summaryrefslogtreecommitdiff
path: root/doc/doc-txt/draft-ietf-dane-ops-06
blob: 6fc89689bcfb464d2e2eb3fa7110d9202ed5c80a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
DANE                                                         V. Dukhovni
Internet-Draft                                              Unaffiliated
Intended status: Standards Track                             W. Hardaker
Expires: February 18, 2015                                       Parsons
                                                         August 17, 2014


       Updates to and Operational Guidance for the DANE Protocol
                         draft-ietf-dane-ops-06

Abstract

   This memo clarifies and updates the DANE TLSA protocol based on
   implementation experience since the publication of the original DANE
   specification in [RFC6698].  It also contains guidance for DANE
   implementers and operators.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 18, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Dukhovni & Hardaker     Expires February 18, 2015               [Page 1]

Internet-Draft               DANE operations                 August 2014


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  DANE TLSA Record Overview . . . . . . . . . . . . . . . . . .   4
     2.1.  Example TLSA record . . . . . . . . . . . . . . . . . . .   6
   3.  DANE TLS Requirements . . . . . . . . . . . . . . . . . . . .   6
   4.  Certificate-Usage-Specific DANE Updates and Guidelines  . . .   7
     4.1.  Certificate Usage DANE-EE(3)  . . . . . . . . . . . . . .   7
     4.2.  Certificate Usage DANE-TA(2)  . . . . . . . . . . . . . .   8
     4.3.  Certificate Usage PKIX-EE(1)  . . . . . . . . . . . . . .  11
     4.4.  Certificate Usage PKIX-TA(0)  . . . . . . . . . . . . . .  12
     4.5.  Opportunistic Security and PKIX usages  . . . . . . . . .  12
   5.  Service Provider and TLSA Publisher Synchronization . . . . .  13
   6.  TLSA Base Domain and CNAMEs . . . . . . . . . . . . . . . . .  15
   7.  TLSA Publisher Requirements . . . . . . . . . . . . . . . . .  16
     7.1.  Key rollover with fixed TLSA Parameters . . . . . . . . .  17
     7.2.  Switching to DANE-TA from DANE-EE . . . . . . . . . . . .  18
     7.3.  Switching to New TLSA Parameters  . . . . . . . . . . . .  18
     7.4.  TLSA Publisher Requirements Summary . . . . . . . . . . .  19
   8.  Digest Algorithm Agility  . . . . . . . . . . . . . . . . . .  19
   9.  General DANE Guidelines . . . . . . . . . . . . . . . . . . .  20
     9.1.  DANE DNS Record Size Guidelines . . . . . . . . . . . . .  21
     9.2.  Certificate Name Check Conventions  . . . . . . . . . . .  21
     9.3.  Design Considerations for Protocols Using DANE  . . . . .  23
   10. Interaction with Certificate Transparency . . . . . . . . . .  23
   11. Note on DNSSEC Security . . . . . . . . . . . . . . . . . . .  24
   12. Summary of Updates to RFC6698 . . . . . . . . . . . . . . . .  25
   13. Security Considerations . . . . . . . . . . . . . . . . . . .  26
   14. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  26
   15. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  26
   16. References  . . . . . . . . . . . . . . . . . . . . . . . . .  27
     16.1.  Normative References . . . . . . . . . . . . . . . . . .  27
     16.2.  Informative References . . . . . . . . . . . . . . . . .  28
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  28

1.  Introduction

   [RFC6698] specifies a new DNS resource record "TLSA" that associates
   a public certificate or public key of a trusted leaf or issuing
   authority with the corresponding TLS transport endpoint.  These DANE
   TLSA records, when validated by DNSSEC, can be used to augment or
   replace the trust model of the existing public Certification
   Authority (CA) Public Key Infrastructure (PKI).

   [RFC6698] defines three TLSA record fields with respectively 4, 2 and
   3 currently specified values.  These yield 24 distinct combinations
   of TLSA record types.  This many options have lead to implementation



Dukhovni & Hardaker     Expires February 18, 2015               [Page 2]

Internet-Draft               DANE operations                 August 2014


   and operational complexity.  This memo will recommend best-practice
   choices to help simplify implementation and deployment given these
   plethora of choices.

   Implementation complexity also arises from the fact that the TLS
   transport endpoint is often specified indirectly via Service Records
   (SRV), Mail Exchange (MX) records, CNAME records or other mechanisms
   that map an abstract service domain to a concrete server domain.
   With service indirection there are multiple potential places for
   clients to find the relevant TLSA records.  Service indirection is
   often used to implement "virtual hosting", where a single Service
   Provider transport endpoint simultaneously supports multiple hosted
   domain names.  With services that employ TLS, such hosting
   arrangements may require the Service Provider to deploy multiple
   pairs of private keys and certificates with TLS clients signaling the
   desired domain via the Server Name Indication (SNI) extension
   ([RFC6066], section 3).  This memo provides operational guidelines
   intended to maximize interoperability between DANE TLS clients and
   servers.

   In the context of this memo, channel security is assumed to be
   provided by TLS or DTLS.  The Transport Layer Security (TLS)
   [RFC5246] and Datagram Transport Layer Security (DTLS) [RFC6347]
   protocols provide secured TCP and UDP communication over IP.  By
   convention, "TLS" will be used throughout this document and, unless
   otherwise specified, the text applies equally well to the DTLS
   protocol.  Used without authentication, TLS provides protection only
   against eavesdropping through its use of encryption.  With
   authentication, TLS also provides integrity protection and
   authentication, which protect the transport against man-in-the-middle
   (MITM) attacks.

   Other related documents that build on [RFC6698] are
   [I-D.ietf-dane-srv] and [I-D.ietf-dane-smtp-with-dane].  In
   Section 12 we summarize the updates this document makes to [RFC6698].

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

   The following terms are used throughout this document:

   Service Provider:  A company or organization that offers to host a
      service on behalf of a Customer Domain.  The original domain name
      associated with the service often remains under the control of the



Dukhovni & Hardaker     Expires February 18, 2015               [Page 3]

Internet-Draft               DANE operations                 August 2014


      customer.  Connecting applications may be directed to the Service
      Provider via a redirection resource record.  Example redirection
      records include MX, SRV, and CNAME.  The Service Provider
      frequently provides services for many customers and must carefully
      manage any TLS credentials offered to connecting applications to
      ensure name matching is handled easily by the applications.

   Customer Domain:  As described above, a client may be interacting
      with a service that is hosted by a third party.  We will refer to
      the domain name used to locate the service prior to any
      redirection, as the "Customer Domain".

   TLSA Publisher:  The entity responsible for publishing a TLSA record
      within a DNS zone.  This zone will be assumed DNSSEC-signed and
      validatable to a trust anchor, unless otherwise specified.  If the
      Customer Domain is not outsourcing their DNS service, the TLSA
      Publisher will be the customer themselves.  Otherwise, the TLSA
      Publisher is sometimes the operator of the outsourced DNS service.

   public key:  The term "public key" is short-hand for the
      subjectPublicKeyInfo component of a PKIX [RFC5280] certificate.

   SNI:  The "Server Name Indication" (SNI) TLS protocol extension
      allows a TLS client to request a connection to a particular
      service name of a TLS server ([RFC6066], section 3).  Without this
      TLS extension, a TLS server has no choice but to offer a PKIX
      certificate with a default list of server names, making it
      difficult to host multiple Customer Domains at the same IP-
      addressed based TLS service endpoint (i.e., "secure virtual
      hosting").

   TLSA parameters:  In [RFC6698] the TLSA record is defined to consist
      of four fields.  The first three of these are numeric parameters
      that specify the meaning of the data in fourth and final field.
      To avoid language contortions when we need to distinguish between
      the first three fields that together define a TLSA record "type"
      and the fourth that provides a data value of that type, we will
      call the first three fields "TLSA parameters", or sometimes just
      "parameters" when obvious from context.

2.  DANE TLSA Record Overview










Dukhovni & Hardaker     Expires February 18, 2015               [Page 4]

Internet-Draft               DANE operations                 August 2014


   DANE TLSA [RFC6698] specifies a protocol for publishing TLS server
   certificate associations via DNSSEC [RFC4033] [RFC4034] [RFC4035].
   The DANE TLSA specification defines multiple TLSA RR types via
   combinations of numeric values of the first three fields of the TLSA
   record (i.e. the "TLSA parameters").  The numeric values of these
   parameters were later given symbolic names in [RFC7218].  These
   parameters are:

   The Certificate Usage field:  Section 2.1.1 of [RFC6698] specifies 4
      values: PKIX-TA(0), PKIX-EE(1), DANE-TA(2), and DANE-EE(3).  There
      is an additional private-use value: PrivCert(255).  All other
      values are reserved for use by future specifications.

   The selector field:  Section 2.1.2 of [RFC6698] specifies 2 values:
      Cert(0), SPKI(1).  There is an additional private-use value:
      PrivSel(255).  All other values are reserved for use by future
      specifications.

   The matching type field:  Section 2.1.3 of [RFC6698] specifies 3
      values: Full(0), SHA2-256(1), SHA2-512(2).  There is an additional
      private-use value: PrivMatch(255).  All other values are reserved
      for use by future specifications.

   We may think of TLSA Certificate Usage values 0 through 3 as a
   combination of two one-bit flags.  The low-bit chooses between trust
   anchor (TA) and end entity (EE) certificates.  The high bit chooses
   between PKIX, or public PKI issued, and DANE, or domain-issued trust
   anchors:

   o  When the low bit is set (PKIX-EE(1) and DANE-EE(3)) the TLSA
      record matches an EE certificate (also commonly referred to as a
      leaf or server certificate.)

   o  When the low bit is not set (PKIX-TA(0) and DANE-TA(2)) the TLSA
      record matches a trust anchor (a Certification Authority) that
      issued one of the certificates in the server certificate chain.

   o  When the high bit is set (DANE-TA(2) and DANE-EE(3)), the server
      certificate chain is domain-issued and may be verified without
      reference to any pre-existing public certification authority PKI.
      Trust is entirely placed on the content of the TLSA records
      obtained via DNSSEC.









Dukhovni & Hardaker     Expires February 18, 2015               [Page 5]

Internet-Draft               DANE operations                 August 2014


   o  When the high bit is not set (PKIX-TA(0) and PKIX-EE(1)), the TLSA
      record publishes a server policy stating that its certificate
      chain must pass PKIX validation [RFC5280] and the DANE TLSA record
      is used to signal an additional requirement that the PKIX
      validated server certificate chain also contains the referenced CA
      or EE certificate.

   The selector field specifies whether the TLSA RR matches the whole
   certificate (Cert(0)) or just its subjectPublicKeyInfo (SPKI(1)).
   The subjectPublicKeyInfo is an ASN.1 DER encoding of the
   certificate's algorithm id, any parameters and the public key data.

   The matching type field specifies how the TLSA RR Certificate
   Association Data field is to be compared with the certificate or
   public key.  A value of Full(0) means an exact match: the full DER
   encoding of the certificate or public key is given in the TLSA RR.  A
   value of SHA2-256(1) means that the association data matches the
   SHA2-256 digest of the certificate or public key, and likewise
   SHA2-512(2) means a SHA2-512 digest is used.  Of the two digest
   algorithms, for now only SHA2-256(1) is mandatory to implement.
   Clients SHOULD implement SHA2-512(2), but servers SHOULD NOT
   exclusively publish SHA2-512(2) digests.  The digest algorithm
   agility protocol defined in Section 8 SHOULD be used by clients to
   decide how to process TLSA RRsets that employ multiple digest
   algorithms.  Server operators MUST publish TLSA RRsets that are
   compatible with digest algorithm agility.

2.1.  Example TLSA record

   In the example TLSA record below:

   _25._tcp.mail.example.com. IN TLSA PKIX-TA Cert SHA2-256 (
                              E8B54E0B4BAA815B06D3462D65FBC7C0
                              CF556ECCF9F5303EBFBB77D022F834C0 )

   The TLSA Certificate Usage is DANE-TA(2), the selector is Cert(0) and
   the matching type is SHA2-256(1).  The last field is the Certificate
   Association Data Field, which in this case contains the SHA2-256
   digest of the server certificate.

3.  DANE TLS Requirements

   [RFC6698] does not discuss what versions of TLS are required when
   using DANE records.  This document specifies that TLS clients that
   support DANE/TLSA MUST support at least TLS 1.0 and SHOULD support
   TLS 1.2.  TLS clients and servers using DANE SHOULD support the
   "Server Name Indication" (SNI) extension of TLS.




Dukhovni & Hardaker     Expires February 18, 2015               [Page 6]

Internet-Draft               DANE operations                 August 2014


4.  Certificate-Usage-Specific DANE Updates and Guidelines

   The four Certificate Usage values from the TLSA record, DANE-EE(3),
   DANE-TA(2), PKIX-EE(1) and PKIX-TA(0), are discussed below.

4.1.  Certificate Usage DANE-EE(3)

   In this section the meaning of DANE-EE(3) is updated from [RFC6698]
   to specify that peer identity matching and that validity interval
   compliance is based solely on the TLSA RRset properties.  We also
   extend [RFC6698] to cover the use of DANE authentication of raw
   public keys [I-D.ietf-tls-oob-pubkey] via TLSA records with
   Certificate Usage DANE-EE(3) and selector SPKI(1).

   Authentication via certificate usage DANE-EE(3) TLSA records involves
   simply checking that the server's leaf certificate matches the TLSA
   record.  In particular, the binding of the server public key to its
   name is based entirely on the TLSA record association.  The server
   MUST be considered authenticated even if none of the names in the
   certificate match the client's reference identity for the server.

   Similarly, with DANE-EE(3), the expiration date of the server
   certificate MUST be ignored.  The validity period of the TLSA record
   key binding is determined by the validity interval of the TLSA record
   DNSSEC signatures.

   With DANE-EE(3) servers that know all the connecting clients are
   making use of DANE, they need not employ SNI (i.e., the may ignore
   the client's SNI message) even when the server is known under
   multiple domain names that would otherwise require separate
   certificates.  It is instead sufficient for the TLSA RRsets for all
   the domain names in question to match the server's primary
   certificate.  For application protocols where the server name is
   obtained indirectly via SRV, MX or similar records, it is simplest to
   publish a single hostname as the target server name for all the
   hosted domains.

   In organizations where it is practical to make coordinated changes in
   DNS TLSA records before server key rotation, it is generally best to
   publish end-entity DANE-EE(3) certificate associations in preference
   to other choices of certificate usage.  DANE-EE(3) TLSA records
   support multiple server names without SNI, don't suddenly stop
   working when leaf or intermediate certificates expire, and don't fail
   when a server operator neglects to include all the required issuer
   certificates in the server certificate chain.

   TLSA records published for DANE servers SHOULD, as a best practice,
   be "DANE-EE(3) SPKI(1) SHA2-256(1)" records.  Since all DANE



Dukhovni & Hardaker     Expires February 18, 2015               [Page 7]

Internet-Draft               DANE operations                 August 2014


   implementations are required to support SHA2-256, this record type
   works for all clients and need not change across certificate renewals
   with the same key.  This TLSA record type easily supports hosting
   arrangements with a single certificate matching all hosted domains.
   It is also the easiest to implement correctly in the client.

   Another advantage of "DANE-EE(3) SPKI(1)" (with any suitable matching
   type) TLSA records is that they are compatible with the raw public
   key TLS extension specified in [I-D.ietf-tls-oob-pubkey].  DANE
   clients that support this extension can use the TLSA record to
   authenticate servers that negotiate the use of raw public keys in
   place of X.509 certificate chains.  Provided the server adheres to
   the requirements of Section 7, the fact that raw public keys are not
   compatible with any other TLSA record types will not get in the way
   of successful authentication.  Clients that employ DANE to
   authenticate the peer server SHOULD NOT negotiate the use of raw
   public keys unless the server's TLSA RRset includes compatible TLSA
   records.

   While it is, in principle, also possible to authenticate raw public
   keys via "DANE-EE(3) Cert(0) Full(0)" records by extracting the
   public key from the certificate in DNS, this is in conflict with the
   indicated selector and requires extra logic on clients that not all
   implementations are expected to provide.  Servers SHOULD NOT rely on
   "DANE-EE(3) Cert(0) Full(0)" TLSA records to publish authentication
   data for raw public keys.

4.2.  Certificate Usage DANE-TA(2)

   This section updates [RFC6698] by specifying a new operational
   requirement for servers publishing TLSA records with a usage of DANE-
   TA(2): such servers MUST include the trust-anchor certificate in
   their TLS server certificate message.

   Some domains may prefer to avoid the operational complexity of
   publishing unique TLSA RRs for each TLS service.  If the domain
   employs a common issuing Certification Authority to create
   certificates for multiple TLS services, it may be simpler to publish
   the issuing authority as a trust anchor (TA) for the certificate
   chains of all relevant services.  The TLSA query domain (TLSA base
   domain with port and protocol prefix labels) for each service issued
   by the same TA may then be set to a CNAME alias that points to a
   common TLSA RRset that matches the TA.  For example:








Dukhovni & Hardaker     Expires February 18, 2015               [Page 8]

Internet-Draft               DANE operations                 August 2014


   www1.example.com.            IN A 192.0.2.1
   www2.example.com.            IN A 192.0.2.2
   _443._tcp.www1.example.com.  IN CNAME tlsa201._dane.example.com.
   _443._tcp.www2.example.com.  IN CNAME tlsa201._dane.example.com.
   tlsa201._dane.example.com.   IN TLSA 2 0 1 e3b0c44298fc1c14...

   With usage DANE-TA(2) the server certificates will need to have names
   that match one of the client's reference identifiers (see [RFC6125]).
   The server SHOULD employ SNI to select the appropriate certificate to
   present to the client.

4.2.1.  Recommended record combinations

   TLSA records with selector Full(0) are NOT RECOMMENDED.  While these
   potentially obviate the need to transmit the TA certificate in the
   TLS server certificate message, client implementations may not be
   able to augment the server certificate chain with the data obtained
   from DNS, especially when the TLSA record supplies a bare key
   (selector SPKI(1)).  Since the server will need to transmit the TA
   certificate in any case, server operators SHOULD publish TLSA records
   with a selector other than Full(0) and avoid potential DNS
   interoperability issues with large TLSA records containing full
   certificates or keys (see Section 9.1.1).

   TLSA Publishers employing DANE-TA(2) records SHOULD publish records
   with a selector of Cert(0).  Such TLSA records are associated with
   the whole trust anchor certificate, not just with the trust anchor
   public key.  In particular, the client SHOULD then apply any relevant
   constraints from the trust anchor certificate, such as, for example,
   path length constraints.

   While a selector of SPKI(1) may also be employed, the resulting TLSA
   record will not specify the full trust anchor certificate content,
   and elements of the trust anchor certificate other than the public
   key become mutable.  This may, for example, enable a subsidiary CA to
   issue a chain that violates the trust anchor's path length or name
   constraints.

4.2.2.  Trust anchor digests and server certificate chain

   With DANE-TA(2) (these TLSA records are expected to match the digest
   of a TA certificate or public key), a complication arises when the TA
   certificate is omitted from the server's certificate chain, perhaps
   on the basis of Section 7.4.2 of [RFC5246]:







Dukhovni & Hardaker     Expires February 18, 2015               [Page 9]

Internet-Draft               DANE operations                 August 2014


   The sender's certificate MUST come first in the list.  Each
   following certificate MUST directly certify the one preceding
   it.  Because certificate validation requires that root keys be
   distributed independently, the self-signed certificate that
   specifies the root certification authority MAY be omitted from
   the chain, under the assumption that the remote end must
   already possess it in order to validate it in any case.

   With TLSA Certificate Usage DANE-TA(2), there is no expectation that
   the client is pre-configured with the trust anchor certificate.  In
   fact, client implementations are free to ignore all locally
   configured trust anchors when processing usage DANE-TA(2) TLSA
   records and may rely exclusively on the certificates provided in the
   server's certificate chain.  But, with a digest in the TLSA record,
   the TLSA record contains neither the full trust anchor certificate
   nor the full public key.  If the TLS server's certificate chain does
   not contain the trust anchor certificate, DANE clients will be unable
   to authenticate the server.

   TLSA Publishers that publish TLSA Certificate Usage DANE-TA(2)
   associations with a selector of SPKI(1) or using a digest-based
   matching type (not Full(0)) MUST ensure that the corresponding server
   is configured to also include the trust anchor certificate in its TLS
   handshake certificate chain, even if that certificate is a self-
   signed root CA and would have been optional in the context of the
   existing public CA PKI.

4.2.3.  Trust anchor public keys

   TLSA records with TLSA Certificate Usage DANE-TA(2), selector SPKI(1)
   and a matching type of Full(0) will publish the full public key of a
   trust anchor via DNS.  In section 6.1.1 of [RFC5280] the definition
   of a trust anchor consists of the following four parts:

   1.  the trusted issuer name,

   2.  the trusted public key algorithm,

   3.  the trusted public key, and

   4.  optionally, the trusted public key parameters associated with the
       public key.

   Items 2-4 are precisely the contents of the subjectPublicKeyInfo
   published in the TLSA record.  The issuer name is not included in the
   subjectPublicKeyInfo.





Dukhovni & Hardaker     Expires February 18, 2015              [Page 10]

Internet-Draft               DANE operations                 August 2014


   With TLSA Certificate Usage DANE-TA(2), the client may not have the
   associated trust anchor certificate, and cannot generally verify
   whether a particular certificate chain is "issued by" the trust
   anchor described in the TLSA record.

   When the server certificate chain includes a CA certificate whose
   public key matches the TLSA record, the client can match that CA as
   the intended issuer.  Otherwise, the client can only check that the
   topmost certificate in the server's chain is "signed by" the trust
   anchor's public key in the TLSA record.  Such a check may be
   difficult to implement, and cannot be expected to be supported by all
   clients.

   Thus, servers should not rely on "DANE-TA(2) SPKI(1) Full(0)" TLSA
   records to be sufficient to authenticate chains issued by the
   associated public key in the absence of a corresponding certificate
   in the server's TLS certificate message.  Servers SHOULD include the
   TA certificate in their certificate chain.

   If none of the server's certificate chain elements match a public key
   specified in a TLSA record, and at least one "DANE-TA(2) SPKI(1)
   Full(0)" TLSA record is available, clients are encouraged to check
   whether the topmost certificate in the chain is signed by the
   provided public key and has not expired, and in that case consider
   the server authenticated, provided the rest of the chain passes
   validation including leaf certificate name checks.

4.3.  Certificate Usage PKIX-EE(1)

   This Certificate Usage is similar to DANE-EE(3), but in addition PKIX
   verification is required.  Therefore, name checks, certificate
   expiration, etc., apply as they would without DANE.  When, for a
   given application protocol, DANE clients support both DANE-EE(3) and
   PKIX-EE(1) usages, it should be noted that an attacker who can
   compromise DNSSEC can replace these with usage DANE-EE(3) or DANE-
   TA(2) TLSA records of their choosing, and thus bypass any PKIX
   verification requirements.

   Therefore, except when applications support only the PKIX Certificate
   Usages (0 and 1), this Certificate Usage offers only illusory
   incremental security over usage DANE-EE(3).  It provides lower
   operational reliability than DANE-EE(3) since some clients may not be
   configured with the required root CA, the server's chain may be
   incomplete or name checks may fail.  PKIX-EE(1) also requires more
   complex coordination between the Customer Domain and the Service
   Provider in hosting arrangements.  This certificate usage is NOT
   RECOMMENDED.




Dukhovni & Hardaker     Expires February 18, 2015              [Page 11]

Internet-Draft               DANE operations                 August 2014


4.4.  Certificate Usage PKIX-TA(0)

   This section updates [RFC6698] by specifying new client
   implementation requirements.  Clients that trust intermediate
   certificates MUST be prepared to construct longer PKIX chains than
   would be required for PKIX alone.

   TLSA Certificate Usage PKIX-TA(0) allows a domain to publish
   constraints on the set of PKIX certification authorities trusted to
   issue certificates for its TLS servers.  This TLSA record matches
   PKIX-verified trust chains which contain an issuer certificate (root
   or intermediate) that matches its association data field (typically a
   certificate or digest).

   As with PKIX-EE(1) case, an attacker who can compromise DNSSEC can
   replace these with usage DANE-EE(3) or DANE-TA(2) TLSA records of his
   choosing and thus bypass the PKIX verification requirements.
   Therefore, except when applications support only the PKIX Certificate
   Usages (0 and 1), this Certificate Usage offers only illusory
   incremental security over usage DANE-TA(2).  It provides lower
   operational reliability than DANE-TA(2) since some clients may not be
   configured with the required root CA.  PKIX-TA(0) also requires more
   complex coordination between the Customer Domain and the Service
   Provider in hosting arrangements.  This certificate usage is NOT
   RECOMMENDED.

   TLSA Publishers who publish TLSA records for a particular public root
   CA, will expect that clients will then only accept chains anchored at
   that root.  It is possible, however, that the client's trusted
   certificate store includes some intermediate CAs, either with or
   without the corresponding root CA.  When a client constructs a trust
   chain leading from a trusted intermediate CA to the server leaf
   certificate, such a "truncated" chain might not contain the trusted
   root published in the server's TLSA record.

   If the omitted root is also trusted, the client may erroneously
   reject the server chain if it fails to determine that the shorter
   chain it constructed extends to a longer trusted chain that matches
   the TLSA record.  Thus, when matching a usage PKIX-TA(0) TLSA record,
   a client SHOULD NOT always stop extending the chain when the first
   locally trusted certificate is found.  If no TLSA records have
   matched any of the elements of the chain, and the trusted certificate
   found is not self-issued, the client MUST attempt to build a longer
   chain in the hope that a certificate closer to the root may in fact
   match the server's TLSA record.

4.5.  Opportunistic Security and PKIX usages




Dukhovni & Hardaker     Expires February 18, 2015              [Page 12]

Internet-Draft               DANE operations                 August 2014


   When the client's protocol design is based on Opportunistic Security
   (OS, [I-D.dukhovni-opportunistic-security]), and authentication is
   opportunistically employed based on the presence of server TLSA
   records, it is especially important to avoid the PKIX-EE(1) and PKIX-
   TA(0) certificate usages.  This is because the client has no way to
   know in advance that it and the server both trust the requisite root
   CA.  Use of authentication in OS needs to be employed only when the
   client can be confident of success, absent an attack, or an
   operational error on the server side.

5.  Service Provider and TLSA Publisher Synchronization

   Complications arise when the TLSA Publisher is not the same entity as
   the Service Provider.  In this situation, the TLSA Publisher and the
   Service Provider must cooperate to ensure that TLSA records published
   by the TLSA Publisher don't fall out of sync with the server
   certificate used by the Service Provider.

   Whenever possible, the TLSA Publisher and the Service Provider should
   be the same entity.  Otherwise, changes in the service certificate
   chain must be carefully coordinated between the parties involved.
   Such coordination is difficult and service outages will result when
   coordination fails.

   Having the master TLSA record in the Service Provider's zone avoids
   the complexity of bilateral coordination of server certificate
   configuration and TLSA record management.  Even when the TLSA RRset
   must be published in the Customer Domain's DNS zone (perhaps the
   client application does not "chase" CNAMEs to the TLSA base domain),
   it is possible to employ CNAME records to delegate the content of the
   TLSA RRset to a domain operated by the Service Provider.  Certificate
   name checks generally constrain the applicability of TLSA CNAMEs
   across organizational boundaries to Certificate Usages DANE-EE(3) and
   DANE-TA(2):

   Certificate Usage DANE-EE(3):  In this case the Service Provider can
      publish a single TLSA RRset that matches the server certificate or
      public key digest.  The same RRset works for all Customer Domains
      because name checks do not apply with DANE-EE(3) TLSA records (see
      Section 4.1).  A Customer Domain can create a CNAME record
      pointing to the TLSA RRset published by the Service Provider.

   Certificate Usage DANE-TA(2):  When the Service Provider operates a
      private certification authority, the Service Provider is free to
      issue a certificate bearing any customer's domain name.  Without
      DANE, such a certificate would not pass trust verification, but
      with DANE, the customer's TLSA RRset that is aliased to the
      provider's TLSA RRset can delegate authority to the provider's CA



Dukhovni & Hardaker     Expires February 18, 2015              [Page 13]

Internet-Draft               DANE operations                 August 2014


      for the corresponding service.  The Service Provider can generate
      appropriate certificates for each customer and use the SNI
      information provided by clients to select the right certificate
      chain to present to each client.

   Below are example DNS records (assumed "secure" and shown without the
   associated DNSSEC information, such as record signatures) that
   illustrate both of of the above models in the case of an HTTPS
   service whose clients all support DANE TLS.  These examples work even
   with clients that don't "chase" CNAMEs when constructing the TLSA
   base domain (see Section 6 below).

   ; The hosted web service is redirected via a CNAME alias.
   ; The associated TLSA RRset is also redirected via a CNAME alias.
   ;
   ; A single certificate at the provider works for all Customer
   ; Domains due to the use of the DANE-EE(3) Certificate Usage.
   ;
   www1.example.com.            IN CNAME w1.example.net.
   _443._tcp.www1.example.com.  IN CNAME _443._tcp.w1.example.net.
   _443._tcp.w1.example.net.    IN TLSA DANE-EE SPKI SHA2-256 (
                                   8A9A70596E869BED72C69D97A8895DFA
                                   D86F300A343FECEFF19E89C27C896BC9 )

   ;
   ; A CA at the provider can also issue certificates for each Customer
   ; Domain, and use the DANE-TA(2) Certificate Usage type to
   ; indicate a trust anchor.
   ;
   www2.example.com.            IN CNAME w2.example.net.
   _443._tcp.www2.example.com.  IN CNAME _443._tcp.w2.example.net.
   _443._tcp.w2.example.net.    IN TLSA DANE-TA Cert SHA2-256 (
                                   C164B2C3F36D068D42A6138E446152F5
                                   68615F28C69BD96A73E354CAC88ED00C )

   With protocols that support explicit transport redirection via DNS MX
   records, SRV records, or other similar records, the TLSA base domain
   is based on the redirected transport end-point, rather than the
   origin domain.  With SMTP, for example, when an email service is
   hosted by a Service Provider, the Customer Domain's MX hostnames will
   point at the Service Provider's SMTP hosts.  When the Customer
   Domain's DNS zone is signed, the MX hostnames can be securely used as
   the base domains for TLSA records that are published and managed by
   the Service Provider.  For example (without the required DNSSEC
   information, such as record signatures):






Dukhovni & Hardaker     Expires February 18, 2015              [Page 14]

Internet-Draft               DANE operations                 August 2014


   ; Hosted SMTP service
   ;
   example.com.               IN MX 0 mx1.example.net.
   example.com.               IN MX 0 mx2.example.net.
   _25._tcp.mx1.example.net.  IN TLSA DANE-EE SPKI SHA2-256 (
                                 8A9A70596E869BED72C69D97A8895DFA
                                 D86F300A343FECEFF19E89C27C896BC9 )
   _25._tcp.mx2.example.net.  IN TLSA DANE-EE SPKI SHA2-256 (
                                 C164B2C3F36D068D42A6138E446152F5
                                 68615F28C69BD96A73E354CAC88ED00C )

   If redirection to the Service Provider's domain (via MX or SRV
   records or any similar mechanism) is not possible, and aliasing of
   the TLSA record is not an option, then more complex coordination
   between the Customer Domain and Service Provider will be required.
   Either the Customer Domain periodically provides private keys and a
   corresponding certificate chain to the Provider (after making
   appropriate changes in its TLSA records), or the Service Provider
   periodically generates the keys and certificates and must wait for
   matching TLSA records to be published by its Customer Domains before
   deploying newly generated keys and certificate chains.  In Section 6
   below, we describe an approach that employs CNAME "chasing" to avoid
   the difficulties of coordinating key management across organization
   boundaries.

   For further information about combining DANE and SRV, please see
   [I-D.ietf-dane-srv].

6.  TLSA Base Domain and CNAMEs

   When the application protocol does not support service location
   indirection via MX, SRV or similar DNS records, the service may be
   redirected via a CNAME.  A CNAME is a more blunt instrument for this
   purpose, since unlike an MX or SRV record, it remaps the entire
   origin domain to the target domain for all protocols.

   The complexity of coordinating key management is largely eliminated
   when DANE TLSA records are found in the Service Provider's domain, as
   discussed in Section 5.  Therefore, DANE TLS clients connecting to a
   server whose domain name is a CNAME alias SHOULD follow the CNAME
   hop-by-hop to its ultimate target host (noting at each step whether
   the CNAME is DNSSEC-validated).  If at each stage of CNAME expansion
   the DNSSEC validation status is "secure", the final target name
   SHOULD be the preferred base domain for TLSA lookups.

   Implementations failing to find a TLSA record using a base name of
   the final target of a CNAME expansion SHOULD issue a TLSA query using
   the original destination name.  That is, the preferred TLSA base



Dukhovni & Hardaker     Expires February 18, 2015              [Page 15]

Internet-Draft               DANE operations                 August 2014


   domain should be derived from the fully expanded name, and failing
   that should be the initial domain name.

   When the TLSA base domain is the result of "secure" CNAME expansion,
   the resulting domain name MUST be used as the HostName in SNI, and
   MUST be the primary reference identifier for peer certificate
   matching with certificate usages other than DANE-EE(3).

   Protocol-specific TLSA specifications may provide additional guidance
   or restrictions when following CNAME expansions.

   Though CNAMEs are illegal on the right hand side of most indirection
   records, such as MX and SRV records, they are supported by some
   implementations.  For example, if the MX or SRV host is a CNAME
   alias, some implementations may "chase" the CNAME.  If they do, they
   SHOULD use the target hostname as the preferred TLSA base domain as
   described above (and if the TLSA records are found there, use the
   CNAME expanded domain also in SNI and certificate name checks).

7.  TLSA Publisher Requirements

   This section updates [RFC6698] by specifying a requirement on the
   TLSA Publisher to ensure that each combination of Certificate Usage,
   selector and matching type in the server's TLSA RRset MUST include at
   least one record that matches the server's current certificate chain.
   TLSA records that match recently retired or yet to be deployed
   certificate chains will be present during key rollover.  Such past or
   future records must never be the only records published for any given
   combination of usage, selector and matching type.  We describe a TLSA
   record update algorithm that ensures this requirement is met.

   While a server is to be considered authenticated when its certificate
   chain is matched by any of the published TLSA records, not all
   clients support all combinations of TLSA record parameters.  Some
   clients may not support some digest algorithms, others may either not
   support, or may exclusively support, the PKIX Certificate Usages.
   Some clients may prefer to negotiate [I-D.ietf-tls-oob-pubkey] raw
   public keys, which are only compatible with TLSA records whose
   Certificate Usage is DANE-EE(3) with selector SPKI(1).












Dukhovni & Hardaker     Expires February 18, 2015              [Page 16]

Internet-Draft               DANE operations                 August 2014


   A consequence of the above uncertainty as to which TLSA parameters
   are supported by any given client is that servers need to ensure that
   each and every parameter combination that appears in the TLSA RRset
   is, on its own, sufficient to match the server's current certificate
   chain.  In particular, when deploying new keys or new parameter
   combinations some care is required to not generate parameter
   combinations that only match past or future certificate chains (or
   raw public keys).  The rest of this section explains how to update
   the TLSA RRset in a manner that ensures the above requirement is met.

7.1.  Key rollover with fixed TLSA Parameters

   The simplest case is key rollover while retaining the same set of
   published parameter combinations.  In this case, TLSA records
   matching the existing server certificate chain (or raw public keys)
   are first augmented with corresponding records matching the future
   keys, at least two TTLs or longer before the the new chain is
   deployed.  This allows the obsolete RRset to age out of client caches
   before the new chain is used in TLS handshakes.  Once sufficient time
   has elapsed and all clients performing DNS lookups are retrieving the
   updated TLSA records, the server administrator may deploy the new
   certificate chain, verify that it works, and then remove any obsolete
   records matching the no longer active chain:

   ; The initial TLSA RRset
   ;
   _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...

   ; The transitional TLSA RRset published at least 2*TTL seconds
   ; before the actual key change
   ;
   _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
   _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b...

   ; The final TLSA RRset after the key change
   ;
   _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b...

   The next case to consider is adding or switching to a new combination
   of TLSA parameters.  In this case publish the new parameter
   combinations for the server's existing certificate chain first, and
   only then deploy new keys if desired:









Dukhovni & Hardaker     Expires February 18, 2015              [Page 17]

Internet-Draft               DANE operations                 August 2014


   ; Initial TLSA RRset
   ;
   _443._tcp.www.example.org. IN TLSA 1 1 1 01d09d19c2139a46...

   ; New TLSA RRset, same key re-published as DANE-EE(3)
   ;
   _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...

7.2.  Switching to DANE-TA from DANE-EE

   A more complex involves switching to a trust-anchor or PKIX usage
   from a chain that is either self-signed, or issued by a private CA
   and thus not compatible with PKIX.  Here the process is to first add
   TLSA records matching the future chain that is issued by the desired
   future CA (private or PKIX), but initially with the same parameters
   as the legacy chain.  Then, after deploying the new keys, switch to
   the new TLSA parameter combination.

   ; The initial TLSA RRset
   ;
   _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...

   ; A transitional TLSA RRset, published at least 2*TTL before the
   ; actual key change.  The new keys are issued by a DANE-TA(2) CA,
   ; but for now specified via a DANE-EE(3) association.
   ;
   _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
   _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b...

   ; The final TLSA RRset after the key change.  Now that the old
   ; self-signed EE keys are not an impediment, specify the issuing
   ; TA of the new keys.
   ;
   _443._tcp.www.example.org. IN TLSA 2 0 1 c57bce38455d9e3d...

7.3.  Switching to New TLSA Parameters

   When employing a new digest algorithm in the TLSA RRset, for
   compatibility with digest agility specified in Section 8 below,
   administrators should publish the new digest algorithm with each
   combinations of Certificate Usage and selector for each associated
   key or chain used with any other digest algorithm.  When removing an
   algorithm, remove it entirely.  Each digest algorithm employed should
   match the same set of chains (or raw public keys).







Dukhovni & Hardaker     Expires February 18, 2015              [Page 18]

Internet-Draft               DANE operations                 August 2014


   ; The initial TLSA RRset with EE SHA2-256 associations for two keys.
   ;
   _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
   _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b...

   ; The new TLSA RRset also with SHA2-512 associations for each key
   ;
   _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
   _443._tcp.www.example.org. IN TLSA 3 1 2 d9947c35089310bc...
   _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b...
   _443._tcp.www.example.org. IN TLSA 3 1 2 89a7486a4b6ae714...

7.4.  TLSA Publisher Requirements Summary

   In summary, server operators updating TLSA records should make one
   change at a time.  The individual safe changes are:

   o  Pre-publish new certificate associations that employ the same TLSA
      parameters (usage, selector and matching type) as existing TLSA
      records, but match certificate chains that will be deployed in the
      near future.  Wait for stale TLSA RRsets to expire from DNS caches
      before configuring servers to use the new certificate chain.

   o  Remove TLSA records matching no longer deployed certificate
      chains.

   o  Extend the TLSA RRset with a new combination of parameters (usage,
      selector and matching type) that is used to generate matching
      associations for all certificate chains that are published with
      some other parameter combination.

   The above steps are intended to ensure that at all times and for each
   combination of usage, selector and matching type at least one TLSA
   record corresponds to the server's current certificate chain.  No
   combination of Certificate Usage, selector and matching type in a
   server's TLSA RRset should ever match only some combination of future
   or past certificate chains.  As a result, no matter what combinations
   of usage, selector and matching type may be supported by a given
   client, they will be sufficient to authenticate the server.

8.  Digest Algorithm Agility










Dukhovni & Hardaker     Expires February 18, 2015              [Page 19]

Internet-Draft               DANE operations                 August 2014


   While [RFC6698] specifies multiple digest algorithms, it does not
   specify a protocol by which the TLS client and TLSA record publisher
   can agree on the strongest shared algorithm.  Such a protocol would
   allow the client and server to avoid exposure to any deprecated
   weaker algorithms that are published for compatibility with less
   capable clients, but should be ignored when possible.  We specify
   such a protocol below.

   Suppose that a DANE TLS client authenticating a TLS server considers
   digest algorithm "BetterAlg" stronger than digest algorithm
   "WorseAlg".  Suppose further that a server's TLSA RRset contains some
   records with "BetterAlg" as the digest algorithm.  Suppose also that
   the server adheres to the requirements of Section 7 and ensures that
   each combination of TLSA parameters contains at least one record that
   matches the server's current certificate chain (or raw public keys).
   Under the above assumptions the client can safely ignore TLSA records
   with the weaker algorithm "WorseAlg", because it suffices to only
   check the records with the stronger algorithm "BetterAlg".

   To make digest algorithm agility possible, all published TLSA RRsets
   for use with DANE TLS MUST conform to the requirements of Section 7.
   With servers publishing compliant TLSA RRsets, TLS clients can, for
   each combination of usage and selector, ignore all digest records
   except those that employ their notion of the strongest digest
   algorithm.  (The server should only publish algorithms it deems
   acceptable at all.)  The ordering of digest algorithms by strength is
   not specified in advance; it is entirely up to the TLS client.  TLS
   client implementations SHOULD make the digest algorithm preference
   ordering a configurable option.

   Note, TLSA records with a matching type of Full(0) that publish an
   entire certificate or public key object play no role in digest
   algorithm agility.  They neither trump the processing of records that
   employ digests, nor are they ignored in the presence of any records
   with a digest (i.e. non-zero) matching type.

   TLS clients SHOULD use digest algorithm agility when processing the
   DANE TLSA records of an TLS server.  Algorithm agility is to be
   applied after first discarding any unusable or malformed records
   (unsupported digest algorithm, or incorrect digest length).  Thus,
   for each usage and selector, the client SHOULD process only any
   usable records with a matching type of Full(0) and the usable records
   whose digest algorithm is considered by the client to be the
   strongest among usable records with the given usage and selector.

9.  General DANE Guidelines





Dukhovni & Hardaker     Expires February 18, 2015              [Page 20]

Internet-Draft               DANE operations                 August 2014


   These guidelines provide guidance for using or designing protocols
   for DANE.

9.1.  DANE DNS Record Size Guidelines

   Selecting a combination of TLSA parameters to use requires careful
   thought.  One important consideration to take into account is the
   size of the resulting TLSA record after its parameters are selected.

9.1.1.  UDP and TCP Considerations

   Deployments SHOULD avoid TLSA record sizes that cause UDP
   fragmentation.

   Although DNS over TCP would provide the ability to more easily
   transfer larger DNS records between clients and servers, it is not
   universally deployed and is still prohibited by some firewalls.
   Clients that request DNS records via UDP typically only use TCP upon
   receipt of a truncated response in the DNS response message sent over
   UDP.  Setting the TC bit alone will be insufficient if the response
   containing the TC bit is itself fragmented.

9.1.2.  Packet Size Considerations for TLSA Parameters

   Server operators SHOULD NOT publish TLSA records using both a TLSA
   Selector of Cert(0) and a TLSA Matching Type of Full(0), as even a
   single certificate is generally too large to be reliably delivered
   via DNS over UDP.  Furthermore, two TLSA records containing full
   certificates will need to be published simultaneously during a
   certificate rollover, as discussed in Section 7.1.

   While TLSA records using a TLSA Selector of SPKI(1) and a TLSA
   Matching Type of Full(0) (which publish the bare public keys without
   the overhead of a containing X.509 certificate) are generally more
   compact, these too should be used with caution as they are still
   larger than necessary.  Rather, servers SHOULD publish digest-based
   TLSA Matching Types in their TLSA records.  The complete
   corresponding certificate should, instead, be transmitted to the
   client in-band during the TLS handshake, which can be easily verified
   using the digest value.

   In summary, the use of a TLSA Matching Type of Full(0) is NOT
   RECOMMENDED and the use of a digest-based matching type, such as
   SHA2-256(1) SHOULD be used.

9.2.  Certificate Name Check Conventions





Dukhovni & Hardaker     Expires February 18, 2015              [Page 21]

Internet-Draft               DANE operations                 August 2014


   Certificates presented by a TLS server will generally contain a
   subjectAltName (SAN) extension or a Common Name (CN) element within
   the subject distinguished name (DN).  The TLS server's DNS domain
   name is normally published within these elements, ideally within the
   subjectAltName extension.  (The use of the CN field for this purpose
   is deprecated.)

   When a server hosts multiple domains at the same transport endpoint,
   the server's ability to respond with the right certificate chain is
   predicated on correct SNI information from the client.  DANE clients
   MUST send the SNI extension with a HostName value of the base domain
   of the TLSA RRset.

   Except with TLSA Certificate Usage DANE-EE(3), where name checks are
   not applicable (see Section 4.1), DANE clients MUST verify that the
   client has reached the correct server by checking that the server
   name is listed in the server certificate's SAN or CN.  The server
   name used for this comparison SHOULD be the base domain of the TLSA
   RRset.  Additional acceptable names may be specified by protocol-
   specific DANE standards.  For example, with SMTP both the destination
   domain name and the MX host name are acceptable names to be found in
   the server certificate (see [I-D.ietf-dane-smtp-with-dane]).

   It is the responsibility of the service operator, in coordination
   with the TLSA Publisher, to ensure that at least one of the TLSA
   records published for the service will match the server's certificate
   chain (either the default chain or the certificate that was selected
   based on the SNI information provided by the client).

   Given the DNSSEC validated DNS records below:

   example.com.               IN MX 0 mail.example.com.
   mail.example.com.          IN A 192.0.2.1
   _25._tcp.mail.example.com. IN TLSA DANE-TA Cert SHA2-256  (
                                 E8B54E0B4BAA815B06D3462D65FBC7C0
                                 CF556ECCF9F5303EBFBB77D022F834C0 )

   The TLSA base domain is "mail.example.com" and is required to be the
   HostName in the client's SNI extension.  The server certificate chain
   is required to be be signed by a trust anchor with the above
   certificate SHA2-256 digest.  Finally, one of the DNS names in the
   server certificate is required to be be either "mail.example.com" or
   "example.com" (this additional name is a concession to compatibility
   with prior practice, see [I-D.ietf-dane-smtp-with-dane] for details).

   The semantics of wildcards in server certificates are left to
   individual application protocol specifications.




Dukhovni & Hardaker     Expires February 18, 2015              [Page 22]

Internet-Draft               DANE operations                 August 2014


9.3.  Design Considerations for Protocols Using DANE

   When a TLS client goes to the trouble of authenticating a certificate
   chain presented by a TLS server, it will typically not continue to
   use that server in the event of authentication failure, or else
   authentication serves no purpose.  Some clients may, at times,
   operate in an "audit" mode, where authentication failure is reported
   to the user or in logs as a potential problem, but the connection
   proceeds despite the failure.  Nevertheless servers publishing TLSA
   records MUST be configured to allow correctly configured clients to
   successfully authenticate their TLS certificate chains.

   A service with DNSSEC-validated TLSA records implicitly promises TLS
   support.  When all the TLSA records for a service are found
   "unusable", due to unsupported parameter combinations or malformed
   associated data, DANE clients cannot authenticate the service
   certificate chain.  When authenticated TLS is dictated by the
   application, the client SHOULD NOT connect to the associated server.
   If, on the other hand, the use of TLS is "opportunistic", then the
   client SHOULD generally use the server via an unauthenticated TLS
   connection, but if TLS encryption cannot be established, the client
   MUST NOT use the server.  Standards for DANE specific to the
   particular application protocol may modify the above requirements, as
   appropriate, to specify whether the connection should be established
   anyway without relying on TLS security, with only encryption but not
   authentication, or whether to refuse to connect entirely.
   Application protocols need to specify when to prioritize security
   over the ability to connect under adverse conditions.

9.3.1.  Design Considerations for non-PKIX Protocols

   For some application protocols (such as SMTP to MX with opportunistic
   TLS), the existing public CA PKI is not a viable alternative to DANE.
   For these (non-PKIX) protocols, new DANE standards SHOULD NOT suggest
   publishing TLSA records with TLSA Certificate Usage PKIX-TA(0) or
   PKIX-EE(1), as TLS clients cannot be expected to perform [RFC5280]
   PKIX validation or [RFC6125] identity verification.

   Protocols designed for non-PKIX use SHOULD choose to treat any TLSA
   records with TLSA Certificate Usage PKIX-TA(0) or PKIX-EE(1) as
   unusable.  After verifying that the only available TLSA Certificate
   Usage types are PKIX-TA(0) or PKIX-EE(1), protocol specifications MAY
   instruct clients to either refuse to initiate a connection or to
   connect via unauthenticated TLS if no alternative authentication
   mechanisms are available.

10.  Interaction with Certificate Transparency




Dukhovni & Hardaker     Expires February 18, 2015              [Page 23]

Internet-Draft               DANE operations                 August 2014


   Certificate Transparency (CT) [RFC6962] defines an experimental
   approach to mitigate the risk of rogue or compromised public CAs
   issuing unauthorized certificates.  This section clarifies the
   interaction of CT and DANE.  CT is an experimental protocol and
   auditing system that applies only to public CAs, and only when they
   are free to issue unauthorized certificates for a domain.  If the CA
   is not a public CA, or a DANE-EE(3) TLSA RR directly specifies the
   end entity certificate, there is no role for CT, and clients need not
   apply CT checks.

   When a server is authenticated via a DANE TLSA RR with TLSA
   Certificate Usage DANE-EE(3), the domain owner has directly specified
   the certificate associated with the given service without reference
   to any PKIX certification authority.  Therefore, when a TLS client
   authenticates the TLS server via a TLSA certificate association with
   usage DANE-EE(3), CT checks SHOULD NOT be performed.  Publication of
   the server certificate or public key (digest) in a TLSA record in a
   DNSSEC signed zone by the domain owner assures the TLS client that
   the certificate is not an unauthorized certificate issued by a rogue
   CA without the domain owner's consent.

   When a server is authenticated via a DANE TLSA RR with TLSA usage
   DANE-TA(2) and the server certificate does not chain to a known
   public root CA, CT cannot apply (CT logs only accept chains that
   start with a known, public root).  Since TLSA Certificate Usage DANE-
   TA(2) is generally intended to support non-PKIX trust anchors, TLS
   clients SHOULD NOT perform CT checks with usage DANE-TA(2) using
   unknown root CAs.

   A server operator who wants clients to perform CT checks should
   publish TLSA RRs with usage PKIX-TA(0) or PKIX-EE(1).

11.  Note on DNSSEC Security

   Clearly the security of the DANE TLSA PKI rests on the security of
   the underlying DNSSEC infrastructure.  While this memo is not a guide
   to DNSSEC security, a few comments may be helpful to TLSA
   implementers.

   With the existing public CA PKI, name constraints are rarely used,
   and a public root CA can issue certificates for any domain of its
   choice.  With DNSSEC, under the Registry/Registrar/Registrant model,
   the situation is different: only the registrar of record can update a
   domain's DS record in the registry parent zone (in some cases,
   however, the registry is the sole registrar).  With many gTLDs, for
   which multiple registrars compete to provide domains in a single
   registry, it is important to make sure that rogue registrars cannot
   easily initiate an unauthorized domain transfer, and thus take over



Dukhovni & Hardaker     Expires February 18, 2015              [Page 24]

Internet-Draft               DANE operations                 August 2014


   DNSSEC for the domain.  DNS Operators SHOULD use a registrar lock of
   their domains to offer some protection against this possibility.

   When the registrar is also the DNS operator for the domain, one needs
   to consider whether the registrar will allow orderly migration of the
   domain to another registrar or DNS operator in a way that will
   maintain DNSSEC integrity.  TLSA Publishers SHOULD ensure their
   registrar publishes a suitable domain transfer policy.

   DNSSEC signed RRsets cannot be securely revoked before they expire.
   Operators should plan accordingly and not generate signatures with
   excessively long duration periods.  For domains publishing high-value
   keys, a signature lifetime of a few days is reasonable, and the zone
   should be resigned daily.  For domains with less critical data, a
   reasonable signature lifetime is a couple of weeks to a month, and
   the zone should be resigned weekly.  Monitoring of the signature
   lifetime is important.  If the zone is not resigned in a timely
   manner, one risks a major outage and the entire domain will become
   bogus.

12.  Summary of Updates to RFC6698

   Authors note: is this section needed?  Or is it sufficiently clear
   above that we don't need to restate things here?

   o  In Section 3 we update [RFC6698] to specify a requirement for
      clients to support at least TLS 1.0, and to support SNI.

   o  In Section 4.1 we update [RFC6698] to specify peer identity
      matching and certificate validity interval based solely on the
      basis of the TLSA RRset.  We also specify DANE authentication of
      raw public keys [I-D.ietf-tls-oob-pubkey] via TLSA records with
      Certificate Usage DANE-EE(3) and selector SPKI(1).

   o  In Section 4.2 we update [RFC6698] to require that servers
      publishing digest TLSA records with a usage of DANE-TA(2) MUST
      include the trust-anchor certificate in their TLS server
      certificate message.  This extends to the case of "2 1 0" TLSA
      records which publish a full public key.

   o  In Section 4.3 and Section 4.4, we explain that PKIX-EE(1) and
      PKIX-TA(0) are generally NOT RECOMMENDED.  With usage PKIX-TA(0)
      we note that clients may need to processes extended trust chains
      beyond the first trusted issuer, when that issuer is not self-
      signed.






Dukhovni & Hardaker     Expires February 18, 2015              [Page 25]

Internet-Draft               DANE operations                 August 2014


   o  In Section 6, we recommend that DANE application protocols specify
      that when possible securely CNAME expanded names be used to derive
      the TLSA base domain.

   o  In Section 7, we specify a strategy for managing TLSA records that
      interoperates with DANE clients regardless of what subset of the
      possible TLSA record types (combinations of TLSA parameters) is
      supported by the client.

   o  In Section 8, we propose a digest algorithm agility protocol.
      [Note: This section does not yet represent the rough consensus of
      the DANE working group and requires further discussion.  Perhaps
      this belongs in a separate document.]

   o  In Section 9.1 we recommend against the use of Full(0) TLSA
      records, as digest records are generally much more compact.

13.  Security Considerations

   Application protocols that cannot make use of the existing public CA
   PKI (so called non-PKIX protocols), may choose not to implement
   certain PKIX-dependent TLSA record types defined in [RFC6698].  If
   such records are published despite not being supported by the
   application protocol, they are treated as "unusable".  When TLS is
   opportunistic, the client may proceed to use the server with
   mandatory unauthenticated TLS.  This is stronger than opportunistic
   TLS without DANE, since in that case the client may also proceed with
   a plaintext connection.  When TLS is not opportunistic, the client
   MUST NOT connect to the server.

   Therefore, when TLSA records are used with protocols where PKIX does
   not apply, the recommended policy is for servers to not publish PKIX-
   dependent TLSA records, and for opportunistic TLS clients to use them
   to enforce the use of (albeit unauthenticated) TLS, but otherwise
   treat them as unusable.  Of course, when PKIX validation is supported
   by the application protocol, clients SHOULD perform PKIX validation
   per [RFC6698].

14.  IANA Considerations

   This specification requires no support from IANA.

15.  Acknowledgements

   The authors would like to thank Phil Pennock for his comments and
   advice on this document.





Dukhovni & Hardaker     Expires February 18, 2015              [Page 26]

Internet-Draft               DANE operations                 August 2014


   Acknowledgments from Viktor: Thanks to Tony Finch who finally prodded
   me into participating in DANE working group discussions.  Thanks to
   Paul Hoffman who motivated me to produce this memo and provided
   feedback on early drafts.  Thanks also to Samuel Dukhovni for
   editorial assistance.

16.  References

16.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements", RFC
              4033, March 2005.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, March 2005.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, March 2005.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

   [RFC6066]  Eastlake, D., "Transport Layer Security (TLS) Extensions:
              Extension Definitions", RFC 6066, January 2011.

   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, March 2011.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

   [RFC6698]  Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
              of Named Entities (DANE) Transport Layer Security (TLS)
              Protocol: TLSA", RFC 6698, August 2012.



Dukhovni & Hardaker     Expires February 18, 2015              [Page 27]

Internet-Draft               DANE operations                 August 2014


   [RFC7218]  Gudmundsson, O., "Adding Acronyms to Simplify
              Conversations about DNS-Based Authentication of Named
              Entities (DANE)", RFC 7218, April 2014.

16.2.  Informative References

   [I-D.dukhovni-opportunistic-security]
              Dukhovni, V., "Opportunistic Security: Some Protection
              Most of the Time", draft-dukhovni-opportunistic-
              security-03 (work in progress), August 2014.

   [I-D.ietf-dane-smtp-with-dane]
              Dukhovni, V. and W. Hardaker, "SMTP security via
              opportunistic DANE TLS", draft-ietf-dane-smtp-with-dane-11
              (work in progress), August 2014.

   [I-D.ietf-dane-srv]
              Finch, T., Miller, M., and P. Saint-Andre, "Using DNS-
              Based Authentication of Named Entities (DANE) TLSA Records
              with SRV Records", draft-ietf-dane-srv-07 (work in
              progress), July 2014.

   [I-D.ietf-tls-oob-pubkey]
              Wouters, P., Tschofenig, H., Gilmore, J., Weiler, S., and
              T. Kivinen, "Using Raw Public Keys in Transport Layer
              Security (TLS) and Datagram Transport Layer Security
              (DTLS)", draft-ietf-tls-oob-pubkey-11 (work in progress),
              January 2014.

   [RFC6962]  Laurie, B., Langley, A., and E. Kasper, "Certificate
              Transparency", RFC 6962, June 2013.

Authors' Addresses

   Viktor Dukhovni
   Unaffiliated

   Email: ietf-dane@dukhovni.org


   Wes Hardaker
   Parsons
   P.O. Box 382
   Davis, CA  95617
   US

   Email: ietf@hardakers.net




Dukhovni & Hardaker     Expires February 18, 2015              [Page 28]