idnits 2.17.1 

draft-ietf-dane-smtp-with-dane-14.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  -- The document has examples using IPv4 documentation addresses according
     to RFC6890, but does not use any IPv6 documentation addresses.  Maybe
     there should be IPv6 examples, too?


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (February 20, 2015) is 3350 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-16) exists of
     draft-ietf-dane-ops-07

  ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)

  ** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525)

  == Outdated reference: A later version (-14) exists of
     draft-ietf-dane-srv-11


     Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	DANE                                                         V. Dukhovni
3	Internet-Draft                                                 Two Sigma
4	Intended status: Standards Track                             W. Hardaker
5	Expires: August 24, 2015                                         Parsons
6	                                                       February 20, 2015

8	                SMTP security via opportunistic DANE TLS
9	                   draft-ietf-dane-smtp-with-dane-14

11	Abstract

13	   This memo describes a downgrade-resistant protocol for SMTP transport
14	   security between Mail Transfer Agents (MTAs) based on the DNS-Based
15	   Authentication of Named Entities (DANE) TLSA DNS record.  Adoption of
16	   this protocol enables an incremental transition of the Internet email
17	   backbone to one using encrypted and authenticated Transport Layer
18	   Security (TLS).

20	Status of This Memo

22	   This Internet-Draft is submitted in full conformance with the
23	   provisions of BCP 78 and BCP 79.

25	   Internet-Drafts are working documents of the Internet Engineering
26	   Task Force (IETF).  Note that other groups may also distribute
27	   working documents as Internet-Drafts.  The list of current Internet-
28	   Drafts is at http://datatracker.ietf.org/drafts/current/.

30	   Internet-Drafts are draft documents valid for a maximum of six months
31	   and may be updated, replaced, or obsoleted by other documents at any
32	   time.  It is inappropriate to use Internet-Drafts as reference
33	   material or to cite them other than as "work in progress."

35	   This Internet-Draft will expire on August 24, 2015.

37	Copyright Notice

39	   Copyright (c) 2015 IETF Trust and the persons identified as the
40	   document authors.  All rights reserved.

42	   This document is subject to BCP 78 and the IETF Trust's Legal
43	   Provisions Relating to IETF Documents
44	   (http://trustee.ietf.org/license-info) in effect on the date of
45	   publication of this document.  Please review these documents
46	   carefully, as they describe your rights and restrictions with respect
47	   to this document.  Code Components extracted from this document must
48	   include Simplified BSD License text as described in Section 4.e of
49	   the Trust Legal Provisions and are provided without warranty as
50	   described in the Simplified BSD License.

52	Table of Contents

54	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
55	     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
56	     1.2.  Background  . . . . . . . . . . . . . . . . . . . . . . .   5
57	     1.3.  SMTP channel security . . . . . . . . . . . . . . . . . .   5
58	       1.3.1.  STARTTLS downgrade attack . . . . . . . . . . . . . .   6
59	       1.3.2.  Insecure server name without DNSSEC . . . . . . . . .   6
60	       1.3.3.  Sender policy does not scale  . . . . . . . . . . . .   7
61	       1.3.4.  Too many certification authorities  . . . . . . . . .   8
62	   2.  Identifying applicable TLSA records . . . . . . . . . . . . .   8
63	     2.1.  DNS considerations  . . . . . . . . . . . . . . . . . . .   8
64	       2.1.1.  DNS errors, bogus and indeterminate responses . . . .   8
65	       2.1.2.  DNS error handling  . . . . . . . . . . . . . . . . .  11
66	       2.1.3.  Stub resolver considerations  . . . . . . . . . . . .  11
67	     2.2.  TLS discovery . . . . . . . . . . . . . . . . . . . . . .  13
68	       2.2.1.  MX resolution . . . . . . . . . . . . . . . . . . . .  14
69	       2.2.2.  Non-MX destinations . . . . . . . . . . . . . . . . .  15
70	       2.2.3.  TLSA record lookup  . . . . . . . . . . . . . . . . .  17
71	   3.  DANE authentication . . . . . . . . . . . . . . . . . . . . .  19
72	     3.1.  TLSA certificate usages . . . . . . . . . . . . . . . . .  19
73	       3.1.1.  Certificate usage DANE-EE(3)  . . . . . . . . . . . .  21
74	       3.1.2.  Certificate usage DANE-TA(2)  . . . . . . . . . . . .  21
75	       3.1.3.  Certificate usages PKIX-TA(0) and PKIX-EE(1)  . . . .  23
76	     3.2.  Certificate matching  . . . . . . . . . . . . . . . . . .  23
77	       3.2.1.  DANE-EE(3) name checks  . . . . . . . . . . . . . . .  23
78	       3.2.2.  DANE-TA(2) name checks  . . . . . . . . . . . . . . .  24
79	       3.2.3.  Reference identifier matching . . . . . . . . . . . .  25
80	   4.  Server key management . . . . . . . . . . . . . . . . . . . .  25
81	   5.  Digest algorithm agility  . . . . . . . . . . . . . . . . . .  26
82	   6.  Mandatory TLS Security  . . . . . . . . . . . . . . . . . . .  26
83	   7.  Note on DANE for Message User Agents  . . . . . . . . . . . .  27
84	   8.  Interoperability considerations . . . . . . . . . . . . . . .  27
85	     8.1.  SNI support . . . . . . . . . . . . . . . . . . . . . . .  27
86	     8.2.  Anonymous TLS cipher suites . . . . . . . . . . . . . . .  28
87	   9.  Operational Considerations  . . . . . . . . . . . . . . . . .  28
88	     9.1.  Client Operational Considerations . . . . . . . . . . . .  28
89	     9.2.  Publisher Operational Considerations  . . . . . . . . . .  29
90	   10. Security Considerations . . . . . . . . . . . . . . . . . . .  29
91	   11. IANA considerations . . . . . . . . . . . . . . . . . . . . .  30
92	   12. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  30
93	   13. References  . . . . . . . . . . . . . . . . . . . . . . . . .  31
94	     13.1.  Normative References . . . . . . . . . . . . . . . . . .  31
95	     13.2.  Informative References . . . . . . . . . . . . . . . . .  32
96	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  32

98	1.  Introduction

100	   This memo specifies a new connection security model for Message
101	   Transfer Agents (MTAs).  This model is motivated by key features of
102	   inter-domain SMTP delivery, in particular the fact that the
103	   destination server is selected indirectly via DNS Mail Exchange (MX)
104	   records and that neither email addresses nor MX hostnames signal a
105	   requirement for either secure or cleartext transport.  Therefore,
106	   aside from a few manually configured exceptions, SMTP transport
107	   security is of necessity opportunistic.

109	   This specification uses the presence of DANE TLSA records to securely
110	   signal TLS support and to publish the means by which SMTP clients can
111	   successfully authenticate legitimate SMTP servers.  This becomes
112	   "opportunistic DANE TLS" and is resistant to downgrade and man-in-
113	   the-middle (MITM) attacks.  It enables an incremental transition of
114	   the email backbone to authenticated TLS delivery, with increased
115	   global protection as adoption increases.

117	   With opportunistic DANE TLS, traffic from SMTP clients to domains
118	   that publish "usable" DANE TLSA records in accordance with this memo
119	   is authenticated and encrypted.  Traffic from legacy clients or to
120	   domains that do not publish TLSA records will continue to be sent in
121	   the same manner as before, via manually configured security, (pre-
122	   DANE) opportunistic TLS or just cleartext SMTP.

124	   Problems with existing use of TLS in MTA to MTA SMTP that motivate
125	   this specification are described in Section 1.3.  The specification
126	   itself follows in Section 2 and Section 3 which describe respectively
127	   how to locate and use DANE TLSA records with SMTP.  In Section 6, we
128	   discuss application of DANE TLS to destinations for which channel
129	   integrity and confidentiality are mandatory.  In Section 7 we briefly
130	   comment on potential applicability of this specification to Message
131	   User Agents.

133	1.1.  Terminology

135	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
136	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
137	   "OPTIONAL" in this document are to be interpreted as described in
138	   [RFC2119].

140	   The following terms or concepts are used through the document:

142	   Man-in-the-middle or MITM attack:  Active modification of network
143	      traffic by an adversary able to thereby compromise the
144	      confidentiality or integrity of the data.

146	   secure, bogus, insecure, indeterminate:  DNSSEC validation results,
147	      as defined in Section 4.3 of [RFC4035].

149	   Validating Security-Aware Stub Resolver and     Non-Validating
150	   Security-Aware Stub Resolver:
151	      Capabilities of the stub resolver in use as defined in [RFC4033];
152	      note that this specification requires the use of a Security-Aware
153	      Stub Resolver.

155	   (pre-DANE) opportunistic TLS:  Best-effort use of TLS that is
156	      generally vulnerable to DNS forgery and STARTTLS downgrade
157	      attacks.  When a TLS-encrypted communication channel is not
158	      available, message transmission takes place in the clear.  MX
159	      record indirection generally precludes authentication even when
160	      TLS is available.

162	   opportunistic DANE TLS:  Best-effort use of TLS, resistant to
163	      downgrade attacks for destinations with DNSSEC-validated TLSA
164	      records.  When opportunistic DANE TLS is determined to be
165	      unavailable, clients should fall back to opportunistic TLS.
166	      Opportunistic DANE TLS requires support for DNSSEC, DANE and
167	      STARTTLS on the client side and STARTTLS plus a DNSSEC published
168	      TLSA record on the server side.

170	   reference identifier:  (Special case of [RFC6125] definition).  One
171	      of the domain names associated by the SMTP client with the
172	      destination SMTP server for performing name checks on the server
173	      certificate.  When name checks are applicable, at least one of the
174	      reference identifiers MUST match an [RFC6125] DNS-ID (or if none
175	      are present the [RFC6125] CN-ID) of the server certificate (see
176	      Section 3.2.3).

178	   MX hostname:  The RRDATA of an MX record consists of a 16 bit
179	      preference followed by a Mail Exchange domain name (see [RFC1035],
180	      Section 3.3.9).  We will use the term "MX hostname" to refer to
181	      the latter, that is, the DNS domain name found after the
182	      preference value in an MX record.  Thus an "MX hostname" is
183	      specifically a reference to a DNS domain name, rather than any
184	      host that bears that name.

186	   delayed delivery:  Email delivery is a multi-hop store & forward
187	      process.  When an MTA is unable to forward a message that may
188	      become deliverable later the message is queued and delivery is
189	      retried periodically.  Some MTAs may be configured with a fallback
190	      next-hop destination that handles messages that the MTA would
191	      otherwise queue and retry.  When a fallback next-hop is
192	      configured, messages that would otherwise have to be delayed may
193	      be sent to the fallback next-hop destination instead.  The
194	      fallback destination may itself be subject to opportunistic or
195	      mandatory DANE TLS (Section 6) as though it were the original
196	      message destination.

198	   original next hop destination:   The logical destination for mail
199	      delivery.  By default this is the domain portion of the recipient
200	      address, but MTAs may be configured to forward mail for some or
201	      all recipients via designated relays.  The original next hop
202	      destination is, respectively, either the recipient domain or the
203	      associated configured relay.

205	   MTA:   Message Transfer Agent ([RFC5598], Section 4.3.2).

207	   MSA:   Message Submission Agent ([RFC5598], Section 4.3.1).

209	   MUA:   Message User Agent ([RFC5598], Section 4.2.1).

211	   RR:   A DNS Resource Record as defined in [RFC1034], Section 3.6.

213	   RRSet:  An RRSet ([RFC2181], Section 5) is a group of DNS resource
214	      records that share the same label, class and type.

216	1.2.  Background

218	   The Domain Name System Security Extensions (DNSSEC) add data origin
219	   authentication, data integrity and data non-existence proofs to the
220	   Domain Name System (DNS).  DNSSEC is defined in [RFC4033], [RFC4034]
221	   and [RFC4035].

223	   As described in the introduction of [RFC6698], TLS authentication via
224	   the existing public Certification Authority (CA) PKI suffers from an
225	   over-abundance of trusted parties capable of issuing certificates for
226	   any domain of their choice.  DANE leverages the DNSSEC infrastructure
227	   to publish trusted public keys and certificates for use with the
228	   Transport Layer Security (TLS) [RFC5246] protocol via a new "TLSA"
229	   DNS record type.  With DNSSEC each domain can only vouch for the keys
230	   of its directly delegated sub-domains.

232	   The TLS protocol enables secure TCP communication.  In the context of
233	   this memo, channel security is assumed to be provided by TLS.  Used
234	   without authentication, TLS provides only privacy protection against
235	   eavesdropping attacks.  With authentication, TLS also provides data
236	   integrity protection to guard against MITM attacks.

238	1.3.  SMTP channel security

240	   With HTTPS, Transport Layer Security (TLS) employs X.509 certificates
241	   [RFC5280] issued by one of the many Certification Authorities (CAs)
242	   bundled with popular web browsers to allow users to authenticate
243	   their "secure" websites.  Before we specify a new DANE TLS security
244	   model for SMTP, we will explain why a new security model is needed.
245	   In the process, we will explain why the familiar HTTPS security model
246	   is inadequate to protect inter-domain SMTP traffic.

248	   The subsections below outline four key problems with applying
249	   traditional PKI to SMTP that are addressed by this specification.
250	   Since SMTP channel security policy is not explicitly specified in
251	   either the recipient address or the MX record, a new signaling
252	   mechanism is required to indicate when channel security is possible
253	   and should be used.  The publication of TLSA records allows server
254	   operators to securely signal to SMTP clients that TLS is available
255	   and should be used.  DANE TLSA makes it possible to simultaneously
256	   discover which destination domains support secure delivery via TLS
257	   and how to verify the authenticity of the associated SMTP services,
258	   providing a path forward to ubiquitous SMTP channel security.

260	1.3.1.  STARTTLS downgrade attack

262	   The Simple Mail Transfer Protocol (SMTP) [RFC5321] is a single-hop
263	   protocol in a multi-hop store & forward email delivery process.  An
264	   SMTP envelope recipient address does not correspond to a specific
265	   transport-layer endpoint address, rather at each relay hop the
266	   transport-layer endpoint is the next-hop relay, while the envelope
267	   recipient address typically remains the same.  Unlike the Hypertext
268	   Transfer Protocol (HTTP) and its corresponding secured version,
269	   HTTPS, where the use of TLS is signaled via the URI scheme, email
270	   recipient addresses do not directly signal transport security policy.
271	   Indeed, no such signaling could work well with SMTP since TLS
272	   encryption of SMTP protects email traffic on a hop-by-hop basis while
273	   email addresses could only express end-to-end policy.

275	   With no mechanism available to signal transport security policy, SMTP
276	   relays employ a best-effort "opportunistic" security model for TLS.
277	   A single SMTP server TCP listening endpoint can serve both TLS and
278	   non-TLS clients; the use of TLS is negotiated via the SMTP STARTTLS
279	   command ([RFC3207]).  The server signals TLS support to the client
280	   over a cleartext SMTP connection, and, if the client also supports
281	   TLS, it may negotiate a TLS encrypted channel to use for email
282	   transmission.  The server's indication of TLS support can be easily
283	   suppressed by an MITM attacker.  Thus pre-DANE SMTP TLS security can
284	   be subverted by simply downgrading a connection to cleartext.  No TLS
285	   security feature, such as the use of PKIX, can prevent this.  The
286	   attacker can simply disable TLS.

288	1.3.2.  Insecure server name without DNSSEC
289	   With SMTP, DNS Mail Exchange (MX) records abstract the next-hop
290	   transport endpoint and allow administrators to specify a set of
291	   target servers to which SMTP traffic should be directed for a given
292	   domain.

294	   A PKIX TLS client is vulnerable to MITM attacks unless it verifies
295	   that the server's certificate binds the public key to a name that
296	   matches one of the client's reference identifiers.  A natural choice
297	   of reference identifier is the server's domain name.  However, with
298	   SMTP, server names are not directly encoded in the recipient address,
299	   instead they are obtained indirectly via MX records.  Without DNSSEC,
300	   the MX lookup is vulnerable to MITM and DNS cache poisoning attacks.
301	   Active attackers can forge DNS replies with fake MX records and can
302	   redirect email to servers with names of their choice.  Therefore,
303	   secure verification of SMTP TLS certificates matching the server name
304	   is not possible without DNSSEC.

306	   One might try to harden TLS for SMTP against DNS attacks by using the
307	   envelope recipient domain as a reference identifier and by requiring
308	   each SMTP server to possess a trusted certificate for the envelope
309	   recipient domain rather than the MX hostname.  Unfortunately, this is
310	   impractical as email for many domains is handled by third parties
311	   that are not in a position to obtain certificates for all the domains
312	   they serve.  Deployment of the Server Name Indication (SNI) extension
313	   to TLS (see [RFC6066] Section 3) is no panacea, since SNI key
314	   management is operationally challenging except when the email service
315	   provider is also the domain's registrar and its certificate issuer;
316	   this is rarely the case for email.

318	   Since the recipient domain name cannot be used as the SMTP server
319	   reference identifier, and neither can the MX hostname without DNSSEC,
320	   large-scale deployment of authenticated TLS for SMTP requires that
321	   the DNS be secure.

323	   Since SMTP security depends critically on DNSSEC, it is important to
324	   point out that consequently SMTP with DANE is the most conservative
325	   possible trust model.  It trusts only what must be trusted and no
326	   more.  Adding any other trusted actors to the mix can only reduce
327	   SMTP security.  A sender may choose to further harden DNSSEC for
328	   selected high-value receiving domains by configuring explicit trust
329	   anchors for those domains instead of relying on the chain of trust
330	   from the root domain.  However, detailed discussion of DNSSEC
331	   security practices is out of scope for this document.

333	1.3.3.  Sender policy does not scale

335	   Sending systems are in some cases explicitly configured to use TLS
336	   for mail sent to selected peer domains, but this requires configuring
337	   sending MTAs with appropriate subject names or certificate content
338	   digests from their peer domains.  Due to the resulting administrative
339	   burden, such statically configured SMTP secure channels are used
340	   rarely (generally only between domains that make bilateral
341	   arrangements with their business partners).  Internet email, on the
342	   other hand, requires regularly contacting new domains for which
343	   security configurations cannot be established in advance.

345	   The abstraction of the SMTP transport endpoint via DNS MX records,
346	   often across organization boundaries, limits the use of public CA PKI
347	   with SMTP to a small set of sender-configured peer domains.  With
348	   little opportunity to use TLS authentication, sending MTAs are rarely
349	   configured with a comprehensive list of trusted CAs.  SMTP services
350	   that support STARTTLS often deploy X.509 certificates that are self-
351	   signed or issued by a private CA.

353	1.3.4.  Too many certification authorities

355	   Even if it were generally possible to determine a secure server name,
356	   the SMTP client would still need to verify that the server's
357	   certificate chain is issued by a trusted Certification Authority (a
358	   trust anchor).  MTAs are not interactive applications where a human
359	   operator can make a decision (wisely or otherwise) to selectively
360	   disable TLS security policy when certificate chain verification
361	   fails.  With no user to "click OK", the MTA's list of public CA trust
362	   anchors would need to be comprehensive in order to avoid bouncing
363	   mail addressed to sites that employ unknown Certification
364	   Authorities.

366	   On the other hand, each trusted CA can issue certificates for any
367	   domain.  If even one of the configured CAs is compromised or operated
368	   by an adversary, it can subvert TLS security for all destinations.
369	   Any set of CAs is simultaneously both overly inclusive and not
370	   inclusive enough.

372	2.  Identifying applicable TLSA records

374	2.1.  DNS considerations

376	2.1.1.  DNS errors, bogus and indeterminate responses

378	   An SMTP client that implements opportunistic DANE TLS per this
379	   specification depends critically on the integrity of DNSSEC lookups,
380	   as discussed in Section 1.3.2.  This section lists the DNS resolver
381	   requirements needed to avoid downgrade attacks when using
382	   opportunistic DANE TLS.

384	   A DNS lookup may signal an error or return a definitive answer.  A
385	   security-aware resolver must be used for this specification.
386	   Security-aware resolvers will indicate the security status of a DNS
387	   RRSet with one of four possible values defined in Section 4.3 of
388	   [RFC4035]: "secure", "insecure", "bogus" and "indeterminate".  In
389	   [RFC4035] the meaning of the "indeterminate" security status is:

391	     An RRSet for which the resolver is not able to determine whether
392	     the RRSet should be signed, as the resolver is not able to obtain
393	     the necessary DNSSEC RRs.  This can occur when the security-aware
394	     resolver is not able to contact security-aware name servers for
395	     the relevant zones.

397	   Note, the "indeterminate" security status has a conflicting
398	   definition in section 5 of [RFC4033].

400	     There is no trust anchor that would indicate that a specific
401	     portion of the tree is secure.

403	   To avoid further confusion, the adjective "anchorless" will be used
404	   below to refer to domains or RRSets that are "indeterminate" in the
405	   [RFC4033] sense, and the term "indeterminate" will be used
406	   exclusively in the sense of [RFC4035].

408	   SMTP clients following this specification SHOULD NOT distinguish
409	   between "insecure" and "anchorless" DNS responses.  Both "insecure"
410	   and "anchorless" RRSets MUST be handled identically: in either case
411	   unvalidated data for the query domain is all that is and can be
412	   available, and authentication using the data is impossible.  In what
413	   follows, the term "insecure" will also include the case of
414	   "anchorless" domains that lie in a portion of the DNS tree for which
415	   there is no applicable trust anchor.  With the DNS root zone signed,
416	   we expect that validating resolvers used by Internet-facing MTAs will
417	   be configured with trust anchor data for the root zone, and that
418	   therefore "anchorless" domains should be rare in practice.

420	   As noted in section 4.3 of [RFC4035], a security-aware DNS resolver
421	   MUST be able to determine whether a given non-error DNS response is
422	   "secure", "insecure", "bogus" or "indeterminate".  It is expected
423	   that most security-aware stub resolvers will not signal an
424	   "indeterminate" security status (in the sense of RFC4035) to the
425	   application, and will signal a "bogus" or error result instead.  If a
426	   resolver does signal an RFC4035 "indeterminate" security status, this
427	   MUST be treated by the SMTP client as though a "bogus" or error
428	   result had been returned.

430	   An MTA making use of a non-validating security-aware stub resolver
431	   MAY use the stub resolver's ability, if available, to signal DNSSEC
432	   validation status based on information the stub resolver has learned
433	   from an upstream validating recursive resolver.  Security-Oblivious
434	   stub-resolvers ([RFC4033]) MUST NOT be used.  In accordance with
435	   section 4.9.3 of [RFC4035]:

437	     ... a security-aware stub resolver MUST NOT place any reliance on
438	     signature validation allegedly performed on its behalf, except
439	     when the security-aware stub resolver obtained the data in question
440	     from a trusted security-aware recursive name server via a secure
441	     channel.

443	   To avoid much repetition in the text below, we will pause to explain
444	   the handling of "bogus" or "indeterminate" DNSSEC query responses.
445	   These are not necessarily the result of a malicious actor; they can,
446	   for example, occur when network packets are corrupted or lost in
447	   transit.  Therefore, "bogus" or "indeterminate" replies are equated
448	   in this memo with lookup failure.

450	   There is an important non-failure condition we need to highlight in
451	   addition to the obvious case of the DNS client obtaining a non-empty
452	   "secure" or "insecure" RRSet of the requested type.  Namely, it is
453	   not an error when either "secure" or "insecure" non-existence is
454	   determined for the requested data.  When a DNSSEC response with a
455	   validation status that is either "secure" or "insecure" reports
456	   either no records of the requested type or non-existence of the query
457	   domain, the response is not a DNS error condition.  The DNS client
458	   has not been left without an answer; it has learned that records of
459	   the requested type do not exist.

461	   Security-aware stub resolvers will, of course, also signal DNS lookup
462	   errors in other cases, for example when processing a "ServFail"
463	   RCODE, which will not have an associated DNSSEC status.  All lookup
464	   errors are treated the same way by this specification, regardless of
465	   whether they are from a "bogus" or "indeterminate" DNSSEC status or
466	   from a more generic DNS error: the information that was requested
467	   cannot be obtained by the security-aware resolver at this time.  A
468	   lookup error is thus a failure to obtain the relevant RRSet if it
469	   exists, or to determine that no such RRSet exists when it does not.

471	   In contrast to a "bogus" or an "indeterminate" response, an
472	   "insecure" DNSSEC response is not an error, rather it indicates that
473	   the target DNS zone is either securely opted out of DNSSEC validation
474	   or is not connected with the DNSSEC trust anchors being used.
475	   Insecure results will leave the SMTP client with degraded channel
476	   security, but do not stand in the way of message delivery.  See
477	   section Section 2.2 for further details.

479	2.1.2.  DNS error handling

481	   When a DNS lookup failure (error or "bogus" or "indeterminate" as
482	   defined above) prevents an SMTP client from determining which SMTP
483	   server or servers it should connect to, message delivery MUST be
484	   delayed.  This naturally includes, for example, the case when a
485	   "bogus" or "indeterminate" response is encountered during MX
486	   resolution.  When multiple MX hostnames are obtained from a
487	   successful MX lookup, but a later DNS lookup failure prevents network
488	   address resolution for a given MX hostname, delivery may proceed via
489	   any remaining MX hosts.

491	   When a particular SMTP server is securely identified as the delivery
492	   destination, a set of DNS lookups (Section 2.2) MUST be performed to
493	   locate any related TLSA records.  If any DNS queries used to locate
494	   TLSA records fail (be it due to "bogus" or "indeterminate" records,
495	   timeouts, malformed replies, ServFails, etc.), then the SMTP client
496	   MUST treat that server as unreachable and MUST NOT deliver the
497	   message via that server.  If no servers are reachable, delivery is
498	   delayed.

500	   In what follows, we will only describe what happens when all relevant
501	   DNS queries succeed.  If any DNS failure occurs, the SMTP client MUST
502	   behave as described in this section, by skipping the problem SMTP
503	   server, or the problem destination.  Queries for candidate TLSA
504	   records are explicitly part of "all relevant DNS queries" and SMTP
505	   clients MUST NOT continue to connect to an SMTP server or destination
506	   whose TLSA record lookup fails.

508	2.1.3.  Stub resolver considerations

510	   SMTP clients that employ opportunistic DANE TLS to secure connections
511	   to SMTP servers MUST NOT use Security-Oblivious ([RFC4033]) stub-
512	   resolvers.

514	   A note about DNAME aliases: a query for a domain name whose ancestor
515	   domain is a DNAME alias returns the DNAME RR for the ancestor domain
516	   along with a CNAME that maps the query domain to the corresponding
517	   sub-domain of the target domain of the DNAME alias [RFC6672].
518	   Therefore, whenever we speak of CNAME aliases, we implicitly allow
519	   for the possibility that the alias in question is the result of an
520	   ancestor domain DNAME record.  Consequently, no explicit support for
521	   DNAME records is needed in SMTP software; it is sufficient to process
522	   the resulting CNAME aliases.  DNAME records only require special
523	   processing in the validating stub-resolver library that checks the
524	   integrity of the combined DNAME + CNAME reply.  When DNSSEC
525	   validation is handled by a local caching resolver, rather than the
526	   MTA itself, even that part of the DNAME support logic is outside the
527	   MTA.

529	   When a stub resolver returns a response containing a CNAME alias that
530	   does not also contain the corresponding query results for the target
531	   of the alias, the SMTP client will need to repeat the query at the
532	   target of the alias, and should do so recursively up to some
533	   configured or implementation-dependent recursion limit.  If at any
534	   stage of CNAME expansion an error is detected, the lookup of the
535	   original requested records MUST be considered to have failed.

537	   Whether a chain of CNAME records was returned in a single stub
538	   resolver response or via explicit recursion by the SMTP client, if at
539	   any stage of recursive expansion an "insecure" CNAME record is
540	   encountered, then it and all subsequent results (in particular, the
541	   final result) MUST be considered "insecure" regardless of whether any
542	   earlier CNAME records leading to the "insecure" record were "secure".

544	   Note that a security-aware non-validating stub resolver may return to
545	   the SMTP client an "insecure" reply received from a validating
546	   recursive resolver that contains a CNAME record along with additional
547	   answers recursively obtained starting at the target of the CNAME.  In
548	   this case, the only possible conclusion is that some record in the
549	   set of records returned is "insecure", and it is in fact possible
550	   that the initial CNAME record and a subset of the subsequent records
551	   are "secure".

553	   If the SMTP client needs to determine the security status of the DNS
554	   zone containing the initial CNAME record, it may need to issue a
555	   separate query of type "CNAME" that returns only the initial CNAME
556	   record.  In particular in Section 2.2.2 when insecure A or AAAA
557	   records are found for an SMTP server via a CNAME alias, it may be
558	   necessary to perform an additional CNAME query to determine whether
559	   the DNS zone in which the alias is published is signed.

561	2.2.  TLS discovery

563	   As noted previously (in Section 1.3.1), opportunistic TLS with SMTP
564	   servers that advertise TLS support via STARTTLS is subject to an MITM
565	   downgrade attack.  Also some SMTP servers that are not, in fact, TLS
566	   capable erroneously advertise STARTTLS by default and clients need to
567	   be prepared to retry cleartext delivery after STARTTLS fails.  In
568	   contrast, DNSSEC validated TLSA records MUST NOT be published for
569	   servers that do not support TLS.  Clients can safely interpret their
570	   presence as a commitment by the server operator to implement TLS and
571	   STARTTLS.

573	   This memo defines four actions to be taken after the search for a
574	   TLSA record returns secure usable results, secure unusable results,
575	   insecure or no results or an error signal.  The term "usable" in this
576	   context is in the sense of Section 4.1 of [RFC6698].  Specifically,
577	   if the DNS lookup for a TLSA record returns:

579	   A secure TLSA RRSet with at least one usable record:  A connection to
580	      the MTA MUST be made using authenticated and encrypted TLS, using
581	      the techniques discussed in the rest of this document.  Failure to
582	      establish an authenticated TLS connection MUST result in falling
583	      back to the next SMTP server or delayed delivery.

585	   A secure non-empty TLSA RRSet where all the records are unusable:  A
586	      connection to the MTA MUST be made via TLS, but authentication is
587	      not required.  Failure to establish an encrypted TLS connection
588	      MUST result in falling back to the next SMTP server or delayed
589	      delivery.

591	   An insecure TLSA RRSet or DNSSEC validated proof-of-non-existent TLSA
592	    records:
593	      A connection to the MTA SHOULD be made using (pre-DANE)
594	      opportunistic TLS, this includes using cleartext delivery when the
595	      remote SMTP server does not appear to support TLS.  The MTA MAY
596	      retry in cleartext when delivery via TLS fails either during the
597	      handshake or even during data transfer.

599	   Any lookup error:  Lookup errors, including "bogus" and
600	      "indeterminate", as explained in Section 2.1.1 MUST result in
601	      falling back to the next SMTP server or delayed delivery.

603	   An SMTP client MAY be configured to mandate DANE verified delivery
604	   for some destinations.  With mandatory DANE TLS (Section 6), delivery
605	   proceeds only when "secure" TLSA records are used to establish an
606	   encrypted and authenticated TLS channel with the SMTP server.

608	   When the original next-hop destination is an address literal, rather
609	   than a DNS domain, DANE TLS does not apply.  Delivery proceeds using
610	   any relevant security policy configured by the MTA administrator.
611	   Similarly, when an MX RRSet incorrectly lists a network address in
612	   lieu of an MX hostname, if an MTA chooses to connect to the network
613	   address in the non-conformant MX record, DANE TLSA does not apply for
614	   such a connection.

616	   In the subsections that follow we explain how to locate the SMTP
617	   servers and the associated TLSA records for a given next-hop
618	   destination domain.  We also explain which name or names are to be
619	   used in identity checks of the SMTP server certificate.

621	2.2.1.  MX resolution

623	   In this section we consider next-hop domains that are subject to MX
624	   resolution and have MX records.  The TLSA records and the associated
625	   base domain are derived separately for each MX hostname that is used
626	   to attempt message delivery.  DANE TLS can authenticate message
627	   delivery to the intended next-hop domain only when the MX records are
628	   obtained securely via a DNSSEC validated lookup.

630	   MX records MUST be sorted by preference; an MX hostname with a worse
631	   (numerically higher) MX preference that has TLSA records MUST NOT
632	   preempt an MX hostname with a better (numerically lower) preference
633	   that has no TLSA records.  In other words, prevention of delivery
634	   loops by obeying MX preferences MUST take precedence over channel
635	   security considerations.  Even with two equal-preference MX records,
636	   an MTA is not obligated to choose the MX hostname that offers more
637	   security.  Domains that want secure inbound mail delivery need to
638	   ensure that all their SMTP servers and MX records are configured
639	   accordingly.

641	   In the language of [RFC5321] Section 5.1, the original next-hop
642	   domain is the "initial name".  If the MX lookup of the initial name
643	   results in a CNAME alias, the MTA replaces the initial name with the
644	   resulting name and performs a new lookup with the new name.  MTAs
645	   typically support recursion in CNAME expansion, so this replacement
646	   is performed repeatedly (up to the MTA's recursion limit) until the
647	   ultimate non-CNAME domain is found.

649	   If the MX RRSet (or any CNAME leading to it) is "insecure" (see
650	   Section 2.1.1), DANE TLS need not apply, and delivery MAY proceed via
651	   pre-DANE opportunistic TLS.  That said, the protocol in this memo is
652	   an "opportunistic security" protocol, meaning that it strives to
653	   communicate with each peer as securely as possible, while maintaining
654	   broad interoperability.  Therefore, the SMTP client MAY proceed to
655	   use DANE TLS (as described in Section 2.2.2 below) even with MX hosts
656	   obtained via an "insecure" MX RRSet.  For example, when a hosting
657	   provider has a signed DNS zone and publishes TLSA records for its
658	   SMTP servers, hosted domains that are not signed may still benefit
659	   from the provider's TLSA records.  Deliveries via the provider's SMTP
660	   servers will not be subject to active attacks when sending SMTP
661	   clients elect to make use of the provider's TLSA records.

663	   When the MX records are not (DNSSEC) signed, an active attacker can
664	   redirect SMTP clients to MX hosts of his choice.  Such redirection is
665	   tamper-evident when SMTP servers found via "insecure" MX records are
666	   recorded as the next-hop relay in the MTA delivery logs in their
667	   original (rather than CNAME expanded) form.  Sending MTAs SHOULD log
668	   unexpanded MX hostnames when these result from insecure MX lookups.
669	   Any successful authentication via an insecurely determined MX host
670	   MUST NOT be misrepresented in the mail logs as secure delivery to the
671	   intended next-hop domain.  When DANE TLS is mandatory (Section 6) for
672	   a given destination, delivery MUST be delayed when the MX RRSet is
673	   not "secure".

675	   Otherwise, assuming no DNS errors (Section 2.1.1), the MX RRSet is
676	   "secure", and the SMTP client MUST treat each MX hostname as a
677	   separate non-MX destination for opportunistic DANE TLS as described
678	   in Section 2.2.2.  When, for a given MX hostname, no TLSA records are
679	   found, or only "insecure" TLSA records are found, DANE TLSA is not
680	   applicable with the SMTP server in question and delivery proceeds to
681	   that host as with pre-DANE opportunistic TLS.  To avoid downgrade
682	   attacks, any errors during TLSA lookups MUST, as explained in
683	   Section 2.1.1, cause the SMTP server in question to be treated as
684	   unreachable.

686	2.2.2.  Non-MX destinations

688	   This section describes the algorithm used to locate the TLSA records
689	   and associated TLSA base domain for an input domain not subject to MX
690	   resolution.  Such domains include:

692	   o  Each MX hostname used in a message delivery attempt for an
693	      original next-hop destination domain subject to MX resolution.
694	      Note, MTAs are not obligated to support CNAME expansion of MX
695	      hostnames.

697	   o  Any administrator configured relay hostname, not subject to MX
698	      resolution.  This frequently involves configuration set by the MTA
699	      administrator to handle some or all mail.

701	   o  A next-hop destination domain subject to MX resolution that has no
702	      MX records.  In this case the domain's name is implicitly also its
703	      sole SMTP server name.

705	   Note that DNS queries with type TLSA are mishandled by load balancing
706	   nameservers that serve the MX hostnames of some large email
707	   providers.  The DNS zones served by these nameservers are not signed
708	   and contain no TLSA records, but queries for TLSA records fail,
709	   rather than returning the non-existence of the requested TLSA
710	   records.

712	   To avoid problems delivering mail to domains whose SMTP servers are
713	   served by the problem nameservers the SMTP client MUST perform any A
714	   and/or AAAA queries for the destination before attempting to locate
715	   the associated TLSA records.  This lookup is needed in any case to
716	   determine whether the destination domain is reachable and the DNSSEC
717	   validation status of the chain of CNAME queries required to reach the
718	   ultimate address records.

720	   If no address records are found, the destination is unreachable.  If
721	   address records are found, but the DNSSEC validation status of the
722	   first query response is "insecure" (see Section 2.1.3), the SMTP
723	   client SHOULD NOT proceed to search for any associated TLSA records.
724	   With the problem domains, TLSA queries will lead to DNS lookup errors
725	   and cause messages to be consistently delayed and ultimately returned
726	   to the sender.  We don't expect to find any "secure" TLSA records
727	   associated with a TLSA base domain that lies in an unsigned DNS zone.
728	   Therefore, skipping TLSA lookups in this case will also reduce
729	   latency with no detrimental impact on security.

731	   If the A and/or AAAA lookup of the "initial name" yields a CNAME, we
732	   replace it with the resulting name as if it were the initial name and
733	   perform a lookup again using the new name.  This replacement is
734	   performed recursively (up to the MTA's recursion limit).

736	   We consider the following cases for handling a DNS response for an A
737	   or AAAA DNS lookup:

739	   Not found:   When the DNS queries for A and/or AAAA records yield
740	      neither a list of addresses nor a CNAME (or CNAME expansion is not
741	      supported) the destination is unreachable.

743	   Non-CNAME:   The answer is not a CNAME alias.  If the address RRSet
744	      is "secure", TLSA lookups are performed as described in
745	      Section 2.2.3 with the initial name as the candidate TLSA base
746	      domain.  If no "secure" TLSA records are found, DANE TLS is not
747	      applicable and mail delivery proceeds with pre-DANE opportunistic
748	      TLS (which, being best-effort, degrades to cleartext delivery when
749	      STARTTLS is not available or the TLS handshake fails).

751	   Insecure CNAME:   The input domain is a CNAME alias, but the ultimate
752	      network address RRSet is "insecure" (see Section 2.1.1).  If the
753	      initial CNAME response is also "insecure", DANE TLS does not
754	      apply.  Otherwise, this case is treated just like the non-CNAME
755	      case above, where a search is performed for a TLSA record with the
756	      original input domain as the candidate TLSA base domain.

758	   Secure CNAME:   The input domain is a CNAME alias, and the ultimate
759	      network address RRSet is "secure" (see Section 2.1.1).  Two
760	      candidate TLSA base domains are tried: the fully CNAME-expanded
761	      initial name and, failing that, then the initial name itself.

763	   In summary, if it is possible to securely obtain the full, CNAME-
764	   expanded, DNSSEC-validated address records for the input domain, then
765	   that name is the preferred TLSA base domain.  Otherwise, the
766	   unexpanded input-MX domain is the candidate TLSA base domain.  When
767	   no "secure" TLSA records are found at either the CNAME-expanded or
768	   unexpanded domain, then DANE TLS does not apply for mail delivery via
769	   the input domain in question.  And, as always, errors, bogus or
770	   indeterminate results for any query in the process MUST result in
771	   delaying or abandoning delivery.

773	2.2.3.  TLSA record lookup

775	   Each candidate TLSA base domain (the original or fully CNAME-expanded
776	   name of a non-MX destination or a particular MX hostname of an MX
777	   destination) is in turn prefixed with service labels of the form
778	   "_<port>._tcp".  The resulting domain name is used to issue a DNSSEC
779	   query with the query type set to TLSA ([RFC6698] Section 7.1).

781	   For SMTP, the destination TCP port is typically 25, but this may be
782	   different with custom routes specified by the MTA administrator in
783	   which case the SMTP client MUST use the appropriate number in the
784	   "_<port>" prefix in place of "_25".  If, for example, the candidate
785	   base domain is "mx.example.com", and the SMTP connection is to port
786	   25, the TLSA RRSet is obtained via a DNSSEC query of the form:

788	   _25._tcp.mx.example.com. IN TLSA ?

790	   The query response may be a CNAME, or the actual TLSA RRSet.  If the
791	   response is a CNAME, the SMTP client (through the use of its
792	   security-aware stub resolver) restarts the TLSA query at the target
793	   domain, following CNAMEs as appropriate and keeping track of whether
794	   the entire chain is "secure".  If any "insecure" records are
795	   encountered, or the TLSA records don't exist, the next candidate TLSA
796	   base domain is tried instead.

798	   If the ultimate response is a "secure" TLSA RRSet, then the candidate
799	   TLSA base domain will be the actual TLSA base domain and the TLSA
800	   RRSet will constitute the TLSA records for the destination.  If none
801	   of the candidate TLSA base domains yield "secure" TLSA records then
802	   delivery MAY proceed via pre-DANE opportunistic TLS.  SMTP clients
803	   MAY elect to use "insecure" TLSA records to avoid STARTTLS downgrades
804	   or even to skip SMTP servers that fail authentication, but MUST NOT
805	   misrepresent authentication success as either a secure connection to
806	   the SMTP server or as a secure delivery to the intended next-hop
807	   domain.

809	   TLSA record publishers may leverage CNAMEs to reference a single
810	   authoritative TLSA RRSet specifying a common Certification Authority
811	   or a common end entity certificate to be used with multiple TLS
812	   services.  Such CNAME expansion does not change the SMTP client's
813	   notion of the TLSA base domain; thus, when _25._tcp.mx.example.com is
814	   a CNAME, the base domain remains mx.example.com and this is still the
815	   reference identifier used together with the next-hop domain in peer
816	   certificate name checks.

818	   Note that shared end entity certificate associations expose the
819	   publishing domain to substitution attacks, where an MITM attacker can
820	   reroute traffic to a different server that shares the same end entity
821	   certificate.  Such shared end entity TLSA records SHOULD be avoided
822	   unless the servers in question are functionally equivalent or employ
823	   mutually incompatible protocols (an active attacker gains nothing by
824	   diverting client traffic from one such server to another).

826	   A better example, employing a shared trust anchor rather than shared
827	   end-entity certificates, is illustrated by the DNSSEC validated
828	   records below:

830	     example.com.                IN MX 0 mx1.example.com.
831	     example.com.                IN MX 0 mx2.example.com.
832	     _25._tcp.mx1.example.com.   IN CNAME tlsa201._dane.example.com.
833	     _25._tcp.mx2.example.com.   IN CNAME tlsa201._dane.example.com.
834	     tlsa201._dane.example.com.  IN TLSA 2 0 1 e3b0c44298fc1c149a...

836	   The SMTP servers mx1.example.com and mx2.example.com will be expected
837	   to have certificates issued under a common trust anchor, but each MX
838	   hostname's TLSA base domain remains unchanged despite the above CNAME
839	   records.  Correspondingly, each SMTP server will be associated with a
840	   pair of reference identifiers consisting of its hostname plus the
841	   next-hop domain "example.com".

843	   If, during TLSA resolution (including possible CNAME indirection), at
844	   least one "secure" TLSA record is found (even if not usable because
845	   it is unsupported by the implementation or support is
846	   administratively disabled), then the corresponding host has signaled
847	   its commitment to implement TLS.  The SMTP client MUST NOT deliver
848	   mail via the corresponding host unless a TLS session is negotiated
849	   via STARTTLS.  This is required to avoid MITM STARTTLS downgrade
850	   attacks.

852	   As noted previously (in Section Section 2.2.2), when no "secure" TLSA
853	   records are found at the fully CNAME-expanded name, the original
854	   unexpanded name MUST be tried instead.  This supports customers of
855	   hosting providers where the provider's zone cannot be validated with
856	   DNSSEC, but the customer has shared appropriate key material with the
857	   hosting provider to enable TLS via SNI.  Intermediate names that
858	   arise during CNAME expansion that are neither the original, nor the
859	   final name, are never candidate TLSA base domains, even if "secure".

861	3.  DANE authentication

863	   This section describes which TLSA records are applicable to SMTP
864	   opportunistic DANE TLS and how to apply such records to authenticate
865	   the SMTP server.  With opportunistic DANE TLS, both the TLS support
866	   implied by the presence of DANE TLSA records and the verification
867	   parameters necessary to authenticate the TLS peer are obtained
868	   together.  In contrast to protocols where channel security policy is
869	   set exclusively by the client, authentication via this protocol is
870	   expected to be less prone to connection failure caused by
871	   incompatible configuration of the client and server.

873	3.1.  TLSA certificate usages

875	   The DANE TLSA specification [RFC6698] defines multiple TLSA RR types
876	   via combinations of 3 numeric parameters.  The numeric values of
877	   these parameters were later given symbolic names in [RFC7218].  The
878	   rest of the TLSA record is the "certificate association data field",
879	   which specifies the full or digest value of a certificate or public
880	   key.  The parameters are:

882	   The TLSA Certificate Usage field:  Section 2.1.1 of [RFC6698]
883	      specifies four values: PKIX-TA(0), PKIX-EE(1), DANE-TA(2), and
884	      DANE-EE(3).  There is an additional private-use value:
885	      PrivCert(255).  All other values are reserved for use by future
886	      specifications.

888	   The selector field:  Section 2.1.2 of [RFC6698] specifies two values:
889	      Cert(0) and SPKI(1).  There is an additional private-use value:
890	      PrivSel(255).  All other values are reserved for use by future
891	      specifications.

893	   The matching type field:  Section 2.1.3 of [RFC6698] specifies three
894	      values: Full(0), SHA2-256(1) and SHA2-512(2).  There is an
895	      additional private-use value: PrivMatch(255).  All other values
896	      are reserved for use by future specifications.

898	   We may think of TLSA Certificate Usage values 0 through 3 as a
899	   combination of two one-bit flags.  The low bit chooses between trust
900	   anchor (TA) and end entity (EE) certificates.  The high bit chooses
901	   between public PKI issued and domain-issued certificates.

903	   The selector field specifies whether the TLSA RR matches the whole
904	   certificate: Cert(0), or just its subjectPublicKeyInfo: SPKI(1).  The
905	   subjectPublicKeyInfo is an ASN.1 DER ([X.690]) encoding of the
906	   certificate's algorithm id, any parameters and the public key data.

908	   The matching type field specifies how the TLSA RR Certificate
909	   Association Data field is to be compared with the certificate or
910	   public key.  A value of Full(0) means an exact match: the full DER
911	   encoding of the certificate or public key is given in the TLSA RR.  A
912	   value of SHA2-256(1) means that the association data matches the
913	   SHA2-256 digest of the certificate or public key, and likewise
914	   SHA2-512(2) means a SHA2-512 digest is used.

916	   Since opportunistic DANE TLS will be used by non-interactive MTAs,
917	   with no user to "press OK" when authentication fails, reliability of
918	   peer authentication is paramount.  Server operators are advised to
919	   publish TLSA records that are least likely to fail authentication due
920	   to interoperability or operational problems.  Because DANE TLS relies
921	   on coordinated changes to DNS and SMTP server settings, the best
922	   choice of records to publish will depend on site-specific practices.

924	   The certificate usage element of a TLSA record plays a critical role
925	   in determining how the corresponding certificate association data
926	   field is used to authenticate server's certificate chain.  The next
927	   two subsections explain the process for certificate usages DANE-EE(3)
928	   and DANE-TA(2).  The third subsection briefly explains why
929	   certificate usages PKIX-TA(0) and PKIX-EE(1) are not applicable with
930	   opportunistic DANE TLS.

932	   In summary, we RECOMMEND the use of either "DANE-EE(3) SPKI(1)
933	   SHA2-256(1)" or "DANE-TA(2) Cert(0) SHA2-256(1)" TLSA records
934	   depending on site needs.  Other combinations of TLSA parameters are
935	   either explicitly unsupported, or offer little to recommend them over
936	   these two.

938	   As specified in [RFC6698], the mandatory to implement matching type
939	   digest algorithm is SHA2-256(1).  When the server's TLSA RRSet
940	   includes records with a matching type indicating a digest record
941	   (i.e., a value other than Full(0)), a TLSA record with a SHA2-256(1)
942	   matching type SHOULD be provided along with any other digest
943	   published, since some SMTP clients may support only SHA2-256(1).  If
944	   at some point the SHA2-256 digest algorithm is tarnished by new
945	   cryptanalytic attacks, publishers will need to include an appropriate
946	   stronger digest in their TLSA records, initially along with, and
947	   ultimately in place of, SHA2-256.

949	3.1.1.  Certificate usage DANE-EE(3)

951	   Authentication via certificate usage DANE-EE(3) TLSA records involves
952	   simply checking that the server's leaf certificate matches the TLSA
953	   record.  In particular the binding of the server public key to its
954	   name is based entirely on the TLSA record association.  The server
955	   MUST be considered authenticated even if none of the names in the
956	   certificate match the client's reference identity for the server.

958	   Similarly, the expiration date of the server certificate MUST be
959	   ignored, the validity period of the TLSA record key binding is
960	   determined by the validity interval of the TLSA record DNSSEC
961	   signature.

963	   With DANE-EE(3) servers need not employ SNI (may ignore the client's
964	   SNI message) even when the server is known under independent names
965	   that would otherwise require separate certificates.  It is instead
966	   sufficient for the TLSA RRSets for all the domains in question to
967	   match the server's default certificate.  Of course with SMTP servers
968	   it is simpler still to publish the same MX hostname for all the
969	   hosted domains.

971	   For domains where it is practical to make coordinated changes in DNS
972	   TLSA records during SMTP server key rotation, it is often best to
973	   publish end-entity DANE-EE(3) certificate associations.  DANE-EE(3)
974	   certificates don't suddenly stop working when leaf or intermediate
975	   certificates expire, and don't fail when the server operator neglects
976	   to configure all the required issuer certificates in the server
977	   certificate chain.

979	   TLSA records published for SMTP servers SHOULD, in most cases, be
980	   "DANE-EE(3) SPKI(1) SHA2-256(1)" records.  Since all DANE
981	   implementations are required to support SHA2-256, this record type
982	   works for all clients and need not change across certificate renewals
983	   with the same key.

985	3.1.2.  Certificate usage DANE-TA(2)

987	   Some domains may prefer to avoid the operational complexity of
988	   publishing unique TLSA RRs for each TLS service.  If the domain
989	   employs a common issuing Certification Authority to create
990	   certificates for multiple TLS services, it may be simpler to publish
991	   the issuing authority as a trust anchor (TA) for the certificate
992	   chains of all relevant services.  The TLSA query domain (TLSA base
993	   domain with port and protocol prefix labels) for each service issued
994	   by the same TA may then be set to a CNAME alias that points to a
995	   common TLSA RRSet that matches the TA.  For example:

997	     example.com.                IN MX 0 mx1.example.com.
998	     example.com.                IN MX 0 mx2.example.com.
999	     _25._tcp.mx1.example.com.   IN CNAME tlsa201._dane.example.com.
1000	     _25._tcp.mx2.example.com.   IN CNAME tlsa201._dane.example.com.
1001	     tlsa201._dane.example.com.  IN TLSA 2 0 1 e3b0c44298fc1c14....

1003	   With usage DANE-TA(2) the server certificates will need to have names
1004	   that match one of the client's reference identifiers (see [RFC6125]).
1005	   The server MAY employ SNI to select the appropriate certificate to
1006	   present to the client.

1008	   SMTP servers that rely on certificate usage DANE-TA(2) TLSA records
1009	   for TLS authentication MUST include the TA certificate as part of the
1010	   certificate chain presented in the TLS handshake server certificate
1011	   message even when it is a self-signed root certificate.  At this
1012	   time, many SMTP servers are not configured with a comprehensive list
1013	   of trust anchors, nor are they expected to at any point in the
1014	   future.  Some MTAs will ignore all locally trusted certificates when
1015	   processing usage DANE-TA(2) TLSA records.  Thus even when the TA
1016	   happens to be a public Certification Authority known to the SMTP
1017	   client, authentication is likely to fail unless the TA certificate is
1018	   included in the TLS server certificate message.

1020	   TLSA records with matching type Full(0) are discouraged.  While these
1021	   potentially obviate the need to transmit the TA certificate in the
1022	   TLS server certificate message, client implementations may not be
1023	   able to augment the server certificate chain with the data obtained
1024	   from DNS, especially when the TLSA record supplies a bare key
1025	   (selector SPKI(1)).  Since the server will need to transmit the TA
1026	   certificate in any case, server operators SHOULD publish TLSA records
1027	   with a matching type other than Full(0) and avoid potential
1028	   interoperability issues with large TLSA records containing full
1029	   certificates or keys.

1031	   TLSA Publishers employing DANE-TA(2) records SHOULD publish records
1032	   with a selector of Cert(0).  Such TLSA records are associated with
1033	   the whole trust anchor certificate, not just with the trust anchor
1034	   public key.  In particular, the SMTP client SHOULD then apply any
1035	   relevant constraints from the trust anchor certificate, such as, for
1036	   example, path length constraints.

1038	   While a selector of SPKI(1) may also be employed, the resulting TLSA
1039	   record will not specify the full trust anchor certificate content,
1040	   and elements of the trust anchor certificate other than the public
1041	   key become mutable.  This may, for example, allow a subsidiary CA to
1042	   issue a chain that violates the trust anchor's path length or name
1043	   constraints.

1045	3.1.3.  Certificate usages PKIX-TA(0) and PKIX-EE(1)

1047	   As noted in the introduction, SMTP clients cannot, without relying on
1048	   DNSSEC for secure MX records and DANE for STARTTLS support signaling,
1049	   perform server identity verification or prevent STARTTLS downgrade
1050	   attacks.  The use of PKIX CAs offers no added security since an
1051	   attacker capable of compromising DNSSEC is free to replace any PKIX-
1052	   TA(0) or PKIX-EE(1) TLSA records with records bearing any convenient
1053	   non-PKIX certificate usage.

1055	   SMTP servers SHOULD NOT publish TLSA RRs with certificate usage PKIX-
1056	   TA(0) or PKIX-EE(1).  SMTP clients cannot be expected to be
1057	   configured with a suitably complete set of trusted public CAs.
1058	   Lacking a complete set of public CAs, clients would not be able to
1059	   verify the certificates of SMTP servers whose issuing root CAs are
1060	   not trusted by the client.

1062	   Opportunistic DANE TLS needs to interoperate without bilateral
1063	   coordination of security settings between client and server systems.
1064	   Therefore, parameter choices that are fragile in the absence of
1065	   bilateral coordination are unsupported.  Nothing is lost since the
1066	   PKIX certificate usages cannot aid SMTP TLS security, they can only
1067	   impede SMTP TLS interoperability.

1069	   SMTP client treatment of TLSA RRs with certificate usages PKIX-TA(0)
1070	   or PKIX-EE(1) is undefined.  SMTP clients should generally treat such
1071	   TLSA records as unusable.

1073	3.2.  Certificate matching

1075	   When at least one usable "secure" TLSA record is found, the SMTP
1076	   client MUST use TLSA records to authenticate the SMTP server.
1077	   Messages MUST NOT be delivered via the SMTP server if authentication
1078	   fails, otherwise the SMTP client is vulnerable to MITM attacks.

1080	3.2.1.  DANE-EE(3) name checks

1082	   The SMTP client MUST NOT perform certificate name checks with
1083	   certificate usage DANE-EE(3); see Section 3.1.1 above.

1085	3.2.2.  DANE-TA(2) name checks

1087	   To match a server via a TLSA record with certificate usage DANE-
1088	   TA(2), the client MUST perform name checks to ensure that it has
1089	   reached the correct server.  In all DANE-TA(2) cases the SMTP client
1090	   MUST include the TLSA base domain as one of the valid reference
1091	   identifiers for matching the server certificate.

1093	   TLSA records for MX hostnames:  If the TLSA base domain was obtained
1094	      indirectly via a "secure" MX lookup (including any CNAME-expanded
1095	      name of an MX hostname), then the original next-hop domain used in
1096	      the MX lookup MUST be included as as a second reference
1097	      identifier.  The CNAME-expanded original next-hop domain MUST be
1098	      included as a third reference identifier if different from the
1099	      original next-hop domain.  When the client MTA is employing DANE
1100	      TLS security despite "insecure" MX redirection the MX hostname is
1101	      the only reference identifier.

1103	   TLSA records for Non-MX hostnames:  If MX records were not used
1104	      (e.g., if none exist) and the TLSA base domain is the CNAME-
1105	      expanded original next-hop domain, then the original next-hop
1106	      domain MUST be included as a second reference identifier.

1108	   Accepting certificates with the original next-hop domain in addition
1109	   to the MX hostname allows a domain with multiple MX hostnames to
1110	   field a single certificate bearing a single domain name (i.e., the
1111	   email domain) across all the SMTP servers.  This also aids
1112	   interoperability with pre-DANE SMTP clients that are configured to
1113	   look for the email domain name in server certificates.  For example,
1114	   with "secure" DNS records as below:

1116	     exchange.example.org.            IN CNAME mail.example.org.
1117	     mail.example.org.                IN CNAME example.com.
1118	     example.com.                     IN MX    10 mx10.example.com.
1119	     example.com.                     IN MX    15 mx15.example.com.
1120	     example.com.                     IN MX    20 mx20.example.com.
1121	     ;
1122	     mx10.example.com.                IN A     192.0.2.10
1123	     _25._tcp.mx10.example.com.       IN TLSA  2 0 1 ...
1124	     ;
1125	     mx15.example.com.                IN CNAME mxbackup.example.com.
1126	     mxbackup.example.com.            IN A     192.0.2.15
1127	     ; _25._tcp.mxbackup.example.com. IN TLSA ? (NXDOMAIN)
1128	     _25._tcp.mx15.example.com.       IN TLSA  2 0 1 ...
1129	     ;
1130	     mx20.example.com.                IN CNAME mxbackup.example.net.
1131	     mxbackup.example.net.            IN A     198.51.100.20
1132	     _25._tcp.mxbackup.example.net.   IN TLSA  2 0 1 ...

1134	   Certificate name checks for delivery of mail to exchange.example.org
1135	   via any of the associated SMTP servers MUST accept at least the names
1136	   "exchange.example.org" and "example.com", which are respectively the
1137	   original and fully expanded next-hop domain.  When the SMTP server is
1138	   mx10.example.com, name checks MUST accept the TLSA base domain
1139	   "mx10.example.com".  If, despite the fact that MX hostnames are
1140	   required to not be aliases, the MTA supports delivery via
1141	   "mx15.example.com" or "mx20.example.com" then name checks MUST accept
1142	   the respective TLSA base domains "mx15.example.com" and
1143	   "mxbackup.example.net".

1145	3.2.3.  Reference identifier matching

1147	   When name checks are applicable (certificate usage DANE-TA(2)), if
1148	   the server certificate contains a Subject Alternative Name extension
1149	   ([RFC5280]), with at least one DNS-ID ([RFC6125]) then only the DNS-
1150	   IDs are matched against the client's reference identifiers.  The CN-
1151	   ID ([RFC6125]) is only considered when no DNS-IDs are present.  The
1152	   server certificate is considered matched when one of its presented
1153	   identifiers ([RFC5280]) matches any of the client's reference
1154	   identifiers.

1156	   Wildcards are valid in either DNS-IDs or the CN-ID when applicable.
1157	   The wildcard character must be the entire first label of the DNS-ID
1158	   or CN-ID.  Thus, "*.example.com" is valid, while "smtp*.example.com"
1159	   and "*smtp.example.com" are not.  SMTP clients MUST support wildcards
1160	   that match the first label of the reference identifier, with the
1161	   remaining labels matching verbatim.  For example, the DNS-ID
1162	   "*.example.com" matches the reference identifier "mx1.example.com".
1163	   SMTP clients MAY, subject to local policy allow wildcards to match
1164	   multiple reference identifier labels, but servers cannot expect broad
1165	   support for such a policy.  Therefore any wildcards in server
1166	   certificates SHOULD match exactly one label in either the TLSA base
1167	   domain or the next-hop domain.

1169	4.  Server key management

1171	   Two TLSA records MUST be published before employing a new EE or TA
1172	   public key or certificate, one matching the currently deployed key
1173	   and the other matching the new key scheduled to replace it.  Once
1174	   sufficient time has elapsed for all DNS caches to expire the previous
1175	   TLSA RRSet and related signature RRsets, servers may be configured to
1176	   use the new EE private key and associated public key certificate or
1177	   may employ certificates signed by the new trust anchor.

1179	   Once the new public key or certificate is in use, the TLSA RR that
1180	   matches the retired key can be removed from DNS, leaving only RRs
1181	   that match keys or certificates in active use.

1183	   As described in Section 3.1.2, when server certificates are validated
1184	   via a DANE-TA(2) trust anchor, and CNAME records are employed to
1185	   store the TA association data at a single location, the
1186	   responsibility of updating the TLSA RRSet shifts to the operator of
1187	   the trust anchor.  Before a new trust anchor is used to sign any new
1188	   server certificates, its certificate (digest) is added to the
1189	   relevant TLSA RRSet.  After enough time elapses for the original TLSA
1190	   RRSet to age out of DNS caches, the new trust anchor can start
1191	   issuing new server certificates.  Once all certificates issued under
1192	   the previous trust anchor have expired, its associated RRs can be
1193	   removed from the TLSA RRSet.

1195	   In the DANE-TA(2) key management model server operators do not
1196	   generally need to update DNS TLSA records after initially creating a
1197	   CNAME record that references the centrally operated DANE-TA(2) RRSet.
1198	   If a particular server's key is compromised, its TLSA CNAME SHOULD be
1199	   replaced with a DANE-EE(3) association until the certificate for the
1200	   compromised key expires, at which point it can return to using a
1201	   CNAME record.  If the central trust anchor is compromised, all
1202	   servers need to be issued new keys by a new TA, and an updated DANE-
1203	   TA(2) TLSA RRSet needs to be published containing just the new TA.

1205	   SMTP servers cannot expect broad CRL or OCSP support from SMTP
1206	   clients.  As outlined above, with DANE, compromised server or trust
1207	   anchor keys can be "revoked" by removing them from the DNS without
1208	   the need for client-side support for OCSP or CRLs.

1210	5.  Digest algorithm agility

1212	   While [RFC6698] specifies multiple digest algorithms, it does not
1213	   specify a protocol by which the SMTP client and TLSA record publisher
1214	   can agree on the strongest shared algorithm.  Such a protocol would
1215	   allow the client and server to avoid exposure to any deprecated
1216	   weaker algorithms that are published for compatibility with less
1217	   capable clients, but should be ignored when possible.  Such a
1218	   protocol is specified in [I-D.ietf-dane-ops].  SMTP clients and
1219	   servers that implement this specification MUST comply with the
1220	   requirements outlined under "Digest Algorithm Agility" in
1221	   [I-D.ietf-dane-ops].

1223	6.  Mandatory TLS Security

1225	   An MTA implementing this protocol may require a stronger security
1226	   assurance when sending email to selected destinations.  The sending
1227	   organization may need to send sensitive email and/or may have
1228	   regulatory obligations to protect its content.  This protocol is not
1229	   in conflict with such a requirement, and in fact can often simplify
1230	   authenticated delivery to such destinations.

1232	   Specifically, with domains that publish DANE TLSA records for their
1233	   MX hostnames, a sending MTA can be configured to use the receiving
1234	   domains's DANE TLSA records to authenticate the corresponding SMTP
1235	   server.  Authentication via DANE TLSA records is easier to manage, as
1236	   changes in the receiver's expected certificate properties are made on
1237	   the receiver end and don't require manually communicated
1238	   configuration changes.  With mandatory DANE TLS, when no usable TLSA
1239	   records are found, message delivery is delayed.  Thus, mail is only
1240	   sent when an authenticated TLS channel is established to the remote
1241	   SMTP server.

1243	   Administrators of mail servers that employ mandatory DANE TLS, need
1244	   to carefully monitor their mail logs and queues.  If a partner domain
1245	   unwittingly misconfigures their TLSA records, disables DNSSEC, or
1246	   misconfigures SMTP server certificate chains, mail will be delayed
1247	   and may bounce if the issue is not resolved in a timely manner.

1249	7.  Note on DANE for Message User Agents

1251	   We note that the SMTP protocol is also used between Message User
1252	   Agents (MUAs) and Message Submission Agents (MSAs) [RFC6409].  In
1253	   [RFC6186] a protocol is specified that enables an MUA to dynamically
1254	   locate the MSA based on the user's email address.  SMTP connection
1255	   security considerations for MUAs implementing [RFC6186] are largely
1256	   analogous to connection security requirements for MTAs, and this
1257	   specification could be applied largely verbatim with DNS MX records
1258	   replaced by corresponding DNS Service (SRV) records
1259	   [I-D.ietf-dane-srv].

1261	   However, until MUAs begin to adopt the dynamic configuration
1262	   mechanisms of [RFC6186] they are adequately served by more
1263	   traditional static TLS security policies.  Specification of DANE TLS
1264	   for Message User Agent (MUA) to Message Submission Agent (MSA) SMTP
1265	   is left to future documents that focus specifically on SMTP security
1266	   between MUAs and MSAs.

1268	8.  Interoperability considerations

1270	8.1.  SNI support

1272	   To ensure that the server sends the right certificate chain, the SMTP
1273	   client MUST send the TLS SNI extension containing the TLSA base
1274	   domain.  This precludes the use of the backward compatible SSL 2.0
1275	   compatible SSL HELLO by the SMTP client.  The minimum SSL/TLS client
1276	   HELLO version for SMTP clients performing DANE authentication is SSL
1277	   3.0, but a client that offers SSL 3.0 MUST also offer at least TLS
1278	   1.0 and MUST include the SNI extension.  Servers that don't make use
1279	   of SNI MAY negotiate SSL 3.0 if offered by the client.

1281	   Each SMTP server MUST present a certificate chain (see [RFC5246]
1282	   Section 7.4.2) that matches at least one of the TLSA records.  The
1283	   server MAY rely on SNI to determine which certificate chain to
1284	   present to the client.  Clients that don't send SNI information may
1285	   not see the expected certificate chain.

1287	   If the server's TLSA records match the server's default certificate
1288	   chain, the server need not support SNI.  In either case, the server
1289	   need not include the SNI extension in its TLS HELLO as simply
1290	   returning a matching certificate chain is sufficient.  Servers MUST
1291	   NOT enforce the use of SNI by clients, as the client may be using
1292	   unauthenticated opportunistic TLS and may not expect any particular
1293	   certificate from the server.  If the client sends no SNI extension,
1294	   or sends an SNI extension for an unsupported domain, the server MUST
1295	   simply send some fallback certificate chain of its choice.  The
1296	   reason for not enforcing strict matching of the requested SNI
1297	   hostname is that DANE TLS clients are typically willing to accept
1298	   multiple server names, but can only send one name in the SNI
1299	   extension.  The server's fallback certificate may match a different
1300	   name acceptable to the client, e.g., the original next-hop domain.

1302	8.2.  Anonymous TLS cipher suites

1304	   Since many SMTP servers either do not support or do not enable any
1305	   anonymous TLS cipher suites, SMTP client TLS HELLO messages SHOULD
1306	   offer to negotiate a typical set of non-anonymous cipher suites
1307	   required for interoperability with such servers.  An SMTP client
1308	   employing pre-DANE opportunistic TLS MAY in addition include one or
1309	   more anonymous TLS cipher suites in its TLS HELLO.  SMTP servers,
1310	   that need to interoperate with opportunistic TLS clients SHOULD be
1311	   prepared to interoperate with such clients by either always selecting
1312	   a mutually supported non-anonymous cipher suite or by correctly
1313	   handling client connections that negotiate anonymous cipher suites.

1315	   Note that while SMTP server operators are under no obligation to
1316	   enable anonymous cipher suites, no security is gained by sending
1317	   certificates to clients that will ignore them.  Indeed support for
1318	   anonymous cipher suites in the server makes audit trails more
1319	   informative.  Log entries that record connections that employed an
1320	   anonymous cipher suite record the fact that the clients did not care
1321	   to authenticate the server.

1323	9.  Operational Considerations

1325	9.1.  Client Operational Considerations

1327	   An operational error on the sending or receiving side that cannot be
1328	   corrected in a timely manner may, at times, lead to consistent
1329	   failure to deliver time-sensitive email.  The sending MTA
1330	   administrator may have to choose between letting email queue until
1331	   the error is resolved and disabling opportunistic or mandatory DANE
1332	   TLS (Section 6) for one or more destinations.  The choice to disable
1333	   DANE TLS security should not be made lightly.  Every reasonable
1334	   effort should be made to determine that problems with mail delivery
1335	   are the result of an operational error, and not an attack.  A
1336	   fallback strategy may be to configure explicit out-of-band TLS
1337	   security settings if supported by the sending MTA.

1339	   SMTP clients may deploy opportunistic DANE TLS incrementally by
1340	   enabling it only for selected sites, or may occasionally need to
1341	   disable opportunistic DANE TLS for peers that fail to interoperate
1342	   due to misconfiguration or software defects on either end.  Some
1343	   implementations MAY support DANE TLS in an "audit only" mode in which
1344	   failure to achieve the requisite security level is logged as a
1345	   warning and delivery proceeds at a reduced security level.  Unless
1346	   local policy specifies "audit only" or that opportunistic DANE TLS is
1347	   not to be used for a particular destination, an SMTP client MUST NOT
1348	   deliver mail via a server whose certificate chain fails to match at
1349	   least one TLSA record when usable TLSA records are found for that
1350	   server.

1352	9.2.  Publisher Operational Considerations

1354	   SMTP servers that publish certificate usage DANE-TA(2) associations
1355	   MUST include the TA certificate in their TLS server certificate
1356	   chain, even when that TA certificate is a self-signed root
1357	   certificate.

1359	   TLSA Publishers MUST follow the guidelines in the "TLSA Publisher
1360	   Requirements" section of [I-D.ietf-dane-ops].

1362	   TLSA Publishers SHOULD follow the TLSA publication size guidance
1363	   found in [I-D.ietf-dane-ops] under "DANE DNS Record Size Guidelines".

1365	   TLSA Publishers SHOULD follow the TLSA record TTL and signature
1366	   lifetime recommendations found in [I-D.ietf-dane-ops] under
1367	   "Operational Considerations".

1369	10.  Security Considerations

1371	   This protocol leverages DANE TLSA records to implement MITM resistant
1372	   opportunistic security ([RFC7435]) for SMTP.  For destination domains
1373	   that sign their MX records and publish signed TLSA records for their
1374	   MX hostnames, this protocol allows sending MTAs to securely discover
1375	   both the availability of TLS and how to authenticate the destination.

1377	   This protocol does not aim to secure all SMTP traffic, as that is not
1378	   practical until DNSSEC and DANE adoption are universal.  The
1379	   incremental deployment provided by following this specification is a
1380	   best possible path for securing SMTP.  This protocol coexists and
1381	   interoperates with the existing insecure Internet email backbone.

1383	   The protocol does not preclude existing non-opportunistic SMTP TLS
1384	   security arrangements, which can continue to be used as before via
1385	   manual configuration with negotiated out-of-band key and TLS
1386	   configuration exchanges.

1388	   Opportunistic SMTP TLS depends critically on DNSSEC for downgrade
1389	   resistance and secure resolution of the destination name.  If DNSSEC
1390	   is compromised, it is not possible to fall back on the public CA PKI
1391	   to prevent MITM attacks.  A successful breach of DNSSEC enables the
1392	   attacker to publish TLSA usage 3 certificate associations, and
1393	   thereby bypass any security benefit the legitimate domain owner might
1394	   hope to gain by publishing usage 0 or 1 TLSA RRs.  Given the lack of
1395	   public CA PKI support in existing MTA deployments, avoiding
1396	   certificate usages 0 and 1 simplifies implementation and deployment
1397	   with no adverse security consequences.

1399	   Implementations must strictly follow the portions of this
1400	   specification that indicate when it is appropriate to initiate a non-
1401	   authenticated connection or cleartext connection to a SMTP server.
1402	   Specifically, in order to prevent downgrade attacks on this protocol,
1403	   implementation must not initiate a connection when this specification
1404	   indicates a particular SMTP server must be considered unreachable.

1406	11.  IANA considerations

1408	   This specification requires no support from IANA.

1410	12.  Acknowledgements

1412	   The authors would like to extend great thanks to Tony Finch, who
1413	   started the original version of a DANE SMTP document.  His work is
1414	   greatly appreciated and has been incorporated into this document.
1415	   The authors would like to additionally thank Phil Pennock for his
1416	   comments and advice on this document.

1418	   Acknowledgments from Viktor: Thanks to Paul Hoffman who motivated me
1419	   to begin work on this memo and provided feedback on early drafts.
1420	   Thanks to Patrick Koetter, Perry Metzger and Nico Williams for
1421	   valuable review comments.  Thanks also to Wietse Venema who created
1422	   Postfix, and whose advice and feedback were essential to the
1423	   development of the Postfix DANE implementation.

1425	13.  References

1427	13.1.  Normative References

1429	   [I-D.ietf-dane-ops]
1430	              Dukhovni, V. and W. Hardaker, "Updates to and Operational
1431	              Guidance for the DANE Protocol", draft-ietf-dane-ops-07
1432	              (work in progress), October 2014.

1434	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1435	              Requirement Levels", BCP 14, RFC 2119, March 1997.

1437	   [RFC3207]  Hoffman, P., "SMTP Service Extension for Secure SMTP over
1438	              Transport Layer Security", RFC 3207, February 2002.

1440	   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
1441	              Rose, "DNS Security Introduction and Requirements", RFC
1442	              4033, March 2005.

1444	   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
1445	              Rose, "Resource Records for the DNS Security Extensions",
1446	              RFC 4034, March 2005.

1448	   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
1449	              Rose, "Protocol Modifications for the DNS Security
1450	              Extensions", RFC 4035, March 2005.

1452	   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
1453	              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

1455	   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
1456	              Housley, R., and W. Polk, "Internet X.509 Public Key
1457	              Infrastructure Certificate and Certificate Revocation List
1458	              (CRL) Profile", RFC 5280, May 2008.

1460	   [RFC5321]  Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
1461	              October 2008.

1463	   [RFC6066]  Eastlake, D., "Transport Layer Security (TLS) Extensions:
1464	              Extension Definitions", RFC 6066, January 2011.

1466	   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
1467	              Verification of Domain-Based Application Service Identity
1468	              within Internet Public Key Infrastructure Using X.509
1469	              (PKIX) Certificates in the Context of Transport Layer
1470	              Security (TLS)", RFC 6125, March 2011.

1472	   [RFC6186]  Daboo, C., "Use of SRV Records for Locating Email
1473	              Submission/Access Services", RFC 6186, March 2011.

1475	   [RFC6672]  Rose, S. and W. Wijngaards, "DNAME Redirection in the
1476	              DNS", RFC 6672, June 2012.

1478	   [RFC6698]  Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
1479	              of Named Entities (DANE) Transport Layer Security (TLS)
1480	              Protocol: TLSA", RFC 6698, August 2012.

1482	   [RFC7218]  Gudmundsson, O., "Adding Acronyms to Simplify
1483	              Conversations about DNS-Based Authentication of Named
1484	              Entities (DANE)", RFC 7218, April 2014.

1486	   [X.690]    International Telecommunications Union, "Recommendation
1487	              ITU-T X.690 (2002) | ISO/IEC 8825-1:2002, Information
1488	              technology - ASN.1 encoding rules: Specification of Basic
1489	              Encoding Rules (BER), Canonical Encoding Rules (CER) and
1490	              Distinguished Encoding Rules (DER)", July 2002.

1492	13.2.  Informative References

1494	   [I-D.ietf-dane-srv]
1495	              Finch, T., Miller, M., and P. Saint-Andre, "Using DNS-
1496	              Based Authentication of Named Entities (DANE) TLSA Records
1497	              with SRV Records", draft-ietf-dane-srv-11 (work in
1498	              progress), February 2015.

1500	   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
1501	              STD 13, RFC 1034, November 1987.

1503	   [RFC1035]  Mockapetris, P., "Domain names - implementation and
1504	              specification", STD 13, RFC 1035, November 1987.

1506	   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
1507	              Specification", RFC 2181, July 1997.

1509	   [RFC5598]  Crocker, D., "Internet Mail Architecture", RFC 5598, July
1510	              2009.

1512	   [RFC6409]  Gellens, R. and J. Klensin, "Message Submission for Mail",
1513	              STD 72, RFC 6409, November 2011.

1515	   [RFC7435]  Dukhovni, V., "Opportunistic Security: Some Protection
1516	              Most of the Time", RFC 7435, December 2014.

1518	Authors' Addresses
1519	   Viktor Dukhovni
1520	   Two Sigma

1522	   Email: ietf-dane@dukhovni.org

1524	   Wes Hardaker
1525	   Parsons
1526	   P.O. Box 382
1527	   Davis, CA  95617
1528	   US

1530	   Email: ietf@hardakers.net