One document matched: draft-ietf-dane-protocol-14.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc2782 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2782.xml">
<!ENTITY rfc2818 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2818.xml">
<!ENTITY rfc2845 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2845.xml">
<!ENTITY rfc2931 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2931.xml">
<!ENTITY rfc4025 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4025.xml">
<!ENTITY rfc4033 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4033.xml">
<!ENTITY rfc4034 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4034.xml">
<!ENTITY rfc4035 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4035.xml">
<!ENTITY rfc4255 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4255.xml">
<!ENTITY rfc5246 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml">
<!ENTITY rfc5280 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5280.xml">
<!ENTITY rfc6071 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6071.xml">
<!ENTITY rfc6125 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6125.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict='yes'?>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc strict="no" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<rfc ipr="trust200902"
docName="draft-ietf-dane-protocol-14"
category="std"
>
<front>
<title abbrev="DNS Cert Association for TLS">
Using Secure DNS to Associate Certificates with Domain Names For TLS</title>
<author initials='P.' surname="Hoffman" fullname='Paul Hoffman'>
<organization>VPN Consortium</organization>
<address>
<email>paul.hoffman@vpnc.org</email>
</address>
</author>
<author initials="J." surname="Schlyter" fullname="Jakob Schlyter">
<organization>Kirei AB</organization>
<address>
<email>jakob@kirei.se</email>
</address>
</author>
<date month="January" year="2012"/>
<abstract>
<t>TLS and DTLS use PKIX certificates for authenticating the server. Users
want their applications to verify that the certificate provided by the TLS
server is in fact associated with the domain name they expect. TLSA provides
bindings of keys to domains that are asserted not by external entities, but by
the entities that operate the DNS. This document describes how to use secure
DNS to associate the TLS server's certificate with the intended domain
name.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>The first response from the server in TLS may contain a certificate. In
order for the TLS client to authenticate that it is talking to the expected
TLS server, the client must validate that this certificate is associated with
the domain name used by the client to get to the server. Currently, the client
must extract the domain name from the certificate, must trust a trust anchor
upon which the server's certificate is rooted, and must successfully validate
the certificate.</t>
<t>Some people want a different way to authenticate the association of the
server's certificate with the intended domain name without trusting an
external certificate authority (CA). Given that the DNS administrator for a
domain name is authorized to give identifying information about the zone, it
makes sense to allow that administrator to also make an authoritative binding
between the domain name and a certificate that might be used by a host at that
domain name. The easiest way to do this is to use the DNS.</t>
<t>There are many use cases for such functionality. <xref
target="DANEUSECASES"/> lists the ones that the protocol in this document is
meant to apply to. <xref target="DANEUSECASES"/> also lists many requirements,
most of which the protocol in this document is believed to meet.
Section 5 covers the applicability of this document to the use cases
in detail.</t>
<t>This document applies to both TLS <xref target='RFC5246'/> and DTLS <xref
target='RFC4347bis'/>. In order to make the document more readable, it mostly
only talks about "TLS", but in all cases, it means "TLS or DTLS". This
document only relates to securely associating certificates for TLS and DTLS
with host names; other security protocols and other forms of identification of
TLS servers (such as IP addresses) are handled in other documents. For
example, keys for IPsec are covered in <xref target='RFC4025'/> and keys for
SSH are covered in <xref target='RFC4255'/>.</t>
<section title="Certificate Associations">
<t>A certificate association is formed from a piece of information identifying
a certificate with the domain name where the data is found. The data used
to identify the certificate consists of either a PKIX certificate or a
hash of a PKIX certificate. When using the certificate itself in the certificate
association, the entire certificate in the normal format is used. This
document only applies to PKIX <xref target="RFC5280"/> certificates, not
certificates of other formats.</t>
<t>A DNS query can
return multiple certificate associations, such as in the case of different
server software on a single host using different certificates, or in the case
that a server is changing from one certificate to another.</t>
</section>
<section title="Securing Certificate Associations">
<t>This document defines a secure method to associate the certificate that is
obtained from the TLS server with a domain name using DNS; the DNS information
needs to be be protected by DNSSEC. Because the certificate association was
retrieved based on a DNS query, the domain name in the query is by definition
associated with the certificate.</t>
<t>DNSSEC, which is defined in RFCs 4033, 4034, and 4035 (<xref
target='RFC4033'/>, <xref target='RFC4034'/>, and <xref target='RFC4035'/>),
uses cryptographic keys and digital signatures to provide authentication of
DNS data. Information retrieved from the DNS and that is validated using
DNSSEC is thereby proved to be the authoritative data. The DNSSEC signature
MUST be validated on all responses that use DNSSEC in order to assure the
proof of origin of the data. This document does not specify how DNSSEC
validation occurs because there are many different proposals for how a client
might get validated DNSSEC results.</t>
<t>This document only relates to securely getting the DNS information for the
certificate association using DNSSEC; other secure DNS mechanisms are out of
scope.</t>
</section>
<section title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in RFC 2119 <xref target='RFC2119'/>.</t>
<t>This document also makes use of standard PKIX, DNSSEC, and TLS terminology.
See <xref target='RFC5280'/>, <xref target='RFC4033'/>, and <xref
target='RFC5246'/> respectively, for these terms. In addition, terms related
to TLS-protected application services and DNS names are taken from <xref
target='RFC6125'/>.</t>
</section>
</section>
<section title="The TLSA Resource Record" anchor="tlsa_rr">
<t>The TLSA DNS resource record (RR) is used to associate a certificate with
the domain name where the record is found. The semantics of how the TLSA
RR is interpreted are given later in this document.</t>
<t>The type value for the TLSA RR type is TBD.</t>
<t>The TLSA RR is class independent.</t>
<t>The TLSA RR has no special TTL requirements.</t>
<section title="TLSA RDATA Wire Format" anchor="tlsa_wire">
<t>The RDATA for a TLSA RR consists of a one octet usage type field, a one
octet selector field, a one octet matching type field and the certificate for
association field.
<figure><artwork><![CDATA[
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Usage | Selector | Matching Type | /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /
/ /
/ Certificate for Association /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>
</t>
<section title="The Certificate Usage Field" anchor="usage">
<t>A one-octet value, called "certificate usage" or just "usage", specifying
the provided association that will be used to match the target certificate from TLS.
This will be an IANA registry in order to make it easier to add additional
certificate usages in the future. The usages defined in this document are:
<list style='empty'>
<t>0 -- The target certificate MUST pass PKIX validation and MUST chain through a CA
certificate matching the TLSA record</t>
<t>1 -- The target certificate MUST pass PKIX validation and MUST match the TLSA record</t>
<t>2 -- The target certificate MUST pass PKIX validation, with any certificate matching
the TLSA record considered to be a trust anchor for this validation</t>
</list>
</t>
<t>The three certificate usages defined in this document explicitly only apply
to PKIX-formatted certificates. If TLS allows other formats later, or if
extensions to this protocol are made that accept other formats for
certificates, those certificates will need their own certificate types.</t>
<t>The use of this field is described in greater detail in <xref target="usage_semantics"/>.</t>
</section>
<section title="The Selector Field" anchor="selector">
<t>A one-octet value, called "selector", specifying what will be matched. This
value is defined in a new IANA registry. The selectors defined in this
document are:
<list style='empty'>
<t>0 -- Full certificate</t>
<t>1 -- SubjectPublicKeyInfo</t>
</list>
</t>
</section>
<section title="The Matching Type Field" anchor="matching_type">
<t>A one-octet value, called "matching type", specifying how the certificate
association is presented. This value is defined in a new IANA registry. The
types defined in this document are:
<list style='empty'>
<t>0 -- Exact match on selected content</t>
<t>1 -- SHA-256 hash of selected content</t>
<t>2 -- SHA-512 hash of selected content</t>
</list>
Using the same hash algorithm as is used in the signature in the certificate
will make it more likely that the TLS client will understand this TLSA
data.</t>
</section>
<section title="The Certificate for Association Field" anchor="association">
<t>The "association data" to be matched. The field contains the bytes to be
matched or the hash of the bytes to be matched. The source of the data to
be matched is controlled by the Matching Type field. The data refers to the
certificate in the association, not to the TLS ASN.1 Certificate object.</t>
</section>
</section>
<section title="TLSA RR Presentation Format">
<t>The presentation format of the RDATA portion is as follows:
<list style='symbols'>
<t>The certificate usage field MUST be represented as an unsigned decimal
integer.</t>
<t>The selector field MUST be represented as an unsigned decimal integer.</t>
<t>The matching type field MUST be represented as an unsigned decimal
integer.</t>
<t>The certificate for association field MUST be represented as a string of
hexadecimal characters. Whitespace is allowed within the string of hexadecimal
characters.</t>
</list>
</t>
</section>
<section title="TLSA RR Examples">
<t>An example of a hashed (SHA-256) association of a PKIX CA certificate:
<figure><artwork><![CDATA[
_443._tcp.www.example.com. IN TLSA (
0 0 1 d2abde240d7cd3ee6b4b28c54df034b9
7983a1d16e8a410e4561cb106618e971 )
]]></artwork></figure>
</t>
<t>An example of a hashed (SHA-512) subject public key association of a PKIX
end entity certificate:
<figure><artwork><![CDATA[
_443._tcp.www.example.com. IN TLSA
1 1 2 92003ba34942dc74152e2f2c408d29ec
a5a520e7f2e06bb944f4dca346baf63c
1b177615d466f6c4b71c216a50292bd5
8c9ebdd2f74e38fe51ffd48c43326cbc )
]]></artwork></figure>
</t>
<t>An example of a full certificate association of a PKIX trust anchor:
<figure><artwork><![CDATA[
_443._tcp.www.example.com. IN TLSA
2 0 0 30820307308201efa003020102020... )
]]></artwork></figure>
</t>
</section>
</section>
<section title="Domain Names for TLS Certificate Associations">
<t>TLSA resource records are stored at a prefixed DNS domain name. The prefix
is prepared in the following manner:
<list style="numbers">
<t>The decimal representation of the port number on which a TLS-based service
is assumed to exist is prepended with an underscore character ("_") to become
the left-most label in the prepared domain name. This number has no leading
zeros.</t>
<t>The protocol name of the transport on which a TLS-based service is assumed
to exist is prepended with an underscore character ("_") to become the second
left-most label in the prepared domain name. The transport names defined for
this protocol are "tcp", "udp" and "sctp".</t>
<t>The domain name is appended to the result of step 2 to complete the
prepared domain name.</t>
</list></t>
<t>For example, to request a TLSA resource record for an HTTP server running
TLS on port 443 at "www.example.com", you would use
"_443._tcp.www.example.com" in the request. To request a TLSA resource record
for an SMTP server running the STARTTLS protocol on port 25 at
"mail.example.com", you would use "_25._tcp.mail.example.com".</t>
</section>
<section title="Semantics and Features of TLSA Certificate Usages" anchor="usage_semantics">
<t>The three certificate usages have very different semantics, but also have
features common to all three types.</t>
<section title="Pass PKIX Validation and Chain Through CA">
<t>Certificate usage 0 is used to specify a CA certificate, or the public key
of such a certificate, that the must be found in any of the PKIX validation
chains for the end entity certificate given by the server in TLS. This usage
is sometimes referred to as "CA constraint" because it limits which CA can be
used to issue certificates for a given host name.</t>
</section>
<section title="Pass PKIX Validation and Match End Entity Certificate">
<t>Certificate usage 1 is used to specify an end entity certificate, or the
public key of such a certificate, that must be matched with the end entity
certificate given by the server in TLS. This usage is sometimes referred to as
"service certificate constraints" because it limits which end entity
certificate may be used by a given host name.</t>
</section>
<section title="Pass PKIX Validation and Use Trust Anchor">
<t>Certificate usage 2 is used to specify a certificate, or the public key of
such a certificate, that must be used as a trust anchor when validating the
end entity certificate given by the server in TLS. This usage is sometimes
referred to as "domain-issued certificate" because it allows for a domain name
administrator to issue certificates for a domain without involving a
third-party CA.</t>
</section>
<section title="Use of TLS Certificate Associations in TLS">
<t><xref target="tlsa_wire"/> of this document defines the mandatory matching
rules for the data from the TLS certificate associations and the certificates
received from the TLS server.</t>
<t>The TLS session that is to be set up MUST be for the specific port number
and transport name that was given in the TLSA query. The matching or chaining
MUST be done within the life of the TTL on the TLSA record.</t>
<t>Some specifications for applications that run under TLS, such as <xref
target="RFC2818"/> for HTTP, require the server's certificate to have a domain
name that matches the host name expected by the client. Some specifications
such at <xref target="RFC6125"/> detail how to match the identify given in a
PKIX certificate with those expected by the user.</t>
<!-- BEGIN issue #36 -->
<t>An application that complies with this document first requests TLSA records
in order to make certificate associations.</t>
<t>Determining whether a TLSA RRset can be used depends on the DNSSEC
validation state (as defined in <xref target="RFC4033"/>).
<list style='symbols'>
<t>A TLSA RRset whose DNSSEC validation state is secure MUST be used as a
certificate association for TLS unless a local policy would prohibit the use
of the specific certificate association in the secure TLSA RRset.</t>
<t>If the DNSSEC validation state on the response to the request for the TLSA
RRset is bogus, this MUST cause TLS not to be started or, if the TLS
negotiation is already in progress, to cause the connection to be aborted.</t>
<t>A TLSA RRset whose DNSSEC validation state is indeterminate or insecure
cannot be used for TLS and MUST be marked as unusable.</t>
</list>
</t>
<!-- END issue #36 -->
<t>If an application receives zero usable certificate associations, it
processes TLS in the normal fashion without any input from the
TLSA records; otherwise, that application attempts to
match each certificate association with the TLS server's end entity
certificate.</t>
<t>Clients that validate the DNSSEC signatures themselves MUST either use
standard DNSSEC validation procedures or
a secure transport (such as <xref
target="RFC2845">TSIG</xref>, <xref target="RFC2931">SIG(0)</xref>, or <xref
target="RFC6071">IPsec</xref>) between themselves and the entity performing
the DNSSEC signature validation. Note that it is not sufficient to use secure
transport to a DNS resolver that does not do DNSSEC signature validation.</t>
<t>If a certificate association contains a certificate usage, selector, or
matching type that is not understood by the TLS client, that certificate
association MUST be marked as unusable.
<!--
If the matching type is not trusted by the application,
the certificate association MUST be marked as unusable.
-->
If the comparison data for a
certificate is malformed, the certificate association MUST be marked as
unusable.</t>
</section>
</section>
<section title="TLSA and DANE Use Cases and Requirements">
<t>The different types of certificates for association defined in TLSA are
matched with various sections of <xref target="DANEUSECASES"/>. The three use
cases from section 3 of <xref target="DANEUSECASES"/> are covered in this
protocol as follows:</t>
<t><list style='hanging'>
<t hangText="3.1 CA Constraints"> -- Implemented using certificate usage
0.</t>
<t hangText="3.2 Certificate Constraints"> -- Implemented using certificate
usage 1.</t>
<t hangText="3.3 Domain-Issued Certificates"> -- Implemented using certificate
usage 2.</t>
</list></t>
<t>The requirements from section 4 of <xref target="DANEUSECASES"/> are covered
in this protocol as follows (note that some of these might be excessively
glib):</t>
<t><list style='hanging'>
<t hangText="Multiple Ports"> -- Covered in the TLSA request syntax.</t>
<t hangText="No Downgrade"> -- Covered by DNSSEC itself.</t>
<t hangText="Encapsulation"> -- Covered in the TLSA response semantics.</t>
<t hangText="Predictability"> -- Covered by this spec.</t>
<t hangText="Opportunistic Security"> -- Covered in the TLSA request syntax.</t>
<t hangText="Combination"> -- Covered in the TLSA response semantics.
No support is provided to combine two TLSA certificate
associations in a single operation. Support exists for having multiple TLSA
certificate associations that are treated independently.</t>
<t hangText="Roll-over"> -- Covered by the TTLs on the TLSA records.</t>
<t hangText="Simple Key Management"> -- Implemented using the
SubjectPublicKeyInfo selector.</t>
<t hangText="Minimal Dependencies"> -- Covered in the TLSA response semantics.</t>
<t hangText="Minimal Options"> -- Covered in the TLSA response semantics.</t>
<t hangText="Wild Cards"> -- Covered in a limited manner in the TLSA request syntax; see Appendix A.</t>
<t hangText="Redirection"> -- Covered in the TLSA request syntax; see Appendix A.</t>
</list></t>
</section>
<section title='Mandatory-to-Implement Algorithms'>
<t>A system creating TLSA records that conforms to this specification MUST be able to create TLSA
records containing certificate usages 0, 1 and 2. A system creating TLSA records that conforms to
this specification MUST be able to create TLSA records with selectors 0 (full
certificate) and 1 (SubjectPublicKeyInfo). A system creating TLSA records that conforms to this
specification MUST be able to create TLSA records using matching type 0 (no
hash used) and matching type 1 (SHA-256), and SHOULD be able to create TLSA
records using matching type 2 (SHA-512).</t>
<t>TLS clients conforming to this specification MUST be able to correctly
interpret TLSA records with certificate usages 0, 1 and 2. TLS clients
conforming to this specification MUST be able to compare a certificate for
association with a certificate from TLS using selectors type 0 and 1, and
matching type 0 (no hash used) and matching type 1 (SHA-256), and SHOULD be
able to make such comparisons with matching type 2 (SHA-512).</t>
<t>At the time this is written, it is expected that there will be a new family
of hash algorithms called SHA-3 within the next few years. It is expected that
some of the SHA-3 algorithms will be mandatory and/or recommended for TLSA
records after the algorithms are fully defined. At that time, this
specification will be updated.</t>
</section>
<section title='IANA Considerations'>
<section title='TLSA RRtype'>
<t>This document uses a new DNS RR type, TLSA, whose value is TBD. A separate
request for the RR type will be submitted to the expert reviewer, and future
versions of this document will have that value instead of TBD.</t>
</section>
<section title='TLSA Usages'>
<t>This document creates a new registry, "Certificate Usages for TLSA Resource
Records". The registry policy is "RFC Required". The initial entries in the
registry are:
<figure><artwork><![CDATA[
Value Short description Reference
----------------------------------------------------------
0 Pass PKIX and chain through CA [This]
1 Pass PKIX and match EE [This]
2 Pass PKIX and trusted via certificate [This]
4-254 Unassigned
255 Private use
]]></artwork></figure></t>
<t>Applications to the registry can request specific values that have yet to
be assigned.</t>
</section>
<section title='TLSA Selectors'>
<t>This document creates a new registry, "Selectors for TLSA Resource
Records". The registry policy is "Specification Required". The initial entries
in the registry are:
<figure><artwork><![CDATA[
Value Short description Reference
----------------------------------------------------------
0 Full Certificate [This]
1 SubjectPublickeyInfo [This]
2-254 Unassigned
255 Private use
]]></artwork></figure></t>
</section>
<section title='TLSA Matching Types'>
<t>This document creates a new registry, "Matching Types for TLSA Resource
Records". The registry policy is "Specification Required". The initial entries
in the registry are:
<figure><artwork><![CDATA[
Value Short description Reference
---------------------------------------------
0 No hash used [This]
1 SHA-256 NIST FIPS 180-3
2 SHA-512 NIST FIPS 180-3
3-254 Unassigned
255 Private use
]]></artwork></figure></t>
<t>Applications to the registry can request specific values that have yet to
be assigned.</t>
</section>
</section>
<section title='Security Considerations'>
<t>The security of the protocols described in this document relies on the
security of DNSSEC as used by the client requesting A/AAAA and TLSA
records.</t>
<t>A DNS administrator who goes rogue and changes both the A/AAAA and TLSA
records for a domain name can cause the user to go to an unauthorized server
that will appear authorized, unless the client performs certificate validation
and rejects the certificate. That administrator could probably get a
certificate issued anyway, so this is not an additional threat.</t>
<t>If the authentication mechanism for adding or changing TLSA data in a zone
is weaker than the authentication mechanism for changing the A/AAAA records, a
man-in-the-middle who can redirect traffic to their site may be able to
impersonate the attacked host in TLS if they can use the weaker authentication
mechanism. A better design for authenticating DNS would be to have the same
level of authentication used for all DNS additions and changes for a
particular host.</t>
<t>SSL proxies can sometimes act as a man-in-the-middle for TLS clients. In
these scenarios, the clients add a new trust anchor whose private key is kept
on the SSL proxy; the proxy intercepts TLS requests, creates a new TLS session
with the intended host, and sets up a TLS session with the client using a
certificate that chains to the trust anchor installed in the client by the
proxy. In such environments, the TLSA protocol will prevent the SSL proxy from
functioning as expected because the TLS client will get a certificate
association from the DNS that will not match the certificate that the SSL
proxy uses with the client. The client, seeing the proxy's new certificate for
the supposed destination will not set up a TLS session. Thus, such proxies
might choose to aggressively block TLSA requests and/or responses.</t>
<t>Client treatment of any information included in the trust anchor is a
matter of local policy. This specification does not mandate that such
information be inspected or validated by the domain name administrator.</t>
<t>If a server's certificate is revoked, or if an intermediate CA in a chain
between the end entity and a trust anchor has its certificate revoked, a TLSA
record with a certificate type of 2 that matches the revoked certificate would
in essence override the revocation because the client would treat that revoked
certificate as a trust anchor and thus not check its revocation status.
Because of this, domain administrators need to be responsible for being sure
that the key or certificate used in TLSA records with a certificate type of 2
are in fact able to be used as reliable trust anchors.</t>
</section>
<section title='Acknowledgements'>
<t>Many of the ideas in this document have been discussed over many years.
More recently, the ideas have been discussed by the authors and others in a
more focused fashion. In particular, some of the ideas here originated with
Paul Vixie, Dan Kaminsky, Jeff Hodges, Phill Hallam-Baker, Simon Josefsson,
Warren Kumari, Adam Langley, Ben Laurie, Ilari Liusvaara, Ondrej Mikle, Scott Schmit,
Ondrej Sury, Richard Barnes, Jim Schaad, and Stephen Farrell.</t>
<t>This document has also been greatly helped by many active participants
of the DANE Working Group.</t>
</section>
</middle>
<back>
<references title="Normative References">
<reference anchor='RFC4347bis'>
<front>
<title>Datagram Transport Layer Security version 1.2</title>
<author initials='E.' surname='Rescorla' fullname='Eric Rescorla'>
<organization /></author>
<author initials='N.' surname='Modadugu' fullname='Nagendra Modadugu'>
<organization /></author>
<date year='2010' month='July' />
</front>
<seriesInfo name='Internet-Draft' value='draft-ietf-tls-rfc4347-bis' />
</reference>
<reference anchor="DANEUSECASES">
<front>
<title>Use Cases and Requirements for DNS-based Authentication of Named Entities (DANE)</title>
<author initials="R." surname="Barnes"> <organization/> </author>
<date year='2011'/>
</front>
<seriesInfo name='Internet-Draft' value='draft-ietf-dane-use-cases' />
</reference>
&rfc2119;
&rfc4033;
&rfc4034;
&rfc4035;
&rfc5246;
&rfc5280;
&rfc6125;
</references>
<references title="Informative References">
&rfc2782;
&rfc2818;
&rfc2845;
&rfc2931;
&rfc4025;
&rfc4255;
&rfc6071;
</references>
<section title="Operational Considerations for Deploying TLSA Records">
<!-- BEGIN Text from Ondrej Mikle -->
<section title="Creating TLSA Records">
<t>When creating TLSA records with certificate usage type 0 or 2, care needs to
be taken when choosing between selector type 0 (full certificate) and 1
(SubjectPublicKeyInfo) because of the algorithms that
various TLS clients employ to build their trust-chain. The following outlines
some important cases and discusses implications of the choice of selector
type.</t>
<t>Note that certificate usage 2 is not affected by this discussion if the association is made to an end entity
certificate.</t>
<section title="Ambiguities and Corner Cases When TLS Clients Build Trust Chains">
<t>TLS clients are known to implement methods that may cause any certificate
(except the end entity certificate in the original certificate chain sent by server)
to be exchanged or removed from the trust chain when client builds trust chain.</t>
<t>Certificates the client can use to replace certificates from original chain
include:
<list style="symbols">
<t>Client's trust anchors</t>
<t>Certificates cached locally</t>
<t>Certificates retrieved from a URI listed in an Authority Information Access
X.509v3 extension</t>
</list>
</t>
<t>CAs frequently reissue certificates with a different validity period, a hash in
the signature algorithm or PKIX extensions; only the public key, issuer and subject remain
intact. Thes reissued certificates are certificates that the TLS client can use in place of
original certificate.</t>
<t>Clients are known to exchange or remove certificates that could
cause TLSA association that rely on the full certificate to fail. For example:
<list style="symbols">
<t>The client considers the hash in signature algorithm of a certificate no longer
sufficiently secure</t>
<t>A cross-certificate issued to CA2 by CA1 is represented by a self-signed
root certificate of CA2 as a trust anchor in client's trust store</t>
<t>A CA certificate above the cross-certificate in original chain may be removed
from the chain because the client found a trust anchor below that CA certificate</t>
</list>
</t>
</section>
<section title="Choosing a Selector Type">
<section title="Selector Type 0">
<t>The "Full certificate" selector provides most precise specification of a
trust anchor. Such non-ambiguity foils a class of hypothetical future attacks on
a CA where the CA issues new certificate with an identical SubjectPublicKeyInfo, but
a different issuer, subject, or extensions that would allow redirection of a trust
chain. This "Full certificate" selector would also foil bad practices or negligence of a CA if the
CA uses the same key for unrelated CA certificates.</t>
<t>For a DNS administrator, the best course to avoid false-positive failures at
client's side when using this selector is:
<list style="symbols">
<t>Do not associate to CA certificates that have a signature algorithm with hash
that is considered weak if that CA has issued a replacement certificate.</t>
<t>Determine how common client applications process the TLSA association using a fresh
client installation, that is, with the local certificate cache empty.</t>
</list>
</t>
</section>
<section title="Selector Type 1">
<t>A SubjectPublicKeyInfo selector gives greater flexibility in avoiding many false-positive
failures caused by trust-chain-building algorithms used in many clients.</t>
<t>One specific use-case should be noted: creating a TLSA association to
certificate I1 that directly signed end entity certificate S1 of the server. Because
the key used to sign S1 is fixed, the association to I1 must succeed: if the client
swaps I1 for I2 (a different certificate), I2's SubjectPublicKeyInfo must match the
SubjectPublicKeyInfo of I1. Such
association would not suffer from false-positive failure on the client
if the client uses a reissued CA certificate I2 in place of I1.</t>
<t>The attack surface is a bit broader compared to "full certificate"
selector:
<list style="symbols">
<t>The administrator must know or trust the CA not to engage in bad practices, such as not
sharing key of I1 for unrelated CA certificates leading to trust-chain redirect</t>
<t>The administrator should understand whether some PKIX extension may
adversely affect security of the association. If possible, administrators
should review all CA certificates that share the SubjectPublicKeyInfo.</t>
</list>
</t>
<t>Using the SubjectPublicKeyInfo selector for association with a certificate in a chain above I1 needs
to be decided on a case-by-case basis: there are too many possibilities based on the
issuing CA's practices. Unless the full implications of such an association are understood by the
administrator, using selector type 0 is a better option from a security perspective.</t>
<!-- following paragraph might need update (according to Ondrej Mikle )-->
<t>In practice, sharing keys in differently-purposed CA certificates is rare,
but certainly happens sometimes. An attack on an association by SubjectPublicKeyInfo would require
either gross negligence on the part of the CA or an attacker gaining control of CA.</t>
</section>
</section>
</section>
<!-- END Text from Ondrej Mikle -->
<section title="Provisioning TLSA Records in DNS">
<section title="Provisioning TLSA Records with Aliases">
<t>The TLSA resource record is not special in the DNS; it acts exactly like
any other RRtype where the queried name has one or more labels prefixed to the
base name, such as the SRV RRtype <xref target="RFC2782"/>. This affects the
way that the TLSA resource record is used when aliasing in the DNS.</t>
<t>Note that the IETF sometimes adds new types of aliasing in the DNS. If that
happens in the future, those aliases might affect TLSA records, hopefully in a
good way.</t>
<section title="Provisioning TLSA Records with CNAME Records">
<t>Using CNAME to alias in DNS only aliases from the exact name given, not any
zones below the given name. For example, assume that a zone file has only the
following:
<figure><artwork><![CDATA[
sub1.example.com. IN CNAME sub2.example.com.
]]></artwork></figure>
In this case, a request for the A record at "bottom.sub1.example.com" would
not return any records because the CNAME given only aliases the name given.
Assume, instead, the zone file has the following:
<figure><artwork><![CDATA[
sub3.example.com. IN CNAME sub4.example.com.
bottom.sub3.example.com. IN CNAME bottom.sub4.example.com.
]]></artwork></figure>
In this case, a request for the A record at bottom.sub3.example.com would in
fact return whatever value for the A record exists at
bottom.sub4.example.com.</t>
<t>Application implementations and full-service resolvers request DNS records
using libraries that automatically follow CNAME (and DNAME) aliasing. This
allows hosts to put TLSA records in their own zones or to use CNAME to do
redirection.</t>
<t>If the owner of the original domain wants a TLSA record for the same, they
simply enter it under the defined prefix:
<figure><artwork><![CDATA[
; No TLSA record in target domain
;
sub5.example.com. IN CNAME sub6.example.com.
_443._tcp.sub5.example.com. IN TLSA 1 1 1 308202c5308201ab...
sub6.example.com. IN A 10.0.0.0
]]></artwork></figure>
</t>
<t>If the owner of the orginal domain wants to have the target domain host the
TLSA record, the original domain uses a CNAME record:
<figure><artwork><![CDATA[
; TLSA record for original domain has CNAME to target domain
;
sub5.example.com. IN CNAME sub6.example.com.
_443._tcp.sub5.example.com. IN CNAME _443._tcp.sub6.example.com.
sub6.example.com. IN A 10.0.0.0
_443._tcp.sub6.example.com. IN TLSA 1 1 1 536a570ac49d9ba4...
]]></artwork></figure>
</t>
<t>Note that it is acceptable for both the original domain and the target domain
to have TLSA records, but the two records are unrelated. Consider the following:
<figure><artwork><![CDATA[
; TLSA record in both the original and target domain
;
sub5.example.com. IN CNAME sub6.example.com.
_443._tcp.sub5.example.com. IN TLSA 1 1 1 308202c5308201ab...
sub6.example.com. IN A 10.0.0.0
_443._tcp.sub6.example.com. IN TLSA 1 1 1 ac49d9ba4570ac49...
]]></artwork></figure>
In this example,
someone looking for the TLSA record for sub5.example.com would always get the
record whose value starts "308202c5308201ab"; the TLSA record whose value
starts "ac49d9ba4570ac49" would only be sought by someone who is looking for
the TLSA record for sub6.example.com, and never for sub5.example.com.</t>
<t>Note that these methods use the normal method for DNS aliasing using CNAME:
the DNS client requests the record type that they actually want.</t>
</section>
<section title="Provisioning TLSA Records with DNAME Records">
<t>Using DNAME records allows a zone owner to alias an entire subtree of names
below the name that has the DNAME. This allows the wholesale aliasing of
prefixed records such as those used by TLSA, SRV, and so on without aliasing
the name itself. However, because DNAME can only be used for subtrees of a
base name, it is rarely used to alias individual hosts that might also be
running TLS.</t>
<figure><artwork><![CDATA[
; TLSA record in target domain, visible in original domain via DNAME
;
sub5.example.com. IN CNAME sub6.example.com.
_tcp.sub5.example.com. IN DNAME _tcp.sub6.example.com.
sub6.example.com. IN A 10.0.0.0
_443._tcp.sub6.example.com. IN TLSA 1 1 1 536a570ac49d9ba4...
]]></artwork></figure>
</section>
<section title="Provisioning TLSA Records with Wildcards">
<t>Wildcards are generally not terribly useful for RRtypes that require
prefixing because you can only wildcard at a layer below the host name. For
example, if you want to have the same TLSA record for every TCP port for
www.example.com, you might have
<figure><artwork><![CDATA[
*._tcp.www.example.com. IN TLSA 1 1 1 5c1502a6549c423b...
]]></artwork></figure>
This is possibly useful in some scenarios where the same service is offered on
many ports.</t>
</section>
</section>
<section title="Provisioning with NS Records">
<t>[[ This was proposed, and questioned, and not yet followed through on. ]]</t>
</section>
</section>
<section title="Securing the Last Hop">
<t>[[ Need to add text here about the various ways that a client who is
pulling in TLSA records can be sure that they are protected by DNSSEC. ]]</t>
</section>
<section title="Handling Certificate Rollover">
<t>[[ Need to add text here about how to handle a change in certificate.
It would cover using two TLSA records at the same time, the TTL on the RRset, and
coordinating that with the use of the certificates in the TLS server. ]]</t>
</section>
</section>
<section title="Pseudocode for Using TLSA">
<t>This appendix describes the interactions given earlier in this
specification in pseudocode format. This appendix is non-normative. If the
steps below disagree with the text earlier in the document, the steps earlier
in the document should be considered correct and this text incorrect.</t>
<section title="Helper Functions">
<t><figure><artwork><![CDATA[
// implement the function for exiting
function Finish (F) = {
if (F == 0) {
abort the TLS handshake or prevent TLS from starting
exit
}
if (F == 1) {
fall back to non-TLSA certificate validation
exit
}
if (F == 2) {
accept the TLS connection
exit
}
// unreachable
}
// implement the selector function
function Select (S, X) = {
// Full certificate
if (S == 0) {
return X
}
// SubjectPublicKeyInfo
if (S == 1) {
return X.SubjectPublicKeyInfo
}
return undef
}
// implement the matching function
function Match (M, X, Y) {
// Exact match on selected content
if (M == 0) {
return (X == Y)
}
// SHA-256 hash of selected content
if (M == 1) {
return (SHA-256(X) == Y)
}
// SHA-512 hash of selected content
if (M == 2) {
return (SHA-512(X) == Y)
}
return undef
}
]]></artwork></figure></t>
</section>
<section title="Main TLSA Pseudo Code">
<t>TLS connect using [transport] to [name] on [port] and receiving end
entity cert C for the TLS server:</t>
<t><figure><artwork><![CDATA[
(TLSArecords, ValState) = DNSSECValidatedLookup(
domainname=_[port]._[transport].[name], RRtype=TLSA, class=IN)
// check for states that would change processing
if (ValState == BOGUS) {
Finish(0)
}
if ((ValState == INDETERMINATE) or (ValState == INSECURE)) {
Finish(1)
}
// if here, ValState must be SECURE
for each R in TLSArecords {
// unusable records include unknown certUsage, unknown
// selectorType, unknown matchingType, and erroneous RDATA
if (R is unusable) remove it from TLSArecords
}
if (length(TLSArecords) == 0) {
Finish(1)
}
// A TLS client might have multiple trust anchors that it might use
// when validating the TLS server's end entity certificate. Also,
// there can be multiple PKIX validation chains for the
// certificates given by the server in TLS. Thus, there are
// possibly many chains that might need to be tested during
// PKIX validation.
for each R in TLSArecords {
// pass PKIX validation and chain through CA cert from TLSA
if (R.certUsage == 0) {
for each PKIX validation chain H {
if (C passes PKIX validation in H) {
for each D in H {
if (D is a CA certificate) and
Match(matchingType, Select(selectorType, D), R) {
Finish(2)
}
}
}
}
// pass PKIX validation and match EE cert from TLSA
if (R.certUsage == 1) {
for each PKIX validation chain H {
if (C passes PKIX validation in H) {
if (Match(matchingType, Select(selectorType, C), R)) {
Finish(2)
}
}
}
}
// pass PKIX validation using TLSA record as trust anchor
if (R.certUsage == 2) {
for each PKIX validation chain H that has R as the trust anchor {
if (C passes PKIX validation in H) {
Finish(2)
}
}
}
}
// if here, the none of the TLSA records was sufficient for TLS
Finish(0)
]]></artwork></figure></t>
</section>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-22 20:41:15 |