summaryrefslogtreecommitdiff
path: root/doc/doc-txt/rfc6698-dane.txt
blob: 95e7cf4f5cd6aa8ff7c893e59d86379789cc336c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
Internet Engineering Task Force (IETF)                        P. Hoffman
Request for Comments: 6698                                VPN Consortium
Category: Standards Track                                    J. Schlyter
ISSN: 2070-1721                                                 Kirei AB
                                                             August 2012


         The DNS-Based Authentication of Named Entities (DANE)
             Transport Layer Security (TLS) Protocol: TLSA

Abstract

   Encrypted communication on the Internet often uses Transport Layer
   Security (TLS), which depends on third parties to certify the keys
   used.  This document improves on that situation by enabling the
   administrators of domain names to specify the keys used in that
   domain's TLS servers.  This requires matching improvements in TLS
   client software, but no change in TLS server software.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6698.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.




Hoffman & Schlyter           Standards Track                    [Page 1]

RFC 6698            DNS-Based Authentication for TLS         August 2012


Table of Contents

   1. Introduction ....................................................3
      1.1. Background and Motivation ..................................3
      1.2. Securing the Association of a Domain Name with a
           Server's Certificate .......................................4
      1.3. Method for Securing Certificate Associations ...............5
      1.4. Terminology ................................................6
   2. The TLSA Resource Record ........................................7
      2.1. TLSA RDATA Wire Format .....................................7
           2.1.1. The Certificate Usage Field .........................7
           2.1.2. The Selector Field ..................................8
           2.1.3. The Matching Type Field .............................9
           2.1.4. The Certificate Association Data Field ..............9
      2.2. TLSA RR Presentation Format ................................9
      2.3. TLSA RR Examples ..........................................10
   3. Domain Names for TLSA Certificate Associations .................10
   4. Use of TLSA Records in TLS .....................................11
      4.1. Usable Certificate Associations ...........................11
   5. TLSA and DANE Use Cases and Requirements .......................13
   6. Mandatory-to-Implement Features ................................15
   7. IANA Considerations ............................................15
      7.1. TLSA RRtype ...............................................15
      7.2. TLSA Certificate Usages ...................................15
      7.3. TLSA Selectors ............................................16
      7.4. TLSA Matching Types .......................................16
   8. Security Considerations ........................................16
      8.1. Comparing DANE to Public CAs ..............................18
           8.1.1. Risk of Key Compromise .............................19
           8.1.2. Impact of Key Compromise ...........................20
           8.1.3. Detection of Key Compromise ........................20
           8.1.4. Spoofing Hostnames .................................20
      8.2. DNS Caching ...............................................21
      8.3. External DNSSEC Validators ................................21
   9. Acknowledgements ...............................................22
   10. References ....................................................22
      10.1. Normative References .....................................22
      10.2. Informative References ...................................23
   Appendix A. Operational Considerations for Deploying TLSA
               Records ...............................................25
     A.1. Creating TLSA Records ......................................25
       A.1.1. Ambiguities and Corner Cases When TLS Clients
              Build Trust Chains .....................................26
       A.1.2. Choosing a Selector Type ...............................26
     A.2. Provisioning TLSA Records in DNS ...........................28
       A.2.1. Provisioning TLSA Records with Aliases .................28
     A.3. Securing the Last Hop ......................................30
     A.4. Handling Certificate Rollover ..............................31



Hoffman & Schlyter           Standards Track                    [Page 2]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   Appendix B. Pseudocode for Using TLSA .............................32
     B.1. Helper Functions ...........................................32
     B.2. Main TLSA Pseudocode .......................................33
   Appendix C. Examples ..............................................35

1.  Introduction

1.1.  Background and Motivation

   Applications that communicate over the Internet often need to prevent
   eavesdropping, tampering, or forgery of their communications.  The
   Transport Layer Security (TLS) protocol provides this kind of
   communications security over the Internet, using channel encryption.

   The security properties of encryption systems depend strongly on the
   keys that they use.  If secret keys are revealed, or if public keys
   can be replaced by fake keys (that is, a key not corresponding to the
   entity identified in the certificate), these systems provide little
   or no security.

   TLS uses certificates to bind keys and names.  A certificate combines
   a published key with other information such as the name of the
   service that uses the key, and this combination is digitally signed
   by another key.  Having a key in a certificate is only helpful if one
   trusts the other key that signed the certificate.  If that other key
   was itself revealed or substituted, then its signature is worthless
   in proving anything about the first key.

   On the Internet, this problem has been solved for years by entities
   called "Certification Authorities" (CAs).  CAs protect their secret
   key vigorously, while supplying their public key to the software
   vendors who build TLS clients.  They then sign certificates, and
   supply those to TLS servers.  TLS client software uses a set of these
   CA keys as "trust anchors" to validate the signatures on certificates
   that the client receives from TLS servers.  Client software typically
   allows any CA to usefully sign any other certificate.

   The public CA model upon which TLS has depended is fundamentally
   vulnerable because it allows any of these CAs to issue a certificate
   for any domain name.  A single trusted CA that betrays its trust,
   either voluntarily or by providing less-than-vigorous protection for
   its secrets and capabilities, can undermine the security offered by
   any certificates employed with TLS.  This problem arises because a
   compromised CA can issue a replacement certificate that contains a
   fake key.  Recent experiences with compromises of CAs or their
   trusted partners have led to very serious security problems, such as
   the governments of multiple countries attempting to wiretap and/or
   subvert major TLS-protected web sites trusted by millions of users.



Hoffman & Schlyter           Standards Track                    [Page 3]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   The DNS Security Extensions (DNSSEC) provide a similar model that
   involves trusted keys signing the information for untrusted keys.
   However, DNSSEC provides three significant improvements.  Keys are
   tied to names in the Domain Name System (DNS), rather than to
   arbitrary identifying strings; this is more convenient for Internet
   protocols.  Signed keys for any domain are accessible online through
   a straightforward query using the standard DNSSEC protocol, so there
   is no problem distributing the signed keys.  Most significantly, the
   keys associated with a domain name can only be signed by a key
   associated with the parent of that domain name; for example, the keys
   for "example.com" can only be signed by the keys for "com", and the
   keys for "com" can only be signed by the DNS root.  This prevents an
   untrustworthy signer from compromising anyone's keys except those in
   their own subdomains.  Like TLS, DNSSEC relies on public keys that
   come built into the DNSSEC client software, but these keys come only
   from a single root domain rather than from a multiplicity of CAs.

   DNS-Based Authentication of Named Entities (DANE) offers the option
   to use the DNSSEC infrastructure to store and sign keys and
   certificates that are used by TLS.  DANE is envisioned as a
   preferable basis for binding public keys to DNS names, because the
   entities that vouch for the binding of public key data to DNS names
   are the same entities responsible for managing the DNS names in
   question.  While the resulting system still has residual security
   vulnerabilities, it restricts the scope of assertions that can be
   made by any entity, consistent with the naming scope imposed by the
   DNS hierarchy.  As a result, DANE embodies the security "principle of
   least privilege" that is lacking in the current public CA model.

1.2.  Securing the Association of a Domain Name with a Server's
      Certificate

   A TLS client begins a connection by exchanging messages with a TLS
   server.  For many application protocols, it looks up the server's
   name using the DNS to get an Internet Protocol (IP) address
   associated with the name.  It then begins a connection to a
   particular port at that address, and sends an initial message there.
   However, the client does not yet know whether an adversary is
   intercepting and/or altering its communication before it reaches the
   TLS server.  It does not even know whether the real TLS server
   associated with that domain name has ever received its initial
   messages.

   The first response from the server in TLS may contain a certificate.
   In order for the TLS client to authenticate that it is talking to the
   expected TLS server, the client must validate that this certificate
   is associated with the domain name used by the client to get to the
   server.  Currently, the client must extract the domain name from the



Hoffman & Schlyter           Standards Track                    [Page 4]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   certificate and must successfully validate the certificate, including
   chaining to a trust anchor.

   There is a different way to authenticate the association of the
   server's certificate with the intended domain name without trusting
   an external CA.  Given that the DNS administrator for a domain name
   is authorized to give identifying information about the zone, it
   makes sense to allow that administrator to also make an authoritative
   binding between the domain name and a certificate that might be used
   by a host at that domain name.  The easiest way to do this is to use
   the DNS, securing the binding with DNSSEC.

   There are many use cases for such functionality.  [RFC6394] lists the
   ones to which the DNS RRtype in this document apply.  [RFC6394] also
   lists many requirements, most of which this document is believed to
   meet.  Section 5 covers the applicability of this document to the use
   cases in detail.  The protocol in this document can generally be
   referred to as the "DANE TLSA" protocol.  ("TLSA" does not stand for
   anything; it is just the name of the RRtype.)

   This document applies to both TLS [RFC5246] and Datagram TLS (DTLS)
   [RFC6347].  In order to make the document more readable, it mostly
   only talks about "TLS", but in all cases, it means "TLS or DTLS".
   Although the references in this paragraph are to TLS and DTLS
   version 1.2, the DANE TLSA protocol can also be used with earlier
   versions of TLS and DTLS.

   This document only relates to securely associating certificates for
   TLS and DTLS with host names; retrieving certificates from DNS for
   other protocols is handled in other documents.  For example, keys for
   IPsec are covered in [RFC4025], and keys for Secure SHell (SSH) are
   covered in [RFC4255].

1.3.  Method for Securing Certificate Associations

   A certificate association is formed from a piece of information
   identifying a certificate and the domain name where the server
   application runs.  The combination of a trust anchor and a domain
   name can also be a certificate association.

   A DNS query can return multiple certificate associations, such as in
   the case of a server that is changing from one certificate to another
   (described in more detail in Appendix A.4).

   This document only applies to PKIX [RFC5280] certificates, not
   certificates of other formats.





Hoffman & Schlyter           Standards Track                    [Page 5]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   This document defines a secure method to associate the certificate
   that is obtained from the TLS server with a domain name using DNS;
   the DNS information needs to be protected by DNSSEC.  Because the
   certificate association was retrieved based on a DNS query, the
   domain name in the query is by definition associated with the
   certificate.  Note that this document does not cover how to associate
   certificates with domain names for application protocols that depend
   on SRV, NAPTR, and similar DNS resource records.  It is expected that
   future documents will cover methods for making those associations,
   and those documents may or may not need to update this one.

   DNSSEC, which is defined in [RFC4033], [RFC4034], and [RFC4035], uses
   cryptographic keys and digital signatures to provide authentication
   of DNS data.  Information that is retrieved from the DNS and that is
   validated using DNSSEC is thereby proved to be the authoritative
   data.  The DNSSEC signature needs to be validated on all responses
   that use DNSSEC in order to assure the proof of origin of the data.

   This document does not specify how DNSSEC validation occurs because
   there are many different proposals for how a client might get
   validated DNSSEC results, such as from a DNSSEC-aware resolver that
   is coded in the application, from a trusted DNSSEC resolver on the
   machine on which the application is running, or from a trusted DNSSEC
   resolver with which the application is communicating over an
   authenticated and integrity-protected channel or network.  This is
   described in more detail in Section 7 of [RFC4033].

   This document only relates to getting the DNS information for the
   certificate association securely using DNSSEC; other secure DNS
   mechanisms are out of scope.

1.4.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   This document also makes use of standard PKIX, DNSSEC, TLS, and DNS
   terminology.  See [RFC5280], [RFC4033], [RFC5246], and STD 13
   [RFC1034] [RFC1035], respectively, for these terms.  In addition,
   terms related to TLS-protected application services and DNS names are
   taken from [RFC6125].









Hoffman & Schlyter           Standards Track                    [Page 6]

RFC 6698            DNS-Based Authentication for TLS         August 2012


2.  The TLSA Resource Record

   The TLSA DNS resource record (RR) is used to associate a TLS server
   certificate or public key with the domain name where the record is
   found, thus forming a "TLSA certificate association".  The semantics
   of how the TLSA RR is interpreted are given later in this document.

   The type value for the TLSA RR type is defined in Section 7.1.

   The TLSA RR is class independent.

   The TLSA RR has no special Time to Live (TTL) requirements.

2.1.  TLSA RDATA Wire Format

   The RDATA for a TLSA RR consists of a one-octet certificate usage
   field, a one-octet selector field, a one-octet matching type field,
   and the certificate association data field.

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Cert. Usage  |   Selector    | Matching Type |               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               /
   /                                                               /
   /                 Certificate Association Data                  /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2.1.1.  The Certificate Usage Field

   A one-octet value, called "certificate usage", specifies the provided
   association that will be used to match the certificate presented in
   the TLS handshake.  This value is defined in a new IANA registry (see
   Section 7.2) in order to make it easier to add additional certificate
   usages in the future.  The certificate usages defined in this
   document are:

      0 -- Certificate usage 0 is used to specify a CA certificate, or
      the public key of such a certificate, that MUST be found in any of
      the PKIX certification paths for the end entity certificate given
      by the server in TLS.  This certificate usage is sometimes
      referred to as "CA constraint" because it limits which CA can be
      used to issue certificates for a given service on a host.  The
      presented certificate MUST pass PKIX certification path
      validation, and a CA certificate that matches the TLSA record MUST
      be included as part of a valid certification path.  Because this
      certificate usage allows both trust anchors and CA certificates,



Hoffman & Schlyter           Standards Track                    [Page 7]

RFC 6698            DNS-Based Authentication for TLS         August 2012


      the certificate might or might not have the basicConstraints
      extension present.

      1 -- Certificate usage 1 is used to specify an end entity
      certificate, or the public key of such a certificate, that MUST be
      matched with the end entity certificate given by the server in
      TLS.  This certificate usage is sometimes referred to as "service
      certificate constraint" because it limits which end entity
      certificate can be used by a given service on a host.  The target
      certificate MUST pass PKIX certification path validation and MUST
      match the TLSA record.

      2 -- Certificate usage 2 is used to specify a certificate, or the
      public key of such a certificate, that MUST be used as the trust
      anchor when validating the end entity certificate given by the
      server in TLS.  This certificate usage is sometimes referred to as
      "trust anchor assertion" and allows a domain name administrator to
      specify a new trust anchor -- for example, if the domain issues
      its own certificates under its own CA that is not expected to be
      in the end users' collection of trust anchors.  The target
      certificate MUST pass PKIX certification path validation, with any
      certificate matching the TLSA record considered to be a trust
      anchor for this certification path validation.

      3 -- Certificate usage 3 is used to specify a certificate, or the
      public key of such a certificate, that MUST match the end entity
      certificate given by the server in TLS.  This certificate usage is
      sometimes referred to as "domain-issued certificate" because it
      allows for a domain name administrator to issue certificates for a
      domain without involving a third-party CA.  The target certificate
      MUST match the TLSA record.  The difference between certificate
      usage 1 and certificate usage 3 is that certificate usage 1
      requires that the certificate pass PKIX validation, but PKIX
      validation is not tested for certificate usage 3.

   The certificate usages defined in this document explicitly only apply
   to PKIX-formatted certificates in DER encoding [X.690].  If TLS
   allows other formats later, or if extensions to this RRtype are made
   that accept other formats for certificates, those certificates will
   need their own certificate usage values.

2.1.2.  The Selector Field

   A one-octet value, called "selector", specifies which part of the TLS
   certificate presented by the server will be matched against the
   association data.  This value is defined in a new IANA registry (see
   Section 7.3).  The selectors defined in this document are:




Hoffman & Schlyter           Standards Track                    [Page 8]

RFC 6698            DNS-Based Authentication for TLS         August 2012


      0 -- Full certificate: the Certificate binary structure as defined
      in [RFC5280]

      1 -- SubjectPublicKeyInfo: DER-encoded binary structure as defined
      in [RFC5280]

   (Note that the use of "selector" in this document is completely
   unrelated to the use of "selector" in DomainKeys Identified Mail
   (DKIM) [RFC6376].)

2.1.3.  The Matching Type Field

   A one-octet value, called "matching type", specifies how the
   certificate association is presented.  This value is defined in a new
   IANA registry (see Section 7.4).  The types defined in this document
   are:

      0 -- Exact match on selected content

      1 -- SHA-256 hash of selected content [RFC6234]

      2 -- SHA-512 hash of selected content [RFC6234]

   If the TLSA record's matching type is a hash, having the record use
   the same hash algorithm that was used in the signature in the
   certificate (if possible) will assist clients that support a small
   number of hash algorithms.

2.1.4.  The Certificate Association Data Field

   This field specifies the "certificate association data" to be
   matched.  These bytes are either raw data (that is, the full
   certificate or its SubjectPublicKeyInfo, depending on the selector)
   for matching type 0, or the hash of the raw data for matching types 1
   and 2.  The data refers to the certificate in the association, not to
   the TLS ASN.1 Certificate object.

2.2.  TLSA RR Presentation Format

   The presentation format of the RDATA portion (as defined in
   [RFC1035]) is as follows:

   o  The certificate usage field MUST be represented as an 8-bit
      unsigned integer.

   o  The selector field MUST be represented as an 8-bit unsigned
      integer.




Hoffman & Schlyter           Standards Track                    [Page 9]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   o  The matching type field MUST be represented as an 8-bit unsigned
      integer.

   o  The certificate association data field MUST be represented as a
      string of hexadecimal characters.  Whitespace is allowed within
      the string of hexadecimal characters, as described in [RFC1035].

2.3.  TLSA RR Examples

   In the following examples, the domain name is formed using the rules
   in Section 3.

   An example of a hashed (SHA-256) association of a PKIX CA
   certificate:

   _443._tcp.www.example.com. IN TLSA (
      0 0 1 d2abde240d7cd3ee6b4b28c54df034b9
            7983a1d16e8a410e4561cb106618e971 )

   An example of a hashed (SHA-512) subject public key association of a
   PKIX end entity certificate:

   _443._tcp.www.example.com. IN TLSA (
      1 1 2 92003ba34942dc74152e2f2c408d29ec
            a5a520e7f2e06bb944f4dca346baf63c
            1b177615d466f6c4b71c216a50292bd5
            8c9ebdd2f74e38fe51ffd48c43326cbc )

   An example of a full certificate association of a PKIX end entity
   certificate:

   _443._tcp.www.example.com. IN TLSA (
      3 0 0 30820307308201efa003020102020... )

3.  Domain Names for TLSA Certificate Associations

   Unless there is a protocol-specific specification that is different
   than this one, TLSA resource records are stored at a prefixed DNS
   domain name.  The prefix is prepared in the following manner:

   1.  The decimal representation of the port number on which a TLS-
       based service is assumed to exist is prepended with an underscore
       character ("_") to become the left-most label in the prepared
       domain name.  This number has no leading zeros.







Hoffman & Schlyter           Standards Track                   [Page 10]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   2.  The protocol name of the transport on which a TLS-based service
       is assumed to exist is prepended with an underscore character
       ("_") to become the second left-most label in the prepared domain
       name.  The transport names defined for this protocol are "tcp",
       "udp", and "sctp".

   3.  The base domain name is appended to the result of step 2 to
       complete the prepared domain name.  The base domain name is the
       fully qualified DNS domain name [RFC1035] of the TLS server, with
       the additional restriction that every label MUST meet the rules
       of [RFC0952].  The latter restriction means that, if the query is
       for an internationalized domain name, it MUST use the A-label
       form as defined in [RFC5890].

   For example, to request a TLSA resource record for an HTTP server
   running TLS on port 443 at "www.example.com",
   "_443._tcp.www.example.com" is used in the request.  To request a
   TLSA resource record for an SMTP server running the STARTTLS protocol
   on port 25 at "mail.example.com", "_25._tcp.mail.example.com" is
   used.

4.  Use of TLSA Records in TLS

   Section 2.1 of this document defines the mandatory matching rules for
   the data from the TLSA certificate associations and the certificates
   received from the TLS server.

   The TLS session that is to be set up MUST be for the specific port
   number and transport name that was given in the TLSA query.

   Some specifications for applications that run over TLS, such as
   [RFC2818] for HTTP, require that the server's certificate have a
   domain name that matches the host name expected by the client.  Some
   specifications, such as [RFC6125], detail how to match the identity
   given in a PKIX certificate with those expected by the user.

   If a TLSA record has certificate usage 2, the corresponding TLS
   server SHOULD send the certificate that is referenced just like it
   currently sends intermediate certificates.

4.1.  Usable Certificate Associations

   An implementation of this protocol makes a DNS query for TLSA
   records, validates these records using DNSSEC, and uses the resulting
   TLSA records and validation status to modify its responses to the TLS
   server.





Hoffman & Schlyter           Standards Track                   [Page 11]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   Determining whether a TLSA RRSet can be used MUST be based on the
   DNSSEC validation state (as defined in [RFC4033]).

   o  A TLSA RRSet whose DNSSEC validation state is secure MUST be used
      as a certificate association for TLS unless a local policy would
      prohibit the use of the specific certificate association in the
      secure TLSA RRSet.

   o  If the DNSSEC validation state on the response to the request for
      the TLSA RRSet is bogus, this MUST cause TLS not to be started or,
      if the TLS negotiation is already in progress, MUST cause the
      connection to be aborted.

   o  A TLSA RRSet whose DNSSEC validation state is indeterminate or
      insecure cannot be used for TLS and MUST be considered unusable.

   Clients that validate the DNSSEC signatures themselves MUST use
   standard DNSSEC validation procedures.  Clients that rely on another
   entity to perform the DNSSEC signature validation MUST use a secure
   mechanism between themselves and the validator.  Examples of secure
   transports to other hosts include TSIG [RFC2845], SIG(0) [RFC2931],
   and IPsec [RFC6071].  Note that it is not sufficient to use secure
   transport to a DNS resolver that does not do DNSSEC signature
   validation.  See Section 8.3 for more security considerations related
   to external validators.

   If a certificate association contains a certificate usage, selector,
   or matching type that is not understood by the TLS client, that
   certificate association MUST be considered unusable.  If the
   comparison data for a certificate is malformed, the certificate
   association MUST be considered unusable.

   If a certificate association contains a matching type or certificate
   association data that uses a cryptographic algorithm that is
   considered too weak for the TLS client's policy, the certificate
   association MUST be considered unusable.

   If an application receives zero usable certificate associations from
   a DNS request or from its cache, it processes TLS in the normal
   fashion without any input from the TLSA records.  If an application
   receives one or more usable certificate associations, it attempts to
   match each certificate association with the TLS server's end entity
   certificate until a successful match is found.  During the TLS
   handshake, if none of the certificate associations matches the
   certificate given by the TLS server, the TLS client MUST abort the
   handshake.





Hoffman & Schlyter           Standards Track                   [Page 12]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   An attacker who is able to divert a user to a server under his
   control is also likely to be able to block DNS requests from the user
   or DNS responses being sent to the user.  Thus, in order to achieve
   any security benefit from certificate usage 0 or 1, an application
   that sends a request for TLSA records needs to get either a valid
   signed response containing TLSA records or verification that the
   domain is insecure or indeterminate.  If a request for a TLSA record
   does not meet one of those two criteria but the application continues
   with the TLS handshake anyway, the application has gotten no benefit
   from TLSA and SHOULD NOT make any internal or external indication
   that TLSA was applied.  If an application has a configuration setting
   that has turned on TLSA use, or has any indication that TLSA is in
   use (regardless of whether or not this is configurable), that
   application either MUST NOT start a TLS connection or it MUST abort a
   TLS handshake if both of the two criteria above are not met.

   The application can perform the TLSA lookup before initiating the TLS
   handshake, or do it during the TLS handshake: the choice is up to the
   client.

5.  TLSA and DANE Use Cases and Requirements

   The different types of certificate associations defined in TLSA are
   matched with various sections of [RFC6394].  The use cases from
   Section 3 of [RFC6394] are covered in this document as follows:

   3.1 CA Constraints -- Implemented using certificate usage 0.

   3.2 Certificate Constraints -- Implemented using certificate usage 1.

   3.3 Trust Anchor Assertion and Domain-Issued Certificates --
      Implemented using certificate usages 2 and 3, respectively.

   The requirements from Section 4 of [RFC6394] are covered in this
   document as follows:

   Multiple Ports -- The TLSA records for different application services
      running on a single host can be distinguished through the service
      name and port number prefixed to the host name (see Section 3).

   No Downgrade -- Section 4 specifies the conditions under which a
      client can process and act upon TLSA records.  Specifically, if
      the DNSSEC status for the TLSA resource record set is determined
      to be bogus, the TLS connection (if started) will fail.

   Encapsulation -- Encapsulation is covered in the TLSA response
      semantics.




Hoffman & Schlyter           Standards Track                   [Page 13]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   Predictability -- The appendices of this specification provide
      operational considerations and implementation guidance in order to
      enable application developers to form a consistent interpretation
      of the recommended client behavior.

   Opportunistic Security -- If a client conformant to this
      specification can reliably determine the presence of a TLSA
      record, it will attempt to use this information.  Conversely, if a
      client can reliably determine the absence of any TLSA record, it
      will fall back to processing TLS in the normal fashion.  This is
      discussed in Section 4.

   Combination -- Multiple TLSA records can be published for a given
      host name, thus enabling the client to construct multiple TLSA
      certificate associations that reflect different assertions.  No
      support is provided to combine two TLSA certificate associations
      in a single operation.

   Roll-over -- TLSA records are processed in the normal manner within
      the scope of the DNS protocol, including the TTL expiration of the
      records.  This ensures that clients will not latch onto assertions
      made by expired TLSA records, and will be able to transition from
      using one public key or certificate usage to another.

   Simple Key Management -- The SubjectPublicKeyInfo selector in the
      TLSA record provides a mode that enables a domain holder to only
      have to maintain a single long-lived public/private key pair
      without the need to manage certificates.  Appendix A outlines the
      usefulness and the potential downsides to using this mode.

   Minimal Dependencies -- This specification relies on DNSSEC to
      protect the origin authenticity and integrity of the TLSA resource
      record set.  Additionally, if DNSSEC validation is not performed
      on the system that wishes to use TLSA certificate bindings, this
      specification requires that the "last mile" be over a secure
      transport.  There are no other deployment dependencies for this
      approach.

   Minimal Options -- The operating modes map precisely to the DANE use
      cases and requirements.  DNSSEC use is mandatory in that this
      specification encourages applications to use only those TLSA
      records that are shown to be validated.

   Wildcards -- Wildcards are covered in a limited manner in the TLSA
      request syntax; see Appendix A.

   Redirection -- Redirection is covered in the TLSA request syntax; see
      Appendix A.



Hoffman & Schlyter           Standards Track                   [Page 14]

RFC 6698            DNS-Based Authentication for TLS         August 2012


6.  Mandatory-to-Implement Features

   TLS clients conforming to this specification MUST be able to
   correctly interpret TLSA records with certificate usages 0, 1, 2,
   and 3.  TLS clients conforming to this specification MUST be able to
   compare a certificate association with a certificate from the TLS
   handshake using selector types 0 and 1, and matching type 0 (no hash
   used) and matching type 1 (SHA-256), and SHOULD be able to make such
   comparisons with matching type 2 (SHA-512).

7.  IANA Considerations

   IANA has made the assignments in this section.

   In the following sections, "RFC Required" was chosen for TLSA
   certificate usages and "Specification Required" for selectors and
   matching types because of the amount of detail that is likely to be
   needed for implementers to correctly implement new certificate usages
   as compared to new selectors and matching types.

7.1.  TLSA RRtype

   This document uses a new DNS RR type, TLSA, whose value (52) was
   allocated by IANA from the Resource Record (RR) TYPEs subregistry of
   the Domain Name System (DNS) Parameters registry.

7.2.  TLSA Certificate Usages

   This document creates a new registry, "TLSA Certificate Usages".  The
   registry policy is "RFC Required".  The initial entries in the
   registry are:

   Value    Short description                       Reference
   ----------------------------------------------------------
   0        CA constraint                           RFC 6698
   1        Service certificate constraint          RFC 6698
   2        Trust anchor assertion                  RFC 6698
   3        Domain-issued certificate               RFC 6698
   4-254    Unassigned
   255      Private use

   Applications to the registry can request specific values that have
   yet to be assigned.








Hoffman & Schlyter           Standards Track                   [Page 15]

RFC 6698            DNS-Based Authentication for TLS         August 2012


7.3.  TLSA Selectors

   This document creates a new registry, "TLSA Selectors".  The registry
   policy is "Specification Required".  The initial entries in the
   registry are:

   Value    Short description                       Reference
   ----------------------------------------------------------
   0        Full certificate                        RFC 6698
   1        SubjectPublicKeyInfo                    RFC 6698
   2-254    Unassigned
   255      Private use

   Applications to the registry can request specific values that have
   yet to be assigned.

7.4.  TLSA Matching Types

   This document creates a new registry, "TLSA Matching Types".  The
   registry policy is "Specification Required".  The initial entries in
   the registry are:

   Value    Short description                       Reference
   ----------------------------------------------------------
   0        No hash used                            RFC 6698
   1        SHA-256                                 RFC 6234
   2        SHA-512                                 RFC 6234
   3-254    Unassigned
   255      Private use

   Applications to the registry can request specific values that have
   yet to be assigned.

8.  Security Considerations

   The security of the DNS RRtype described in this document relies on
   the security of DNSSEC to verify that the TLSA record has not been
   altered.

   A rogue DNS administrator who changes the A, AAAA, and/or TLSA
   records for a domain name can cause the client to go to an
   unauthorized server that will appear authorized, unless the client
   performs PKIX certification path validation and rejects the
   certificate.  That administrator could probably get a certificate
   issued by some CA anyway, so this is not an additional threat.






Hoffman & Schlyter           Standards Track                   [Page 16]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   If the authentication mechanism for adding or changing TLSA data in a
   zone is weaker than the authentication mechanism for changing the A
   and/or AAAA records, a man-in-the-middle who can redirect traffic to
   his site may be able to impersonate the attacked host in TLS if he
   can use the weaker authentication mechanism.  A better design for
   authenticating DNS would be to have the same level of authentication
   used for all DNS additions and changes for a particular domain name.

   Secure Socket Layer (SSL) proxies can sometimes act as a man-in-the-
   middle for TLS clients.  In these scenarios, the clients add a new
   trust anchor whose private key is kept on the SSL proxy; the proxy
   intercepts TLS requests, creates a new TLS session with the intended
   host, and sets up a TLS session with the client using a certificate
   that chains to the trust anchor installed in the client by the proxy.
   In such environments, using TLSA records will prevent the SSL proxy
   from functioning as expected because the TLS client will get a
   certificate association from the DNS that will not match the
   certificate that the SSL proxy uses with the client.  The client,
   seeing the proxy's new certificate for the supposed destination, will
   not set up a TLS session.

   Client treatment of any information included in the trust anchor is a
   matter of local policy.  This specification does not mandate that
   such information be inspected or validated by the server's domain
   name administrator.

   If a server's certificate is revoked, or if an intermediate CA in a
   chain between the server and a trust anchor has its certificate
   revoked, a TLSA record with a certificate usage of 2 that matches the
   revoked certificate would in essence override the revocation because
   the client would treat that revoked certificate as a trust anchor and
   thus not check its revocation status.  Because of this, domain
   administrators need to be responsible for being sure that the keys or
   certificates used in TLSA records with a certificate usage of 2 are
   in fact able to be used as reliable trust anchors.

   Certificates that are delivered in TLSA with certificate usage 2
   fundamentally change the way the TLS server's end entity certificate
   is evaluated.  For example, the server's certificate might chain to
   an existing CA through an intermediate CA that has certain policy
   restrictions, and the certificate would not pass those restrictions
   and thus normally be rejected.  That intermediate CA could issue
   itself a new certificate without the policy restrictions and tell its
   customers to use that certificate with certificate usage 2.  This in
   essence allows an intermediate CA to become a trust anchor for
   certificates that the end user might have expected to chain to an
   existing trust anchor.




Hoffman & Schlyter           Standards Track                   [Page 17]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   If an administrator wishes to stop using a TLSA record, the
   administrator can simply remove it from the DNS.  Normal clients will
   stop using the TLSA record after the TTL has expired.  Replay attacks
   against the TLSA record are not possible after the expiration date on
   the RRsig of the TLSA record that was removed.

   Generators of TLSA records should be aware that the client's full
   trust of a certificate association retrieved from a TLSA record may
   be a matter of local policy.  While such trust is limited to the
   specific domain name, protocol, and port for which the TLSA query was
   made, local policy may decline to accept the certificate (for reasons
   such as weak cryptography), as is also the case with PKIX trust
   anchors.

8.1.  Comparing DANE to Public CAs

   As stated above, the security of the DNS RRtype described in this
   document relies on the security of DNSSEC to verify that the TLSA
   record has not been altered.  This section describes where the
   security of public CAs and the security of TLSA are similar and
   different.  This section applies equally to other security-related
   DNS RRtypes such as keys for IPsec and SSH.

   DNSSEC forms certificates (the binding of an identity to a key) by
   combining a DNSKEY, DS, or DLV resource record with an associated
   RRSIG record.  These records then form a signing chain extending from
   the client's trust anchors to the RR of interest.

   Although the DNSSEC protocol does not enforce it, DNSKEYs are often
   marked with a SEP flag indicating whether the key is a Zone Signing
   Key (ZSK) or a Key Signing Key (KSK).  ZSKs protect records in the
   zone (including DS and DLV records), and KSKs protect ZSK DNSKEY
   records.  This allows KSKs to be stored offline.

   The TLSA RRtype allows keys from the DNSSEC PKI hierarchy to
   authenticate keys wrapped in PKIX certificates for a particular host
   name, protocol, and port.

   With the exception of the DLV RRtype, all of these certificates
   constrain the keys they identify to names that are within the zone
   signing the certificate.  In order for a domain's DLV resource
   records to be honored, the domain must be configured as a DLV domain,
   and the domain's DNSKEYs must be configured as trust anchors or be
   authentic [RFC5074].







Hoffman & Schlyter           Standards Track                   [Page 18]

RFC 6698            DNS-Based Authentication for TLS         August 2012


8.1.1.  Risk of Key Compromise

   The risk that a given certificate that has a valid signing chain is
   fake is related to the number of keys that can contribute to the
   validation of the certificate, the quality of protection each private
   key receives, the value of each key to an attacker, and the value of
   falsifying the certificate.

   DNSSEC allows any set of domains to be configured as trust anchors
   and/or DLVs, but most clients are likely to use the root zone as
   their only trust anchor.  Also, because a given DNSKEY can only sign
   resource records for that zone, the number of private keys capable of
   compromising a given TLSA resource record is limited to the number of
   zones between the TLSA resource record and the nearest trust anchor,
   plus any configured DLV domains.  Typically, this will be six keys,
   half of which will be KSKs.

   PKIX only describes how to validate a certificate based on a client-
   chosen set of trust anchors, but says nothing about how many trust
   anchors to use or how they should be constrained.  As currently
   deployed, most PKIX clients use a large number of trust anchors
   provided with the client or operating system software.  These trust
   anchors are selected carefully, but with a desire for broad
   interoperability.  The trust anchors and CA certificates for public
   CAs rarely have name constraints applied.

   A combination of technical protections, process controls, and
   personnel experience contribute to the quality of security that keys
   receive.

   o  The security surrounding DNSSEC DNSKEYs varies significantly.  The
      KSK/ZSK split allows the KSK to be stored offline and protected
      more carefully than the ZSK, but not all domains do so.  The
      security applied to a zone's DNSKEYs should be proportional to the
      value of the domain, but that is difficult to estimate.  For
      example, the root DNSKEY has protections and controls comparable
      to or exceeding those of public CAs.  On the other end of the
      spectrum, small domains might provide no more protection to their
      keys than they do to their other data.

   o  The security surrounding public CAs also varies.  However, due to
      financial incentives and standards imposed by clients for
      acceptance into their trust anchor stores, CAs generally employ
      security experts and protect their keys carefully, though highly
      public compromises have occurred.






Hoffman & Schlyter           Standards Track                   [Page 19]

RFC 6698            DNS-Based Authentication for TLS         August 2012


8.1.2.  Impact of Key Compromise

   The impact of a key compromise differs significantly between the two
   models.

   o  DNSKEYs are inherently limited in what they can sign, so a
      compromise of the DNSKEY for "example.com" provides no avenue of
      attack against "example.org".  Even the impact of a compromise of
      .com's DNSKEY, while considerable, would be limited to .com
      domains.  Only the compromise of the root DNSKEY would have the
      equivalent impact of an unconstrained public CA.

   o  Public CAs are not typically constrained in what names they can
      sign, and therefore a compromise of even one CA allows the
      attacker to generate a certificate for any name in the DNS.  A
      domain holder can get a certificate from any willing CA, or even
      multiple CAs simultaneously, making it impossible for a client to
      determine whether the certificate it is validating is legitimate
      or fraudulent.

   Because a TLSA certificate association is constrained to its
   associated name, protocol, and port, the PKIX certificate is
   similarly constrained, even if its public CAs signing the certificate
   (if any) are not.

8.1.3.  Detection of Key Compromise

   If a key is compromised, rapid and reliable detection is important in
   order to limit the impact of the compromise.  In this regard, neither
   model prevents an attacker from near-invisibly attacking their
   victim, provided that the necessary keys are compromised.

   If a public CA is compromised, only the victim will see the
   fraudulent certificate, as there is typically no publicly accessible
   directory of all the certificates issued by a CA that can be
   inspected.  DNS resource records are typically published publicly.
   However, the attacker could also allow the uncompromised records to
   be published to the Internet as usual but provide a compromised DNS
   view to the victim to achieve the same effect.

8.1.4.  Spoofing Hostnames

   Some CAs implement technical controls to ensure that certificates are
   not issued to domains with names similar to domains that are popular
   and prone to attack.  Of course, an attacker can attempt to
   circumvent this restriction by finding a CA willing to issue the
   certificate anyway.  However, by using DNSSEC and TLSA, the attacker
   can circumvent this check completely.



Hoffman & Schlyter           Standards Track                   [Page 20]

RFC 6698            DNS-Based Authentication for TLS         August 2012


8.2.  DNS Caching

   Implementations of this protocol rely heavily on the DNS, and are
   thus prone to security attacks based on the deliberate
   mis-association of TLSA records and DNS names.  Implementations need
   to be cautious in assuming the continuing validity of an association
   between a TLSA record and a DNS name.

   In particular, implementations SHOULD rely on their DNS resolver for
   confirmation of an association between a TLSA record and a DNS name,
   rather than caching the result of previous domain name lookups.  Many
   platforms already can cache domain name lookups locally when
   appropriate, and they SHOULD be configured to do so.  It is proper
   for these lookups to be cached, however, only when the TTL (Time To
   Live) information reported by the DNS makes it likely that the cached
   information will remain useful.

   If implementations cache the results of domain name lookups in order
   to achieve a performance improvement, they MUST observe the TTL
   information reported by DNS.  Implementations that fail to follow
   this rule could be spoofed or have access denied when a previously
   accessed server's TLSA record changes, such as during a certificate
   rollover.

8.3.  External DNSSEC Validators

   Due to a lack of DNSSEC support in the most commonly deployed stub
   resolvers today, some ISPs have begun checking DNSSEC in the
   recursive resolvers they provide to their customers, setting the
   Authentic Data (AD) flag as appropriate.  DNSSEC-aware clients could
   use that data, ignoring the fact that the DNSSEC data has been
   validated externally.  Because there is typically no authentication
   of the recursive resolver or integrity protection of the data and AD
   flag between the client and the recursive resolver, this can be
   trivially spoofed by an attacker.

   However, even with secure communications between a host and the
   external validating resolver, there is a risk that the external
   validator could become compromised.  Nothing prevents a compromised
   external DNSSEC validator from claiming that all the records it
   provides are secure, even if the data is falsified, unless the client
   checks the DNSSEC data itself (rendering the external validator
   unnecessary).

   For this reason, DNSSEC validation is best performed on-host, even
   when a secure path to an external validator is available.





Hoffman & Schlyter           Standards Track                   [Page 21]

RFC 6698            DNS-Based Authentication for TLS         August 2012


9.  Acknowledgements

   Many of the ideas in this document have been discussed over many
   years.  More recently, the ideas have been discussed by the authors
   and others in a more focused fashion.  In particular, some of the
   ideas and words here originated with Paul Vixie, Dan Kaminsky, Jeff
   Hodges, Phillip Hallam-Baker, Simon Josefsson, Warren Kumari, Adam
   Langley, Ben Laurie, Ilari Liusvaara, Ondrej Mikle, Scott Schmit,
   Ondrej Sury, Richard Barnes, Jim Schaad, Stephen Farrell, Suresh
   Krishnaswamy, Peter Palfrader, Pieter Lexis, Wouter Wijngaards, John
   Gilmore, and Murray Kucherawy.

   This document has also been greatly helped by many active
   participants of the DANE Working Group.

10.  References

10.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, November 1987.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, March 2005.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, March 2005.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, March 2005.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.




Hoffman & Schlyter           Standards Track                   [Page 22]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, March 2011.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

10.2.  Informative References

   [RFC0952]  Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet
              host table specification", RFC 952, October 1985.

   [RFC2782]  Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
              specifying the location of services (DNS SRV)", RFC 2782,
              February 2000.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
              Wellington, "Secret Key Transaction Authentication for DNS
              (TSIG)", RFC 2845, May 2000.

   [RFC2931]  Eastlake 3rd, D., "DNS Request and Transaction Signatures
              ( SIG(0)s)", RFC 2931, September 2000.

   [RFC4025]  Richardson, M., "A Method for Storing IPsec Keying
              Material in DNS", RFC 4025, March 2005.

   [RFC4255]  Schlyter, J. and W. Griffin, "Using DNS to Securely
              Publish Secure Shell (SSH) Key Fingerprints", RFC 4255,
              January 2006.

   [RFC4641]  Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
              RFC 4641, September 2006.

   [RFC5074]  Weiler, S., "DNSSEC Lookaside Validation (DLV)", RFC 5074,
              November 2007.

   [RFC5890]  Klensin, J., "Internationalized Domain Names for
              Applications (IDNA): Definitions and Document Framework",
              RFC 5890, August 2010.

   [RFC6066]  Eastlake 3rd, D., "Transport Layer Security (TLS)
              Extensions: Extension Definitions", RFC 6066,
              January 2011.




Hoffman & Schlyter           Standards Track                   [Page 23]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   [RFC6071]  Frankel, S. and S. Krishnan, "IP Security (IPsec) and
              Internet Key Exchange (IKE) Document Roadmap", RFC 6071,
              February 2011.

   [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.

   [RFC6376]  Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
              "DomainKeys Identified Mail (DKIM) Signatures", RFC 6376,
              September 2011.

   [RFC6394]  Barnes, R., "Use Cases and Requirements for DNS-Based
              Authentication of Named Entities (DANE)", RFC 6394,
              October 2011.

   [X.690]    "Recommendation ITU-T X.690 (2002) | ISO/IEC 8825-1:2002,
              Information technology - ASN.1 encoding rules:
              Specification of Basic Encoding Rules (BER), Canonical
              Encoding Rules (CER) and Distinguished Encoding Rules
              (DER)", July 2002.































Hoffman & Schlyter           Standards Track                   [Page 24]

RFC 6698            DNS-Based Authentication for TLS         August 2012


Appendix A.  Operational Considerations for Deploying TLSA Records

A.1.  Creating TLSA Records

   When creating TLSA records, care must be taken to avoid
   misconfigurations.  Section 4 of this document states that a TLSA
   RRSet whose validation state is secure MUST be used.  This means that
   the existence of such a RRSet effectively disables other forms of
   name and path validation.  A misconfigured TLSA RRSet will
   effectively disable access to the TLS server for all conforming
   clients, and this document does not provide any means of making a
   gradual transition to using TLSA.

   When creating TLSA records with certificate usage 0 (CA certificate)
   or usage 2 (trust anchor), one needs to understand the implications
   when choosing between selector type 0 (Full certificate) and 1
   (SubjectPublicKeyInfo).  A careful choice is required because
   different methods for building trust chains are used by different TLS
   clients.  The following outlines the cases that one ought to be aware
   of and discusses the implications of the choice of selector type.

   Certificate usage 2 is not affected by the different types of chain
   building when the end entity certificate is the same as the trust
   anchor certificate.

A.1.1.  Ambiguities and Corner Cases When TLS Clients Build Trust Chains

   TLS clients can implement their own chain-building code rather than
   rely on the chain presented by the TLS server.  This means that,
   except for the end entity certificate, any certificate presented in
   the suggested chain might or might not be present in the final chain
   built by the client.

   Certificates that the client can use to replace certificates from the
   original chain include:

   o  Client's trust anchors

   o  Certificates cached locally

   o  Certificates retrieved from a URI listed in an Authority
      Information Access X.509v3 extension

   CAs frequently reissue certificates with different validity periods,
   signature algorithms (such as a different hash algorithm in the
   signature algorithm), CA key pairs (such as for a cross-certificate),





Hoffman & Schlyter           Standards Track                   [Page 25]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   or PKIX extensions where the public key and subject remain the same.
   These reissued certificates are the certificates that the TLS client
   can use in place of an original certificate.

   Clients are known to exchange or remove certificates that could cause
   TLSA certificate associations that rely on the full certificate to
   fail.  For example:

   o  The client considers the signature algorithm of a certificate to
      no longer be sufficiently secure.

   o  The client might not have an associated root certificate in its
      trust store and instead uses a cross-certificate with an identical
      subject and public key.

A.1.2.  Choosing a Selector Type

   In this section, "false-negative failure" means that a client will
   not accept the TLSA certificate association for a certificate
   designated by the DNS administrator.  Also, "false-positive
   acceptance" means that the client accepts a TLSA association for a
   certificate that is not designated by the DNS administrator.

A.1.2.1.  Selector Type 0 (Full Certificate)

   The "Full certificate" selector provides the most precise
   specification of a TLSA certificate association, capturing all
   fields of the PKIX certificate.  For a DNS administrator, the best
   course to avoid false-negative failures in the client when using this
   selector is:

   1.  If a CA issued a replacement certificate, don't associate to CA
       certificates that have a signature algorithm with a hash that is
       considered weak by local policy.

   2.  Determine how common client applications process the TLSA
       certificate association using a fresh client installation -- that
       is, with the local certificate cache empty.













Hoffman & Schlyter           Standards Track                   [Page 26]

RFC 6698            DNS-Based Authentication for TLS         August 2012


A.1.2.2.  Selector Type 1 (SubjectPublicKeyInfo)

   A SubjectPublicKeyInfo selector gives greater flexibility in avoiding
   some false-negative failures caused by trust-chain-building
   algorithms used in clients.

   One specific use case ought to be noted: creating a TLSA certificate
   association to CA certificate I1 that directly signed end entity
   certificate S1 of the server.  The case can be illustrated by the
   following graph:

           +----+                      +----+
           | I1 |                      | I2 |
           +----+                      +----+
              |                           |
              v                           v
           +----+                      +----+
           | S1 |                      | S1 |
           +----+                      +----+
   Certificate chain sent by    A different validation path
   server in TLS handshake      built by the TLS client

   I2 is a reissued version of CA certificate I1 (that is, it has a
   different hash in its signature algorithm).

   In the above scenario, both certificates I1 and I2 that sign S1 need
   to have identical SubjectPublicKeyInfo fields because the key used to
   sign S1 is fixed.  An association to SubjectPublicKeyInfo (selector
   type 1) will always succeed in such a case, but an association with a
   full certificate (selector type 0) might not work due to a false-
   negative failure.

   The attack surface is a bit broader compared to the "Full
   certificate" selector: the DNS administrator might unintentionally
   specify an association that would lead to false-positive acceptance.

   o  The administrator must know or trust that the CA does not engage
      in bad practices, such as not sharing the key of I1 for unrelated
      CA certificates (which would lead to trust-chain redirection).  If
      possible, the administrator ought to review all CA certificates
      that have the same SubjectPublicKeyInfo field.

   o  The administrator ought to understand whether some PKIX extension
      may adversely affect security of the association.  If possible,
      administrators ought to review all CA certificates that share the
      SubjectPublicKeyInfo.





Hoffman & Schlyter           Standards Track                   [Page 27]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   o  The administrator ought to understand that any CA could, in the
      future, issue a certificate that contains the same
      SubjectPublicKeyInfo.  Therefore, new chains can crop up in the
      future without any warning.

   Using the SubjectPublicKeyInfo selector for association with a
   certificate in a chain above I1 needs to be decided on a case-by-case
   basis: there are too many possibilities based on the issuing CA's
   practices.  Unless the full implications of such an association are
   understood by the administrator, using selector type 0 is a better
   option from a security perspective.

A.2.  Provisioning TLSA Records in DNS

A.2.1.  Provisioning TLSA Records with Aliases

   The TLSA resource record is not special in the DNS; it acts exactly
   like any other RRtype where the queried name has one or more labels
   prefixed to the base name, such as the SRV RRtype [RFC2782].  This
   affects the way that the TLSA resource record is used when aliasing
   in the DNS.

   Note that the IETF sometimes adds new types of aliasing in the DNS.
   If that happens in the future, those aliases might affect TLSA
   records, hopefully in a good way.

A.2.1.1.  Provisioning TLSA Records with CNAME Records

   Using CNAME to alias in DNS only aliases from the exact name given,
   not any zones below the given name.  For example, assume that a zone
   file has only the following:

   sub1.example.com.          IN CNAME sub2.example.com.

   In this case, a request for the A record at "bottom.sub1.example.com"
   would not return any records because the CNAME given only aliases the
   name given.  Assume, instead, the zone file has the following:

   sub3.example.com.          IN CNAME sub4.example.com.
   bottom.sub3.example.com.   IN CNAME bottom.sub4.example.com.

   In this case, a request for the A record at bottom.sub3.example.com
   would in fact return whatever value for the A record exists at
   bottom.sub4.example.com.







Hoffman & Schlyter           Standards Track                   [Page 28]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   Application implementations and full-service resolvers request DNS
   records using libraries that automatically follow CNAME (and DNAME)
   aliasing.  This allows hosts to put TLSA records in their own zones
   or to use CNAME to do redirection.

   If the owner of the original domain wants a TLSA record for the same,
   they simply enter it under the defined prefix:

   ; No TLSA record in target domain
   ;
   sub5.example.com.            IN CNAME sub6.example.com.
   _443._tcp.sub5.example.com.  IN TLSA 1 1 1 308202c5308201ab...
   sub6.example.com.            IN A 192.0.2.1
   sub6.example.com.            IN AAAA 2001:db8::1

   If the owner of the original domain wants to have the target domain
   host the TLSA record, the original domain uses a CNAME record:

   ; TLSA record for original domain has CNAME to target domain
   ;
   sub5.example.com.            IN CNAME sub6.example.com.
   _443._tcp.sub5.example.com.  IN CNAME _443._tcp.sub6.example.com.
   sub6.example.com.            IN A 192.0.2.1
   sub6.example.com.            IN AAAA 2001:db8::1
   _443._tcp.sub6.example.com.  IN TLSA 1 1 1 536a570ac49d9ba4...

   Note that it is acceptable for both the original domain and the
   target domain to have TLSA records, but the two records are
   unrelated.  Consider the following:

   ; TLSA record in both the original and target domain
   ;
   sub5.example.com.            IN CNAME sub6.example.com.
   _443._tcp.sub5.example.com.  IN TLSA 1 1 1 308202c5308201ab...
   sub6.example.com.            IN A 192.0.2.1
   sub6.example.com.            IN AAAA 2001:db8::1
   _443._tcp.sub6.example.com.  IN TLSA 1 1 1 ac49d9ba4570ac49...

   In this example, someone looking for the TLSA record for
   sub5.example.com would always get the record whose value starts with
   "308202c5308201ab"; the TLSA record whose value starts with
   "ac49d9ba4570ac49" would only be sought by someone who is looking for
   the TLSA record for sub6.example.com, and never for sub5.example.com.
   Note that deploying different certificates for multiple services
   located at a shared TLS listener often requires the use of TLS SNI
   (Server Name Indication) [RFC6066].





Hoffman & Schlyter           Standards Track                   [Page 29]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   Note that these methods use the normal method for DNS aliasing using
   CNAME: the DNS client requests the record type that they actually
   want.

A.2.1.2.  Provisioning TLSA Records with DNAME Records

   Using DNAME records allows a zone owner to alias an entire subtree of
   names below the name that has the DNAME.  This allows the wholesale
   aliasing of prefixed records such as those used by TLSA, SRV, and so
   on without aliasing the name itself.  However, because DNAME can only
   be used for subtrees of a base name, it is rarely used to alias
   individual hosts that might also be running TLS.

   ; TLSA record in target domain, visible in original domain via DNAME
   ;
   sub5.example.com.            IN CNAME sub6.example.com.
   _tcp.sub5.example.com.       IN DNAME _tcp.sub6.example.com.
   sub6.example.com.            IN A 192.0.2.1
   sub6.example.com.            IN AAAA 2001:db8::1
   _443._tcp.sub6.example.com.  IN TLSA 1 1 1 536a570ac49d9ba4...

A.2.1.3.  Provisioning TLSA Records with Wildcards

   Wildcards are generally not terribly useful for RRtypes that require
   prefixing because one can only wildcard at a layer below the host
   name.  For example, if one wants to have the same TLSA record for
   every TCP port for www.example.com, the result might be:

   *._tcp.www.example.com.    IN TLSA 1 1 1 5c1502a6549c423b...

   This is possibly useful in some scenarios where the same service is
   offered on many ports or the same certificate and/or key is used for
   all services on a host.  Note that the domain being searched for is
   not necessarily related to the domain name found in the certificate,
   so a certificate with a wildcard in it is not searched for using a
   wildcard in the search request.

A.3.  Securing the Last Hop

   As described in Section 4, an application processing TLSA records
   must know the DNSSEC validity of those records.  There are many ways
   for the application to determine this securely, and this
   specification does not mandate any single method.








Hoffman & Schlyter           Standards Track                   [Page 30]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   Some common methods for an application to know the DNSSEC validity of
   TLSA records include:

   o  The application can have its own DNS resolver and DNSSEC
      validation stack.

   o  The application can communicate through a trusted channel (such as
      requests to the operating system under which the application is
      running) to a local DNS resolver that does DNSSEC validation.

   o  The application can communicate through a secured channel (such as
      requests running over TLS, IPsec, TSIG, or SIG(0)) to a non-local
      DNS resolver that does DNSSEC validation.

   o  The application can communicate through a secured channel (such as
      requests running over TLS, IPsec, TSIG, or SIG(0)) to a non-local
      DNS resolver that does not do DNSSEC validation, but gets
      responses through a secured channel from a different DNS resolver
      that does DNSSEC validation.

A.4.  Handling Certificate Rollover

   Certificate rollover is handled in much the same way as for rolling
   DNSSEC zone signing keys using the pre-publish key rollover method
   [RFC4641].  Suppose example.com has a single TLSA record for a TLS
   service on TCP port 990:

   _990._tcp.example.com IN TLSA 1 1 1 1CFC98A706BCF3683015...

   To start the rollover process, obtain or generate the new certificate
   or SubjectPublicKeyInfo to be used after the rollover and generate
   the new TLSA record.  Add that record alongside the old one:

   _990._tcp.example.com IN TLSA 1 1 1 1CFC98A706BCF3683015...
   _990._tcp.example.com IN TLSA 1 1 1 62D5414CD1CC657E3D30...

   After the new records have propagated to the authoritative
   nameservers and the TTL of the old record has expired, switch to the
   new certificate on the TLS server.  Once this has occurred, the old
   TLSA record can be removed:

   _990._tcp.example.com IN TLSA 1 1 1 62D5414CD1CC657E3D30...

   This completes the certificate rollover.







Hoffman & Schlyter           Standards Track                   [Page 31]

RFC 6698            DNS-Based Authentication for TLS         August 2012


Appendix B.  Pseudocode for Using TLSA

   This appendix describes, in pseudocode format, the interactions given
   earlier in this specification.  If the steps below disagree with the
   text earlier in the document, the steps earlier in the document ought
   to be considered correct and this text incorrect.

   Note that this pseudocode is more strict than the normative text.
   For instance, it forces an order on the evaluation of criteria, which
   is not mandatory from the normative text.

B.1.  Helper Functions

   // implement the function for exiting
   function Finish (F) = {
     if (F == ABORT_TLS) {
       abort the TLS handshake or prevent TLS from starting
       exit
     }

     if (F == NO_TLSA) {
       fall back to non-TLSA certificate validation
       exit
     }

     if (F == ACCEPT) {
       accept the TLS connection
       exit
     }

     // unreachable
   }

   // implement the selector function
   function Select (S, X) = {
     // Full certificate
     if (S == 0) {
       return X in DER encoding
     }

     // SubjectPublicKeyInfo
     if (S == 1) {
       return X.SubjectPublicKeyInfo in DER encoding
     }

     // unreachable
   }




Hoffman & Schlyter           Standards Track                   [Page 32]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   // implement the matching function
   function Match (M, X, Y) {
     // Exact match on selected content
     if (M == 0) {
       return (X == Y)
     }

     // SHA-256 hash of selected content
     if (M == 1) {
       return (SHA-256(X) == Y)
     }

     // SHA-512 hash of selected content
     if (M == 2) {
       return (SHA-512(X) == Y)
     }

     // unreachable
   }

B.2.  Main TLSA Pseudocode

   TLS connect using [transport] to [name] on [port] and receiving end
   entity cert C for the TLS server:

   (TLSArecords, ValState) = DNSSECValidatedLookup(
     domainname=_[port]._[transport].[name], RRtype=TLSA)

   // check for states that would change processing
   if (ValState == BOGUS) {
     Finish(ABORT_TLS)
   }
   if ((ValState == INDETERMINATE) or (ValState == INSECURE)) {
     Finish(NO_TLSA)
   }
   // if here, ValState must be SECURE

   for each R in TLSArecords {
     // unusable records include unknown certUsage, unknown
     // selectorType, unknown matchingType, erroneous RDATA, and
     // prohibited by local policy
     if (R is unusable) {
       remove R from TLSArecords
     }
   }
   if (length(TLSArecords) == 0) {
     Finish(NO_TLSA)
   }



Hoffman & Schlyter           Standards Track                   [Page 33]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   // A TLS client might have multiple trust anchors that it might use
   //    when validating the TLS server's end entity (EE) certificate.
   //    Also, there can be multiple PKIX certification paths for the
   //    certificates given by the server in TLS.  Thus, there are
   //    possibly many chains that might need to be tested during
   //    PKIX path validation.

   for each R in TLSArecords {

     // pass PKIX certificate validation and chain through a CA cert
     //    that comes from TLSA
     if (R.certUsage == 0) {
       for each PKIX certification path H {
         if (C passes PKIX certification path validation in H) {
           for each D in H {
             if ((D is a CA certificate) and
                 Match(R.matchingType, Select(R.selectorType, D),
                       R.cert)) {
               Finish(ACCEPT)
             }
           }
         }
       }
     }

     // pass PKIX certificate validation and match EE cert from TLSA
     if (R.certUsage == 1) {
       for each PKIX certification path H {
         if ((C passes PKIX certificate validation in H) and
                 Match(R.matchingType, Select(R.selectorType, C),
                 R.cert)) {
             Finish(ACCEPT)
         }
       }
     }

     // pass PKIX certification validation using TLSA record as the
     //    trust anchor
     if (R.certUsage == 2) {
       // the following assert() is merely a formalization of the
       // "trust anchor" condition for a certificate D matching R
       assert(Match(R.matchingType, Select(R.selectorType, D), R.cert))









Hoffman & Schlyter           Standards Track                   [Page 34]

RFC 6698            DNS-Based Authentication for TLS         August 2012


       for each PKIX certification path H that has certificate D
           matching R as the trust anchor {
         if (C passes PKIX validation in H) {
           Finish(ACCEPT);
         }
       }
     }

     // match the TLSA record and the TLS certificate
     if (R.certUsage == 3) {
       if Match(R.matchingType, Select(R.selectorType, C), R.cert)
         Finish(ACCEPT)
       }
     }

   }

   // if here, then none of the TLSA records ended in "Finish(ACCEPT)"
   //   so abort TLS
   Finish(ABORT_TLS)

Appendix C.  Examples

   The following are examples of self-signed certificates that have been
   generated with various selectors and matching types.  They were
   generated with one piece of software, and validated by an individual
   using other tools.

   S = Selector
   M = Matching Type

   S M Association Data
   0 0 30820454308202BC020900AB58D24E77AD2AF6300D06092A86
       4886F70D0101050500306C310B3009060355040613024E4C31163014
       0603550408130D4E6F6F72642D486F6C6C616E643112301006035504
       071309416D7374657264616D310C300A060355040A13034F53333123
       30210603550403131A64616E652E6B6965762E70726163746963756D
       2E6F73332E6E6C301E170D3132303131363136353730335A170D3232
       303131333136353730335A306C310B3009060355040613024E4C3116
       30140603550408130D4E6F6F72642D486F6C6C616E64311230100603
       5504071309416D7374657264616D310C300A060355040A13034F5333
       312330210603550403131A64616E652E6B6965762E70726163746963
       756D2E6F73332E6E6C308201A2300D06092A864886F70D0101010500
       0382018F003082018A0282018100E62C84A5AFE59F0A2A6B250DEE68
       7AC8C5C604F57D26CEB2119140FFAC38C4B9CBBE8923082E7F81626B
       6AD5DEA0C8771C74E3CAA7F613054AEFA3673E48FFE47B3F7AF987DE
       281A68230B24B9DA1A98DCBE51195B60E42FD7517C328D983E26A827
       C877AB914EE4C1BFDEAD48BD25BE5F2C473BA9C1CBBDDDA0C374D0D5



Hoffman & Schlyter           Standards Track                   [Page 35]

RFC 6698            DNS-Based Authentication for TLS         August 2012


       8C389CC3D6D8C20662E19CF768F32441B7F7D14AEA8966CE7C32A172
       2AB38623D008029A9E4702883F8B977A1A1E5292BF8AD72239D40393
       37B86A3AC60FA001290452177BF1798609A05A130F033457A5212629
       FBDDB8E70E2A9E6556873C4F7CA46AE4A8B178F05FB319005E1C1C7D
       4BD77DFA34035563C126AA2C3328B900E7990AC9787F01DA82F74C3D
       4B6674CCECE1FD4C6EF9E6644F4635EDEDA39D8B0E2F7C8E06DAE775
       6213BD3D60831175BE290442B4AFC5AE6F46B769855A067C1097E617
       962529E166F22AEE10DDB981B8CD6FF17D3D70723169038DBFBC1A44
       9C8D0D31BC683C5F3CE26148E42EC9BBD4D9F261569B25B53C1D7FC2
       DDFF6B4CAC050203010001300D06092A864886F70D01010505000382
       0181002B2ABE063E9C86AC4A1F7835372091079C8276A9C2C5D1EC57
       64DE523FDDABDEAB3FD34E6FE6CBA054580A6785A663595D90132B93
       D473929E81FA0887D2FFF78A81C7D014B97778AB6AC9E5E690F6F5A9
       E92BB5FBAB71B857AE69B6E18BDCCB0BA6FCD9D4B084A34F3635148C
       495D48FE635903B888EC1DEB2610548EDD48D63F86513A4562469831
       48C0D5DB82D73A4C350A42BB661D763430FC6C8E5F9D13EA1B76AA52
       A4C358E5EA04000F794618303AB6CEEA4E9A8E9C74D73C1B0B7BAF16
       DEDE7696B5E2F206F777100F5727E1684D4132F5E692F47AF6756EA8
       B421000BE031B5D8F0220E436B51FB154FE9595333C13A2403F9DE08
       E5DDC5A22FD6182E339593E26374450220BC14F3E40FF33F084526B0
       9C34250702E8A352B332CCCB0F9DE2CF2B338823B92AFC61C0B6B8AB
       DB5AF718ED8DDA97C298E46B82A01B14814868CFA4F2C36268BFFF4A
       591F42658BF75918902D3E426DFE1D5FF0FC6A212071F6DA8BD833FE
       2E560D87775E8EE9333C05B6FB8EB56589D910DB5EA903

   0 1 EFDDF0D915C7BDC5782C0881E1B2A95AD099FBDD06D7B1F779
       82D9364338D955

   0 2 81EE7F6C0ECC6B09B7785A9418F54432DE630DD54DC6EE9E3C
       49DE547708D236D4C413C3E97E44F969E635958AA410495844127C04
       883503E5B024CF7A8F6A94

   1 0 308201A2300D06092A864886F70D01010105000382018F0030
       82018A0282018100E62C84A5AFE59F0A2A6B250DEE687AC8C5C604F5
       7D26CEB2119140FFAC38C4B9CBBE8923082E7F81626B6AD5DEA0C877
       1C74E3CAA7F613054AEFA3673E48FFE47B3F7AF987DE281A68230B24
       B9DA1A98DCBE51195B60E42FD7517C328D983E26A827C877AB914EE4
       C1BFDEAD48BD25BE5F2C473BA9C1CBBDDDA0C374D0D58C389CC3D6D8
       C20662E19CF768F32441B7F7D14AEA8966CE7C32A1722AB38623D008
       029A9E4702883F8B977A1A1E5292BF8AD72239D4039337B86A3AC60F
       A001290452177BF1798609A05A130F033457A5212629FBDDB8E70E2A
       9E6556873C4F7CA46AE4A8B178F05FB319005E1C1C7D4BD77DFA3403
       5563C126AA2C3328B900E7990AC9787F01DA82F74C3D4B6674CCECE1
       FD4C6EF9E6644F4635EDEDA39D8B0E2F7C8E06DAE7756213BD3D6083
       1175BE290442B4AFC5AE6F46B769855A067C1097E617962529E166F2
       2AEE10DDB981B8CD6FF17D3D70723169038DBFBC1A449C8D0D31BC68
       3C5F3CE26148E42EC9BBD4D9F261569B25B53C1D7FC2DDFF6B4CAC05
       0203010001



Hoffman & Schlyter           Standards Track                   [Page 36]

RFC 6698            DNS-Based Authentication for TLS         August 2012


   1 1 8755CDAA8FE24EF16CC0F2C918063185E433FAAF1415664911
       D9E30A924138C4

   1 2 D43165B4CDF8F8660AECCCC5344D9D9AE45FFD7E6AAB7AB9EE
       C169B58E11F227ED90C17330CC17B5CCEF0390066008C720CEC6AAE5
       33A934B3A2D7E232C94AB4

Authors' Addresses

   Paul Hoffman
   VPN Consortium

   EMail: paul.hoffman@vpnc.org


   Jakob Schlyter
   Kirei AB

   EMail: jakob@kirei.se
































Hoffman & Schlyter           Standards Track                   [Page 37]