summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7671.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc7671.txt')
-rw-r--r--doc/rfc/rfc7671.txt1851
1 files changed, 1851 insertions, 0 deletions
diff --git a/doc/rfc/rfc7671.txt b/doc/rfc/rfc7671.txt
new file mode 100644
index 0000000..43a3267
--- /dev/null
+++ b/doc/rfc/rfc7671.txt
@@ -0,0 +1,1851 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) V. Dukhovni
+Request for Comments: 7671 Two Sigma
+Updates: 6698 W. Hardaker
+Category: Standards Track Parsons
+ISSN: 2070-1721 October 2015
+
+
+ The DNS-Based Authentication of Named Entities (DANE) Protocol:
+ Updates and Operational Guidance
+
+Abstract
+
+ This document clarifies and updates the DNS-Based Authentication of
+ Named Entities (DANE) TLSA specification (RFC 6698), based on
+ subsequent implementation experience. It also contains guidance for
+ implementers, operators, and protocol developers who want to use DANE
+ records.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7671.
+
+Copyright Notice
+
+ Copyright (c) 2015 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 1]
+
+RFC 7671 DANE Operations October 2015
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 1.1. Terminology ................................................4
+ 2. DANE TLSA Record Overview .......................................5
+ 2.1. Example TLSA Record ........................................6
+ 3. DANE TLS Requirements ...........................................6
+ 4. DANE Certificate Usage Selection Guidelines .....................7
+ 4.1. Opportunistic Security and PKIX Usages .....................7
+ 4.2. Interaction with Certificate Transparency ..................8
+ 4.3. Switching from/to PKIX-TA/EE to/from DANE-TA/EE ............9
+ 5. Certificate-Usage-Specific DANE Updates and Guidelines ..........9
+ 5.1. Certificate Usage DANE-EE(3) ...............................9
+ 5.2. Certificate Usage DANE-TA(2) ..............................11
+ 5.3. Certificate Usage PKIX-EE(1) ..............................15
+ 5.4. Certificate Usage PKIX-TA(0) ..............................15
+ 6. Service Provider and TLSA Publisher Synchronization ............16
+ 7. TLSA Base Domain and CNAMEs ....................................18
+ 8. TLSA Publisher Requirements ....................................19
+ 8.1. Key Rollover with Fixed TLSA Parameters ...................20
+ 8.2. Switching to DANE-TA(2) from DANE-EE(3) ...................21
+ 8.3. Switching to New TLSA Parameters ..........................22
+ 8.4. TLSA Publisher Requirements: Summary ......................23
+ 9. Digest Algorithm Agility .......................................23
+ 10. General DANE Guidelines .......................................25
+ 10.1. DANE DNS Record Size Guidelines ..........................25
+ 10.2. Certificate Name Check Conventions .......................26
+ 10.3. Design Considerations for Protocols Using DANE ...........27
+ 11. Note on DNSSEC Security .......................................28
+ 12. Summary of Updates to RFC 6698 ................................29
+ 13. Operational Considerations ....................................29
+ 14. Security Considerations .......................................30
+ 15. References ....................................................30
+ 15.1. Normative References .....................................30
+ 15.2. Informative References ...................................32
+ Acknowledgements ..................................................33
+ Authors' Addresses ................................................33
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 2]
+
+RFC 7671 DANE Operations October 2015
+
+
+1. Introduction
+
+ The DNS-Based Authentication of Named Entities (DANE) specification
+ [RFC6698] introduces the DNS "TLSA" resource record (RR) type ("TLSA"
+ is not an acronym). TLSA records associate a certificate or a public
+ key of an end-entity or a trusted issuing authority with the
+ corresponding Transport Layer Security (TLS) [RFC5246] or Datagram
+ Transport Layer Security (DTLS) [RFC6347] transport endpoint. DANE
+ relies on the DNS Security Extensions (DNSSEC) [RFC4033]. DANE TLSA
+ records validated by DNSSEC can be used to augment or replace the use
+ of trusted public Certification Authorities (CAs).
+
+ The TLS and DTLS protocols provide secured TCP and UDP communication,
+ respectively, over IP. In the context of this document, channel
+ security is assumed to be provided by TLS or DTLS. By convention,
+ "TLS" will be used throughout this document; unless otherwise
+ specified, the text applies equally well to DTLS over UDP. Used
+ without authentication, TLS provides protection only against
+ eavesdropping through its use of encryption. With authentication,
+ TLS also protects the transport against man-in-the-middle (MITM)
+ attacks.
+
+ [RFC6698] defines three TLSA record fields: the first with four
+ possible values, the second with two, and the third with three.
+ These yield 24 distinct combinations of TLSA record types. This
+ document recommends a smaller set of best-practice combinations of
+ these fields to simplify protocol design, implementation, and
+ deployment.
+
+ This document explains and recommends DANE-specific strategies to
+ simplify "virtual hosting", where a single Service Provider transport
+ endpoint simultaneously supports multiple hosted Customer Domains.
+
+ Other related documents that build on [RFC6698] are [RFC7673] and
+ [RFC7672].
+
+ Section 12 summarizes the normative updates this document makes to
+ [RFC6698].
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 3]
+
+RFC 7671 DANE Operations October 2015
+
+
+1.1. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ [RFC2119].
+
+ The following terms are used throughout this document:
+
+ Web PKI: The Public Key Infrastructure (PKI) model employed by
+ browsers to authenticate web servers. This employs a set of
+ trusted public CAs to vouch for the authenticity of public keys
+ associated with a particular party (the subject).
+
+ Service Provider: A company or organization that offers to host a
+ service on behalf of the owner of a Customer Domain. The original
+ domain name associated with the service often remains under the
+ control of the customer. Connecting applications may be directed
+ to the Service Provider via a redirection RR. Example redirection
+ records include MX, SRV, and CNAME. The Service Provider
+ frequently provides services for many customers and needs to
+ ensure that the TLS credentials presented to connecting
+ applications authenticate it as a valid server for the requested
+ domain.
+
+ Customer Domain: As described above, a TLS client may be interacting
+ with a service that is hosted by a third party. This document
+ refers to the domain name used to locate the service (prior to any
+ redirection) as the "Customer Domain".
+
+ TLSA Publisher: The entity responsible for publishing a TLSA record
+ within a DNS zone. This zone will be assumed DNSSEC-signed and
+ validatable to a trust anchor (TA), unless otherwise specified.
+ If the Customer Domain is not outsourcing its DNS service, the
+ TLSA Publisher will be the customer itself. Otherwise, the TLSA
+ Publisher may be the operator of the outsourced DNS service.
+
+ Public key: The term "public key" is shorthand for the
+ subjectPublicKeyInfo component of a PKIX [RFC5280] certificate.
+
+ SNI: The Server Name Indication (SNI) TLS protocol extension allows
+ a TLS client to request a connection to a particular service name
+ of a TLS server ([RFC6066], Section 3). Without this TLS
+ extension, a TLS server has no choice but to offer a certificate
+ with a default list of server names, making it difficult to host
+ multiple Customer Domains at the same IP-address-based TLS service
+ endpoint (i.e., provide "secure virtual hosting").
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 4]
+
+RFC 7671 DANE Operations October 2015
+
+
+ TLSA parameters: In [RFC6698], the TLSA record is defined to consist
+ of four fields. The first three of these are numeric parameters
+ that specify the meaning of the data in the fourth and final
+ field. This document refers to the first three fields as "TLSA
+ parameters", or sometimes just "parameters" when obvious from
+ context.
+
+ TLSA base domain: Per Section 3 of [RFC6698], TLSA records are
+ stored at a DNS domain name that is a combination of a port and
+ protocol prefix and a "base domain". In [RFC6698], the "base
+ domain" is the fully qualified domain name of the TLS server.
+ This document modifies the TLSA record lookup strategy to prefer
+ the fully CNAME-expanded name of the TLS server, provided that
+ expansion is "secure" (DNSSEC validated) at each stage of the
+ expansion, and TLSA records are published for this fully expanded
+ name. Thus, the "TLSA base domain" is either the fully
+ CNAME-expanded TLS server name or otherwise the initial fully
+ qualified TLS server name, whichever is used in combination with a
+ port and protocol prefix to obtain the TLSA RRset.
+
+2. DANE TLSA Record Overview
+
+ DANE TLSA [RFC6698] specifies a protocol for publishing TLS server
+ certificate associations via DNSSEC [RFC4033] [RFC4034] [RFC4035].
+ DANE TLSA records consist of four fields. The record type is
+ determined by the values of the first three fields, which this
+ document refers to as the "TLSA parameters" to distinguish them from
+ the fourth and last field. The numeric values of these parameters
+ were given symbolic names in [RFC7218]. The four fields are as
+ follows:
+
+ The Certificate Usage field: Section 2.1.1 of [RFC6698] specifies
+ four values: PKIX-TA(0), PKIX-EE(1), DANE-TA(2), and DANE-EE(3).
+ There is an additional private-use value: PrivCert(255), which,
+ given its private scope, shall not be considered further in this
+ document. All other values are reserved for use by future
+ specifications.
+
+ The Selector field: Section 2.1.2 of [RFC6698] specifies two values:
+ Cert(0) and SPKI(1). There is an additional private-use value:
+ PrivSel(255). All other values are reserved for use by future
+ specifications.
+
+ The Matching Type field: Section 2.1.3 of [RFC6698] specifies three
+ values: Full(0), SHA2-256(1), and SHA2-512(2). There is an
+ additional private-use value: PrivMatch(255). All other values
+ are reserved for use by future specifications.
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 5]
+
+RFC 7671 DANE Operations October 2015
+
+
+ The Certificate Association Data field: See Section 2.1.4 of
+ [RFC6698]. This field stores the full value or digest of the
+ certificate or subject public key as determined by the matching
+ type and selector, respectively.
+
+ In the Matching Type field, of the two digest algorithms --
+ SHA2-256(1) and SHA2-512(2) -- as of the time of this writing, only
+ SHA2-256(1) is mandatory to implement. Clients SHOULD implement
+ SHA2-512(2), but servers SHOULD NOT exclusively publish SHA2-512(2)
+ digests. The digest algorithm agility protocol defined in Section 9
+ SHOULD be used by clients to decide how to process TLSA RRsets that
+ employ multiple digest algorithms. Server operators MUST publish
+ TLSA RRsets that are compatible (see Section 8) with digest algorithm
+ agility (Section 9).
+
+2.1. Example TLSA Record
+
+ In the example TLSA record below, the TLSA certificate usage is
+ DANE-TA(2), the selector is Cert(0), and the matching type is
+ SHA2-256(1). The last field is the Certificate Association Data
+ field, which in this case contains the SHA2-256 digest of the server
+ certificate.
+
+ _25._tcp.mail.example.com. IN TLSA 2 0 1 (
+ E8B54E0B4BAA815B06D3462D65FBC7C0
+ CF556ECCF9F5303EBFBB77D022F834C0 )
+
+3. DANE TLS Requirements
+
+ [RFC6698] does not discuss what versions of TLS are required when
+ using DANE records. This document specifies that TLS clients that
+ support DANE/TLSA MUST support at least TLS 1.0 and SHOULD support
+ TLS 1.2 or later.
+
+ TLS clients using DANE MUST support the SNI extension of TLS
+ [RFC6066]. Servers MAY support SNI and respond with a matching
+ certificate chain but MAY also ignore SNI and respond with a default
+ certificate chain. When a server supports SNI but is not configured
+ with a certificate chain that exactly matches the client's SNI
+ extension, the server SHOULD respond with another certificate chain
+ (a default or closest match). This is because clients might support
+ more than one server name but can only put a single name in the SNI
+ extension.
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 6]
+
+RFC 7671 DANE Operations October 2015
+
+
+4. DANE Certificate Usage Selection Guidelines
+
+ As mentioned in Section 2, the TLSA Certificate Usage field takes one
+ of four possible values. With PKIX-TA(0) and PKIX-EE(1), the
+ validation of peer certificate chains requires additional
+ preconfigured CA TAs that are mutually trusted by the operators of
+ the TLS server and client. With DANE-TA(2) and DANE-EE(3), no
+ preconfigured CA TAs are required and the published DANE TLSA records
+ are sufficient to verify the peer's certificate chain.
+
+ Standards for application protocols that employ DANE TLSA can specify
+ more specific guidance than [RFC6698] or this document. Such
+ application-specific standards need to carefully consider which set
+ of DANE certificate usages to support. Simultaneous support for all
+ four usages is NOT RECOMMENDED for DANE clients. When all four
+ usages are supported, an attacker capable of compromising the
+ integrity of DNSSEC needs only to replace the server's TLSA RRset
+ with one that lists suitable DANE-EE(3) or DANE-TA(2) records,
+ effectively bypassing any added verification via public CAs. In
+ other words, when all four usages are supported, PKIX-TA(0) and
+ PKIX-EE(1) offer only illusory incremental security over DANE-TA(2)
+ and DANE-EE(3).
+
+ Designs in which clients support just the DANE-TA(2) and DANE-EE(3)
+ certificate usages are RECOMMENDED. With DANE-TA(2) and DANE-EE(3),
+ clients don't need to track a large changing list of X.509 TAs in
+ order to successfully authenticate servers whose certificates are
+ issued by a CA that is brand new or not widely trusted.
+
+ The DNSSEC TLSA records for servers MAY include both sets of usages
+ if the server needs to support a mixture of clients, some supporting
+ one pair of usages and some the other.
+
+4.1. Opportunistic Security and PKIX Usages
+
+ When the client's protocol design is based on "Opportunistic
+ Security" (OS) [RFC7435] and the use of authentication is based on
+ the presence of server TLSA records, it is especially important to
+ avoid the PKIX-EE(1) and PKIX-TA(0) certificate usages.
+
+ When authenticated TLS is used opportunistically based on the
+ presence of DANE TLSA records and no secure TLSA records are present,
+ unauthenticated TLS is used if possible, and if TLS is not possible,
+ perhaps even cleartext. However, if usable secure TLSA records are
+ published, then authentication MUST succeed. Also, outside the
+ browser space, there is no preordained canon of trusted CAs, and in
+ any case there is no security advantage in using PKIX-TA(0) or
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 7]
+
+RFC 7671 DANE Operations October 2015
+
+
+ PKIX-EE(1) when the DANE-TA(2) and DANE-EE(3) usages are also
+ supported (as an attacker who can compromise DNS can replace the
+ former with the latter).
+
+ Authentication via the PKIX-TA(0) and PKIX-EE(1) certificate usages
+ is more brittle; the client and server need to happen to agree on a
+ mutually trusted CA, but with OS the client is just trying to protect
+ the communication channel at the request of the server and would
+ otherwise be willing to use cleartext or unauthenticated TLS. The
+ use of fragile mechanisms (like public CA authentication for some
+ unspecified set of trusted CAs) is not sufficiently reliable for an
+ OS client to honor the server's request for authentication. OS needs
+ to be non-intrusive and to require few, if any, workarounds for valid
+ but mismatched peers.
+
+ Because the PKIX-TA(0) and PKIX-EE(1) usages offer no more security
+ and are more prone to failure, they are a poor fit for OS and
+ SHOULD NOT be used in that context.
+
+4.2. Interaction with Certificate Transparency
+
+ Certificate Transparency (CT) [RFC6962] defines an experimental
+ approach that could be used to mitigate the risk of rogue or
+ compromised public CAs issuing unauthorized certificates. This
+ section clarifies the interaction of the experimental CT and DANE.
+ This section may need to be revised in light of any future Standards
+ Track version of CT.
+
+ When a server is authenticated via a DANE TLSA RR with TLSA
+ certificate usage DANE-EE(3), the domain owner has directly specified
+ the certificate associated with the given service without reference
+ to any public CA. Therefore, when a TLS client authenticates the TLS
+ server via a TLSA record with usage DANE-EE(3), CT checks SHOULD NOT
+ be performed. Publication of the server certificate or public key
+ (digest) in a TLSA record in a DNSSEC-signed zone by the domain owner
+ assures the TLS client that the certificate is not an unauthorized
+ certificate issued by a rogue CA without the domain owner's consent.
+
+ When a server is authenticated via a DANE TLSA record with TLSA usage
+ DANE-TA(2) and the server certificate does not chain to a known
+ public root CA, CT cannot apply (CT logs only accept chains that
+ start with a known public root). Since TLSA certificate usage
+ DANE-TA(2) is generally intended to support non-public TAs, TLS
+ clients SHOULD NOT perform CT checks with usage DANE-TA(2).
+
+
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 8]
+
+RFC 7671 DANE Operations October 2015
+
+
+ With certificate usages PKIX-TA(0) and PKIX-EE(1), CT applies just as
+ it would without DANE. TLSA records of this type only constrain
+ which CAs are acceptable in PKIX validation. All checks used in the
+ absence of DANE still apply when validating certificate chains with
+ DANE PKIX-TA(0) and PKIX-EE(1) constraints.
+
+4.3. Switching from/to PKIX-TA/EE to/from DANE-TA/EE
+
+ The choice of preferred certificate usages may need to change as an
+ application protocol evolves. When transitioning between PKIX-TA/
+ PKIX-EE and DANE-TA/DANE-EE, clients begin to enable support for the
+ new certificate usage values. If the new preferred certificate
+ usages are PKIX-TA/EE, this requires installing and managing the
+ appropriate set of CA TAs. During this time, servers will publish
+ both types of TLSA records. At some later time, when the vast
+ majority of servers have published the new preferred TLSA records,
+ clients can stop supporting the legacy certificate usages.
+ Similarly, servers can stop publishing legacy TLSA records once the
+ vast majority of clients support the new certificate usages.
+
+5. Certificate-Usage-Specific DANE Updates and Guidelines
+
+ The four certificate usage values from the TLSA record -- DANE-EE(3),
+ DANE-TA(2), PKIX-EE(1), and PKIX-TA(0) -- are discussed below.
+
+5.1. Certificate Usage DANE-EE(3)
+
+ In this section, the meaning of DANE-EE(3) is updated from [RFC6698]
+ to specify that peer identity matching and validity period
+ enforcement are based solely on the TLSA RRset properties. This
+ document also extends [RFC6698] to cover the use of DANE
+ authentication of raw public keys [RFC7250] via TLSA records with
+ certificate usage DANE-EE(3) and selector SPKI(1).
+
+ Authentication via certificate usage DANE-EE(3) TLSA records involves
+ simply checking that the server's leaf certificate matches the TLSA
+ record. In particular, the binding of the server public key to its
+ name is based entirely on the TLSA record association. The server
+ MUST be considered authenticated even if none of the names in the
+ certificate match the client's reference identity for the server.
+ This simplifies the operation of servers that host multiple Customer
+ Domains, as a single certificate can be associated with multiple
+ domains without having to match each of the corresponding reference
+ identifiers.
+
+
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 9]
+
+RFC 7671 DANE Operations October 2015
+
+
+ ; Multiple Customer Domains hosted by an example.net
+ ; Service Provider:
+ ;
+ www.example.com. IN CNAME ex-com.example.net.
+ www.example.org. IN CNAME ex-org.example.net.
+ ;
+ ; In the provider's DNS zone, a single certificate and TLSA
+ ; record support multiple Customer Domains, greatly simplifying
+ ; "virtual hosting".
+ ;
+ ex-com.example.net. IN A 192.0.2.1
+ ex-org.example.net. IN A 192.0.2.1
+ _443._tcp.ex-com.example.net. IN CNAME tlsa._dane.example.net.
+ _443._tcp.ex-org.example.net. IN CNAME tlsa._dane.example.net.
+ tlsa._dane.example.net. IN TLSA 3 1 1 e3b0c44298fc1c14...
+
+ Also, with DANE-EE(3), the expiration date of the server certificate
+ MUST be ignored. The validity period of the TLSA record key binding
+ is determined by the validity period of the TLSA record DNSSEC
+ signatures. Validity is reaffirmed on an ongoing basis by continuing
+ to publish the TLSA record and signing the zone in which the record
+ is contained, rather than via dates "set in stone" in the
+ certificate. The expiration becomes a reminder to the administrator
+ that it is likely time to rotate the key, but missing the date no
+ longer causes an outage. When keys are rotated (for whatever
+ reason), it is important to follow the procedures outlined in
+ Section 8.
+
+ If a server uses just DANE-EE(3) TLSA records and all its clients are
+ DANE clients, the server need not employ SNI (i.e., it may ignore the
+ client's SNI message) even when the server is known via multiple
+ domain names that would otherwise require separate certificates. It
+ is instead sufficient for the TLSA RRsets for all the domain names in
+ question to match the server's default certificate. For application
+ protocols where the server name is obtained indirectly via SRV
+ records, MX records, or similar records, it is simplest to publish a
+ single hostname as the target server name for all the hosted domains.
+
+ In organizations where it is practical to make coordinated changes in
+ DNS TLSA records before server key rotation, it is generally best to
+ publish end-entity DANE-EE(3) certificate associations in preference
+ to other choices of certificate usage. DANE-EE(3) TLSA records
+ support multiple server names without SNI, don't suddenly stop
+ working when leaf or intermediate certificates expire, and don't fail
+ when a server operator neglects to include all the required issuer
+ certificates in the server certificate chain.
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 10]
+
+RFC 7671 DANE Operations October 2015
+
+
+ More specifically, it is RECOMMENDED that at most sites TLSA records
+ published for DANE servers be "DANE-EE(3) SPKI(1) SHA2-256(1)"
+ records. Selector SPKI(1) is chosen because it is compatible with
+ raw public keys [RFC7250] and the resulting TLSA record need not
+ change across certificate renewals with the same key. Matching type
+ SHA2-256(1) is chosen because all DANE implementations are required
+ to support SHA2-256. This TLSA record type easily supports hosting
+ arrangements with a single certificate matching all hosted domains.
+ It is also the easiest to implement correctly in the client.
+
+ Clients that support raw public keys can use DANE TLSA records with
+ certificate usage DANE-EE(3) and selector SPKI(1) to authenticate
+ servers that negotiate the use of raw public keys. Provided the
+ server adheres to the requirements of Section 8, the fact that raw
+ public keys are not compatible with any other TLSA record types will
+ not get in the way of successful authentication. Clients that employ
+ DANE to authenticate the peer server SHOULD NOT negotiate the use of
+ raw public keys unless the server's TLSA RRset includes "DANE-EE(3)
+ SPKI(1)" TLSA records.
+
+ While it is, in principle, also possible to authenticate raw public
+ keys via "DANE-EE(3) Cert(0) Full(0)" records by extracting the
+ public key from the certificate in DNS, extracting just the public
+ key from a "3 0 0" TLSA record requires extra logic on clients that
+ not all implementations are expected to provide. Servers that wish
+ to support [RFC7250] raw public keys need to publish TLSA records
+ with a certificate usage of DANE-EE(3) and a selector of SPKI(1).
+
+ While DANE-EE(3) TLSA records are expected to be by far the most
+ prevalent, as explained in Section 5.2, DANE-TA(2) records are a
+ valid alternative for sites with many DANE services. Note, however,
+ that virtual hosting is more complex with DANE-TA(2). Also, with
+ DANE-TA(2), server operators MUST ensure that the server is
+ configured with a sufficiently complete certificate chain and need to
+ remember to replace certificates prior to their expiration dates.
+
+5.2. Certificate Usage DANE-TA(2)
+
+ This section updates [RFC6698] by specifying a new operational
+ requirement for servers publishing TLSA records with a usage of
+ DANE-TA(2): such servers MUST include the TA certificate in their TLS
+ server certificate message unless all such TLSA records are "2 0 0"
+ records that publish the server certificate in full.
+
+ Some domains may prefer to avoid the operational complexity of
+ publishing unique TLSA RRs for each TLS service. If the domain
+ employs a common issuing CA to create certificates for multiple TLS
+ services, it may be simpler to publish the issuing authority as a TA
+
+
+
+Dukhovni & Hardaker Standards Track [Page 11]
+
+RFC 7671 DANE Operations October 2015
+
+
+ for the certificate chains of all relevant services. The TLSA query
+ domain (TLSA base domain with port and protocol prefix labels) for
+ each service issued by the same TA may then be set to a CNAME alias
+ that points to a common TLSA RRset that matches the TA. For example:
+
+ ; Two servers, each with its own certificate, that share
+ ; a common issuer (TA).
+ ;
+ www1.example.com. IN A 192.0.2.1
+ www2.example.com. IN A 192.0.2.2
+ _443._tcp.www1.example.com. IN CNAME tlsa._dane.example.com.
+ _443._tcp.www2.example.com. IN CNAME tlsa._dane.example.com.
+ tlsa._dane.example.com. IN TLSA 2 0 1 e3b0c44298fc1c14...
+
+ The above configuration simplifies server key rotation, because while
+ the servers continue to receive new certificates from a CA matched by
+ the shared (target of the CNAMEs) TLSA record, server certificates
+ can be updated without making any DNS changes. As the list of active
+ issuing CAs changes, the shared TLSA record will be updated (much
+ less frequently) by the administrators who manage the CAs. Those
+ administrators still need to perform TLSA record updates with care,
+ as described in Section 8.
+
+ With usage DANE-TA(2), the server certificates will need to have
+ names that match one of the client's reference identifiers (see
+ [RFC6125]). When hosting multiple unrelated Customer Domains (that
+ can't all appear in a single certificate), such a server SHOULD
+ employ SNI to select the appropriate certificate to present to the
+ client.
+
+5.2.1. Recommended Record Combinations
+
+ TLSA records with a matching type of Full(0) are NOT RECOMMENDED.
+ While these potentially obviate the need to transmit the TA
+ certificate in the TLS server certificate message, client
+ implementations may not be able to augment the server certificate
+ chain with the data obtained from DNS, especially when the TLSA
+ record supplies a bare key (selector SPKI(1)). Since the server will
+ need to transmit the TA certificate in any case, server operators
+ SHOULD publish TLSA records with a matching type other than Full(0)
+ and avoid potential DNS interoperability issues with large TLSA
+ records containing full certificates or keys (see Section 10.1.1).
+
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 12]
+
+RFC 7671 DANE Operations October 2015
+
+
+ TLSA Publishers employing DANE-TA(2) records SHOULD publish records
+ with a selector of Cert(0). Such TLSA records are associated with
+ the whole TA certificate, not just with the TA public key. In
+ particular, when authenticating the peer certificate chain via such a
+ TLSA record, the client SHOULD apply any relevant constraints from
+ the TA certificate, such as, for example, path length constraints.
+
+ While a selector of SPKI(1) may also be employed, the resulting TLSA
+ record will not specify the full TA certificate content, and elements
+ of the TA certificate other than the public key become mutable. This
+ may, for example, enable a subsidiary CA to issue a chain that
+ violates the TA's path length or name constraints.
+
+5.2.2. Trust Anchor Digests and Server Certificate Chain
+
+ With DANE-TA(2), a complication arises when the TA certificate is
+ omitted from the server's certificate chain, perhaps on the basis of
+ Section 7.4.2 of [RFC5246]:
+
+ The sender's certificate MUST come first in the list. Each
+ following certificate MUST directly certify the one preceding it.
+ Because certificate validation requires that root keys be
+ distributed independently, the self-signed certificate that
+ specifies the root certificate authority MAY be omitted from the
+ chain, under the assumption that the remote end must already
+ possess it in order to validate it in any case.
+
+ With TLSA certificate usage DANE-TA(2), there is no expectation that
+ the client is preconfigured with the TA certificate. In fact, client
+ implementations are free to ignore all locally configured TAs when
+ processing usage DANE-TA(2) TLSA records and may rely exclusively on
+ the certificates provided in the server's certificate chain. But,
+ with a digest in the TLSA record, the TLSA record contains neither
+ the full TA certificate nor the full public key. If the TLS server's
+ certificate chain does not contain the TA certificate, DANE clients
+ will be unable to authenticate the server.
+
+ TLSA Publishers that publish TLSA certificate usage DANE-TA(2)
+ associations with a selector of SPKI(1) or with a digest-based
+ matching type (not Full(0)) MUST ensure that the corresponding server
+ is configured to also include the TA certificate in its TLS handshake
+ certificate chain, even if that certificate is a self-signed root CA
+ and would have been optional in the context of the existing public
+ CA PKI.
+
+
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 13]
+
+RFC 7671 DANE Operations October 2015
+
+
+ Only when the server TLSA record includes a "DANE-TA(2) Cert(0)
+ Full(0)" TLSA record containing a full TA certificate is the TA
+ certificate optional in the server's TLS certificate message. This
+ is also the only type of DANE-TA(2) record for which the client MUST
+ be able to verify the server's certificate chain even if the TA
+ certificate appears only in DNS and is absent from the TLS handshake
+ server certificate message.
+
+5.2.3. Trust Anchor Public Keys
+
+ TLSA records with TLSA certificate usage DANE-TA(2), selector
+ SPKI(1), and a matching type of Full(0) publish the full public key
+ of a TA via DNS. In Section 6.1.1 of [RFC5280], the definition of a
+ TA consists of the following four parts:
+
+ 1. the trusted issuer name,
+
+ 2. the trusted public key algorithm,
+
+ 3. the trusted public key, and
+
+ 4. optionally, the trusted public key parameters associated with the
+ public key.
+
+ Items 2-4 are precisely the contents of the subjectPublicKeyInfo
+ published in the TLSA record. The issuer name is not included in the
+ subjectPublicKeyInfo.
+
+ With TLSA certificate usage DANE-TA(2), the client may not have the
+ associated TA certificate and cannot generally verify whether or not
+ a particular certificate chain is "issued by" the TA described in the
+ TLSA record.
+
+ When the server certificate chain includes a CA certificate whose
+ public key matches the TLSA record, the client can match that CA as
+ the intended issuer. Otherwise, the client can only check that the
+ topmost certificate in the server's chain is "signed by" the TA's
+ public key in the TLSA record. Such a check may be difficult to
+ implement and cannot be expected to be supported by all clients.
+
+ Thus, servers cannot rely on "DANE-TA(2) SPKI(1) Full(0)" TLSA
+ records to be sufficient to authenticate chains issued by the
+ associated public key in the absence of a corresponding certificate
+ in the server's TLS certificate message. Servers employing "2 1 0"
+ TLSA records MUST include the corresponding TA certificate in their
+ certificate chain.
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 14]
+
+RFC 7671 DANE Operations October 2015
+
+
+ If none of the server's certificate chain elements match a public key
+ specified in a TLSA record, and at least one "DANE-TA(2) SPKI(1)
+ Full(0)" TLSA record is available, it is RECOMMENDED that clients
+ check to see whether or not the topmost certificate in the chain is
+ signed by the provided public key and has not expired, and in that
+ case consider the server authenticated, provided the rest of the
+ chain passes validation, including leaf certificate name checks.
+
+5.3. Certificate Usage PKIX-EE(1)
+
+ This certificate usage is similar to DANE-EE(3); but, in addition,
+ PKIX verification is required. Therefore, name checks, certificate
+ expiration, CT, etc. apply as they would without DANE.
+
+5.4. Certificate Usage PKIX-TA(0)
+
+ This section updates [RFC6698] by specifying new client
+ implementation requirements. Clients that trust intermediate
+ certificates MUST be prepared to construct longer PKIX chains than
+ would be required for PKIX alone.
+
+ TLSA certificate usage PKIX-TA(0) allows a domain to publish
+ constraints on the set of PKIX CAs trusted to issue certificates for
+ its TLS servers. A PKIX-TA(0) TLSA record matches PKIX-verified
+ trust chains that contain an issuer certificate (root or
+ intermediate) that matches its Certificate Association Data field
+ (typically a certificate or digest).
+
+ PKIX-TA(0) requires more complex coordination (than with DANE-TA(2)
+ or DANE-EE(3)) between the Customer Domain and the Service Provider
+ in hosting arrangements. Thus, this certificate usage is
+ NOT RECOMMENDED when the Service Provider is not also the TLSA
+ Publisher (at the TLSA base domain obtained via CNAMEs, SRV records,
+ or MX records).
+
+ TLSA Publishers who publish TLSA records for a particular public root
+ CA will expect that clients will only accept chains anchored at that
+ root. It is possible, however, that the client's trusted certificate
+ store includes some intermediate CAs, either with or without the
+ corresponding root CA. When a client constructs a trust chain
+ leading from a trusted intermediate CA to the server leaf
+ certificate, such a "truncated" chain might not contain the trusted
+ root published in the server's TLSA record.
+
+ If the omitted root is also trusted, the client may erroneously
+ reject the server chain if it fails to determine that the shorter
+ chain it constructed extends to a longer trusted chain that matches
+ the TLSA record. Thus, when matching a usage PKIX-TA(0) TLSA record,
+
+
+
+Dukhovni & Hardaker Standards Track [Page 15]
+
+RFC 7671 DANE Operations October 2015
+
+
+ so long as no matching certificate has yet been found, a client MUST
+ continue extending the chain even after any locally trusted
+ certificate is found. If no TLSA records have matched any of the
+ elements of the chain and the trusted certificate found is not
+ self-issued, the client MUST attempt to build a longer chain in case
+ a certificate closer to the root matches the server's TLSA record.
+
+6. Service Provider and TLSA Publisher Synchronization
+
+ Whenever possible, the TLSA Publisher and the Service Provider should
+ be the same entity. Otherwise, they need to coordinate changes to
+ ensure that TLSA records published by the TLSA Publisher don't fall
+ out of sync with the server certificate used by the Service Provider.
+ Such coordination is difficult, and service outages will result when
+ coordination fails.
+
+ Publishing the TLSA record in the Service Provider's zone avoids the
+ complexity of bilateral coordination of server certificate
+ configuration and TLSA record management. Even when the TLSA RRset
+ has to be published in the Customer Domain's DNS zone (perhaps the
+ client application does not "chase" CNAMEs to the TLSA base domain),
+ it is possible to employ CNAME records to delegate the content of the
+ TLSA RRset to a domain operated by the Service Provider.
+
+ Only certificate usages DANE-EE(3) and DANE-TA(2) work well with TLSA
+ CNAMEs across organizational boundaries. With PKIX-TA(0) or
+ PKIX-EE(1), the Service Provider would need to obtain certificates in
+ the name of the Customer Domain from a suitable public CA (securely
+ impersonate the customer), or the customer would need to provision
+ the relevant private keys and certificates at the Service Provider's
+ systems.
+
+ Certificate Usage DANE-EE(3): In this case, the Service Provider can
+ publish a single TLSA RRset that matches the server certificate or
+ public key digest. The same RRset works for all Customer Domains
+ because name checks do not apply with DANE-EE(3) TLSA records (see
+ Section 5.1). A Customer Domain can create a CNAME record
+ pointing to the TLSA RRset published by the Service Provider.
+
+ Certificate Usage DANE-TA(2): When the Service Provider operates a
+ private CA, the Service Provider is free to issue a certificate
+ bearing any customer's domain name. Without DANE, such a
+ certificate would not pass trust verification, but with DANE, the
+ customer's TLSA RRset that is aliased to the provider's TLSA RRset
+ can delegate authority to the provider's CA for the corresponding
+ service. The Service Provider can generate appropriate
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 16]
+
+RFC 7671 DANE Operations October 2015
+
+
+ certificates for each customer and use the SNI information
+ provided by clients to select the right certificate chain to
+ present to each client.
+
+ Below are example DNS records (assumed "secure" and shown without the
+ associated DNSSEC information, such as record signatures) that
+ illustrate both of the above models in the case of an HTTPS service
+ whose clients all support DANE TLS. These examples work even with
+ clients that don't "chase" CNAMEs when constructing the TLSA base
+ domain (see Section 7 below).
+
+ ; The hosted web service is redirected via a CNAME alias.
+ ; The associated TLSA RRset is also redirected via a CNAME alias.
+ ;
+ ; Certificate usage DANE-EE(3) makes it possible to deploy
+ ; a single provider certificate for all Customer Domains.
+ ;
+ www1.example.com. IN CNAME w1.example.net.
+ _443._tcp.www1.example.com. IN CNAME _443._tcp.w1.example.net.
+ _443._tcp.w1.example.net. IN TLSA 3 1 1 (
+ 8A9A70596E869BED72C69D97A8895DFA
+ D86F300A343FECEFF19E89C27C896BC9 )
+
+ ;
+ ; A CA at the provider can also issue certificates for each Customer
+ ; Domain and employ the DANE-TA(2) certificate usage to
+ ; designate the provider's CA as a TA.
+ ;
+ www2.example.com. IN CNAME w2.example.net.
+ _443._tcp.www2.example.com. IN CNAME _443._tcp.w2.example.net.
+ _443._tcp.w2.example.net. IN TLSA 2 0 1 (
+ C164B2C3F36D068D42A6138E446152F5
+ 68615F28C69BD96A73E354CAC88ED00C )
+
+ With protocols that support explicit transport redirection via DNS MX
+ records, SRV records, or other similar records, the TLSA base domain
+ is based on the redirected transport endpoint rather than the origin
+ domain. With SMTP, for example, when an email service is hosted by a
+ Service Provider, the Customer Domain's MX hostnames will point at
+ the Service Provider's SMTP hosts. When the Customer Domain's DNS
+ zone is signed, the MX hostnames can be securely used as the base
+
+
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 17]
+
+RFC 7671 DANE Operations October 2015
+
+
+ domains for TLSA records that are published and managed by the
+ Service Provider. For example (without the required DNSSEC
+ information, such as record signatures):
+
+ ; Hosted SMTP service.
+ ;
+ example.com. IN MX 0 mx1.example.net.
+ example.com. IN MX 0 mx2.example.net.
+ _25._tcp.mx1.example.net. IN TLSA 3 1 1 (
+ 8A9A70596E869BED72C69D97A8895DFA
+ D86F300A343FECEFF19E89C27C896BC9 )
+ _25._tcp.mx2.example.net. IN TLSA 3 1 1 (
+ C164B2C3F36D068D42A6138E446152F5
+ 68615F28C69BD96A73E354CAC88ED00C )
+
+ If redirection to the Service Provider's domain (via MX records, SRV
+ records, or any similar mechanism) is not possible and aliasing of
+ the TLSA record is not an option, then more complex coordination
+ between the Customer Domain and Service Provider will be required.
+ Either the Customer Domain periodically provides private keys and a
+ corresponding certificate chain to the provider (after making
+ appropriate changes in its TLSA records), or the Service Provider
+ periodically generates the keys and certificates and needs to wait
+ for matching TLSA records to be published by its Customer Domains
+ before deploying newly generated keys and certificate chains.
+ Section 7 below describes an approach that employs CNAME "chasing" to
+ avoid the difficulties of coordinating key management across
+ organizational boundaries.
+
+ For further information about combining DANE and SRV, please see
+ [RFC7673].
+
+7. TLSA Base Domain and CNAMEs
+
+ When the application protocol does not support service location
+ indirection via MX, SRV, or similar DNS records, the service may be
+ redirected via a CNAME. A CNAME is a more blunt instrument for this
+ purpose because, unlike an MX or SRV record, it remaps the entire
+ origin domain to the target domain for all protocols.
+
+ The complexity of coordinating key management is largely eliminated
+ when DANE TLSA records are found in the Service Provider's domain, as
+ discussed in Section 6. Therefore, DANE TLS clients connecting to a
+ server whose domain name is a CNAME alias SHOULD follow the CNAME
+ "hop by hop" to its ultimate target host (noting at each step whether
+ or not the CNAME is DNSSEC validated). If at each stage of CNAME
+ expansion the DNSSEC validation status is "secure", the final target
+ name SHOULD be the preferred base domain for TLSA lookups.
+
+
+
+Dukhovni & Hardaker Standards Track [Page 18]
+
+RFC 7671 DANE Operations October 2015
+
+
+ Implementations failing to find a TLSA record using a base name of
+ the final target of a CNAME expansion SHOULD issue a TLSA query using
+ the original destination name. That is, the preferred TLSA base
+ domain SHOULD be derived from the fully expanded name and, failing
+ that, SHOULD be the initial domain name.
+
+ When the TLSA base domain is the result of "secure" CNAME expansion,
+ the resulting domain name MUST be used as the HostName in the
+ client's SNI extension and MUST be the primary reference identifier
+ for peer certificate matching with certificate usages other than
+ DANE-EE(3).
+
+ Protocol-specific TLSA specifications may provide additional guidance
+ or restrictions when following CNAME expansions.
+
+ Though CNAMEs are illegal on the right-hand side of most indirection
+ records, such as MX and SRV records, they are supported by some
+ implementations. For example, if the MX or SRV host is a CNAME
+ alias, some implementations may "chase" the CNAME. If they do, they
+ SHOULD use the target hostname as the preferred TLSA base domain as
+ described above (and, if the TLSA records are found there, also use
+ the CNAME-expanded domain in SNI and certificate name checks).
+
+8. TLSA Publisher Requirements
+
+ This section updates [RFC6698] by specifying that the TLSA Publisher
+ MUST ensure that each combination of certificate usage, selector, and
+ matching type in the server's TLSA RRset includes at least one record
+ that matches the server's current certificate chain. TLSA records
+ that match recently retired or yet-to-be-deployed certificate chains
+ will be present during key rollover. Such past or future records
+ MUST NOT at any time be the only records published for any given
+ combination of usage, selector, and matching type. The TLSA record
+ update process described below ensures that this requirement is met.
+
+ While a server is to be considered authenticated when its certificate
+ chain is matched by any of the published TLSA records, not all
+ clients support all combinations of TLSA record parameters. Some
+ clients may not support some digest algorithms; others may either not
+ support or exclusively support the PKIX certificate usages. Some
+ clients may prefer to negotiate [RFC7250] raw public keys, which are
+ only compatible with TLSA records whose certificate usage is
+ DANE-EE(3) with selector SPKI(1). The only other TLSA record type
+ that is potentially compatible with raw public keys is "DANE-EE(3)
+ Cert(0) Full(0)", but support for raw public keys with that TLSA
+ record type is not expected to be broadly implemented.
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 19]
+
+RFC 7671 DANE Operations October 2015
+
+
+ A consequence of the above uncertainty as to which TLSA parameters
+ are supported by any given client is that servers need to ensure that
+ each and every parameter combination that appears in the TLSA RRset
+ is, on its own, sufficient to match the server's current certificate
+ chain. In particular, when deploying new keys or new parameter
+ combinations, some care is required to not generate parameter
+ combinations that only match past or future certificate chains (or
+ raw public keys). The rest of this section explains how to update
+ the TLSA RRset in a manner that ensures that the above requirement
+ is met.
+
+8.1. Key Rollover with Fixed TLSA Parameters
+
+ The simplest case is key rollover while retaining the same set of
+ published parameter combinations. In this case, TLSA records
+ matching the existing server certificate chain (or raw public keys)
+ are first augmented with corresponding records matching the future
+ keys, at least two Times to Live (TTLs) or longer before the new
+ chain is deployed. This allows the obsolete RRset to age out of
+ client caches before the new chain is used in TLS handshakes. Once
+ sufficient time has elapsed and all clients performing DNS lookups
+ are retrieving the updated TLSA records, the server administrator may
+ deploy the new certificate chain, verify that it works, and then
+ remove any obsolete records matching the chain that is no longer
+ active:
+
+ ; Initial TLSA RRset.
+ ;
+ _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
+
+ ; Transitional TLSA RRset published at least two TTLs before
+ ; the actual key change.
+ ;
+ _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
+ _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b...
+
+ ; Final TLSA RRset after the key change.
+ ;
+ _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b...
+
+
+
+
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 20]
+
+RFC 7671 DANE Operations October 2015
+
+
+ The next case to consider is adding or switching to a new combination
+ of TLSA parameters. In this case, publish the new parameter
+ combinations for the server's existing certificate chain first, and
+ only then deploy new keys if desired:
+
+ ; Initial TLSA RRset.
+ ;
+ _443._tcp.www.example.org. IN TLSA 1 1 1 01d09d19c2139a46...
+
+ ; New TLSA RRset, same key re-published as DANE-EE(3).
+ ;
+ _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
+
+8.2. Switching to DANE-TA(2) from DANE-EE(3)
+
+ This section explains how to migrate to a new certificate chain and
+ TLSA record with usage DANE-TA(2) from a self-signed server
+ certificate and a "DANE-EE(3) SPKI(1) SHA2-256(1)" TLSA record. This
+ example assumes that a new private key is generated in conjunction
+ with transitioning to a new certificate issued by the desired TA.
+
+ The original "3 1 1" TLSA record supports [RFC7250] raw public keys,
+ and clients may choose to negotiate their use. The use of raw public
+ keys rules out the possibility of certificate chain verification.
+ Therefore, the transitional TLSA record for the planned DANE-TA(2)
+ certificate chain is a "3 1 1" record that works even when raw public
+ keys are used. The TLSA RRset is updated to use DANE-TA(2) only
+ after the new chain is deployed and the "3 1 1" record matching the
+ original key is dropped.
+
+ This process follows the requirement that each combination of
+ parameters present in the RRset is always sufficient to validate the
+ server. It avoids publishing a transitional TLSA RRset in which
+ "3 1 1" matches only the current key and "2 0 1" matches only the
+ future certificate chain, because these might not work reliably
+ during the initial deployment of the new keys.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 21]
+
+RFC 7671 DANE Operations October 2015
+
+
+ ; Initial TLSA RRset.
+ ;
+ _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
+
+ ; Transitional TLSA RRset, published at least two TTLs before the
+ ; actual key change. The new keys are issued by a DANE-TA(2) CA
+ ; but are initially specified via a DANE-EE(3) association.
+ ;
+ _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
+ _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b...
+
+ ; The final TLSA RRset after the key change. Now that the old
+ ; self-signed EE key is out of the picture, publish the issuing
+ ; TA of the new chain.
+ ;
+ _443._tcp.www.example.org. IN TLSA 2 0 1 c57bce38455d9e3d...
+
+8.3. Switching to New TLSA Parameters
+
+ When employing a new digest algorithm in the TLSA RRset, for
+ compatibility with digest algorithm agility as specified in Section 9
+ below, administrators SHOULD publish the new digest algorithm with
+ each combination of certificate usage and selector for each
+ associated key or chain used with any other digest algorithm. When
+ removing an algorithm, remove it entirely. Each digest algorithm
+ employed SHOULD match the same set of chains (or raw public keys).
+
+ ; Initial TLSA RRset with "DANE-EE(3) SHA2-256(1)" associations
+ ; for two keys.
+ ;
+ _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
+ _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b...
+
+ ; New TLSA RRset, also with SHA2-512(2) associations
+ ; for each key.
+ ;
+ _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
+ _443._tcp.www.example.org. IN TLSA 3 1 2 d9947c35089310bc...
+ _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b...
+ _443._tcp.www.example.org. IN TLSA 3 1 2 89a7486a4b6ae714...
+
+
+
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 22]
+
+RFC 7671 DANE Operations October 2015
+
+
+8.4. TLSA Publisher Requirements: Summary
+
+ In summary, server operators updating TLSA records should make one
+ change at a time. The individual safe changes are as follows:
+
+ o Pre-publish new certificate associations that employ the same TLSA
+ parameters (usage, selector, and matching type) as existing TLSA
+ records, but match certificate chains that will be deployed in the
+ near future.
+
+ o Wait for stale TLSA RRsets to expire from DNS caches before
+ configuring servers to use the new certificate chain.
+
+ o Remove TLSA records matching any certificate chains that are no
+ longer deployed.
+
+ o Publish TLSA RRsets in which all parameter combinations
+ (certificate usage, selector, and matching type) present in the
+ RRset match the same set of current and planned certificate
+ chains.
+
+ The above steps are intended to ensure that at all times, and for
+ each combination of usage, selector, and matching type, at least one
+ TLSA record corresponds to the server's current certificate chain.
+ Each combination of certificate usage, selector, and matching type in
+ a server's TLSA RRset SHOULD NOT at any time (including unexpired
+ RRsets in client caches) match only some combination of future or
+ past certificate chains. As a result, no matter what combinations of
+ usage, selector, and matching type may be supported by a given
+ client, they will be sufficient to authenticate the server.
+
+9. Digest Algorithm Agility
+
+ While [RFC6698] specifies multiple digest algorithms, it does not
+ specify a protocol by which the client and TLSA record publisher can
+ agree on the strongest shared algorithm. Such a protocol would allow
+ the client and server to avoid exposure to deprecated weaker
+ algorithms that are published for compatibility with less capable
+ clients but that SHOULD be avoided when possible. Such a protocol is
+ specified below.
+
+ This section defines a protocol for avoiding deprecated digest
+ algorithms when these are published in a peer's TLSA RRset alongside
+ stronger digest algorithms. Note that this protocol never avoids RRs
+ with a DANE matching type of Full(0), as these do not employ a digest
+ algorithm that might someday be weakened by cryptanalysis.
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 23]
+
+RFC 7671 DANE Operations October 2015
+
+
+ Client implementations SHOULD implement a default order of digest
+ algorithms by strength. This order SHOULD be configurable by the
+ administrator or user of the client software. If possible, a
+ configurable mapping from numeric DANE TLSA matching types to
+ underlying digest algorithms provided by the cryptographic library
+ SHOULD be implemented to allow new matching types to be used with
+ software that predates their introduction. Configurable ordering of
+ digest algorithms SHOULD be extensible to any new digest algorithms.
+
+ To make digest algorithm agility possible, all published DANE TLSA
+ RRsets MUST conform to the requirements of Section 8. Clients SHOULD
+ use digest algorithm agility when processing the peer's DANE TLSA
+ records. Algorithm agility is to be applied after first discarding
+ any unusable or malformed records (unsupported digest algorithm, or
+ incorrect digest length). For each usage and selector, the client
+ SHOULD process only any usable records with a matching type of
+ Full(0) and the usable records whose digest algorithm is considered
+ by the client to be the strongest among usable records with the given
+ usage and selector.
+
+ Example: a client implements digest algorithm agility and prefers
+ SHA2-512(2) over SHA2-256(1), while the server publishes an RRset
+ that employs both digest algorithms as well as a Full(0) record.
+
+ _25._tcp.mail.example.com. IN TLSA 3 1 1 (
+ 3FE246A848798236DD2AB78D39F0651D
+ 6B6E7CA8E2984012EB0A2E1AC8A87B72 )
+ _25._tcp.mail.example.com. IN TLSA 3 1 2 (
+ D4F5AF015B46C5057B841C7E7BAB759C
+ BF029526D29520C5BE6A32C67475439E
+ 54AB3A945D80C743347C9BD4DADC9D8D
+ 57FAB78EAA835362F3CA07CCC19A3214 )
+ _25._tcp.mail.example.com. IN TLSA 3 1 0 (
+ 3059301306072A8648CE3D020106082A
+ 8648CE3D0301070342000471CB1F504F
+ 9E4B33971376C005445DACD33CD79A28
+ 81C3DED1981F18E7AAA76609DD0E4EF2
+ 8265C82703030AD60C5DBA6FB8A9397A
+ C0FCF06D424C885D484887 )
+
+ In this case, the client SHOULD accept a server public key that
+ matches either the "3 1 0" record or the "3 1 2" record, but it
+ SHOULD NOT accept keys that match only the weaker "3 1 1" record.
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 24]
+
+RFC 7671 DANE Operations October 2015
+
+
+10. General DANE Guidelines
+
+ These guidelines provide guidance for using or designing protocols
+ for DANE.
+
+10.1. DANE DNS Record Size Guidelines
+
+ Selecting a combination of TLSA parameters to use requires careful
+ thought. One important consideration to take into account is the
+ size of the resulting TLSA record after its parameters are selected.
+
+10.1.1. UDP and TCP Considerations
+
+ Deployments SHOULD avoid TLSA record sizes that cause UDP
+ fragmentation.
+
+ Although DNS over TCP would provide the ability to more easily
+ transfer larger DNS records between clients and servers, it is not
+ universally deployed and is still prohibited by some firewalls.
+ Clients that request DNS records via UDP typically only use TCP upon
+ receipt of a truncated response in the DNS response message sent over
+ UDP. Setting the Truncation (TC) bit (Section 4.1.1 of [RFC1035])
+ alone will be insufficient if the response containing the TC bit is
+ itself fragmented.
+
+10.1.2. Packet Size Considerations for TLSA Parameters
+
+ Server operators SHOULD NOT publish TLSA records using both a TLSA
+ selector of Cert(0) and a TLSA matching type of Full(0), as even a
+ single certificate is generally too large to be reliably delivered
+ via DNS over UDP. Furthermore, two TLSA records containing full
+ certificates will need to be published simultaneously during a
+ certificate rollover, as discussed in Section 8.1.
+
+ While TLSA records using a TLSA selector of SPKI(1) and a TLSA
+ matching type of Full(0) (which publish the bare public keys, i.e.,
+ without the overhead of encapsulating the keys in an X.509
+ certificate) are generally more compact, these are also best avoided
+ when significantly larger than their digests. Rather, servers SHOULD
+ publish digest-based TLSA matching types in their TLSA records, in
+ which case the complete corresponding certificate MUST be transmitted
+ to the client in-band during the TLS handshake. The certificate (or
+ raw public key) can be easily verified using the digest value.
+
+ In summary, the use of a TLSA matching type of Full(0) is
+ NOT RECOMMENDED, and a digest-based matching type, such as
+ SHA2-256(1), SHOULD be used instead.
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 25]
+
+RFC 7671 DANE Operations October 2015
+
+
+10.2. Certificate Name Check Conventions
+
+ Certificates presented by a TLS server will generally contain a
+ subjectAltName (SAN) extension or a Common Name (CN) element within
+ the subject Distinguished Name (DN). The TLS server's DNS domain
+ name is normally published within these elements, ideally within the
+ SAN extension. (The use of the CN field for this purpose is
+ deprecated.)
+
+ When a server hosts multiple domains at the same transport endpoint,
+ the server's ability to respond with the right certificate chain is
+ predicated on correct SNI information from the client. DANE clients
+ MUST send the SNI extension with a HostName value of the base domain
+ of the TLSA RRset.
+
+ With the exception of TLSA certificate usage DANE-EE(3), where name
+ checks are not applicable (see Section 5.1), DANE clients MUST verify
+ that the client has reached the correct server by checking that the
+ server name is listed in the server certificate's SAN or CN (when
+ still supported). The primary server name used for this comparison
+ MUST be the TLSA base domain; however, additional acceptable names
+ may be specified by protocol-specific DANE standards. For example,
+ with SMTP, both the destination domain name and the MX hostname are
+ acceptable names to be found in the server certificate (see
+ [RFC7672]).
+
+ It is the responsibility of the service operator, in coordination
+ with the TLSA Publisher, to ensure that at least one of the TLSA
+ records published for the service will match the server's certificate
+ chain (either the default chain or the certificate that was selected
+ based on the SNI information provided by the client).
+
+ Given the DNSSEC-validated DNS records below:
+
+ example.com. IN MX 0 mail.example.com.
+ mail.example.com. IN A 192.0.2.1
+ _25._tcp.mail.example.com. IN TLSA 2 0 1 (
+ E8B54E0B4BAA815B06D3462D65FBC7C0
+ CF556ECCF9F5303EBFBB77D022F834C0 )
+
+ The TLSA base domain is "mail.example.com" and is required to be the
+ HostName in the client's SNI extension. The server certificate chain
+ is required to be signed by a TA with the above certificate SHA2-256
+ digest. Finally, one of the DNS names in the server certificate is
+ required to be either "mail.example.com" or "example.com" (this
+ additional name is a concession to compatibility with prior practice;
+ see [RFC7672] for details).
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 26]
+
+RFC 7671 DANE Operations October 2015
+
+
+ [RFC6125] specifies the semantics of wildcards in server certificates
+ for various application protocols. DANE does not change how
+ wildcards are treated by any given application.
+
+10.3. Design Considerations for Protocols Using DANE
+
+ When a TLS client goes to the trouble of authenticating a certificate
+ chain presented by a TLS server, it will typically not continue to
+ use that server in the event of authentication failure, or else
+ authentication serves no purpose. Some clients may, at times,
+ operate in an "audit" mode, where authentication failure is reported
+ to the user or in logs as a potential problem, but the connection
+ proceeds despite the failure. Nevertheless, servers publishing TLSA
+ records MUST be configured to allow correctly configured clients to
+ successfully authenticate their TLS certificate chains.
+
+ A service with DNSSEC-validated TLSA records implicitly promises TLS
+ support. When all the TLSA records for a service are found
+ "unusable" due to unsupported parameter combinations or malformed
+ certificate association data, DANE clients cannot authenticate the
+ service certificate chain. When authenticated TLS is mandatory, the
+ client MUST NOT connect to the associated server.
+
+ If, on the other hand, the use of TLS and DANE is "opportunistic"
+ [RFC7435], then when all TLSA records are unusable, the client SHOULD
+ connect to the server via an unauthenticated TLS connection, and if
+ TLS encryption cannot be established, the client MUST NOT connect to
+ the server.
+
+ Standards for opportunistic DANE TLS specific to a particular
+ application protocol may modify the above requirements. The key
+ consideration is whether or not mandating the use of
+ (unauthenticated) TLS even with unusable TLSA records is asking for
+ more security than one can realistically expect. If expecting TLS
+ support when unusable TLSA records are published is realistic for the
+ application in question, then the application MUST avoid cleartext.
+ If not realistic, then mandating TLS would cause clients (even in the
+ absence of active attacks) to run into problems with various peers
+ that do not interoperate "securely enough". That would create strong
+ incentives to just disable Opportunistic Security and stick with
+ cleartext.
+
+
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 27]
+
+RFC 7671 DANE Operations October 2015
+
+
+11. Note on DNSSEC Security
+
+ Clearly, the security of the DANE TLSA PKI rests on the security of
+ the underlying DNSSEC infrastructure. While this document is not a
+ guide to DNSSEC security, a few comments may be helpful to TLSA
+ implementers.
+
+ With the existing public CA Web PKI, name constraints are rarely
+ used, and a public root CA can issue certificates for any domain of
+ its choice. With DNSSEC, under the Registry/Registrar/Registrant
+ model, the situation is different: only the registrar of record can
+ update a domain's DS record [RFC4034] in the registry parent zone (in
+ some cases, however, the registry is the sole registrar). With many
+ Generic Top-Level Domains (gTLDs) for which multiple registrars
+ compete to provide domains in a single registry, it is important to
+ make sure that rogue registrars cannot easily initiate an
+ unauthorized domain transfer and thus take over DNSSEC for the
+ domain. DNS operators are advised to set a registrar lock on their
+ domains to offer some protection against this possibility.
+
+ When the registrar is also the DNS operator for the domain, one needs
+ to consider whether or not the registrar will allow orderly migration
+ of the domain to another registrar or DNS operator in a way that will
+ maintain DNSSEC integrity. TLSA Publishers are advised to seek out a
+ DNS hosting registrar that makes it possible to transfer domains to
+ another hosting provider without disabling DNSSEC.
+
+ DNSSEC-signed RRsets cannot be securely revoked before they expire.
+ Operators need to plan accordingly and not generate signatures of
+ excessively long duration. For domains publishing high-value keys, a
+ signature lifetime (length of the "signature validity period" as
+ described in Section 8.1 of [RFC4033]) of a few days is reasonable,
+ and the zone can be re-signed daily. For domains with less critical
+ data, a reasonable signature lifetime is a couple of weeks to a
+ month, and the zone can be re-signed weekly.
+
+ Short signature lifetimes require tighter synchronization of primary
+ and secondary nameservers, to make sure that secondary servers never
+ serve records with expired signatures. They also limit the maximum
+ time for which a primary server that signs the zone can be down.
+ Therefore, short signature lifetimes are more appropriate for sites
+ with dedicated operations staff, who can restore service quickly in
+ case of a problem.
+
+ Monitoring is important. If a DNS zone is not re-signed in a timely
+ manner, a major outage is likely, as the entire domain and all its
+ sub-domains become "bogus".
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 28]
+
+RFC 7671 DANE Operations October 2015
+
+
+12. Summary of Updates to RFC 6698
+
+ o Section 3 updates [RFC6698] to specify a requirement for clients
+ to support at least TLS 1.0 and to support SNI.
+
+ o Section 4 explains that application support for all four
+ certificate usages is NOT RECOMMENDED. The recommended design is
+ to support just DANE-EE(3) and DANE-TA(2).
+
+ o Section 5.1 updates [RFC6698] to specify that peer identity
+ matching and validity period enforcement are based solely on the
+ TLSA RRset properties. It also specifies DANE authentication of
+ raw public keys [RFC7250] via TLSA records with certificate usage
+ DANE-EE(3) and selector SPKI(1).
+
+ o Section 5.2 updates [RFC6698] to require that servers publishing
+ digest TLSA records with a usage of DANE-TA(2) MUST include the
+ TA certificate in their TLS server certificate message. This
+ extends to the case of "2 1 0" TLSA records that publish a full
+ public key.
+
+ o Section 5.4 observes that with usage PKIX-TA(0), clients may need
+ to process extended trust chains beyond the first trusted issuer
+ when that issuer is not self-signed.
+
+ o Section 7 recommends that DANE application protocols specify that,
+ when possible, securely CNAME-expanded names be used to derive the
+ TLSA base domain.
+
+ o Section 8 specifies a strategy for managing TLSA records that
+ interoperates with DANE clients regardless of what subset of the
+ possible TLSA record types (combinations of TLSA parameters) is
+ supported by the client.
+
+ o Section 9 specifies a digest algorithm agility protocol.
+
+ o Section 10.1 recommends against the use of Full(0) TLSA records,
+ as digest records are generally much more compact.
+
+13. Operational Considerations
+
+ The DNS TTL of TLSA records needs to be chosen with care. When an
+ unplanned change in the server's certificate chain and TLSA RRset is
+ required, such as when keys are compromised or lost, clients that
+ cache stale TLSA records will fail to validate the certificate chain
+ of the updated server. Publish TLSA RRsets with TTLs that are short
+ enough to limit unplanned service disruption to an acceptable
+ duration.
+
+
+
+Dukhovni & Hardaker Standards Track [Page 29]
+
+RFC 7671 DANE Operations October 2015
+
+
+ The signature lifetime (length of the signature validity period) for
+ TLSA records SHOULD NOT be too long. Signed DNSSEC records can be
+ replayed by an MITM attacker, provided the signatures have not yet
+ expired. Shorter signature validity periods allow for faster
+ invalidation of compromised keys. Zone refresh and expiration times
+ for secondary nameservers often imply a lower bound on the signature
+ validity period (Section 11). See Section 4.4.1 of [RFC6781].
+
+14. Security Considerations
+
+ Application protocols that cannot use the existing public CA Web PKI
+ may choose to not implement certain TLSA record types defined in
+ [RFC6698]. If such records are published despite not being supported
+ by the application protocol, they are treated as "unusable". When
+ TLS is opportunistic, the client MAY proceed to use the server with
+ mandatory unauthenticated TLS. This is stronger than opportunistic
+ TLS without DANE, since in that case the client may also proceed with
+ a cleartext connection. When TLS is not opportunistic, the client
+ MUST NOT connect to the server.
+
+ Thus, when TLSA records are used with opportunistic protocols where
+ PKIX-TA(0) and PKIX-EE(1) do not apply, the recommended protocol
+ design is for servers to not publish such TLSA records, and for
+ opportunistic TLS clients to use them to only enforce the use of
+ (albeit unauthenticated) TLS but otherwise treat them as unusable.
+ Of course, when PKIX-TA(0) and PKIX-EE(1) are supported by the
+ application protocol, clients MUST implement these certificate usages
+ as described in [RFC6698] and this document.
+
+15. References
+
+15.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "DNS Security Introduction and Requirements",
+ RFC 4033, DOI 10.17487/RFC4033, March 2005,
+ <http://www.rfc-editor.org/info/rfc4033>.
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Resource Records for the DNS Security Extensions",
+ RFC 4034, DOI 10.17487/RFC4034, March 2005,
+ <http://www.rfc-editor.org/info/rfc4034>.
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 30]
+
+RFC 7671 DANE Operations October 2015
+
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
+ <http://www.rfc-editor.org/info/rfc4035>.
+
+ [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
+ (TLS) Protocol Version 1.2", RFC 5246,
+ DOI 10.17487/RFC5246, August 2008,
+ <http://www.rfc-editor.org/info/rfc5246>.
+
+ [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
+ Housley, R., and W. Polk, "Internet X.509 Public Key
+ Infrastructure Certificate and Certificate Revocation List
+ (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
+ <http://www.rfc-editor.org/info/rfc5280>.
+
+ [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS)
+ Extensions: Extension Definitions", RFC 6066,
+ DOI 10.17487/RFC6066, January 2011,
+ <http://www.rfc-editor.org/info/rfc6066>.
+
+ [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
+ Verification of Domain-Based Application Service Identity
+ within Internet Public Key Infrastructure Using X.509
+ (PKIX) Certificates in the Context of Transport Layer
+ Security (TLS)", RFC 6125, DOI 10.17487/RFC6125,
+ March 2011, <http://www.rfc-editor.org/info/rfc6125>.
+
+ [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
+ Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
+ January 2012, <http://www.rfc-editor.org/info/rfc6347>.
+
+ [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
+ of Named Entities (DANE) Transport Layer Security (TLS)
+ Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698,
+ August 2012, <http://www.rfc-editor.org/info/rfc6698>.
+
+ [RFC7218] Gudmundsson, O., "Adding Acronyms to Simplify
+ Conversations about DNS-Based Authentication of Named
+ Entities (DANE)", RFC 7218, DOI 10.17487/RFC7218,
+ April 2014, <http://www.rfc-editor.org/info/rfc7218>.
+
+ [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J.,
+ Weiler, S., and T. Kivinen, "Using Raw Public Keys in
+ Transport Layer Security (TLS) and Datagram Transport
+ Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
+ June 2014, <http://www.rfc-editor.org/info/rfc7250>.
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 31]
+
+RFC 7671 DANE Operations October 2015
+
+
+15.2. Informative References
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
+ November 1987, <http://www.rfc-editor.org/info/rfc1035>.
+
+ [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
+ Operational Practices, Version 2", RFC 6781,
+ DOI 10.17487/RFC6781, December 2012,
+ <http://www.rfc-editor.org/info/rfc6781>.
+
+ [RFC6962] Laurie, B., Langley, A., and E. Kasper, "Certificate
+ Transparency", RFC 6962, DOI 10.17487/RFC6962, June 2013,
+ <http://www.rfc-editor.org/info/rfc6962>.
+
+ [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection
+ Most of the Time", RFC 7435, DOI 10.17487/RFC7435,
+ December 2014, <http://www.rfc-editor.org/info/rfc7435>.
+
+ [RFC7672] Dukhovni, V. and W. Hardaker, "SMTP Security via
+ Opportunistic DNS-Based Authentication of Named Entities
+ (DANE) Transport Layer Security (TLS)", RFC 7672,
+ DOI 10.17487/RFC7672, October 2015,
+ <http://www.rfc-editor.org/info/rfc7672>.
+
+ [RFC7673] Finch, T., Miller, M., and P. Saint-Andre, "Using
+ DNS-Based Authentication of Named Entities (DANE) TLSA
+ Records with SRV Records", RFC 7673, DOI 10.17487/RFC7673,
+ October 2015, <http://www.rfc-editor.org/info/rfc7673>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 32]
+
+RFC 7671 DANE Operations October 2015
+
+
+Acknowledgements
+
+ The authors would like to thank Phil Pennock for his comments and
+ advice on this document.
+
+ Acknowledgements from Viktor: Thanks to Tony Finch, who finally
+ prodded me into participating in DANE working group discussions.
+ Thanks to Paul Hoffman, who motivated me to produce this document and
+ provided feedback on early draft versions of it. Thanks also to
+ Samuel Dukhovni for editorial assistance.
+
+Authors' Addresses
+
+ Viktor Dukhovni
+ Two Sigma
+
+ Email: ietf-dane@dukhovni.org
+
+
+ Wes Hardaker
+ Parsons
+ P.O. Box 382
+ Davis, CA 95617
+ United States
+
+ Email: ietf@hardakers.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Standards Track [Page 33]
+