algorithm agility when processing the 1236 DANE TLSA records of an SMTP server. Algorithm agility is to be 1237 applied after first discarding any unusable or malformed records 1238 (unsupported digest algorithm, or incorrect digest length). Thus, 1239 for each usage and selector, the client SHOULD process only any 1240 usable records with a matching type of Full(0) and the usable records 1241 whose digest algorithm is believed to be the strongest among usable 1242 records with the given usage and selector. 1244 The main impact of this requirement is on key rotation, when the TLSA 1245 RRset is pre-populated with digests of new certificates or public 1246 keys, before these replace or augment their predecessors. Were the 1247 newly introduced RRs to include previously unused digest algorithms, 1248 clients that employ this protocol could potentially ignore all the 1249 digests corresponding to the current keys or certificates, causing 1250 connectivity issues until the new keys or certificates are deployed. 1251 Similarly, publishing new records with fewer digests could cause 1252 problems for clients using cached TLSA RRsets that list both the old 1253 and new objects once the new keys are deployed. 1255 To avoid problems, server operators SHOULD apply the following 1256 strategy: 1258 o When changing the set of objects published via the TLSA RRset 1259 (e.g. during key rotation), DO NOT change the set of digest 1260 algorithms used; change just the list of objects. 1262 o When changing the set of digest algorithms, change only the set of 1263 algorithms, and generate a new RRset in which all the current 1264 objects are re-published with the new set of digest algorithms. 1266 After either of these two changes are made, the new TLSA RRset should 1267 be left in place long enough that the older TLSA RRset can be flushed 1268 from caches before making another change. 1270 6. Mandatory TLS Security 1271 An MTA implementing this protocol may require a stronger security 1272 assurance when sending email to selected destinations. The sending 1273 organization may need to send sensitive email and/or may have 1274 regulatory obligations to protect its content. This protocol is not 1275 in conflict with such a requirement, and in fact can often simplify 1276 authenticated delivery to such destinations. 1278 Specifically, with domains that publish DANE TLSA records for their 1279 MX hostnames, a sending MTA can be configured to use the receiving 1280 domains's DANE TLSA records to authenticate the corresponding SMTP 1281 server. Authentication via DANE TLSA records is easier to manage, as 1282 changes in the receiver's expected certificate properties are made on 1283 the receiver end and don't require manually communicated 1284 configuration changes. With mandatory DANE TLS, when no usable TLSA 1285 records are found, message delivery is delayed. Thus, mail is only 1286 sent when an authenticated TLS channel is established to the remote 1287 SMTP server. 1289 Administrators of mail servers that employ mandatory DANE TLS, need 1290 to carefully monitor their mail logs and queues. If a partner domain 1291 unwittingly misconfigures their TLSA records, disables DNSSEC, or 1292 misconfigures SMTP server certificate chains, mail will be delayed 1293 and may bounce if the issue is not resolved in a timely manner. 1295 7. Note on DANE for Message User Agents 1297 We note that the SMTP protocol is also used between Message User 1298 Agents (MUAs) and Message Submission Agents (MSAs) [RFC6409]. In 1299 [RFC6186] a protocol is specified that enables an MUA to dynamically 1300 locate the MSA based on the user's email address. SMTP connection 1301 security considerations for MUAs implementing [RFC6186] are largely 1302 analogous to connection security requirements for MTAs, and this 1303 specification could be applied largely verbatim with DNS MX records 1304 replaced by corresponding DNS Service (SRV) records 1305 [I-D.ietf-dane-srv]. 1307 However, until MUAs begin to adopt the dynamic configuration 1308 mechanisms of [RFC6186] they are adequately served by more 1309 traditional static TLS security policies. Specification of DANE TLS 1310 for Message User Agent (MUA) to Message Submission Agent (MSA) SMTP 1311 is left to future documents that focus specifically on SMTP security 1312 between MUAs and MSAs. 1314 8. Interoperability considerations 1316 8.1. SNI support 1318 To ensure that the server sends the right certificate chain, the SMTP 1319 client MUST send the TLS SNI extension containing the TLSA base 1320 domain. This precludes the use of the backward compatible SSL 2.0 1321 compatible SSL HELLO by the SMTP client. The minimum SSL/TLS client 1322 HELLO version for SMTP clients performing DANE authentication is SSL 1323 3.0, but a client that offers SSL 3.0 MUST also offer at least TLS 1324 1.0 and MUST include the SNI extension. Servers that don't make use 1325 of SNI MAY negotiate SSL 3.0 if offered by the client. 1327 Each SMTP server MUST present a certificate chain (see [RFC5246] 1328 Section 7.4.2) that matches at least one of the TLSA records. The 1329 server MAY rely on SNI to determine which certificate chain to 1330 present to the client. Clients that don't send SNI information may 1331 not see the expected certificate chain. 1333 If the server's TLSA records match the server's default certificate 1334 chain, the server need not support SNI. In either case, the server 1335 need not include the SNI extension in its TLS HELLO as simply 1336 returning a matching certificate chain is sufficient. Servers MUST 1337 NOT enforce the use of SNI by clients, as the client may be using 1338 unauthenticated opportunistic TLS and may not expect any particular 1339 certificate from the server. If the client sends no SNI extension, 1340 or sends an SNI extension for an unsupported domain, the server MUST 1341 simply send some fallback certificate chain of its choice. The 1342 reason for not enforcing strict matching of the requested SNI 1343 hostname is that DANE TLS clients are typically willing to accept 1344 multiple server names, but can only send one name in the SNI 1345 extension. The server's fallback certificate may match a different 1346 name acceptable to the client, e.g., the original next-hop domain. 1348 8.2. Anonymous TLS cipher suites 1350 Since many SMTP servers either do not support or do not enable any 1351 anonymous TLS cipher suites, SMTP client TLS HELLO messages SHOULD 1352 offer to negotiate a typical set of non-anonymous cipher suites 1353 required for interoperability with such servers. An SMTP client 1354 employing pre-DANE opportunistic TLS MAY in addition include one or 1355 more anonymous TLS cipher suites in its TLS HELLO. SMTP servers, 1356 that need to interoperate with opportunistic TLS clients SHOULD be 1357 prepared to interoperate with such clients by either always selecting 1358 a mutually supported non-anonymous cipher suite or by correctly 1359 handling client connections that negotiate anonymous cipher suites. 1361 Note that while SMTP server operators are under no obligation to 1362 enable anonymous cipher suites, no security is gained by sending 1363 certificates to clients that will ignore them. Indeed support for 1364 anonymous cipher suites in the server makes audit trails more 1365 informative. Log entries that record connections that employed an 1366 anonymous cipher suite record the fact that the clients did not care 1367 to authenticate the server. 1369 9. Operational Considerations 1371 9.1. Client Operational Considerations 1373 An operational error on the sending or receiving side that cannot be 1374 corrected in a timely manner may, at times, lead to consistent 1375 failure to deliver time-sensitive email. The sending MTA 1376 administrator may have to choose between letting email queue until 1377 the error is resolved and disabling opportunistic or mandatory DANE 1378 TLS for one or more destinations. The choice to disable DANE TLS 1379 security should not be made lightly. Every reasonable effort should 1380 be made to determine that problems with mail delivery are the result 1381 of an operational error, and not an attack. A fallback strategy may 1382 be to configure explicit out-of-band TLS security settings if 1383 supported by the sending MTA. 1385 SMTP clients may deploy opportunistic DANE TLS incrementally by 1386 enabling it only for selected sites, or may occasionally need to 1387 disable opportunistic DANE TLS for peers that fail to interoperate 1388 due to misconfiguration or software defects on either end. Some 1389 implementations MAY support DANE TLS in an "audit only" mode in which 1390 failure to achieve the requisite security level is logged as a 1391 warning and delivery proceeds at a reduced security level. Unless 1392 local policy specifies "audit only" or that opportunistic DANE TLS is 1393 not to be used for a particular destination, an SMTP client MUST NOT 1394 deliver mail via a server whose certificate chain fails to match at 1395 least one TLSA record when usable TLSA records are found for that 1396 server. 1398 9.2. Publisher Operational Considerations 1400 SMTP servers that publish certificate usage DANE-TA(2) associations 1401 MUST include the TA certificate in their TLS server certificate 1402 chain, even when that TA certificate is a self-signed root 1403 certificate. 1405 TLSA Publishers must follow the digest agility guidelines in 1406 Section 5 and must make sure that all objects published in digest 1407 form for a particular usage and selector are published with the same 1408 set of digest algorithms. 1410 TLSA Publishers should follow the TLSA publication size guidance 1411 found in [I-D.ietf-dane-ops] about "DANE DNS Record Size Guidelines". 1413 10. Security Considerations 1415 This protocol leverages DANE TLSA records to implement MITM resistant 1416 opportunistic channel security for SMTP. For destination domains 1417 that sign their MX records and publish signed TLSA records for their 1418 MX hostnames, this protocol allows sending MTAs to securely discover 1419 both the availability of TLS and how to authenticate the destination. 1421 This protocol does not aim to secure all SMTP traffic, as that is not 1422 practical until DNSSEC and DANE adoption are universal. The 1423 incremental deployment provided by following this specification is a 1424 best possible path for securing SMTP. This protocol coexists and 1425 interoperates with the existing insecure Internet email backbone. 1427 The protocol does not preclude existing non-opportunistic SMTP TLS 1428 security arrangements, which can continue to be used as before via 1429 manual configuration with negotiated out-of-band key and TLS 1430 configuration exchanges. 1432 Opportunistic SMTP TLS depends critically on DNSSEC for downgrade 1433 resistance and secure resolution of the destination name. If DNSSEC 1434 is compromised, it is not possible to fall back on the public CA PKI 1435 to prevent MITM attacks. A successful breach of DNSSEC enables the 1436 attacker to publish TLSA usage 3 certificate associations, and 1437 thereby bypass any security benefit the legitimate domain owner might 1438 hope to gain by publishing usage 0 or 1 TLSA RRs. Given the lack of 1439 public CA PKI support in existing MTA deployments, avoiding 1440 certificate usages 0 and 1 simplifies implementation and deployment 1441 with no adverse security consequences. 1443 Implementations must strictly follow the portions of this 1444 specification that indicate when it is appropriate to initiate a non- 1445 authenticated connection or cleartext connection to a SMTP server. 1446 Specifically, in order to prevent downgrade attacks on this protocol, 1447 implementation must not initiate a connection when this specification 1448 indicates a particular SMTP server must be considered unreachable. 1450 11. IANA considerations 1452 This specification requires no support from IANA. 1454 12. Acknowledgements 1456 The authors would like to extend great thanks to Tony Finch, who 1457 started the original version of a DANE SMTP document. His work is 1458 greatly appreciated and has been incorporated into this document. 1459 The authors would like to additionally thank Phil Pennock for his 1460 comments and advice on this document. 1462 Acknowledgments from Viktor: Thanks to Paul Hoffman who motivated me 1463 to begin work on this memo and provided feedback on early drafts. 1464 Thanks to Patrick Koetter, Perry Metzger and Nico Williams for 1465 valuable review comments. Thanks also to Wietse Venema who created 1466 Postfix, and whose advice and feedback were essential to the 1467 development of the Postfix DANE implementation. 1469 13. References 1471 13.1. Normative References 1473 [I-D.ietf-dane-ops] 1474 Dukhovni, V. and W. Hardaker, "DANE TLSA implementation 1475 and operational guidance", draft-ietf-dane-ops-00 (work in 1476 progress), October 2013. 1478 [RFC1035] Mockapetris, P., "Domain names - implementation and 1479 specification", STD 13, RFC 1035, November 1987. 1481 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1482 Requirement Levels", BCP 14, RFC 2119, March 1997. 1484 [RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over 1485 Transport Layer Security", RFC 3207, February 2002. 1487 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1488 Rose, "DNS Security Introduction and Requirements", RFC 1489 4033, March 2005. 1491 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1492 Rose, "Resource Records for the DNS Security Extensions", 1493 RFC 4034, March 2005. 1495 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1496 Rose, "Protocol Modifications for the DNS Security 1497 Extensions", RFC 4035, March 2005. 1499 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 1500 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 1502 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 1503 Housley, R., and W. Polk, "Internet X.509 Public Key 1504 Infrastructure Certificate and Certificate Revocation List 1505 (CRL) Profile", RFC 5280, May 2008. 1507 [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, 1508 October 2008. 1510 [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: 1511 Extension Definitions", RFC 6066, January 2011. 1513 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and 1514 Verification of Domain-Based Application Service Identity 1515 within Internet Public Key Infrastructure Using X.509 1516 (PKIX) Certificates in the Context of Transport Layer 1517 Security (TLS)", RFC 6125, March 2011. 1519 [RFC6186] Daboo, C., "Use of SRV Records for Locating Email 1520 Submission/Access Services", RFC 6186, March 2011. 1522 [RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the 1523 DNS", RFC 6672, June 2012. 1525 [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication 1526 of Named Entities (DANE) Transport Layer Security (TLS) 1527 Protocol: TLSA", RFC 6698, August 2012. 1529 13.2. Informative References 1531 [I-D.ietf-dane-registry-acronyms] 1532 Gudmundsson, O., "Adding acronyms to simplify DANE 1533 conversations", draft-ietf-dane-registry-acronyms-01 (work 1534 in progress), October 2013. 1536 [I-D.ietf-dane-srv] 1537 Finch, T., "Using DNS-Based Authentication of Named 1538 Entities (DANE) TLSA records with SRV and MX records.", 1539 draft-ietf-dane-srv-02 (work in progress), February 2013. 1541 [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, July 1542 2009. 1544 [RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail", 1545 STD 72, RFC 6409, November 2011. 1547 Authors' Addresses 1549 Viktor Dukhovni 1550 Two Sigma 1552 Email: ietf-dane@dukhovni.org 1553 Wes Hardaker 1554 Parsons 1555 P.O. Box 382 1556 Davis, CA 95617 1557 US 1559 Email: ietf@hardakers.net