One document matched: draft-ietf-dane-smtp-with-dane-06.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC1035 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1035.xml">
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC3207 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3207.xml">
<!ENTITY RFC4033 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4033.xml">
<!ENTITY RFC4034 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4034.xml">
<!ENTITY RFC4035 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4035.xml">
<!ENTITY RFC5246 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml">
<!ENTITY RFC5280 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5280.xml">
<!ENTITY RFC5321 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5321.xml">
<!ENTITY RFC5598 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5598.xml">
<!ENTITY RFC6125 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6125.xml">
<!ENTITY RFC6186 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6186.xml">
<!ENTITY RFC6394 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6394.xml">
<!ENTITY RFC6409 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6409.xml">
<!ENTITY RFC6066 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6066.xml">
<!ENTITY RFC6672 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6672.xml">
<!ENTITY RFC6698 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6698.xml">
<!ENTITY RFC6895 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6895.xml">
<!ENTITY I-D.ietf-dane-srv SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-dane-srv.xml">
<!ENTITY I-D.ietf-dane-smtp SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-dane-smtp.xml">
<!ENTITY I-D.ietf-dane-ops SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-dane-ops.xml">
<!ENTITY I-D.ietf-dane-registry-acronyms SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-dane-registry-acronyms.xml">
]>
<!-- rfc xmlns:x="http://purl.org/net/xml2rfc/ext" category="std" -->
<rfc category="std" docName="draft-ietf-dane-smtp-with-dane-06" ipr="trust200902">
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<?rfc strict="yes" ?>
<?rfc toc="yes"?>
<?rfc tocdepth="3"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<front>
<title>SMTP security via opportunistic DANE TLS</title>
<author fullname="Viktor Dukhovni" initials="V." surname="Dukhovni">
<organization>Unaffiliated</organization>
<address>
<email>ietf-dane@dukhovni.org</email>
</address>
</author>
<author initials="W.H." surname="Hardaker" fullname="Wes Hardaker">
<organization>Parsons</organization>
<address>
<postal>
<street>P.O. Box 382</street>
<city>Davis</city>
<region>CA</region>
<code>95617</code>
<country>US</country>
</postal>
<email>ietf@hardakers.net</email>
</address>
</author>
<date month="February" year="2014"/>
<area>sec</area>
<workgroup>DANE</workgroup>
<keyword>DANE</keyword>
<keyword>TLSA</keyword>
<keyword>SMTP</keyword>
<abstract> <t>
This memo describes a downgrade-resistant protocol for SMTP transport
security between Mail Transfer Agents (MTAs) based on the DNS-Based
Authentication of Named Entities (DANE) TLSA DNS record. Adoption
of this protocol enables an incremental transition of the Internet
email backbone to one using encrypted and authenticated Transport
Layer Security (TLS).
</t> </abstract>
</front>
<middle>
<section title="Introduction">
<t>
This memo specifies a new connection security model for Message
Transfer Agents (MTAs). This model is motivated by key features
of inter-domain SMTP delivery, in particular the fact that the
destination server is selected indirectly via DNS Mail Exchange
(MX) records and that with MTA to MTA SMTP the use of TLS is
generally opportunistic.
</t>
<t>
We note that the SMTP protocol is also used between Message User
Agents (MUAs) and Message Submission Agents (MSAs). In <xref
target="RFC6186"/> a protocol is specified that enables an MUA to
dynamically locate the MSA based on the user's email address. SMTP
connection security requirements for MUAs implementing <xref
target="RFC6186"/> are largely analogous to connection security
requirements for MTAs, and this specification could be applied
largely verbatim with DNS MX records replaced by corresponding DNS
Service (SRV) records.
</t>
<t>
However, until MUAs begin to adopt the dynamic configuration
mechanisms of <xref target="RFC6186"/> they are adequately served
by more traditional static TLS security policies. This document will not
discuss the MUA use case further, leaving specification
of DANE TLS for MUAs to future documents that focus specifically
on SMTP security between MUAs and MSAs. The rest of this memo will
focus on securing MTA to MTA SMTP connections.
</t>
<section title="Terminology" anchor="terms">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as described
in <xref target="RFC2119"/>.
</t>
<t>
The following terms or concepts are used through the document:
</t>
<t>
<list style="hanging">
<t hangText="secure, bogus, insecure, indeterminate:">
DNSSEC validation results, as defined in Section 4.3 of <xref
target="RFC4035"/>. </t>
<t hangText="Validating Security-Aware Stub Resolver and
Non-Validating Security-Aware Stub Resolver:">
Capabilities of the stub resolver in use as defined in <xref
target="RFC4033" />; note that this specification requires the
use of a Security-Aware Stub Resolver; Security-Oblivious
stub-resolvers MUST NOT be used. </t>
<t hangText="opportunistic DANE TLS:">
Best-effort use of TLS, resistant to downgrade attacks for
destinations with DNSSEC-validated TLSA records. When opportunistic
DANE TLS is determined to be unavailable, clients should fall
back to opportunistic TLS below. Opportunistic DANE TLS requires
support for DNSSEC, DANE and STARTTLS on the client side and
STARTTLS plus a DNSSEC published TLSA record on the server side. </t>
<t hangText="(pre-DANE) opportunistic TLS:">
Best-effort use of TLS that is generally vulnerable to DNS
forgery and STARTTLS downgrade attacks. When a TLS-encrypted
communication channel is not available, message transmission
takes place in the clear. MX record indirection generally
precludes authentication even when TLS is available. </t>
<t hangText="MX hostname:">
The RRDATA of an MX record consists of a 16 bit preference
followed by a Mail Exchange domain name (see <xref target="RFC1035"/>,
Section 3.3.9). We will use the term "MX hostname" to refer
to the latter, that is, the DNS domain name found after the
preference value in an MX record. Thus an "MX hostname" is
specifically a reference to a DNS domain name, rather than any
host that bears that name. </t>
<t hangText="SMTP server:">
An SMTP server whose name appears in an MX record for a particular
domain. Used to refer specifically to the host and SMTP service
itself, not its DNS name.
</t>
<t hangText="delayed delivery:">
Email delivery is a multi-hop store & forward process. When
an MTA is unable forward a message that may become deliverable
later, the message is queued and delivery is retried periodically.
Some MTAs may be configured with a fallback next-hop destination
that handles messages that the MTA would otherwise queue and
retry. In these cases, messages that would otherwise have to
be delayed, may be sent to the fallback next-hop destination
instead. The fallback destination may itself be subject to
opportunistic or mandatory DANE TLS as though it were the
original message destination. </t>
<t hangText="original next hop destination: ">
The logical destination for mail delivery. By default this is
the domain portion of the recipient address, but MTAs may be
configured to forward mail for some or all recipients via
designated relays. The original next hop destination is,
respectively, either the recipient domain or the associated
configured relay. </t>
<t hangText="MTA: ">
Message Transfer Agent (<xref target="RFC5598" />, Section 4.3.2). </t>
<t hangText="MSA: ">
Message Submission Agent (<xref target="RFC5598" />, Section 4.3.1). </t>
<t hangText="MUA: ">
Message User Agent (<xref target="RFC5598" />, Section 4.2.1).
</t>
<t hangText="RR: ">A DNS Resource Record</t>
<t hangText="RRset: ">A set of DNS Resource Records for a particular
class, domain and record type.</t>
</list>
</t>
</section><!-- Terminology -->
<section title="Background">
<t>
The Domain Name System Security Extensions (DNSSEC) add data origin
authentication, data integrity and data non-existence proofs to the
Domain Name System (DNS). DNSSEC is defined in <xref target="RFC4033"/>,
<xref target="RFC4034"/> and <xref target="RFC4035"/>.
</t>
<t>
As described in the introduction of <xref target="RFC6698"/>, TLS
authentication via the existing public Certificate Authority (CA)
PKI suffers from an over-abundance of trusted certificate authorities
capable of issuing certificates for any domain of their choice.
DANE leverages the DNSSEC infrastructure to publish trusted public
keys and certificates for use with the Transport Layer Security
(TLS) <xref target="RFC5246"/> protocol via a new "TLSA" DNS record
type. With DNSSEC each domain can only vouch for the keys of its
directly delegated sub-domains.
</t>
<t>
The TLS protocol enables secure TCP communication. In the context of this memo,
channel security is assumed to be provided by TLS. Used without
authentication, TLS provides only privacy protection against
eavesdropping attacks. With authentication, TLS also provides data
integrity protection to guard against man-in-the-middle (MITM)
attacks.
</t>
</section><!-- Background -->
<section title="SMTP channel security" anchor="channelsecurity">
<t>
With HTTPS, Transport Layer Security (TLS) employs X.509 certificates
issued by one of the many Certificate Authorities (CAs) bundled
with popular web browsers to allow users to authenticate their
"secure" websites. Before we specify a new DANE TLS security model
for SMTP, we will explain why a new security model is needed. In
the process, we will explain why the familiar HTTPS security model
is inadequate to protect inter-domain SMTP traffic.
</t>
<t>
The subsections below outline four key problems with applying
traditional PKI to SMTP that are addressed by this specification.
Since SMTP channel security policy is not explicitly specified in
either the recipient address or the MX record, a new signaling
mechanism is required to indicate when channel security is possible
and should be used. The publication of TLSA records allows server
operators to securely signal to SMTP clients that TLS is available
and should be used. DANE TLSA makes it possible to simultaneously
discover which destination domains support secure delivery via TLS
and how to verify the authenticity of the associated SMTP services,
providing a path forward to ubiquitous SMTP channel security.
</t>
<section title="STARTTLS downgrade attack" anchor="starttls">
<t>
The Simple Mail Transfer Protocol (SMTP) <xref target="RFC5321"/>
is a single-hop protocol in a multi-hop store & forward email
delivery process. SMTP envelope recipient addresses are not transport
addresses and are security-agnostic. Unlike the Hypertext Transfer
Protocol (HTTP) and its corresponding secured version, HTTPS, there
is no URI scheme for email addresses to designate whether communication
with the SMTP server should be conducted via a cleartext or a
TLS-encrypted channel. Indeed, no such URI scheme could work well
with SMTP since TLS encryption of SMTP protects email traffic on a
hop-by-hop basis while email addresses could only express end-to-end
policy.
</t>
<t>
With no mechanism available to signal transport security policy,
SMTP relays employ a best-effort "opportunistic" security model for
TLS. A single SMTP server TCP listening endpoint can serve both
TLS and non-TLS clients; the use of TLS is negotiated via the SMTP
STARTTLS command (<xref target="RFC3207"/>). The server signals
TLS support to the client over a cleartext SMTP connection, and, if
the client also supports TLS, it may negotiate a TLS encrypted
channel to use for email transmission. The server's indication of
TLS support can be easily suppressed by a man in the middle attacker.
Thus pre-DANE SMTP TLS security can be subverted by simply downgrading
a connection to cleartext. No TLS security feature, such as the
use of PKIX, can prevent this. The attacker can simply bypass TLS.
</t>
</section><!-- STARTTLS downgrade attack -->
<section title="Insecure server name without DNSSEC">
<t>
With SMTP, DNS Mail Exchange (MX) records abstract the next-hop
transport endpoint and allow administrators to specify a set of
target servers to which SMTP traffic should be directed for a given
domain.
</t>
<t>
A PKIX TLS client is vulnerable to man in the middle (MITM) attacks
unless it verifies that the server's certificate binds its public
key to its name. However, with SMTP server names are obtained
indirectly via MX records. Without DNSSEC, the MX lookup is
vulnerable to MITM and DNS cache poisoning attacks. Active attackers
can forge DNS replies with fake MX records and can redirect email
to servers with names of their choice. Therefore, secure verification
of SMTP TLS certificates is not possible without DNSSEC.
</t>
<t>
One might try to harden the use of TLS with SMTP against DNS attacks
by requiring each SMTP server to possess a trusted certificate for
the envelope recipient domain rather than the MX hostname.
Unfortunately, this is impractical, as email for many domains is
handled by third parties that are not in a position to obtain
certificates for all the domains they serve. Deployment of the
Server Name Indication (SNI) extension to TLS (see <xref
target="RFC6066"/> Section 3) is no panacea, since SNI key management
is operationally challenging except when the email service provider
is also the domain's registrar and its certificate issuer; this is
rarely the case for email.
</t>
<t>
Since the recipient domain name cannot be used as the SMTP server
authentication identity, and neither can the MX hostname without
DNSSEC, large-scale deployment of authenticated TLS for SMTP requires
that the DNS be secure.
</t>
<t>
Since SMTP security depends critically on DNSSEC, it is important
to point out that consequently SMTP with DANE is the most conservative
possible trust model. It trusts only what must be trusted and no
more. Adding any other trusted actors to the mix can only reduce
SMTP security. A sender may choose to harden DNSSEC for selected
high value receiving domains, by configuring explicit trust anchors
for those domains instead of relying on the chain of trust from the
root domain. In such a case there is not an "additional" trusted
authority, rather the root trust anchor is replaced with a more
specific trust anchor for each of the domains in question. Detailed
discussion of DNSSEC security practices is out of scope for this
document.
</t>
</section><!-- Insecure server name without DNSSEC -->
<section title="Sender policy does not scale">
<t>
Sending systems are in some cases explicitly configured to use TLS
for mail sent to specifically selected peer domains. This
requires MTAs to be configured with appropriate subject
names or certificate content digests to expect in the presented
host certificates. Because of the heavy administrative
burden, such statically configured SMTP secure channels
are used rarely (generally only between domains that make bilateral
arrangements with their business partners). Internet email, on the
other hand, requires regularly contacting new domains for which
security configurations cannot be established in advance.
</t>
<t>
The abstraction of the SMTP transport endpoint via DNS MX records,
often across organization boundaries, limits the use of public CA
PKI with SMTP to a small set of sender-configured peer domains.
With little opportunity to use TLS authentication, sending MTAs are
rarely configured with a comprehensive list of trusted CAs. SMTP
services that support STARTTLS often use X.509 certificates that are
self-signed or issued by a private CA.
</t>
</section><!-- Sender policy does not scale -->
<section title="Too many certificate authorities">
<t>
Even if it were generally possible to determine a secure server name,
the SMTP client would still need to verify that the server's certificate
chain is issued by a trusted certificate authority (a trust anchor).
MTAs are not interactive applications where a human operator can make
a decision (wisely or otherwise) to selectively disable TLS security
policy when certificate chain verification fails. With no user to
"click OK", the MTAs list of public CA trust anchors would need to
be comprehensive in order to avoid bouncing mail addressed to sites
that employ unknown certificate authorities.
</t>
<t>
On the other hand, each trusted CA can issue certificates for any
domain. If even one of the configured CAs is compromised or operated
by an adversary, it can subvert TLS security for all destinations.
Any set of CAs is simultaneously both overly inclusive and not
inclusive enough.
</t>
</section><!-- Too many certificate authorities -->
</section><!-- SMTP channel security -->
</section><!-- Introduction -->
<section title="Hardening (pre-DANE) Opportunistic TLS">
<t>
Neither email addresses nor MX hostnames (or submission SRV records)
signal a requirement for either secure or cleartext transport.
Therefore, SMTP transport security is of necessity generally
opportunistic (barring manually configured exceptions).
</t>
<t>
This specification uses the presence of DANE TLSA records to
securely signal TLS support and to publish the means by which SMTP
clients can successfully authenticate legitimate SMTP servers. This
becomes "opportunistic DANE TLS" and is resistant to downgrade and MITM attacks,
and enables an incremental transition of the email backbone to
authenticated TLS delivery, with increased global protection as
adoption increases.
</t>
<t>
With opportunistic DANE TLS, traffic from SMTP clients to domains
that publish "usable" DANE TLSA records in accordance with this
memo is authenticated and encrypted. Traffic from non-compliant
clients or to domains that do not publish TLSA records will continue
to be sent in the same manner as before, via manually configured
security, (pre-DANE) opportunistic TLS or just cleartext SMTP.
</t>
<section title="DNS errors, bogus and indeterminate responses" anchor="dnserr">
<t>
An SMTP client that implements opportunistic DANE TLS per this
specification depends critically on the integrity of DNSSEC lookups,
as discussed in <xref target="channelsecurity" />.
This section lists the DNS resolver requirements needed to avoid
downgrade attacks when using opportunistic DANE TLS.
</t>
<t>
A DNS lookup may signal an error or return a definitive answer. A
security-aware resolver must be used for this specification.
Security-aware resolvers will indicate the security status of a
DNS RRset with one of four possible values defined in
Section 4.3 of <xref target="RFC4035"/>: "secure", "insecure", "bogus"
and "indeterminate". In <xref target="RFC4035"/> the meaning of the
"indeterminate" security status is:
</t>
<figure>
<artwork>
An RRset for which the resolver is not able to determine whether
the RRset should be signed, as the resolver is not able to obtain
the necessary DNSSEC RRs. This can occur when the security-aware
resolver is not able to contact security-aware name servers for
the relevant zones.
</artwork>
</figure>
<t>
Note, the "indeterminate" security status has a conflicting definition
in section 5 of <xref target="RFC4033"/>.
</t>
<figure>
<artwork>
There is no trust anchor that would indicate that a specific
portion of the tree is secure.
</artwork>
</figure>
<t>
SMTP clients following this specification SHOULD NOT distinguish
between "insecure" and "indeterminate" in the <xref target="RFC4033"/>
sense. Both "insecure" and RFC4033 "indeterminate" are handled
identically: in either case unvalidated data for the query domain
is all that is and can be available, and authentication using the
data is impossible. In what follows, when we say
"insecure", we include also DNS results for domains that lie in a
portion of the DNS tree for which there is no applicable trust
anchor. With the DNS root zone signed, we expect that validating
resolvers used by Internet-facing MTAs will be configured with trust
anchor data for the root zone. Therefore, RFC4033-style "indeterminate"
domains should be rare in practice. From here on, when we say
"indeterminate", it is exclusively in the sense of <xref
target="RFC4035"/>.
</t>
<t>
As noted in section 4.3 of <xref target="RFC4035"/>, a security-aware
DNS resolver MUST be able to determine whether a given non-error
DNS response is "secure", "insecure", "bogus" or "indeterminate".
It is expected that most security-aware stub resolvers will not
signal an "indeterminate" security status in the RFC4035-sense to the
application, and will signal a "bogus" or error result instead. If
a resolver does signal an RFC4035 "indeterminate" security status,
this MUST be treated by the SMTP client as though a "bogus" or error
result had been returned.
</t>
<t>
An MTA making use of a non-validating security-aware stub resolver
MAY use the stub resolver's ability, if available, to signal DNSSEC
validation status based on information the stub resolver has learned
from an upstream validating recursive resolver. In accordance with
section 4.9.3 of <xref target="RFC4035"/>:
</t>
<figure>
<artwork>
... a security-aware stub resolver MUST NOT place any reliance on
signature validation allegedly performed on its behalf, except
when the security-aware stub resolver obtained the data in question
from a trusted security-aware recursive name server via a secure
channel.
</artwork>
</figure>
<t>
To avoid much repetition in the text below, we will pause to explain
the handling of "bogus" or "indeterminate" DNSSEC query responses.
These are not necessarily the result of a malicious actor; they
can, for example, occur when network packets are corrupted or lost
in transit. Therefore, "bogus" or "indeterminate" replies are equated
in this memo with lookup failure.
</t>
<t>
There is an important non-failure condition we need to highlight
in addition to the obvious case of the DNS client obtaining a
non-empty "secure" or "insecure" RRset of the requested type.
Namely, it is not an error when either "secure" or "insecure"
non-existence is determined for the requested data. When a DNSSEC
response with a validation status that is either "secure" or
"insecure" reports either no records of the requested type or
non-existence of the query domain, the response is not a DNS error
condition. The DNS client has not been left without an answer; it
has learned that records of the requested type do not exist.
</t>
<t>
Security-aware stub resolvers will, of course, also signal DNS lookup
errors in other cases, for example when processing a "ServFail" RCODE,
which will not have an associated DNSSEC status. All lookup errors
are treated the same way by this specification, regardless of whether
they are from a "bogus" or "indeterminate" DNSSEC status or from a more
generic DNS error: the information that was requested can not be obtained
by the security-aware resolver at this time. A lookup error is thus a
failure to obtain the relevant RRset if it exists, or to determine that
no such RRset exists when it does not.
</t>
<t>
In contrast to a "bogus" or an "indeterminate" response, an "insecure"
DNSSEC response is not an error, rather it indicates that the target
DNS zone is either securely opted out of DNSSEC validation or is
not connected with the DNSSEC trust anchors being used. Insecure
results will leave the SMTP client with degraded channel security,
but do not stand in the way of message delivery. See section <xref
target="discovery"/> for further details.
</t>
<t>
When a stub resolver receives a response containing a CNAME alias,
it will generally restart the query at the target of the alias, and
should do so recursively up to some configured or implementation-dependent
recursion limit. If at any stage of recursive CNAME expansion a
query fails, the stub resolver's lookup of the original requested
records will result in a failure status being returned. If at any
stage of recursive expansion the response is "insecure", then it
and all subsequent results (in particular, the final result) MUST
be considered "insecure" regardless of whether the other responses
received were deemed "secure". If at any stage of recursive expansion
the validation status is "bogus" or "indeterminate" or associated
with another DNS lookup error, the resolution of the requested
records MUST be considered to have failed.
</t>
<t>
When a DNS lookup failure (error or "bogus" or "indeterminate" as
defined above) prevents an SMTP client from determining which SMTP
server or servers it should connect to, message delivery MUST be
delayed. This naturally includes, for example, the case when a
"bogus" or "indeterminate" response is encountered during MX
resolution. When multiple MX hostnames are obtained from a successful
MX lookup, but a later DNS lookup failure prevents network address
resolution for a given MX hostname, delivery may proceed via any
remaining MX hosts.
</t>
<t>
When a particular SMTP server is selected as the delivery destination,
a set of DNS lookups must be performed to discover any related
TLSA records. If any DNS queries used to locate TLSA records fail
(be it due to "bogus" or "indeterminate" records, timeouts, malformed
replies, ServFails, etc.), then the SMTP client MUST treat that server as
unreachable and MUST NOT deliver the message via that server. If
no servers are reachable, delivery is delayed.
</t>
<t>
In what follows, we will only describe what happens when all relevant
DNS queries succeed. If any DNS failure occurs, the SMTP client MUST
behave as described in this section, by skipping the problem SMTP server,
or the problem destination. Queries for candidate TLSA records are
explicitly part of "all relevant DNS queries" and SMTP clients MUST
NOT continue to connect to an SMTP server or destination whose TLSA record
lookup fails.
</t>
</section><!-- DNS lookup errors and bogus responses -->
<section title="TLS discovery" anchor="discovery">
<t>
As noted previously (in <xref target="starttls" />), opportunistic
TLS with SMTP servers that advertise TLS support via STARTTLS is
subject to an MITM downgrade attack. Also some SMTP servers that
are not, in fact, TLS capable erroneously advertise STARTTLS by
default and clients need to be prepared to retry cleartext delivery
after STARTTLS fails. In contrast, DNSSEC validated TLSA records
MUST NOT be published for servers that do not support TLS. Clients
can safely interpret their presence as a commitment by the server
operator to implement TLS and STARTTLS.
</t>
<t>
This memo defines four actions to be taken after the search for a
TLSA record returns secure usable results, secure unusable results,
insecure or no results or an error signal. The term "usable" in
this context is in the sense of Section 4.1 of <xref target="RFC6698"/>.
Specifically, if the DNS lookup for a TLSA record returns:
<list style="hanging">
<t hangText="A secure TLSA RRset with at least one usable record:"> A
connection to the MTA MUST be made using authenticated and encrypted
TLS, using the techniques discussed in the rest of this document.
Failure to establish an authenticated TLS connection MUST result
in falling back to the next SMTP server or delayed delivery.
</t>
<t hangText="A Secure non-empty TLSA RRset where all the records are unusable:">
A connection to the MTA MUST be made via TLS, but authentication
is not required. Failure to establish an encrypted TLS connection
MUST result in falling back to the next SMTP server or delayed delivery. </t>
<t hangText="An insecure TLSA RRset or DNSSEC validated proof-of-non-existent TLSA records:">
A connection to the MTA SHOULD be made using (pre-DANE) opportunistic
TLS, this includes using cleartext delivery when the remote SMTP
server does not appear to support TLS. The MTA may optionally
retry in cleartext when a TLS handshake fails.</t>
<t hangText="Any lookup error:"> Lookup errors, including "bogus" and
"indeterminate", as explained in <xref target="dnserr"/> MUST result
in falling back to the next SMTP server or delayed delivery.</t>
</list>
</t>
<t>
An SMTP client MAY be configured to require DANE verified delivery for
some destinations. We will call such a configuration "mandatory DANE
TLS". With mandatory DANE TLS, delivery proceeds only when "secure"
TLSA records are used to establish an encrypted and authenticated TLS
channel with the SMTP server.
</t>
<t>
An operational error on the sending or receiving side that cannot
be corrected in a timely manner may, at times, lead to consistent
failure to deliver time-sensitive email. The sending MTA administrator
may have to choose between letting email queue until the error is
resolved and disabling opportunistic or mandatory DANE TLS for one
or more destinations. The choice to disable DANE TLS security
should not be made lightly. Every reasonable effort should be made
to determine that problems with mail delivery are the result of an
operational error, and not an attack. A fallback strategy
may be to configure explicit out-of-band TLS security settings if
supported by the sending MTA.
</t>
<t>
A note about DNAME aliases: a query for a domain name whose ancestor
domain is a DNAME alias returns the DNAME RR for the ancestor domain,
along with a CNAME that maps the query domain to the corresponding
sub-domain of the target domain of the DNAME alias. Therefore,
whenever we speak of CNAME aliases, we implicitly allow for the
possibility that the alias in question is the result of an ancestor
domain DNAME record. Consequently, no explicit support for DNAME
records is needed in SMTP software, it is sufficient to process the
resulting CNAME aliases. DNAME records only require special
processing in the validating stub-resolver library that checks the
integrity of the combined DNAME + CNAME reply. When DNSSEC validation
is handled by a local caching resolver, rather than the MTA itself,
even that part of the DNAME support logic is outside the MTA.
</t>
<t>
When the original next-hop destination is an address literal, rather
than a DNS domain, DANE TLS does not apply. Delivery proceeds using
any relevant security policy configured by the MTA administrator.
Similarly, when an MX RRset incorrectly lists an network address in lieu
of an MX hostname, if the MTA chooses to connect to the network address
DANE TLSA does not apply for such a connection.
</t>
<t>
In the subsections that follow we explain how to locate the SMTP
servers and the associated TLSA records for a given next-hop
destination domain. We also explain which name or names are to be
used in identity checks of the SMTP server certificate.
</t>
<section title="MX resolution" anchor="mx">
<t>
In this section we consider next-hop domains that are subject to
MX resolution and have MX records. The TLSA records and the associated
base domain are derived separately for each MX hostname that is used
to attempt message delivery. Clearly, if DANE TLS security is to
apply to message delivery via any of the SMTP servers, the MX records
must be obtained securely via a DNSSEC validated MX lookup.
</t>
<t>
MX records MUST be sorted by preference; an MX hostname with a worse
(numerically higher) MX preference that has TLSA records MUST NOT
preempt an MX hostname with a better (numerically lower) preference
that has no TLSA records. In other words, prevention of delivery
loops by obeying MX preferences MUST take precedence over channel
security considerations. Even with two equal preference MX records, an MTA
is not obligated to choose the MX hostname that offers more security.
Domains that want secure inbound mail delivery need to ensure that all
their SMTP servers and MX records are configured accordingly.
</t>
<t>
In the language of <xref target="RFC5321"/> Section 5.1, the original
next-hop domain is the "initial name". If the MX lookup of the
initial name results in a CNAME alias, the MTA replaces the initial
name with the resulting name and performs a new lookup with the new name.
MTAs typically support recursion in CNAME expansion, so this
replacement is performed repeatedly until the ultimate non-CNAME
domain is found.
</t>
<t>
If the MX RRset (or any CNAME leading to it) is "insecure" (see
<xref target="dnserr"/>), DANE TLS does not apply, and delivery
proceeds via pre-DANE opportunistic TLS. Otherwise (assuming no DNS
errors or "bogus"/"indeterminate" responses), the MX RRset is
"secure", and the SMTP client MUST treat each MX hostname as a
separate non-MX destination for opportunistic DANE TLS as described in
<xref target="non-mx"/>. When, for a given MX hostname, no TLSA
records are found, or only "insecure" TLSA records are found, DANE
TLSA is not applicable with the SMTP server in question and delivery
proceeds to that host as with pre-DANE opportunistic TLS. To avoid
downgrade attacks, any errors during TLSA lookups MUST, as explained
in <xref target="dnserr"/>, cause the SMTP server in question to be
treated as unreachable.
</t>
</section><!-- MX resolution -->
<section title="Non-MX destinations" anchor="non-mx">
<t>
This section describes the algorithm used to locate the TLSA records
and associated TLSA base domain for an input domain not subject to
MX resolution. Such domains include:
</t>
<t>
<list style="symbols">
<t> Each MX hostname used in a message delivery attempt for an
original next-hop destination domain subject to MX resolution.
Note, MTAs are not obligated to support CNAME expansion of MX
hostnames. </t>
<t> Any administrator configured relay hostname, not subject to MX
resolution. This frequently involves configuration set by the MTA
administrator to handle some or all mail. </t>
<t> A next-hop destination domain subject to MX resolution that has
no MX records. In this case the domain's name is implicitly also
the hostname of its sole SMTP server. </t>
</list>
</t>
<t>
Note that DNS queries with type TLSA are mishandled by load balancing
nameservers that serve the MX hostnames of some large email providers.
The DNS zones served by these nameservers are not signed and contain
no TLSA records, but queries for TLSA records fail, rather than
returning the non-existence of the requested TLSA records.
</t>
<t>
To avoid problems delivering mail to domains whose SMTP servers are
served by the problem nameservers the SMTP client MUST perform any
A and/or AAAA queries for the destination before attempting to locate
the associated TLSA records. This lookup is needed in any case
to determine whether the destination domain is reachable and the
DNSSEC validation status of each stage of the chain of CNAME queries
required to reach the final result.
</t>
<t>
If no address records are found, the destination is unreachable.
If address records are found, but the DNSSEC validation status of
the first query response is "insecure" (there may be additional
queries if the initial response is a CNAME alias), the SMTP client
SHOULD NOT proceed to search for any associated TLSA records. With
the problem domains, TLSA queries will lead to DNS lookup errors
and cause messages to be consistently delayed and ultimately
returned to the sender. We don't expect to find any "secure" TLSA
records associated with a TLSA base domain that lies in an unsigned
DNS zone. Therefore, skipping TLSA lookups in this case will also
reduce latency with no detrimental impact on security.
</t>
<t>
If the A and/or AAAA lookup of the "initial name" yields a
CNAME, we replace it with the resulting name as if it were the
initial name and perform a lookup again using the new name. This
replacement is performed recursively.
</t>
<t> We consider the following cases for handling a DNS response for an
A or AAAA DNS lookup: </t>
<t>
<list style="hanging">
<t hangText="Not found: ">
When the DNS queries for A and/or AAAA records yield neither a list
of addresses nor a CNAME (or CNAME expansion is not supported) the
destination is unreachable.
</t>
<t hangText="Non-CNAME: ">
The answer is not a CNAME alias. If the address
RRset is "secure", TLSA lookups are performed as described in <xref
target="tlsa-lookup"/> with the initial name as the candidate TLSA
base domain. If no "secure" TLSA records are found, DANE TLS is
not applicable and mail delivery proceeds with pre-DANE opportunistic
TLS (which, being best-effort, degrades to cleartext delivery when
STARTTLS is not available or the TLS handshake fails).
</t>
<t hangText="Insecure CNAME: ">
The input domain is a CNAME alias, but the ultimate network address
RRset is "insecure" (see <xref target="dnserr"/>). If the initial
CNAME response is also "insecure", DANE TLS does not apply. Otherwise,
this case is treated just like the non-CNAME case above, where a
search is performed for a TLSA record with the original input domain
as the candidate TLSA base domain.
</t>
<t hangText="Secure CNAME: ">
The input domain is a CNAME alias, and the ultimate network address
RRset is "secure" (see <xref target="dnserr"/>). Two candidate TLSA
base domains are tried: the fully CNAME-expanded initial name and,
failing that, then the initial name itself.
</t>
</list>
</t>
<t>
In summary, if it is possible to securely obtain the full,
CNAME-expanded, DNSSEC-validated address records for the input domain,
then that name is the preferred TLSA base domain. Otherwise, the
unexpanded input-MX domain is the candidate TLSA base domain. When no
"secure" TLSA records are found at either the CNAME-expanded or
unexpanded domain, then DANE TLS does not apply for mail delivery via
the input domain in question. And, as always, errors, bogus or
indeterminate results for any query in the process MUST result in
delaying or abandoning delivery.
</t>
</section><!-- Non-MX destinations -->
<section title="TLSA record lookup" anchor="tlsa-lookup">
<t>
Each candidate TLSA base domain (the original or fully
CNAME-expanded name of a non-MX destination or a particular MX
hostname of an MX destination) is in turn prefixed with service
labels of the form "_<port>._tcp". The resulting domain
name is used to issue a DNSSEC query with the query type set to
TLSA (<xref target="RFC6698"/> Section 7.1).
</t>
<t>
For SMTP, the destination TCP port is typically 25, but this may
be different with custom routes specified by the MTA administrator
in which case the SMTP client MUST use the appropriate number in the "_<port>"
prefix in place of "_25". If, for example, the candidate base
domain is "mail.example.com", and the SMTP connection is to port
25, the TLSA RRset is obtained via a DNSSEC query of the form:
</t>
<figure>
<artwork>
_25._tcp.mail.example.com. IN TLSA ?
</artwork>
</figure>
<t>
The query response may be a CNAME, or the actual TLSA RRset. If the
response is a CNAME, the SMTP client (through the use of its
security-aware stub resolver) restarts the TLSA query at the target
domain, following CNAMEs as appropriate and keeping track of whether
the entire chain is "secure". If any "insecure" records are
encountered, or the TLSA records don't exist, the next candidate TLSA
base is tried instead.
</t>
<t>
If the ultimate response is a "secure" TLSA RRset, then the candidate
TLSA base domain will be the actual TLSA base domain and the TLSA RRset will
constitute the TLSA records for the destination. If none of the
candidate TLSA base domains yield "secure" TLSA records then delivery
should proceed via pre-DANE opportunistic TLS.
</t>
<t>
TLSA record publishers may leverage CNAMEs to reference a single
authoritative TLSA RRset specifying a common certificate authority
or a common end entity certificate to be used with multiple TLS
services. Such CNAME expansion does not change the SMTP client's
notion of the TLSA base domain; thus, when _25._tcp.mail.example.com
is a CNAME, the base domain remains mail.example.com and is still
the name used in peer certificate name checks.
</t>
<t>
Note, shared end entity certificate associations expose the publishing
domain to substitution attacks, where an MITM attacker can reroute
traffic to a different server that shares the same end entity
certificate. Such shared end entity records should be avoided
unless the servers in question are interchangeable.
</t>
<t>
For example, given the DNSSEC validated records below:
</t>
<figure>
<artwork>
example.com. IN MX 0 mail.example.com.
example.com. IN MX 0 mail2.example.com.
_25._tcp.mail.example.com. IN CNAME tlsa211._dane.example.com.
_25._tcp.mail2.example.com. IN CNAME tlsa211._dane.example.com.
tlsa211._dane.example.com. IN TLSA 2 1 1 e3b0c44298fc1c14....
</artwork>
</figure>
<t>
The SMTP servers mail.example.com and mail2.example.com will be expected
to have certificates issued under a common trust anchor, but each
MX hostname's TLSA base domain remains unchanged despite the above
CNAME records. Each SMTP server's certificate subject name (or one of
the subject alternative names) is expected to match either the
corresponding MX hostname or else "example.com".
</t>
<t>
If, during TLSA resolution (including possible CNAME indirection),
at least one "secure" TLSA record is found (even if not usable
because it is unsupported by the implementation or support is
administratively disabled), then the corresponding host has signaled
its commitment to implement TLS. The SMTP client SHOULD NOT deliver
mail via the corresponding host unless a TLS session is negotiated
via STARTTLS. This is required to avoid MITM STARTTLS downgrade
attacks.
</t>
<t>
As noted previously (in Section <xref target="non-mx"/>), when no
"secure" TLSA records are found at the fully CNAME-expanded name, the
original unexpanded name MUST be tried instead. This supports
customers of hosting providers where the provider's zone cannot be
validated with DNSSEC, but the customer has shared appropriate key
material with the hosting provider to enable TLS via SNI.
Intermediate names that arise during CNAME expansion that are neither
the original, nor the final name, are never candidate TLSA base
domains, even if "secure".
</t>
</section><!-- TLSA record lookup -->
</section><!-- TLS discovery -->
<section title="DANE authentication">
<t>
This section describes which TLSA records are applicable to SMTP
opportunistic DANE TLS and how to apply such records to authenticate
the SMTP server. With opportunistic DANE TLS, both the TLS support
implied by the presence of DANE TLSA records and the verification
parameters necessary to authenticate the TLS peer are obtained
together, therefore authentication via this protocol is expected
to be less prone to connection failure caused by incompatible
configuration of the client and server.
</t>
<section title="TLSA certificate usages">
<t>
The DANE TLSA specification <xref target="RFC6698"/> defines multiple
TLSA RR types via combinations of 3 numeric parameters. The numeric
values of these parameters were later given symbolic names in <xref
target="I-D.ietf-dane-registry-acronyms"/>. The rest of the TLSA
record is the "certificate association data field", which specifies
the full or digest value of a certificate or public key. The
parameters are:
</t>
<t>
<list style='hanging'>
<t hangText="The TLSA Certificate Usage field:"> Section 2.1.1 of <xref
target="RFC6698"/> specifies 4 values: PKIX-TA(0), PKIX-EE(1), DANE-TA(2),
and DANE-EE(3). There is an additional private-use value: PrivCert(255).
All other values are reserved for use by future specifications. </t>
<t hangText="The selector field:"> Section 2.1.2 of <xref
target="RFC6698"/> specifies 2 values: Cert(0), SPKI(1). There is
an additional private-use value: PrivSel(255). All other values are
reserved for use by future specifications. </t>
<t hangText="The matching type field:"> Section 2.1.3 of <xref
target="RFC6698"/> specifies 3 values: Full(0), SHA2-256(1), SHA2-512(2).
There is an additional private-use value: PrivMatch(255). All other
values are reserved for use by future specifications. </t>
</list>
</t>
<t>
We may think of TLSA Certificate Usage values 0 through 3 as a
combination of two one-bit flags. The low bit chooses between
trust anchor (TA) and end entity (EE) certificates. The high bit
chooses between public PKI issued and domain-issued certificates.
</t>
<t>
The selector field specifies whether the TLSA RR matches the whole
certificate: Cert(0), or just its subjectPublicKeyInfo: SPKI(1).
The subjectPublicKeyInfo is an ASN.1 DER encoding of the certificate's
algorithm id, any parameters and the public key data.
</t>
<t>
The matching type field specifies how the TLSA RR Certificate Association
Data field is to be compared with the certificate or public key. A value
of Full(0) means an exact match: the full DER encoding of the certificate
or public key is given in the TLSA RR. A value of SHA2-256(1) means
that the association data matches the SHA2-256 digest of the certificate
or public key, and likewise SHA2-512(2) means a SHA2-512 digest is used.
</t>
<t>
The certificate usage element of a TLSA record plays a critical
role in determining how the corresponding certificate association
data field is used to authenticate server's certificate chain. The
next two subsections explain the process for certificate usages
DANE-EE(3) and DANE-TA(2). The third subsection briefly explains why
certificate usages PKIX-TA(0) and PKIX-EE(1) are not applicable
with opportunistic DANE TLS.
</t>
<section title="Certificate usage DANE-EE(3)" anchor="cert3">
<t>
Since opportunistic DANE TLS will be used by non-interactive MTAs,
with no user to "press OK" when authentication fails, reliability
of peer authentication is paramount.
</t>
<t>
Authentication via certificate usage DANE-EE(3) TLSA records involves
simply checking that the server's leaf certificate matches the TLSA
record. Other than extracting the relevant certificate elements
for comparison, no other use is made of the certificate content.
Authentication via certificate usage DANE-EE(3) TLSA records involves
no certificate authority signature checks. It also involves no
server name checks, and thus does not impose any new requirements
on the names contained in the server certificate (SNI is not required
when the TLSA record matches the server's default certificate).
</t>
<t>
Two TLSA records MUST be published before updating a server's
public key, one matching the currently deployed key and the other
matching the new key scheduled to replace it. Once sufficient time
has elapsed for all DNS caches to expire the previous TLSA RRset and
related signature RRsets, the server may be reconfigured to
use the new private key and associated public key certificate. Once
the server is using the new key, the TLSA RR that matches the retired
key can be removed from DNS, leaving only the RR that matches the
new key.
</t>
<t>
TLSA records published for SMTP servers SHOULD, in most cases, be
"DANE-EE(3) SPKI(1) SHA2-256(1)" records.
Since all DANE implementations are required to support SHA2-256,
this record works for all clients and need not change across
certificate renewals with the same key.
</t>
</section><!-- Certificate usage 3 -->
<section title="Certificate usage DANE-TA(2)">
<t>
Some domains may prefer to avoid the operational complexity of
publishing unique TLSA RRs for each TLS service. If the domain
employs a common issuing Certificate Authority to create certificates
for multiple TLS services, it may be simpler to publish the issuing
authority as a trust anchor (TA) for the certificate chains of all
relevant services. The TLSA query domain (TLSA base domain with
port and protocol prefix labels) for each service issued by the
same TA may then be set to a CNAME alias that points to a
common TLSA RRset that matches the TA.
</t>
<t>
SMTP servers that rely on certificate usage DANE-TA(2) TLSA records
for TLS authentication MUST include the TA certificate as part of
the certificate chain presented in the TLS handshake server certificate
message even when it is a self-signed root certificate. At this
time, many SMTP servers are not configured with a comprehensive
list of trust anchors, nor are they expected to at any point in the
future. Some MTAs will ignore all locally trusted certificates
when processing usage DANE-TA(2) TLSA records. Thus even when the
TA happens to be a public Certificate Authority known to the SMTP
client, authentication is likely to fail unless the TA is included
in the TLS server certificate message.
</t>
<t>
TLSA Publishers should publish either "DANE-TA(2) SPKI(1) Full(0)" or
"DANE-TA(2) Cert(0) SHA2-256(1)" TLSA parameters.
As with leaf certificate rollover discussed in <xref
target="cert3" />, two such TLSA RRs need to be published to
facilitate TA certificate rollover.
</t>
</section><!-- Certificate usage 2 -->
<section title="Certificate usages PKIX-TA(0) and PKIX-EE(1)">
<t>
SMTP servers SHOULD NOT publish TLSA RRs with certificate usage "PKIX-TA(0)"
or "PKIX-EE(1)". SMTP clients cannot be expected to be configured with a
suitably complete set of trusted public CAs. Even with a full set
of public CAs, SMTP clients cannot (without relying on DNSSEC for
secure MX records and DANE for STARTTLS support signalling) perform
<xref target="RFC6125"/> server identity verification or prevent
STARTTLS downgrade attacks. The use of trusted public CAs
offers no added security since an attacker capable of compromising
DNSSEC is free to replace any PKIX-TA(0) or PKIX-EE(1) TLSA records with
records bearing any convenient non-PKIX certificate usage.
</t>
<t>
SMTP client treatment of TLSA RRs with certificate usages "PKIX-TA(0)"
or "PKIX-EE(1)" is undefined. For example, clients MAY (will likely) treat such TLSA
records as unusable.
</t>
</section><!-- Certificate usages 0 and 1 -->
</section><!-- TLSA certificate usages -->
<section title="Certificate matching" anchor="matching">
<t>
When at least one usable "secure" TLSA record is found, the SMTP
client SHOULD use TLSA records to authenticate the SMTP server.
Messages SHOULD NOT be delivered via the SMTP server if authentication
fails, otherwise the SMTP client is vulnerable to MITM attacks.
</t>
<t>
To match a server via a TLSA record with certificate usage DANE-TA(2), the
client MUST perform name checks to ensure that it has reached the
correct server. In all cases the SMTP client MUST accept the TLSA
base domain as a valid DNS name in the server certificate.
<list style="hanging">
<t hangText="TLSA records for MX hostnames:">
If the TLSA base domain was obtained indirectly via an MX lookup
(including any CNAME-expanded name of an MX hostname), then the
original next-hop domain used in the MX lookup MUST be accepted in
the peer certificate. The CNAME-expanded original next-hop domain
MUST also be accepted if different from the initial query name. </t>
<t hangText="TLSA records for Non-MX hostnames:">
If MX records were not used (e.g., if none exist) and the TLSA base
domain is the CNAME-expanded original next-hop domain, then the
original next-hop domain MUST also be accepted. </t>
</list>
</t>
<t>
Accepting certificates with the original next-hop domain in addition
to the MX hostname allows a domain with multiple MX hostnames to field
a single certificate bearing a single domain name (i.e., the email
domain) across all the SMTP servers. This also aids inter-operability
with pre-DANE SMTP clients that are configured to look for the email
domain name in server certificates. For example, with "secure" DNS
records as below:
</t>
<figure>
<artwork>
exchange.example.org. IN CNAME mail.example.org.
mail.example.org. IN CNAME example.com.
example.com. IN MX 10 mx10.example.com.
example.com. IN MX 15 mx15.example.com.
example.com. IN MX 20 mx20.example.com.
;
mx10.example.com. IN A 192.0.2.10
_25._tcp.mx10.example.com. IN TLSA 2 0 1 ...
;
mx15.example.com. IN CNAME mxbackup.example.com.
mxbackup.example.com. IN A 192.0.2.15
; _25._tcp.mxbackup.example.com. IN TLSA ? (NXDOMAIN)
_25._tcp.mx15.example.com. IN TLSA 2 0 1 ...
;
mx20.example.com. IN CNAME mxbackup.example.net.
mxbackup.example.net. IN A 198.51.100.20
_25._tcp.mxbackup.example.net. IN TLSA 2 0 1 ...
</artwork>
</figure>
<t>
Certificate name checks for delivery of mail to exchange.example.org
via any of the associated SMTP servers MUST accept at least the names
"exchange.example.org" and "example.com", which are respectively
the original and fully expanded next-hop domain. When the SMTP server
is mx10.example.com, name checks MUST accept the TLSA base domain
"mx10.example.com". If, despite the fact that MX hostnames are
required to not be aliases, the MTA supports delivery via
"mx15.example.com" or "mx20.example.com" then name checks MUST accept
the respective TLSA base domains "mx15.example.com" and
"mxbackup.example.net".
</t>
<t>
The SMTP client MUST NOT perform certificate usage name checks with
certificate usage DANE-EE(3), since with usage DANE-EE(3) the
server is authenticated directly by matching the TLSA RRset to its
certificate or public key without resorting to any issuing authority.
The certificate content is ignored except to
match the certificate or public key (ASN.1 DER encoding or its digest)
with the TLSA RRset.
</t>
<t>
To ensure that the server sends the right certificate chain, the
SMTP client MUST send the TLS SNI extension containing the TLSA
base domain. This precludes the use of the backward compatible
SSL 2.0 compatible SSL HELLO by the SMTP client. The minimum SSL/TLS
client HELLO version for SMTP clients performing DANE authentication is
SSL 3.0, but a client that offers SSL 3.0 MUST also offer at least
TLS 1.0 and MUST include the SNI extension. Servers that don't make
use of SNI MAY negotiate SSL 3.0 if offered by the client.
</t>
<t>
Each SMTP server MUST present a certificate chain (see <xref
target="RFC5246"/> Section 7.4.2) that matches at least
one of the TLSA records. The server MAY rely on SNI to determine
which certificate chain to present to the client. Clients that
don't send SNI information may not see the expected certificate
chain.
</t>
<t>
If the server's TLSA RRset includes records with a matching type
indicating a digest record (i.e., a value other than Full(0)), a
TLSA record with a SHA2-256(1) matching type SHOULD be provided
along with any other digest published, since some SMTP clients may
support only SHA2-256(1).
</t>
<t>
If the server's TLSA records match the server's default certificate
chain, the server need not support SNI. In either case, the server
need not include the SNI extension in its TLS HELLO as simply returning a
matching certificate chain is sufficient. Servers MUST NOT enforce
the use of SNI by clients, as the client may be using unauthenticated
opportunistic TLS and may not expect any particular certificate from
the server. If the client sends no SNI extension, or sends an SNI
extension for an unsupported domain, the server MUST simply send its
default certificate chain. The reason for not enforcing strict
matching of the requested SNI hostname is that DANE TLS clients are
typically willing to accept multiple server names, but can only
send one name in the SNI extension. The server's default certificate
may match a different name acceptable to the client, e.g., the
original next-hop domain.
</t>
<t>
An SMTP client employing pre-DANE opportunistic TLS MAY include
some anonymous TLS cipher suites in its TLS HELLO in addition to
at least one non-anonymous cipher suite (since servers often do
support any of the anonymous ones).
Therefore, an SMTP server MUST either select some suitable non-anonymous
cipher suite offered by the client, or if it selects an anonymous
cipher suite, it MUST NOT fail to complete the handshake merely
because an anonymous cipher suite was chosen.
</t>
<t>
Note that while SMTP server operators are under no obligation to
enable anonymous cipher suites, no security is gained by sending
certificates to clients that will ignore them. Indeed support for
anonymous cipher suites in the server makes audit trails more
informative. Log entries that record connections that employed an
anonymous cipher suite record the fact that the clients did not
care to authenticate the server.
</t>
</section><!-- Certificate matching -->
<section title="Digest algorithm agility" anchor="agility">
<t>
While <xref target="RFC6698"/> specifies multiple digest algorithms,
it does not specify a protocol by which the SMTP client and TLSA
record publisher can agree on the strongest shared algorithm. Such
a protocol would allow the client and server to avoid exposure to
any deprecated weaker algorithms that are published for compatibilty
with less capable clients, but should be ignored when possible. We
specify such a protocol below.
</t>
<t>
Suppose that a DANE TLS client authenticating a TLS server considers
digest algorithm BETTER stronger than digest algorithm WORSE. Suppose
further that a server's TLSA RRset contains some records with BETTER
as the digest algorithm. Finally, suppose that for every raw public
key or certificate object that is included in the server's TLSA
RRset in digest form, whenever that object appears with algorithm
WORSE with some usage and selector it also appears with algorithm
BETTER with the same usage and selector. In that case our client can
safely ignore TLSA records with the weaker algorithm WORSE, because it
suffices to check the records with the stronger algorithm BETTER.
</t>
<t>
Server operators MUST ensure that for any given usage and selector,
each object (certificate or public key), for which a digest association
exists in the TLSA RRset, is published with the SAME SET of digest
algorithms as all other objects that published with that usage and
selector. In other words, for each usage and selector, the records
with non-zero matching types will correspond to on a cross-product
of a set of underlying objects and a fixed set of digest algorithms
that apply uniformly to all the objects.
</t>
<t>
To achieve digest algorithm agility, all published TLSA RRsets for use
with opportunistic DANE TLS for SMTP MUST conform to the above
requirements. Then, for each combination of usage and selector, SMTP
clients can simply ignore all digest records except those that employ
the strongest digest algorithm. The ordering of digest algorithms by
strength is not specified in advance, it is entirely up to the SMTP
client. SMTP client implementations SHOULD make the
digest algorithm preference order configurable. Only the future will
tell which algorithms might be weakened by new attacks and when.
</t>
<t>
Note, TLSA records with a matching type of Full(0), that publish the
full value of a certificate or public key object, play no role in
digest algorithm agility. They neither trump the processing of
records that employ digests, nor are they ignored in the presence
of any records with a digest (i.e. non-zero) matching type.
</t>
<t>
SMTP clients SHOULD use digest algorithm agility when processing
the DANE TLSA records of an SMTP server. Algorithm agility is to
be applied after first discarding any unusable or malformed records
(unsupported digest algorithm, or incorrect digest length). Thus,
for each usage and selector, the client SHOULD process only any
usable records with a matching type of Full(0) and the usable records
whose digest algorithm is believed to be the strongest among usable
records with the given usage and selector.
</t>
<t>
The main impact of this requirement is on key rotation, when the
TLSA RRset is pre-populated with digests of new certificates or
public keys, before these replace or augment their predecessors.
Were the newly introduced RRs to include previously unused digest
algorithms, clients that employ this protocol could potentially
ignore all the digests corresponding to the current keys or
certificates, causing connectivity issues until the new keys or
certificates are deployed. Similarly, publishing new records with
fewer digests could cause problems for clients using cached TLSA
RRsets that list both the old and new objects once the new keys are
deployed.
</t>
<t>
To avoid problems, server operators SHOULD apply the following strategy:
<list style="symbols">
<t> When changing the set of objects published via the TLSA RRset
(e.g. during key rotation), DO NOT change the set of digest algorithms
used; change just the list of objects. </t>
<t> When changing the set of digest algorithms, change only the set
of algorithms, and generate a new RRset in which all the current objects
are re-published with the new set of digest algorithms. </t>
</list>
</t>
<t>After either of these two changes are made, the new TLSA RRset
should be left in place long enough that the older TLSA RRset can be
flushed from caches before making another change.</t>
</section><!-- Digest algorithm agility -->
</section><!-- DANE authentication -->
</section><!-- Hardening Opportunistic TLS -->
<section title="Mandatory TLS Security">
<t>
An MTA implementing this protocol may require a stronger security
assurance when sending email to selected destinations. The
sending organization may need to send sensitive email and/or may have regulatory
obligations to protect its content. This protocol is not in conflict
with such a requirement, and in fact can often simplify authenticated
delivery to such destinations.
</t>
<t>
Specifically, with domains that publish DANE TLSA records for their MX
hostnames, a sending MTA can be configured to use the receiving
domains's DANE TLSA records to authenticate the corresponding SMTP
server. Authentication via DANE TLSA records is easier to manage, as
changes in the receiver's expected certificate properties are made on
the receiver end and don't require manually communicated configuration
changes. With mandatory DANE TLS, when no usable TLSA records are
found, message delivery is delayed. Thus, mail is only sent when an
authenticated TLS channel is established to the remote SMTP server.
</t>
<t>
Administrators of mail servers that employ mandatory DANE TLS, need
to carefully monitor their mail logs and queues. If a partner
domain unwittingly misconfigures their TLSA records, disables DNSSEC,
or misconfigures SMTP server certificate chains, mail will be delayed.
</t>
</section><!-- Mandatory TLS Security -->
<section anchor="Operational" title="Operational Considerations">
<section anchor="opclients" title="Client Operational Considerations">
<t>
SMTP clients may deploy opportunistic DANE TLS incrementally by
enabling it only for selected sites, or may occasionally need to
disable opportunistic DANE TLS for peers that fail to interoperate due
to misconfiguration or software defects on either end. Unless local
policy specifies that opportunistic DANE TLS is not to be used for a
particular destination, an SMTP client MUST NOT deliver mail via a server
whose certificate chain fails to match at least one TLSA record when
usable TLSA records are found for that server.
</t>
</section>
<section anchor="oppublishers" title="Publisher Operational Considerations">
<t>
SMTP servers that publish certificate usage DANE-TA(2)
associations MUST include the TA certificate in their TLS server
certificate chain, even when that TA certificate is a self-signed
root certificate.
</t>
<t>
TLSA Publishers must follow the digest agility guidelines in <xref
target="agility"/> and must make sure that all objects published in
digest form for a particular usage and selector are published with
the same set of digest algorithms.
</t>
<t>
TLSA Publishers should follow the TLSA publication size guidance
found in <xref target="I-D.ietf-dane-ops" /> about "DANE DNS Record
Size Guidelines".
</t>
</section>
</section>
<section anchor="Security" title="Security Considerations">
<t>
This protocol leverages DANE TLSA records to implement MITM resistant
opportunistic channel security for SMTP. For destination domains
that sign their MX records and publish signed TLSA records for their
MX hostnames, this protocol allows sending MTAs to securely discover
both the availability of TLS and how to authenticate the destination.
</t>
<t>
This protocol does not aim to secure all SMTP traffic, as that is
not practical until DNSSEC and DANE adoption are universal. The
incremental deployment provided by following this specification is
a best possible path for securing SMTP. This protocol coexists and
interoperates with the existing insecure Internet email backbone.
</t>
<t>
The protocol does not preclude existing non-opportunistic SMTP TLS
security arrangements, which can continue to be used as before via
manual configuration with negotiated out-of-band key and TLS
configuration exchanges.
</t>
<t>
Opportunistic SMTP TLS depends critically on DNSSEC for downgrade
resistance and secure resolution of the destination name. If DNSSEC
is compromised, it is not possible to fall back on the public CA
PKI to prevent MITM attacks. A successful breach of DNSSEC enables
the attacker to publish TLSA usage 3 certificate associations, and
thereby bypass any security benefit the legitimate domain owner
might hope to gain by publishing usage 0 or 1 TLSA RRs. Given the
lack of public CA PKI support in existing MTA deployments, avoiding
certificate usages 0 and 1 simplifies implementation and deployment
with no adverse security consequences.
</t>
<t>
Implementations must strictly follow the portions of this
specification that indicate when it is appropriate to initiate a
non-authenticated connection or cleartext connection to a SMTP
server. Specifically, in order to prevent downgrade attacks on this
protocol, implementation must not initiate a connection when this
specification indicates a particular SMTP server must be considered
unreachable.
</t>
</section><!-- Security Considerations -->
<section title="IANA considerations">
<t>This specification requires no support from IANA.</t>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>
The authors would like to extend great thanks to Tony Finch, who
started the original version of a DANE SMTP document. His work is
greatly appreciated and has been incorporated into this document.
The authors would like to additionally thank Phil Pennock for his
comments and advice on this document.
</t>
<t>
Acknowledgments from Viktor: Thanks to Paul Hoffman who motivated
me to begin work on this memo and provided feedback on early drafts.
Thanks to Patrick Koetter, Perry Metzger and Nico Williams for
valuable review comments. Thanks also to Wietse Venema who created
Postfix, and whose advice and feedback were essential to the
development of the Postfix DANE implementation.
</t>
</section><!-- Acknowledgements -->
</middle>
<back>
<references title="Normative References">
&RFC1035;
&RFC2119;
&RFC3207;
&RFC4033;
&RFC4034;
&RFC4035;
&RFC5246;
&RFC5280;
&RFC5321;
&RFC6125;
&RFC6186;
&RFC6409;
&RFC6066;
&RFC6672;
&RFC6698;
&I-D.ietf-dane-ops;
</references>
<references title="Informative References">
&RFC5598;
&RFC6394;
&RFC6895;
&I-D.ietf-dane-srv;
&I-D.ietf-dane-smtp;
&I-D.ietf-dane-registry-acronyms;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 01:19:12 |