idnits 2.17.00 (12 Aug 2021) /tmp/idnits19548/draft-ietf-dane-smtp-with-dane-15.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 4, 2015) is 2634 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: draft-ietf-dane-ops has been published as RFC 7671 ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) == Outdated reference: draft-ietf-dane-srv has been published as RFC 7673 Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DANE V. Dukhovni 3 Internet-Draft Two Sigma 4 Intended status: Standards Track W. Hardaker 5 Expires: September 5, 2015 Parsons 6 March 4, 2015 8 SMTP security via opportunistic DANE TLS 9 draft-ietf-dane-smtp-with-dane-15 11 Abstract 13 This memo describes a downgrade-resistant protocol for SMTP transport 14 security between Mail Transfer Agents (MTAs) based on the DNS-Based 15 Authentication of Named Entities (DANE) TLSA DNS record. Adoption of 16 this protocol enables an incremental transition of the Internet email 17 backbone to one using encrypted and authenticated Transport Layer 18 Security (TLS). 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on September 5, 2015. 37 Copyright Notice 39 Copyright (c) 2015 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 55 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 56 1.2. Background . . . . . . . . . . . . . . . . . . . . . . . 5 57 1.3. SMTP channel security . . . . . . . . . . . . . . . . . . 6 58 1.3.1. STARTTLS downgrade attack . . . . . . . . . . . . . . 6 59 1.3.2. Insecure server name without DNSSEC . . . . . . . . . 7 60 1.3.3. Sender policy does not scale . . . . . . . . . . . . 8 61 1.3.4. Too many certification authorities . . . . . . . . . 8 62 2. Identifying applicable TLSA records . . . . . . . . . . . . . 8 63 2.1. DNS considerations . . . . . . . . . . . . . . . . . . . 8 64 2.1.1. DNS errors, bogus and indeterminate responses . . . . 8 65 2.1.2. DNS error handling . . . . . . . . . . . . . . . . . 11 66 2.1.3. Stub resolver considerations . . . . . . . . . . . . 11 67 2.2. TLS discovery . . . . . . . . . . . . . . . . . . . . . . 12 68 2.2.1. MX resolution . . . . . . . . . . . . . . . . . . . . 14 69 2.2.2. Non-MX destinations . . . . . . . . . . . . . . . . . 15 70 2.2.3. TLSA record lookup . . . . . . . . . . . . . . . . . 17 71 3. DANE authentication . . . . . . . . . . . . . . . . . . . . . 19 72 3.1. TLSA certificate usages . . . . . . . . . . . . . . . . . 19 73 3.1.1. Certificate usage DANE-EE(3) . . . . . . . . . . . . 20 74 3.1.2. Certificate usage DANE-TA(2) . . . . . . . . . . . . 21 75 3.1.3. Certificate usages PKIX-TA(0) and PKIX-EE(1) . . . . 22 76 3.2. Certificate matching . . . . . . . . . . . . . . . . . . 23 77 3.2.1. DANE-EE(3) name checks . . . . . . . . . . . . . . . 23 78 3.2.2. DANE-TA(2) name checks . . . . . . . . . . . . . . . 24 79 3.2.3. Reference identifier matching . . . . . . . . . . . . 25 80 4. Server key management . . . . . . . . . . . . . . . . . . . . 25 81 5. Digest algorithm agility . . . . . . . . . . . . . . . . . . 26 82 6. Mandatory TLS Security . . . . . . . . . . . . . . . . . . . 26 83 7. Note on DANE for Message User Agents . . . . . . . . . . . . 27 84 8. Interoperability considerations . . . . . . . . . . . . . . . 27 85 8.1. SNI support . . . . . . . . . . . . . . . . . . . . . . . 27 86 8.2. Anonymous TLS cipher suites . . . . . . . . . . . . . . . 28 87 9. Operational Considerations . . . . . . . . . . . . . . . . . 28 88 9.1. Client Operational Considerations . . . . . . . . . . . . 29 89 9.2. Publisher Operational Considerations . . . . . . . . . . 29 90 10. Security Considerations . . . . . . . . . . . . . . . . . . . 30 91 11. IANA considerations . . . . . . . . . . . . . . . . . . . . . 31 92 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31 93 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 31 94 13.1. Normative References . . . . . . . . . . . . . . . . . . 31 95 13.2. Informative References . . . . . . . . . . . . . . . . . 32 96 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 98 1. Introduction 100 This memo specifies a new connection security model for Message 101 Transfer Agents (MTAs). This model is motivated by key features of 102 inter-domain SMTP delivery, in particular the fact that the 103 destination server is selected indirectly via DNS Mail Exchange (MX) 104 records and that neither email addresses nor MX hostnames signal a 105 requirement for either secure or cleartext transport. Therefore, 106 aside from a few manually configured exceptions, SMTP transport 107 security is of necessity opportunistic. 109 This specification uses the presence of DANE TLSA records to securely 110 signal TLS support and to publish the means by which SMTP clients can 111 successfully authenticate legitimate SMTP servers. This becomes 112 "opportunistic DANE TLS" and is resistant to downgrade and man-in- 113 the-middle (MITM) attacks. It enables an incremental transition of 114 the email backbone to authenticated TLS delivery, with increased 115 global protection as adoption increases. 117 With opportunistic DANE TLS, traffic from SMTP clients to domains 118 that publish "usable" DANE TLSA records in accordance with this memo 119 is authenticated and encrypted. Traffic from legacy clients or to 120 domains that do not publish TLSA records will continue to be sent in 121 the same manner as before, via manually configured security, (pre- 122 DANE) opportunistic TLS or just cleartext SMTP. 124 Problems with existing use of TLS in MTA to MTA SMTP that motivate 125 this specification are described in Section 1.3. The specification 126 itself follows in Section 2 and Section 3 which describe respectively 127 how to locate and use DANE TLSA records with SMTP. In Section 6, we 128 discuss application of DANE TLS to destinations for which channel 129 integrity and confidentiality are mandatory. In Section 7 we briefly 130 comment on potential applicability of this specification to Message 131 User Agents. 133 1.1. Terminology 135 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 136 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 137 "OPTIONAL" in this document are to be interpreted as described in 138 [RFC2119]. 140 The following terms or concepts are used through the document: 142 Man-in-the-middle or MITM attack: Active modification of network 143 traffic by an adversary able to thereby compromise the 144 confidentiality or integrity of the data. 146 secure, bogus, insecure, indeterminate: DNSSEC validation results, 147 as defined in Section 4.3 of [RFC4035]. 149 Validating Security-Aware Stub Resolver and Non-Validating 150 Security-Aware Stub Resolver: 151 Capabilities of the stub resolver in use as defined in [RFC4033]; 152 note that this specification requires the use of a Security-Aware 153 Stub Resolver. 155 (pre-DANE) opportunistic TLS: Best-effort use of TLS that is 156 generally vulnerable to DNS forgery and STARTTLS downgrade 157 attacks. When a TLS-encrypted communication channel is not 158 available, message transmission takes place in the clear. MX 159 record indirection generally precludes authentication even when 160 TLS is available. 162 opportunistic DANE TLS: Best-effort use of TLS, resistant to 163 downgrade attacks for destinations with DNSSEC-validated TLSA 164 records. When opportunistic DANE TLS is determined to be 165 unavailable, clients should fall back to opportunistic TLS. 166 Opportunistic DANE TLS requires support for DNSSEC, DANE and 167 STARTTLS on the client side and STARTTLS plus a DNSSEC published 168 TLSA record on the server side. 170 reference identifier: (Special case of [RFC6125] definition). One 171 of the domain names associated by the SMTP client with the 172 destination SMTP server for performing name checks on the server 173 certificate. When name checks are applicable, at least one of the 174 reference identifiers MUST match an [RFC6125] DNS-ID (or if none 175 are present the [RFC6125] CN-ID) of the server certificate (see 176 Section 3.2.3). 178 MX hostname: The RRDATA of an MX record consists of a 16 bit 179 preference followed by a Mail Exchange domain name (see [RFC1035], 180 Section 3.3.9). We will use the term "MX hostname" to refer to 181 the latter, that is, the DNS domain name found after the 182 preference value in an MX record. Thus an "MX hostname" is 183 specifically a reference to a DNS domain name, rather than any 184 host that bears that name. 186 delayed delivery: Email delivery is a multi-hop store & forward 187 process. When an MTA is unable to forward a message that may 188 become deliverable later the message is queued and delivery is 189 retried periodically. Some MTAs may be configured with a fallback 190 next-hop destination that handles messages that the MTA would 191 otherwise queue and retry. When a fallback next-hop is 192 configured, messages that would otherwise have to be delayed may 193 be sent to the fallback next-hop destination instead. The 194 fallback destination may itself be subject to opportunistic or 195 mandatory DANE TLS (Section 6) as though it were the original 196 message destination. 198 original next hop destination: The logical destination for mail 199 delivery. By default this is the domain portion of the recipient 200 address, but MTAs may be configured to forward mail for some or 201 all recipients via designated relays. The original next hop 202 destination is, respectively, either the recipient domain or the 203 associated configured relay. 205 MTA: Message Transfer Agent ([RFC5598], Section 4.3.2). 207 MSA: Message Submission Agent ([RFC5598], Section 4.3.1). 209 MUA: Message User Agent ([RFC5598], Section 4.2.1). 211 RR: A DNS Resource Record as defined in [RFC1034], Section 3.6. 213 RRSet: An RRSet ([RFC2181], Section 5) is a group of DNS resource 214 records that share the same label, class and type. 216 1.2. Background 218 The Domain Name System Security Extensions (DNSSEC) add data origin 219 authentication, data integrity and data non-existence proofs to the 220 Domain Name System (DNS). DNSSEC is defined in [RFC4033], [RFC4034] 221 and [RFC4035]. 223 As described in the introduction of [RFC6698], TLS authentication via 224 the existing public Certification Authority (CA) PKI suffers from an 225 over-abundance of trusted parties capable of issuing certificates for 226 any domain of their choice. DANE leverages the DNSSEC infrastructure 227 to publish trusted public keys and certificates for use with the 228 Transport Layer Security (TLS) [RFC5246] protocol via a new "TLSA" 229 DNS record type. With DNSSEC each domain can only vouch for the keys 230 of its directly delegated sub-domains. 232 The TLS protocol enables secure TCP communication. In the context of 233 this memo, channel security is assumed to be provided by TLS. Used 234 without authentication, TLS provides only privacy protection against 235 eavesdropping attacks. With authentication, TLS also provides data 236 integrity protection to guard against MITM attacks. 238 1.3. SMTP channel security 240 With HTTPS, Transport Layer Security (TLS) employs X.509 certificates 241 [RFC5280] issued by one of the many Certification Authorities (CAs) 242 bundled with popular web browsers to allow users to authenticate 243 their "secure" websites. Before we specify a new DANE TLS security 244 model for SMTP, we will explain why a new security model is needed. 245 In the process, we will explain why the familiar HTTPS security model 246 is inadequate to protect inter-domain SMTP traffic. 248 The subsections below outline four key problems with applying 249 traditional PKI to SMTP that are addressed by this specification. 250 Since SMTP channel security policy is not explicitly specified in 251 either the recipient address or the MX record, a new signaling 252 mechanism is required to indicate when channel security is possible 253 and should be used. The publication of TLSA records allows server 254 operators to securely signal to SMTP clients that TLS is available 255 and should be used. DANE TLSA makes it possible to simultaneously 256 discover which destination domains support secure delivery via TLS 257 and how to verify the authenticity of the associated SMTP services, 258 providing a path forward to ubiquitous SMTP channel security. 260 1.3.1. STARTTLS downgrade attack 262 The Simple Mail Transfer Protocol (SMTP) [RFC5321] is a single-hop 263 protocol in a multi-hop store & forward email delivery process. An 264 SMTP envelope recipient address does not correspond to a specific 265 transport-layer endpoint address, rather at each relay hop the 266 transport-layer endpoint is the next-hop relay, while the envelope 267 recipient address typically remains the same. Unlike the Hypertext 268 Transfer Protocol (HTTP) and its corresponding secured version, 269 HTTPS, where the use of TLS is signaled via the URI scheme, email 270 recipient addresses do not directly signal transport security policy. 271 Indeed, no such signaling could work well with SMTP since TLS 272 encryption of SMTP protects email traffic on a hop-by-hop basis while 273 email addresses could only express end-to-end policy. 275 With no mechanism available to signal transport security policy, SMTP 276 relays employ a best-effort "opportunistic" security model for TLS. 277 A single SMTP server TCP listening endpoint can serve both TLS and 278 non-TLS clients; the use of TLS is negotiated via the SMTP STARTTLS 279 command ([RFC3207]). The server signals TLS support to the client 280 over a cleartext SMTP connection, and, if the client also supports 281 TLS, it may negotiate a TLS encrypted channel to use for email 282 transmission. The server's indication of TLS support can be easily 283 suppressed by an MITM attacker. Thus pre-DANE SMTP TLS security can 284 be subverted by simply downgrading a connection to cleartext. No TLS 285 security feature, such as the use of PKIX, can prevent this. The 286 attacker can simply disable TLS. 288 1.3.2. Insecure server name without DNSSEC 290 With SMTP, DNS Mail Exchange (MX) records abstract the next-hop 291 transport endpoint and allow administrators to specify a set of 292 target servers to which SMTP traffic should be directed for a given 293 domain. 295 A PKIX TLS client is vulnerable to MITM attacks unless it verifies 296 that the server's certificate binds the public key to a name that 297 matches one of the client's reference identifiers. A natural choice 298 of reference identifier is the server's domain name. However, with 299 SMTP, server names are not directly encoded in the recipient address, 300 instead they are obtained indirectly via MX records. Without DNSSEC, 301 the MX lookup is vulnerable to MITM and DNS cache poisoning attacks. 302 Active attackers can forge DNS replies with fake MX records and can 303 redirect email to servers with names of their choice. Therefore, 304 secure verification of SMTP TLS certificates matching the server name 305 is not possible without DNSSEC. 307 One might try to harden TLS for SMTP against DNS attacks by using the 308 envelope recipient domain as a reference identifier and by requiring 309 each SMTP server to possess a trusted certificate for the envelope 310 recipient domain rather than the MX hostname. Unfortunately, this is 311 impractical as email for many domains is handled by third parties 312 that are not in a position to obtain certificates for all the domains 313 they serve. Deployment of the Server Name Indication (SNI) extension 314 to TLS (see [RFC6066] Section 3) is no panacea, since SNI key 315 management is operationally challenging except when the email service 316 provider is also the domain's registrar and its certificate issuer; 317 this is rarely the case for email. 319 Since the recipient domain name cannot be used as the SMTP server 320 reference identifier, and neither can the MX hostname without DNSSEC, 321 large-scale deployment of authenticated TLS for SMTP requires that 322 the DNS be secure. 324 Since SMTP security depends critically on DNSSEC, it is important to 325 point out that consequently SMTP with DANE is the most conservative 326 possible trust model. It trusts only what must be trusted and no 327 more. Adding any other trusted actors to the mix can only reduce 328 SMTP security. A sender may choose to further harden DNSSEC for 329 selected high-value receiving domains by configuring explicit trust 330 anchors for those domains instead of relying on the chain of trust 331 from the root domain. However, detailed discussion of DNSSEC 332 security practices is out of scope for this document. 334 1.3.3. Sender policy does not scale 336 Sending systems are in some cases explicitly configured to use TLS 337 for mail sent to selected peer domains, but this requires configuring 338 sending MTAs with appropriate subject names or certificate content 339 digests from their peer domains. Due to the resulting administrative 340 burden, such statically configured SMTP secure channels are used 341 rarely (generally only between domains that make bilateral 342 arrangements with their business partners). Internet email, on the 343 other hand, requires regularly contacting new domains for which 344 security configurations cannot be established in advance. 346 The abstraction of the SMTP transport endpoint via DNS MX records, 347 often across organization boundaries, limits the use of public CA PKI 348 with SMTP to a small set of sender-configured peer domains. With 349 little opportunity to use TLS authentication, sending MTAs are rarely 350 configured with a comprehensive list of trusted CAs. SMTP services 351 that support STARTTLS often deploy X.509 certificates that are self- 352 signed or issued by a private CA. 354 1.3.4. Too many certification authorities 356 Even if it were generally possible to determine a secure server name, 357 the SMTP client would still need to verify that the server's 358 certificate chain is issued by a trusted Certification Authority (a 359 trust anchor). MTAs are not interactive applications where a human 360 operator can make a decision (wisely or otherwise) to selectively 361 disable TLS security policy when certificate chain verification 362 fails. With no user to "click OK", the MTA's list of public CA trust 363 anchors would need to be comprehensive in order to avoid bouncing 364 mail addressed to sites that employ unknown Certification 365 Authorities. 367 On the other hand, each trusted CA can issue certificates for any 368 domain. If even one of the configured CAs is compromised or operated 369 by an adversary, it can subvert TLS security for all destinations. 370 Any set of CAs is simultaneously both overly inclusive and not 371 inclusive enough. 373 2. Identifying applicable TLSA records 375 2.1. DNS considerations 377 2.1.1. DNS errors, bogus and indeterminate responses 379 An SMTP client that implements opportunistic DANE TLS per this 380 specification depends critically on the integrity of DNSSEC lookups, 381 as discussed in Section 1.3.2. This section lists the DNS resolver 382 requirements needed to avoid downgrade attacks when using 383 opportunistic DANE TLS. 385 A DNS lookup may signal an error or return a definitive answer. A 386 security-aware resolver must be used for this specification. 387 Security-aware resolvers will indicate the security status of a DNS 388 RRSet with one of four possible values defined in Section 4.3 of 389 [RFC4035]: "secure", "insecure", "bogus" and "indeterminate". In 390 [RFC4035] the meaning of the "indeterminate" security status is: 392 An RRSet for which the resolver is not able to determine whether 393 the RRSet should be signed, as the resolver is not able to obtain 394 the necessary DNSSEC RRs. This can occur when the security-aware 395 resolver is not able to contact security-aware name servers for 396 the relevant zones. 398 Note, the "indeterminate" security status has a conflicting 399 definition in section 5 of [RFC4033]. 401 There is no trust anchor that would indicate that a specific 402 portion of the tree is secure. 404 To avoid further confusion, the adjective "anchorless" will be used 405 below to refer to domains or RRSets that are "indeterminate" in the 406 [RFC4033] sense, and the term "indeterminate" will be used 407 exclusively in the sense of [RFC4035]. 409 SMTP clients following this specification SHOULD NOT distinguish 410 between "insecure" and "anchorless" DNS responses. Both "insecure" 411 and "anchorless" RRSets MUST be handled identically: in either case 412 unvalidated data for the query domain is all that is and can be 413 available, and authentication using the data is impossible. In what 414 follows, the term "insecure" will also include the case of 415 "anchorless" domains that lie in a portion of the DNS tree for which 416 there is no applicable trust anchor. With the DNS root zone signed, 417 we expect that validating resolvers used by Internet-facing MTAs will 418 be configured with trust anchor data for the root zone, and that 419 therefore "anchorless" domains should be rare in practice. 421 As noted in section 4.3 of [RFC4035], a security-aware DNS resolver 422 MUST be able to determine whether a given non-error DNS response is 423 "secure", "insecure", "bogus" or "indeterminate". It is expected 424 that most security-aware stub resolvers will not signal an 425 "indeterminate" security status (in the sense of RFC4035) to the 426 application, and will signal a "bogus" or error result instead. If a 427 resolver does signal an RFC4035 "indeterminate" security status, this 428 MUST be treated by the SMTP client as though a "bogus" or error 429 result had been returned. 431 An MTA making use of a non-validating security-aware stub resolver 432 MAY use the stub resolver's ability, if available, to signal DNSSEC 433 validation status based on information the stub resolver has learned 434 from an upstream validating recursive resolver. Security-Oblivious 435 stub-resolvers ([RFC4033]) MUST NOT be used. In accordance with 436 section 4.9.3 of [RFC4035]: 438 ... a security-aware stub resolver MUST NOT place any reliance on 439 signature validation allegedly performed on its behalf, except 440 when the security-aware stub resolver obtained the data in question 441 from a trusted security-aware recursive name server via a secure 442 channel. 444 To avoid much repetition in the text below, we will pause to explain 445 the handling of "bogus" or "indeterminate" DNSSEC query responses. 446 These are not necessarily the result of a malicious actor; they can, 447 for example, occur when network packets are corrupted or lost in 448 transit. Therefore, "bogus" or "indeterminate" replies are equated 449 in this memo with lookup failure. 451 There is an important non-failure condition we need to highlight in 452 addition to the obvious case of the DNS client obtaining a non-empty 453 "secure" or "insecure" RRSet of the requested type. Namely, it is 454 not an error when either "secure" or "insecure" non-existence is 455 determined for the requested data. When a DNSSEC response with a 456 validation status that is either "secure" or "insecure" reports 457 either no records of the requested type or non-existence of the query 458 domain, the response is not a DNS error condition. The DNS client 459 has not been left without an answer; it has learned that records of 460 the requested type do not exist. 462 Security-aware stub resolvers will, of course, also signal DNS lookup 463 errors in other cases, for example when processing a "ServFail" 464 RCODE, which will not have an associated DNSSEC status. All lookup 465 errors are treated the same way by this specification, regardless of 466 whether they are from a "bogus" or "indeterminate" DNSSEC status or 467 from a more generic DNS error: the information that was requested 468 cannot be obtained by the security-aware resolver at this time. A 469 lookup error is thus a failure to obtain the relevant RRSet if it 470 exists, or to determine that no such RRSet exists when it does not. 472 In contrast to a "bogus" or an "indeterminate" response, an 473 "insecure" DNSSEC response is not an error, rather it indicates that 474 the target DNS zone is either securely opted out of DNSSEC validation 475 or is not connected with the DNSSEC trust anchors being used. 476 Insecure results will leave the SMTP client with degraded channel 477 security, but do not stand in the way of message delivery. See 478 section Section 2.2 for further details. 480 2.1.2. DNS error handling 482 When a DNS lookup failure (error or "bogus" or "indeterminate" as 483 defined above) prevents an SMTP client from determining which SMTP 484 server or servers it should connect to, message delivery MUST be 485 delayed. This naturally includes, for example, the case when a 486 "bogus" or "indeterminate" response is encountered during MX 487 resolution. When multiple MX hostnames are obtained from a 488 successful MX lookup, but a later DNS lookup failure prevents network 489 address resolution for a given MX hostname, delivery may proceed via 490 any remaining MX hosts. 492 When a particular SMTP server is securely identified as the delivery 493 destination, a set of DNS lookups (Section 2.2) MUST be performed to 494 locate any related TLSA records. If any DNS queries used to locate 495 TLSA records fail (be it due to "bogus" or "indeterminate" records, 496 timeouts, malformed replies, ServFails, etc.), then the SMTP client 497 MUST treat that server as unreachable and MUST NOT deliver the 498 message via that server. If no servers are reachable, delivery is 499 delayed. 501 In what follows, we will only describe what happens when all relevant 502 DNS queries succeed. If any DNS failure occurs, the SMTP client MUST 503 behave as described in this section, by skipping the problem SMTP 504 server, or the problem destination. Queries for candidate TLSA 505 records are explicitly part of "all relevant DNS queries" and SMTP 506 clients MUST NOT continue to connect to an SMTP server or destination 507 whose TLSA record lookup fails. 509 2.1.3. Stub resolver considerations 511 SMTP clients that employ opportunistic DANE TLS to secure connections 512 to SMTP servers MUST NOT use Security-Oblivious ([RFC4033]) stub- 513 resolvers. 515 A note about DNAME aliases: a query for a domain name whose ancestor 516 domain is a DNAME alias returns the DNAME RR for the ancestor domain 517 along with a CNAME that maps the query domain to the corresponding 518 sub-domain of the target domain of the DNAME alias [RFC6672]. 519 Therefore, whenever we speak of CNAME aliases, we implicitly allow 520 for the possibility that the alias in question is the result of an 521 ancestor domain DNAME record. Consequently, no explicit support for 522 DNAME records is needed in SMTP software; it is sufficient to process 523 the resulting CNAME aliases. DNAME records only require special 524 processing in the validating stub-resolver library that checks the 525 integrity of the combined DNAME + CNAME reply. When DNSSEC 526 validation is handled by a local caching resolver, rather than the 527 MTA itself, even that part of the DNAME support logic is outside the 528 MTA. 530 When a stub resolver returns a response containing a CNAME alias that 531 does not also contain the corresponding query results for the target 532 of the alias, the SMTP client will need to repeat the query at the 533 target of the alias, and should do so recursively up to some 534 configured or implementation-dependent recursion limit. If at any 535 stage of CNAME expansion an error is detected, the lookup of the 536 original requested records MUST be considered to have failed. 538 Whether a chain of CNAME records was returned in a single stub 539 resolver response or via explicit recursion by the SMTP client, if at 540 any stage of recursive expansion an "insecure" CNAME record is 541 encountered, then it and all subsequent results (in particular, the 542 final result) MUST be considered "insecure" regardless of whether any 543 earlier CNAME records leading to the "insecure" record were "secure". 545 Note that a security-aware non-validating stub resolver may return to 546 the SMTP client an "insecure" reply received from a validating 547 recursive resolver that contains a CNAME record along with additional 548 answers recursively obtained starting at the target of the CNAME. In 549 this case, the only possible conclusion is that some record in the 550 set of records returned is "insecure", and it is in fact possible 551 that the initial CNAME record and a subset of the subsequent records 552 are "secure". 554 If the SMTP client needs to determine the security status of the DNS 555 zone containing the initial CNAME record, it may need to issue a 556 separate query of type "CNAME" that returns only the initial CNAME 557 record. In particular in Section 2.2.2 when insecure A or AAAA 558 records are found for an SMTP server via a CNAME alias, it may be 559 necessary to perform an additional CNAME query to determine whether 560 the DNS zone in which the alias is published is signed. 562 2.2. TLS discovery 564 As noted previously (in Section 1.3.1), opportunistic TLS with SMTP 565 servers that advertise TLS support via STARTTLS is subject to an MITM 566 downgrade attack. Also some SMTP servers that are not, in fact, TLS 567 capable erroneously advertise STARTTLS by default and clients need to 568 be prepared to retry cleartext delivery after STARTTLS fails. In 569 contrast, DNSSEC validated TLSA records MUST NOT be published for 570 servers that do not support TLS. Clients can safely interpret their 571 presence as a commitment by the server operator to implement TLS and 572 STARTTLS. 574 This memo defines four actions to be taken after the search for a 575 TLSA record returns secure usable results, secure unusable results, 576 insecure or no results or an error signal. The term "usable" in this 577 context is in the sense of Section 4.1 of [RFC6698]. Specifically, 578 if the DNS lookup for a TLSA record returns: 580 A secure TLSA RRSet with at least one usable record: A connection to 581 the MTA MUST be made using authenticated and encrypted TLS, using 582 the techniques discussed in the rest of this document. Failure to 583 establish an authenticated TLS connection MUST result in falling 584 back to the next SMTP server or delayed delivery. 586 A secure non-empty TLSA RRSet where all the records are unusable: A 587 connection to the MTA MUST be made via TLS, but authentication is 588 not required. Failure to establish an encrypted TLS connection 589 MUST result in falling back to the next SMTP server or delayed 590 delivery. 592 An insecure TLSA RRSet or DNSSEC validated proof-of-non-existent TLSA 593 records: 594 A connection to the MTA SHOULD be made using (pre-DANE) 595 opportunistic TLS, this includes using cleartext delivery when the 596 remote SMTP server does not appear to support TLS. The MTA MAY 597 retry in cleartext when delivery via TLS fails either during the 598 handshake or even during data transfer. 600 Any lookup error: Lookup errors, including "bogus" and 601 "indeterminate", as explained in Section 2.1.1 MUST result in 602 falling back to the next SMTP server or delayed delivery. 604 An SMTP client MAY be configured to mandate DANE verified delivery 605 for some destinations. With mandatory DANE TLS (Section 6), delivery 606 proceeds only when "secure" TLSA records are used to establish an 607 encrypted and authenticated TLS channel with the SMTP server. 609 When the original next-hop destination is an address literal, rather 610 than a DNS domain, DANE TLS does not apply. Delivery proceeds using 611 any relevant security policy configured by the MTA administrator. 612 Similarly, when an MX RRSet incorrectly lists a network address in 613 lieu of an MX hostname, if an MTA chooses to connect to the network 614 address in the non-conformant MX record, DANE TLSA does not apply for 615 such a connection. 617 In the subsections that follow we explain how to locate the SMTP 618 servers and the associated TLSA records for a given next-hop 619 destination domain. We also explain which name or names are to be 620 used in identity checks of the SMTP server certificate. 622 2.2.1. MX resolution 624 In this section we consider next-hop domains that are subject to MX 625 resolution and have MX records. The TLSA records and the associated 626 base domain are derived separately for each MX hostname that is used 627 to attempt message delivery. DANE TLS can authenticate message 628 delivery to the intended next-hop domain only when the MX records are 629 obtained securely via a DNSSEC validated lookup. 631 MX records MUST be sorted by preference; an MX hostname with a worse 632 (numerically higher) MX preference that has TLSA records MUST NOT 633 preempt an MX hostname with a better (numerically lower) preference 634 that has no TLSA records. In other words, prevention of delivery 635 loops by obeying MX preferences MUST take precedence over channel 636 security considerations. Even with two equal-preference MX records, 637 an MTA is not obligated to choose the MX hostname that offers more 638 security. Domains that want secure inbound mail delivery need to 639 ensure that all their SMTP servers and MX records are configured 640 accordingly. 642 In the language of [RFC5321] Section 5.1, the original next-hop 643 domain is the "initial name". If the MX lookup of the initial name 644 results in a CNAME alias, the MTA replaces the initial name with the 645 resulting name and performs a new lookup with the new name. MTAs 646 typically support recursion in CNAME expansion, so this replacement 647 is performed repeatedly (up to the MTA's recursion limit) until the 648 ultimate non-CNAME domain is found. 650 If the MX RRSet (or any CNAME leading to it) is "insecure" (see 651 Section 2.1.1), DANE TLS need not apply, and delivery MAY proceed via 652 pre-DANE opportunistic TLS. That said, the protocol in this memo is 653 an "opportunistic security" protocol, meaning that it strives to 654 communicate with each peer as securely as possible, while maintaining 655 broad interoperability. Therefore, the SMTP client MAY proceed to 656 use DANE TLS (as described in Section 2.2.2 below) even with MX hosts 657 obtained via an "insecure" MX RRSet. For example, when a hosting 658 provider has a signed DNS zone and publishes TLSA records for its 659 SMTP servers, hosted domains that are not signed may still benefit 660 from the provider's TLSA records. Deliveries via the provider's SMTP 661 servers will not be subject to active attacks when sending SMTP 662 clients elect to make use of the provider's TLSA records. 664 When the MX records are not (DNSSEC) signed, an active attacker can 665 redirect SMTP clients to MX hosts of his choice. Such redirection is 666 tamper-evident when SMTP servers found via "insecure" MX records are 667 recorded as the next-hop relay in the MTA delivery logs in their 668 original (rather than CNAME expanded) form. Sending MTAs SHOULD log 669 unexpanded MX hostnames when these result from insecure MX lookups. 671 Any successful authentication via an insecurely determined MX host 672 MUST NOT be misrepresented in the mail logs as secure delivery to the 673 intended next-hop domain. When DANE TLS is mandatory (Section 6) for 674 a given destination, delivery MUST be delayed when the MX RRSet is 675 not "secure". 677 Otherwise, assuming no DNS errors (Section 2.1.1), the MX RRSet is 678 "secure", and the SMTP client MUST treat each MX hostname as a 679 separate non-MX destination for opportunistic DANE TLS as described 680 in Section 2.2.2. When, for a given MX hostname, no TLSA records are 681 found, or only "insecure" TLSA records are found, DANE TLSA is not 682 applicable with the SMTP server in question and delivery proceeds to 683 that host as with pre-DANE opportunistic TLS. To avoid downgrade 684 attacks, any errors during TLSA lookups MUST, as explained in 685 Section 2.1.1, cause the SMTP server in question to be treated as 686 unreachable. 688 2.2.2. Non-MX destinations 690 This section describes the algorithm used to locate the TLSA records 691 and associated TLSA base domain for an input domain not subject to MX 692 resolution. Such domains include: 694 o Each MX hostname used in a message delivery attempt for an 695 original next-hop destination domain subject to MX resolution. 696 Note, MTAs are not obligated to support CNAME expansion of MX 697 hostnames. 699 o Any administrator configured relay hostname, not subject to MX 700 resolution. This frequently involves configuration set by the MTA 701 administrator to handle some or all mail. 703 o A next-hop destination domain subject to MX resolution that has no 704 MX records. In this case the domain's name is implicitly also its 705 sole SMTP server name. 707 Note that DNS queries with type TLSA are mishandled by load balancing 708 nameservers that serve the MX hostnames of some large email 709 providers. The DNS zones served by these nameservers are not signed 710 and contain no TLSA records, but queries for TLSA records fail, 711 rather than returning the non-existence of the requested TLSA 712 records. 714 To avoid problems delivering mail to domains whose SMTP servers are 715 served by the problem nameservers the SMTP client MUST perform any A 716 and/or AAAA queries for the destination before attempting to locate 717 the associated TLSA records. This lookup is needed in any case to 718 determine whether the destination domain is reachable and the DNSSEC 719 validation status of the chain of CNAME queries required to reach the 720 ultimate address records. 722 If no address records are found, the destination is unreachable. If 723 address records are found, but the DNSSEC validation status of the 724 first query response is "insecure" (see Section 2.1.3), the SMTP 725 client SHOULD NOT proceed to search for any associated TLSA records. 726 With the problem domains, TLSA queries will lead to DNS lookup errors 727 and cause messages to be consistently delayed and ultimately returned 728 to the sender. We don't expect to find any "secure" TLSA records 729 associated with a TLSA base domain that lies in an unsigned DNS zone. 730 Therefore, skipping TLSA lookups in this case will also reduce 731 latency with no detrimental impact on security. 733 If the A and/or AAAA lookup of the "initial name" yields a CNAME, we 734 replace it with the resulting name as if it were the initial name and 735 perform a lookup again using the new name. This replacement is 736 performed recursively (up to the MTA's recursion limit). 738 We consider the following cases for handling a DNS response for an A 739 or AAAA DNS lookup: 741 Not found: When the DNS queries for A and/or AAAA records yield 742 neither a list of addresses nor a CNAME (or CNAME expansion is not 743 supported) the destination is unreachable. 745 Non-CNAME: The answer is not a CNAME alias. If the address RRSet 746 is "secure", TLSA lookups are performed as described in 747 Section 2.2.3 with the initial name as the candidate TLSA base 748 domain. If no "secure" TLSA records are found, DANE TLS is not 749 applicable and mail delivery proceeds with pre-DANE opportunistic 750 TLS (which, being best-effort, degrades to cleartext delivery when 751 STARTTLS is not available or the TLS handshake fails). 753 Insecure CNAME: The input domain is a CNAME alias, but the ultimate 754 network address RRSet is "insecure" (see Section 2.1.1). If the 755 initial CNAME response is also "insecure", DANE TLS does not 756 apply. Otherwise, this case is treated just like the non-CNAME 757 case above, where a search is performed for a TLSA record with the 758 original input domain as the candidate TLSA base domain. 760 Secure CNAME: The input domain is a CNAME alias, and the ultimate 761 network address RRSet is "secure" (see Section 2.1.1). Two 762 candidate TLSA base domains are tried: the fully CNAME-expanded 763 initial name and, failing that, then the initial name itself. 765 In summary, if it is possible to securely obtain the full, CNAME- 766 expanded, DNSSEC-validated address records for the input domain, then 767 that name is the preferred TLSA base domain. Otherwise, the 768 unexpanded input-MX domain is the candidate TLSA base domain. When 769 no "secure" TLSA records are found at either the CNAME-expanded or 770 unexpanded domain, then DANE TLS does not apply for mail delivery via 771 the input domain in question. And, as always, errors, bogus or 772 indeterminate results for any query in the process MUST result in 773 delaying or abandoning delivery. 775 2.2.3. TLSA record lookup 777 Each candidate TLSA base domain (the original or fully CNAME-expanded 778 name of a non-MX destination or a particular MX hostname of an MX 779 destination) is in turn prefixed with service labels of the form 780 "_._tcp". The resulting domain name is used to issue a DNSSEC 781 query with the query type set to TLSA ([RFC6698] Section 7.1). 783 For SMTP, the destination TCP port is typically 25, but this may be 784 different with custom routes specified by the MTA administrator in 785 which case the SMTP client MUST use the appropriate number in the 786 "_" prefix in place of "_25". If, for example, the candidate 787 base domain is "mx.example.com", and the SMTP connection is to port 788 25, the TLSA RRSet is obtained via a DNSSEC query of the form: 790 _25._tcp.mx.example.com. IN TLSA ? 792 The query response may be a CNAME, or the actual TLSA RRSet. If the 793 response is a CNAME, the SMTP client (through the use of its 794 security-aware stub resolver) restarts the TLSA query at the target 795 domain, following CNAMEs as appropriate and keeping track of whether 796 the entire chain is "secure". If any "insecure" records are 797 encountered, or the TLSA records don't exist, the next candidate TLSA 798 base domain is tried instead. 800 If the ultimate response is a "secure" TLSA RRSet, then the candidate 801 TLSA base domain will be the actual TLSA base domain and the TLSA 802 RRSet will constitute the TLSA records for the destination. If none 803 of the candidate TLSA base domains yield "secure" TLSA records then 804 delivery MAY proceed via pre-DANE opportunistic TLS. SMTP clients 805 MAY elect to use "insecure" TLSA records to avoid STARTTLS downgrades 806 or even to skip SMTP servers that fail authentication, but MUST NOT 807 misrepresent authentication success as either a secure connection to 808 the SMTP server or as a secure delivery to the intended next-hop 809 domain. 811 TLSA record publishers may leverage CNAMEs to reference a single 812 authoritative TLSA RRSet specifying a common Certification Authority 813 or a common end entity certificate to be used with multiple TLS 814 services. Such CNAME expansion does not change the SMTP client's 815 notion of the TLSA base domain; thus, when _25._tcp.mx.example.com is 816 a CNAME, the base domain remains mx.example.com and this is still the 817 reference identifier used together with the next-hop domain in peer 818 certificate name checks. 820 Note that shared end entity certificate associations expose the 821 publishing domain to substitution attacks, where an MITM attacker can 822 reroute traffic to a different server that shares the same end entity 823 certificate. Such shared end entity TLSA records SHOULD be avoided 824 unless the servers in question are functionally equivalent or employ 825 mutually incompatible protocols (an active attacker gains nothing by 826 diverting client traffic from one such server to another). 828 A better example, employing a shared trust anchor rather than shared 829 end-entity certificates, is illustrated by the DNSSEC validated 830 records below: 832 example.com. IN MX 0 mx1.example.com. 833 example.com. IN MX 0 mx2.example.com. 834 _25._tcp.mx1.example.com. IN CNAME tlsa201._dane.example.com. 835 _25._tcp.mx2.example.com. IN CNAME tlsa201._dane.example.com. 836 tlsa201._dane.example.com. IN TLSA 2 0 1 e3b0c44298fc1c149a... 838 The SMTP servers mx1.example.com and mx2.example.com will be expected 839 to have certificates issued under a common trust anchor, but each MX 840 hostname's TLSA base domain remains unchanged despite the above CNAME 841 records. Correspondingly, each SMTP server will be associated with a 842 pair of reference identifiers consisting of its hostname plus the 843 next-hop domain "example.com". 845 If, during TLSA resolution (including possible CNAME indirection), at 846 least one "secure" TLSA record is found (even if not usable because 847 it is unsupported by the implementation or support is 848 administratively disabled), then the corresponding host has signaled 849 its commitment to implement TLS. The SMTP client MUST NOT deliver 850 mail via the corresponding host unless a TLS session is negotiated 851 via STARTTLS. This is required to avoid MITM STARTTLS downgrade 852 attacks. 854 As noted previously (in Section Section 2.2.2), when no "secure" TLSA 855 records are found at the fully CNAME-expanded name, the original 856 unexpanded name MUST be tried instead. This supports customers of 857 hosting providers where the provider's zone cannot be validated with 858 DNSSEC, but the customer has shared appropriate key material with the 859 hosting provider to enable TLS via SNI. Intermediate names that 860 arise during CNAME expansion that are neither the original, nor the 861 final name, are never candidate TLSA base domains, even if "secure". 863 3. DANE authentication 865 This section describes which TLSA records are applicable to SMTP 866 opportunistic DANE TLS and how to apply such records to authenticate 867 the SMTP server. With opportunistic DANE TLS, both the TLS support 868 implied by the presence of DANE TLSA records and the verification 869 parameters necessary to authenticate the TLS peer are obtained 870 together. In contrast to protocols where channel security policy is 871 set exclusively by the client, authentication via this protocol is 872 expected to be less prone to connection failure caused by 873 incompatible configuration of the client and server. 875 3.1. TLSA certificate usages 877 The DANE TLSA specification [RFC6698] defines multiple TLSA RR types 878 via combinations of 3 numeric parameters. The numeric values of 879 these parameters were later given symbolic names in [RFC7218]. The 880 rest of the TLSA record is the "certificate association data field", 881 which specifies the full or digest value of a certificate or public 882 key. The parameters are: 884 The TLSA Certificate Usage field: Section 2.1.1 of [RFC6698] 885 specifies four values: PKIX-TA(0), PKIX-EE(1), DANE-TA(2), and 886 DANE-EE(3). There is an additional private-use value: 887 PrivCert(255). All other values are reserved for use by future 888 specifications. 890 The selector field: Section 2.1.2 of [RFC6698] specifies two values: 891 Cert(0) and SPKI(1). There is an additional private-use value: 892 PrivSel(255). All other values are reserved for use by future 893 specifications. 895 The matching type field: Section 2.1.3 of [RFC6698] specifies three 896 values: Full(0), SHA2-256(1) and SHA2-512(2). There is an 897 additional private-use value: PrivMatch(255). All other values 898 are reserved for use by future specifications. 900 We may think of TLSA Certificate Usage values 0 through 3 as a 901 combination of two one-bit flags. The low bit chooses between trust 902 anchor (TA) and end entity (EE) certificates. The high bit chooses 903 between public PKI issued and domain-issued certificates. 905 The selector field specifies whether the TLSA RR matches the whole 906 certificate: Cert(0), or just its subjectPublicKeyInfo: SPKI(1). The 907 subjectPublicKeyInfo is an ASN.1 DER ([X.690]) encoding of the 908 certificate's algorithm id, any parameters and the public key data. 910 The matching type field specifies how the TLSA RR Certificate 911 Association Data field is to be compared with the certificate or 912 public key. A value of Full(0) means an exact match: the full DER 913 encoding of the certificate or public key is given in the TLSA RR. A 914 value of SHA2-256(1) means that the association data matches the 915 SHA2-256 digest of the certificate or public key, and likewise 916 SHA2-512(2) means a SHA2-512 digest is used. 918 Since opportunistic DANE TLS will be used by non-interactive MTAs, 919 with no user to "press OK" when authentication fails, reliability of 920 peer authentication is paramount. Server operators are advised to 921 publish TLSA records that are least likely to fail authentication due 922 to interoperability or operational problems. Because DANE TLS relies 923 on coordinated changes to DNS and SMTP server settings, the best 924 choice of records to publish will depend on site-specific practices. 926 The certificate usage element of a TLSA record plays a critical role 927 in determining how the corresponding certificate association data 928 field is used to authenticate server's certificate chain. The next 929 two subsections explain the process for certificate usages DANE-EE(3) 930 and DANE-TA(2). The third subsection briefly explains why 931 certificate usages PKIX-TA(0) and PKIX-EE(1) are not applicable with 932 opportunistic DANE TLS. 934 In summary, we RECOMMEND the use of either "DANE-EE(3) SPKI(1) 935 SHA2-256(1)" or "DANE-TA(2) Cert(0) SHA2-256(1)" TLSA records 936 depending on site needs. Other combinations of TLSA parameters are 937 either explicitly unsupported, or offer little to recommend them over 938 these two. 940 As specified in [RFC6698], the mandatory to implement matching type 941 digest algorithm is SHA2-256(1). When the server's TLSA RRSet 942 includes records with a matching type indicating a digest record 943 (i.e., a value other than Full(0)), a TLSA record with a SHA2-256(1) 944 matching type SHOULD be provided along with any other digest 945 published, since some SMTP clients may support only SHA2-256(1). If 946 at some point the SHA2-256 digest algorithm is tarnished by new 947 cryptanalytic attacks, publishers will need to include an appropriate 948 stronger digest in their TLSA records, initially along with, and 949 ultimately in place of, SHA2-256. 951 3.1.1. Certificate usage DANE-EE(3) 953 Authentication via certificate usage DANE-EE(3) TLSA records involves 954 simply checking that the server's leaf certificate matches the TLSA 955 record. In particular the binding of the server public key to its 956 name is based entirely on the TLSA record association. The server 957 MUST be considered authenticated even if none of the names in the 958 certificate match the client's reference identity for the server. 960 Similarly, the expiration date of the server certificate MUST be 961 ignored, the validity period of the TLSA record key binding is 962 determined by the validity interval of the TLSA record DNSSEC 963 signature. 965 With DANE-EE(3) servers need not employ SNI (may ignore the client's 966 SNI message) even when the server is known under independent names 967 that would otherwise require separate certificates. It is instead 968 sufficient for the TLSA RRSets for all the domains in question to 969 match the server's default certificate. Of course with SMTP servers 970 it is simpler still to publish the same MX hostname for all the 971 hosted domains. 973 For domains where it is practical to make coordinated changes in DNS 974 TLSA records during SMTP server key rotation, it is often best to 975 publish end-entity DANE-EE(3) certificate associations. DANE-EE(3) 976 certificates don't suddenly stop working when leaf or intermediate 977 certificates expire, and don't fail when the server operator neglects 978 to configure all the required issuer certificates in the server 979 certificate chain. 981 TLSA records published for SMTP servers SHOULD, in most cases, be 982 "DANE-EE(3) SPKI(1) SHA2-256(1)" records. Since all DANE 983 implementations are required to support SHA2-256, this record type 984 works for all clients and need not change across certificate renewals 985 with the same key. 987 3.1.2. Certificate usage DANE-TA(2) 989 Some domains may prefer to avoid the operational complexity of 990 publishing unique TLSA RRs for each TLS service. If the domain 991 employs a common issuing Certification Authority to create 992 certificates for multiple TLS services, it may be simpler to publish 993 the issuing authority as a trust anchor (TA) for the certificate 994 chains of all relevant services. The TLSA query domain (TLSA base 995 domain with port and protocol prefix labels) for each service issued 996 by the same TA may then be set to a CNAME alias that points to a 997 common TLSA RRSet that matches the TA. For example: 999 example.com. IN MX 0 mx1.example.com. 1000 example.com. IN MX 0 mx2.example.com. 1001 _25._tcp.mx1.example.com. IN CNAME tlsa201._dane.example.com. 1002 _25._tcp.mx2.example.com. IN CNAME tlsa201._dane.example.com. 1003 tlsa201._dane.example.com. IN TLSA 2 0 1 e3b0c44298fc1c14.... 1005 With usage DANE-TA(2) the server certificates will need to have names 1006 that match one of the client's reference identifiers (see [RFC6125]). 1007 The server MAY employ SNI to select the appropriate certificate to 1008 present to the client. 1010 SMTP servers that rely on certificate usage DANE-TA(2) TLSA records 1011 for TLS authentication MUST include the TA certificate as part of the 1012 certificate chain presented in the TLS handshake server certificate 1013 message even when it is a self-signed root certificate. At this 1014 time, many SMTP servers are not configured with a comprehensive list 1015 of trust anchors, nor are they expected to at any point in the 1016 future. Some MTAs will ignore all locally trusted certificates when 1017 processing usage DANE-TA(2) TLSA records. Thus even when the TA 1018 happens to be a public Certification Authority known to the SMTP 1019 client, authentication is likely to fail unless the TA certificate is 1020 included in the TLS server certificate message. 1022 TLSA records with matching type Full(0) are discouraged. While these 1023 potentially obviate the need to transmit the TA certificate in the 1024 TLS server certificate message, client implementations may not be 1025 able to augment the server certificate chain with the data obtained 1026 from DNS, especially when the TLSA record supplies a bare key 1027 (selector SPKI(1)). Since the server will need to transmit the TA 1028 certificate in any case, server operators SHOULD publish TLSA records 1029 with a matching type other than Full(0) and avoid potential 1030 interoperability issues with large TLSA records containing full 1031 certificates or keys. 1033 TLSA Publishers employing DANE-TA(2) records SHOULD publish records 1034 with a selector of Cert(0). Such TLSA records are associated with 1035 the whole trust anchor certificate, not just with the trust anchor 1036 public key. In particular, the SMTP client SHOULD then apply any 1037 relevant constraints from the trust anchor certificate, such as, for 1038 example, path length constraints. 1040 While a selector of SPKI(1) may also be employed, the resulting TLSA 1041 record will not specify the full trust anchor certificate content, 1042 and elements of the trust anchor certificate other than the public 1043 key become mutable. This may, for example, allow a subsidiary CA to 1044 issue a chain that violates the trust anchor's path length or name 1045 constraints. 1047 3.1.3. Certificate usages PKIX-TA(0) and PKIX-EE(1) 1049 Note, this section applies to MTA-to-MTA SMTP on port 25. That is, 1050 to servers that are the SMTP servers for one or more destination 1051 domains. Other uses of SMTP, such as in MUA-to-MSA submission on 1052 ports 587 or 465 are out of scope for this document. Where those 1053 other uses also employ TLS opportunistically and/or depend on DNSSEC 1054 as a result of DNS-based discovery of service location, the relevant 1055 specifications should, as appropriate, arrive at similar conclusions. 1057 As noted in Section 1.3.1 and Section 1.3.2, sending MTAs cannot, 1058 without relying on DNSSEC for secure MX records and DANE for STARTTLS 1059 support signaling, perform server identity verification or prevent 1060 STARTTLS downgrade attacks. The use of PKIX CAs offers no added 1061 security since an attacker capable of compromising DNSSEC is free to 1062 replace any PKIX-TA(0) or PKIX-EE(1) TLSA records with records 1063 bearing any convenient non-PKIX certificate usage. Finally, as 1064 explained in Section 1.3.4, there is no list of trusted CAs agreed by 1065 all MTAs, and no user to "click OK" when a server's CA is not trusted 1066 by a client. 1068 Therefore, TLSA records for the port 25 SMTP service used by client 1069 MTAs SHOULD NOT include TLSA RRs with certificate usage PKIX-TA(0) or 1070 PKIX-EE(1). SMTP client MTAs cannot be expected to be configured 1071 with a suitably complete set of trusted public CAs. Lacking a 1072 complete set of public CAs, MTA clients would not be able to verify 1073 the certificates of SMTP servers whose issuing root CAs are not 1074 trusted by the client. 1076 Opportunistic DANE TLS needs to interoperate without bilateral 1077 coordination of security settings between client and server systems. 1078 Therefore, parameter choices that are fragile in the absence of 1079 bilateral coordination are unsupported. Nothing is lost since the 1080 PKIX certificate usages cannot aid SMTP TLS security, they can only 1081 impede SMTP TLS interoperability. 1083 SMTP client treatment of TLSA RRs with certificate usages PKIX-TA(0) 1084 or PKIX-EE(1) is undefined. SMTP clients should generally treat such 1085 TLSA records as unusable. 1087 3.2. Certificate matching 1089 When at least one usable "secure" TLSA record is found, the SMTP 1090 client MUST use TLSA records to authenticate the SMTP server. 1091 Messages MUST NOT be delivered via the SMTP server if authentication 1092 fails, otherwise the SMTP client is vulnerable to MITM attacks. 1094 3.2.1. DANE-EE(3) name checks 1096 The SMTP client MUST NOT perform certificate name checks with 1097 certificate usage DANE-EE(3); see Section 3.1.1 above. 1099 3.2.2. DANE-TA(2) name checks 1101 To match a server via a TLSA record with certificate usage DANE- 1102 TA(2), the client MUST perform name checks to ensure that it has 1103 reached the correct server. In all DANE-TA(2) cases the SMTP client 1104 MUST include the TLSA base domain as one of the valid reference 1105 identifiers for matching the server certificate. 1107 TLSA records for MX hostnames: If the TLSA base domain was obtained 1108 indirectly via a "secure" MX lookup (including any CNAME-expanded 1109 name of an MX hostname), then the original next-hop domain used in 1110 the MX lookup MUST be included as as a second reference 1111 identifier. The CNAME-expanded original next-hop domain MUST be 1112 included as a third reference identifier if different from the 1113 original next-hop domain. When the client MTA is employing DANE 1114 TLS security despite "insecure" MX redirection the MX hostname is 1115 the only reference identifier. 1117 TLSA records for Non-MX hostnames: If MX records were not used 1118 (e.g., if none exist) and the TLSA base domain is the CNAME- 1119 expanded original next-hop domain, then the original next-hop 1120 domain MUST be included as a second reference identifier. 1122 Accepting certificates with the original next-hop domain in addition 1123 to the MX hostname allows a domain with multiple MX hostnames to 1124 field a single certificate bearing a single domain name (i.e., the 1125 email domain) across all the SMTP servers. This also aids 1126 interoperability with pre-DANE SMTP clients that are configured to 1127 look for the email domain name in server certificates. For example, 1128 with "secure" DNS records as below: 1130 exchange.example.org. IN CNAME mail.example.org. 1131 mail.example.org. IN CNAME example.com. 1132 example.com. IN MX 10 mx10.example.com. 1133 example.com. IN MX 15 mx15.example.com. 1134 example.com. IN MX 20 mx20.example.com. 1135 ; 1136 mx10.example.com. IN A 192.0.2.10 1137 _25._tcp.mx10.example.com. IN TLSA 2 0 1 ... 1138 ; 1139 mx15.example.com. IN CNAME mxbackup.example.com. 1140 mxbackup.example.com. IN A 192.0.2.15 1141 ; _25._tcp.mxbackup.example.com. IN TLSA ? (NXDOMAIN) 1142 _25._tcp.mx15.example.com. IN TLSA 2 0 1 ... 1143 ; 1144 mx20.example.com. IN CNAME mxbackup.example.net. 1145 mxbackup.example.net. IN A 198.51.100.20 1146 _25._tcp.mxbackup.example.net. IN TLSA 2 0 1 ... 1148 Certificate name checks for delivery of mail to exchange.example.org 1149 via any of the associated SMTP servers MUST accept at least the names 1150 "exchange.example.org" and "example.com", which are respectively the 1151 original and fully expanded next-hop domain. When the SMTP server is 1152 mx10.example.com, name checks MUST accept the TLSA base domain 1153 "mx10.example.com". If, despite the fact that MX hostnames are 1154 required to not be aliases, the MTA supports delivery via 1155 "mx15.example.com" or "mx20.example.com" then name checks MUST accept 1156 the respective TLSA base domains "mx15.example.com" and 1157 "mxbackup.example.net". 1159 3.2.3. Reference identifier matching 1161 When name checks are applicable (certificate usage DANE-TA(2)), if 1162 the server certificate contains a Subject Alternative Name extension 1163 ([RFC5280]), with at least one DNS-ID ([RFC6125]) then only the DNS- 1164 IDs are matched against the client's reference identifiers. The CN- 1165 ID ([RFC6125]) is only considered when no DNS-IDs are present. The 1166 server certificate is considered matched when one of its presented 1167 identifiers ([RFC5280]) matches any of the client's reference 1168 identifiers. 1170 Wildcards are valid in either DNS-IDs or the CN-ID when applicable. 1171 The wildcard character must be the entire first label of the DNS-ID 1172 or CN-ID. Thus, "*.example.com" is valid, while "smtp*.example.com" 1173 and "*smtp.example.com" are not. SMTP clients MUST support wildcards 1174 that match the first label of the reference identifier, with the 1175 remaining labels matching verbatim. For example, the DNS-ID 1176 "*.example.com" matches the reference identifier "mx1.example.com". 1177 SMTP clients MAY, subject to local policy allow wildcards to match 1178 multiple reference identifier labels, but servers cannot expect broad 1179 support for such a policy. Therefore any wildcards in server 1180 certificates SHOULD match exactly one label in either the TLSA base 1181 domain or the next-hop domain. 1183 4. Server key management 1185 Two TLSA records MUST be published before employing a new EE or TA 1186 public key or certificate, one matching the currently deployed key 1187 and the other matching the new key scheduled to replace it. Once 1188 sufficient time has elapsed for all DNS caches to expire the previous 1189 TLSA RRSet and related signature RRsets, servers may be configured to 1190 use the new EE private key and associated public key certificate or 1191 may employ certificates signed by the new trust anchor. 1193 Once the new public key or certificate is in use, the TLSA RR that 1194 matches the retired key can be removed from DNS, leaving only RRs 1195 that match keys or certificates in active use. 1197 As described in Section 3.1.2, when server certificates are validated 1198 via a DANE-TA(2) trust anchor, and CNAME records are employed to 1199 store the TA association data at a single location, the 1200 responsibility of updating the TLSA RRSet shifts to the operator of 1201 the trust anchor. Before a new trust anchor is used to sign any new 1202 server certificates, its certificate (digest) is added to the 1203 relevant TLSA RRSet. After enough time elapses for the original TLSA 1204 RRSet to age out of DNS caches, the new trust anchor can start 1205 issuing new server certificates. Once all certificates issued under 1206 the previous trust anchor have expired, its associated RRs can be 1207 removed from the TLSA RRSet. 1209 In the DANE-TA(2) key management model server operators do not 1210 generally need to update DNS TLSA records after initially creating a 1211 CNAME record that references the centrally operated DANE-TA(2) RRSet. 1212 If a particular server's key is compromised, its TLSA CNAME SHOULD be 1213 replaced with a DANE-EE(3) association until the certificate for the 1214 compromised key expires, at which point it can return to using a 1215 CNAME record. If the central trust anchor is compromised, all 1216 servers need to be issued new keys by a new TA, and an updated DANE- 1217 TA(2) TLSA RRSet needs to be published containing just the new TA. 1219 SMTP servers cannot expect broad CRL or OCSP support from SMTP 1220 clients. As outlined above, with DANE, compromised server or trust 1221 anchor keys can be "revoked" by removing them from the DNS without 1222 the need for client-side support for OCSP or CRLs. 1224 5. Digest algorithm agility 1226 While [RFC6698] specifies multiple digest algorithms, it does not 1227 specify a protocol by which the SMTP client and TLSA record publisher 1228 can agree on the strongest shared algorithm. Such a protocol would 1229 allow the client and server to avoid exposure to any deprecated 1230 weaker algorithms that are published for compatibility with less 1231 capable clients, but should be ignored when possible. Such a 1232 protocol is specified in [I-D.ietf-dane-ops]. SMTP clients and 1233 servers that implement this specification MUST comply with the 1234 requirements outlined under "Digest Algorithm Agility" in 1235 [I-D.ietf-dane-ops]. 1237 6. Mandatory TLS Security 1239 An MTA implementing this protocol may require a stronger security 1240 assurance when sending email to selected destinations. The sending 1241 organization may need to send sensitive email and/or may have 1242 regulatory obligations to protect its content. This protocol is not 1243 in conflict with such a requirement, and in fact can often simplify 1244 authenticated delivery to such destinations. 1246 Specifically, with domains that publish DANE TLSA records for their 1247 MX hostnames, a sending MTA can be configured to use the receiving 1248 domains's DANE TLSA records to authenticate the corresponding SMTP 1249 server. Authentication via DANE TLSA records is easier to manage, as 1250 changes in the receiver's expected certificate properties are made on 1251 the receiver end and don't require manually communicated 1252 configuration changes. With mandatory DANE TLS, when no usable TLSA 1253 records are found, message delivery is delayed. Thus, mail is only 1254 sent when an authenticated TLS channel is established to the remote 1255 SMTP server. 1257 Administrators of mail servers that employ mandatory DANE TLS, need 1258 to carefully monitor their mail logs and queues. If a partner domain 1259 unwittingly misconfigures their TLSA records, disables DNSSEC, or 1260 misconfigures SMTP server certificate chains, mail will be delayed 1261 and may bounce if the issue is not resolved in a timely manner. 1263 7. Note on DANE for Message User Agents 1265 We note that the SMTP protocol is also used between Message User 1266 Agents (MUAs) and Message Submission Agents (MSAs) [RFC6409]. In 1267 [RFC6186] a protocol is specified that enables an MUA to dynamically 1268 locate the MSA based on the user's email address. SMTP connection 1269 security considerations for MUAs implementing [RFC6186] are largely 1270 analogous to connection security requirements for MTAs, and this 1271 specification could be applied largely verbatim with DNS MX records 1272 replaced by corresponding DNS Service (SRV) records 1273 [I-D.ietf-dane-srv]. 1275 However, until MUAs begin to adopt the dynamic configuration 1276 mechanisms of [RFC6186] they are adequately served by more 1277 traditional static TLS security policies. Specification of DANE TLS 1278 for Message User Agent (MUA) to Message Submission Agent (MSA) SMTP 1279 is left to future documents that focus specifically on SMTP security 1280 between MUAs and MSAs. 1282 8. Interoperability considerations 1284 8.1. SNI support 1286 To ensure that the server sends the right certificate chain, the SMTP 1287 client MUST send the TLS SNI extension containing the TLSA base 1288 domain. This precludes the use of the backward compatible SSL 2.0 1289 compatible SSL HELLO by the SMTP client. The minimum SSL/TLS client 1290 HELLO version for SMTP clients performing DANE authentication is SSL 1291 3.0, but a client that offers SSL 3.0 MUST also offer at least TLS 1292 1.0 and MUST include the SNI extension. Servers that don't make use 1293 of SNI MAY negotiate SSL 3.0 if offered by the client. 1295 Each SMTP server MUST present a certificate chain (see [RFC5246] 1296 Section 7.4.2) that matches at least one of the TLSA records. The 1297 server MAY rely on SNI to determine which certificate chain to 1298 present to the client. Clients that don't send SNI information may 1299 not see the expected certificate chain. 1301 If the server's TLSA records match the server's default certificate 1302 chain, the server need not support SNI. In either case, the server 1303 need not include the SNI extension in its TLS HELLO as simply 1304 returning a matching certificate chain is sufficient. Servers MUST 1305 NOT enforce the use of SNI by clients, as the client may be using 1306 unauthenticated opportunistic TLS and may not expect any particular 1307 certificate from the server. If the client sends no SNI extension, 1308 or sends an SNI extension for an unsupported domain, the server MUST 1309 simply send some fallback certificate chain of its choice. The 1310 reason for not enforcing strict matching of the requested SNI 1311 hostname is that DANE TLS clients are typically willing to accept 1312 multiple server names, but can only send one name in the SNI 1313 extension. The server's fallback certificate may match a different 1314 name acceptable to the client, e.g., the original next-hop domain. 1316 8.2. Anonymous TLS cipher suites 1318 Since many SMTP servers either do not support or do not enable any 1319 anonymous TLS cipher suites, SMTP client TLS HELLO messages SHOULD 1320 offer to negotiate a typical set of non-anonymous cipher suites 1321 required for interoperability with such servers. An SMTP client 1322 employing pre-DANE opportunistic TLS MAY in addition include one or 1323 more anonymous TLS cipher suites in its TLS HELLO. SMTP servers, 1324 that need to interoperate with opportunistic TLS clients SHOULD be 1325 prepared to interoperate with such clients by either always selecting 1326 a mutually supported non-anonymous cipher suite or by correctly 1327 handling client connections that negotiate anonymous cipher suites. 1329 Note that while SMTP server operators are under no obligation to 1330 enable anonymous cipher suites, no security is gained by sending 1331 certificates to clients that will ignore them. Indeed support for 1332 anonymous cipher suites in the server makes audit trails more 1333 informative. Log entries that record connections that employed an 1334 anonymous cipher suite record the fact that the clients did not care 1335 to authenticate the server. 1337 9. Operational Considerations 1338 9.1. Client Operational Considerations 1340 An operational error on the sending or receiving side that cannot be 1341 corrected in a timely manner may, at times, lead to consistent 1342 failure to deliver time-sensitive email. The sending MTA 1343 administrator may have to choose between letting email queue until 1344 the error is resolved and disabling opportunistic or mandatory DANE 1345 TLS (Section 6) for one or more destinations. The choice to disable 1346 DANE TLS security should not be made lightly. Every reasonable 1347 effort should be made to determine that problems with mail delivery 1348 are the result of an operational error, and not an attack. A 1349 fallback strategy may be to configure explicit out-of-band TLS 1350 security settings if supported by the sending MTA. 1352 SMTP clients may deploy opportunistic DANE TLS incrementally by 1353 enabling it only for selected sites, or may occasionally need to 1354 disable opportunistic DANE TLS for peers that fail to interoperate 1355 due to misconfiguration or software defects on either end. Some 1356 implementations MAY support DANE TLS in an "audit only" mode in which 1357 failure to achieve the requisite security level is logged as a 1358 warning and delivery proceeds at a reduced security level. Unless 1359 local policy specifies "audit only" or that opportunistic DANE TLS is 1360 not to be used for a particular destination, an SMTP client MUST NOT 1361 deliver mail via a server whose certificate chain fails to match at 1362 least one TLSA record when usable TLSA records are found for that 1363 server. 1365 9.2. Publisher Operational Considerations 1367 As explained in Section 3.1.3 server operators SHOULD NOT publish 1368 TLSA records for their MTAs (port 25 SMTP) with certificate usages 1369 PKIX-TA(0) or PKIX-EE(1). 1371 Some MTAs enable STARTTLS selectively. For example they might only 1372 support STARTTLS with clients that have previously demonstrated 1373 "proper MTA behavior", for example by retrying the delivery of 1374 deferred messages (greylisting). If such an MTA publishes DANE TLSA 1375 records, sending MTAs that implement this specification will not 1376 attempt the initial cleartext SMTP transaction needed to establish 1377 the "proper MTA behavior", because they cannot establish the required 1378 channel security. Server operators MUST NOT implement selective 1379 STARTTLS if they also want to support DANE TLSA. 1381 SMTP servers that publish certificate usage DANE-TA(2) associations 1382 MUST include the TA certificate in their TLS server certificate 1383 chain, even when that TA certificate is a self-signed root 1384 certificate. With some SMTP server software it is not possible to 1385 include root CA certificates in the server chain. Such servers need 1386 to either publish DANE-TA(2) records for an intermediate certificate 1387 or to use DANE-EE(3). 1389 TLSA Publishers MUST follow the guidelines in the "TLSA Publisher 1390 Requirements" section of [I-D.ietf-dane-ops]. 1392 TLSA Publishers SHOULD follow the TLSA publication size guidance 1393 found in [I-D.ietf-dane-ops] under "DANE DNS Record Size Guidelines". 1395 TLSA Publishers SHOULD follow the TLSA record TTL and signature 1396 lifetime recommendations found in [I-D.ietf-dane-ops] under 1397 "Operational Considerations". 1399 10. Security Considerations 1401 This protocol leverages DANE TLSA records to implement MITM resistant 1402 opportunistic security ([RFC7435]) for SMTP. For destination domains 1403 that sign their MX records and publish signed TLSA records for their 1404 MX hostnames, this protocol allows sending MTAs to securely discover 1405 both the availability of TLS and how to authenticate the destination. 1407 This protocol does not aim to secure all SMTP traffic, as that is not 1408 practical until DNSSEC and DANE adoption are universal. The 1409 incremental deployment provided by following this specification is a 1410 best possible path for securing SMTP. This protocol coexists and 1411 interoperates with the existing insecure Internet email backbone. 1413 The protocol does not preclude existing non-opportunistic SMTP TLS 1414 security arrangements, which can continue to be used as before via 1415 manual configuration with negotiated out-of-band key and TLS 1416 configuration exchanges. 1418 Opportunistic SMTP TLS depends critically on DNSSEC for downgrade 1419 resistance and secure resolution of the destination name. If DNSSEC 1420 is compromised, it is not possible to fall back on the public CA PKI 1421 to prevent MITM attacks. A successful breach of DNSSEC enables the 1422 attacker to publish TLSA usage 3 certificate associations, and 1423 thereby bypass any security benefit the legitimate domain owner might 1424 hope to gain by publishing usage 0 or 1 TLSA RRs. Given the lack of 1425 public CA PKI support in existing MTA deployments, avoiding 1426 certificate usages 0 and 1 simplifies implementation and deployment 1427 with no adverse security consequences. 1429 Implementations must strictly follow the portions of this 1430 specification that indicate when it is appropriate to initiate a non- 1431 authenticated connection or cleartext connection to a SMTP server. 1432 Specifically, in order to prevent downgrade attacks on this protocol, 1433 implementation must not initiate a connection when this specification 1434 indicates a particular SMTP server must be considered unreachable. 1436 11. IANA considerations 1438 This specification requires no support from IANA. 1440 12. Acknowledgements 1442 The authors would like to extend great thanks to Tony Finch, who 1443 started the original version of a DANE SMTP document. His work is 1444 greatly appreciated and has been incorporated into this document. 1445 The authors would like to additionally thank Phil Pennock for his 1446 comments and advice on this document. 1448 Acknowledgments from Viktor: Thanks to Paul Hoffman who motivated me 1449 to begin work on this memo and provided feedback on early drafts. 1450 Thanks to Patrick Koetter, Perry Metzger and Nico Williams for 1451 valuable review comments. Thanks also to Wietse Venema who created 1452 Postfix, and whose advice and feedback were essential to the 1453 development of the Postfix DANE implementation. 1455 13. References 1457 13.1. Normative References 1459 [I-D.ietf-dane-ops] 1460 Dukhovni, V. and W. Hardaker, "Updates to and Operational 1461 Guidance for the DANE Protocol", draft-ietf-dane-ops-07 1462 (work in progress), October 2014. 1464 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1465 Requirement Levels", BCP 14, RFC 2119, March 1997. 1467 [RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over 1468 Transport Layer Security", RFC 3207, February 2002. 1470 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1471 Rose, "DNS Security Introduction and Requirements", RFC 1472 4033, March 2005. 1474 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1475 Rose, "Resource Records for the DNS Security Extensions", 1476 RFC 4034, March 2005. 1478 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1479 Rose, "Protocol Modifications for the DNS Security 1480 Extensions", RFC 4035, March 2005. 1482 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 1483 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 1485 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 1486 Housley, R., and W. Polk, "Internet X.509 Public Key 1487 Infrastructure Certificate and Certificate Revocation List 1488 (CRL) Profile", RFC 5280, May 2008. 1490 [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, 1491 October 2008. 1493 [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: 1494 Extension Definitions", RFC 6066, January 2011. 1496 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and 1497 Verification of Domain-Based Application Service Identity 1498 within Internet Public Key Infrastructure Using X.509 1499 (PKIX) Certificates in the Context of Transport Layer 1500 Security (TLS)", RFC 6125, March 2011. 1502 [RFC6186] Daboo, C., "Use of SRV Records for Locating Email 1503 Submission/Access Services", RFC 6186, March 2011. 1505 [RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the 1506 DNS", RFC 6672, June 2012. 1508 [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication 1509 of Named Entities (DANE) Transport Layer Security (TLS) 1510 Protocol: TLSA", RFC 6698, August 2012. 1512 [RFC7218] Gudmundsson, O., "Adding Acronyms to Simplify 1513 Conversations about DNS-Based Authentication of Named 1514 Entities (DANE)", RFC 7218, April 2014. 1516 [X.690] International Telecommunications Union, "Recommendation 1517 ITU-T X.690 (2002) | ISO/IEC 8825-1:2002, Information 1518 technology - ASN.1 encoding rules: Specification of Basic 1519 Encoding Rules (BER), Canonical Encoding Rules (CER) and 1520 Distinguished Encoding Rules (DER)", July 2002. 1522 13.2. Informative References 1524 [I-D.ietf-dane-srv] 1525 Finch, T., Miller, M., and P. Saint-Andre, "Using DNS- 1526 Based Authentication of Named Entities (DANE) TLSA Records 1527 with SRV Records", draft-ietf-dane-srv-11 (work in 1528 progress), February 2015. 1530 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 1531 STD 13, RFC 1034, November 1987. 1533 [RFC1035] Mockapetris, P., "Domain names - implementation and 1534 specification", STD 13, RFC 1035, November 1987. 1536 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS 1537 Specification", RFC 2181, July 1997. 1539 [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, July 1540 2009. 1542 [RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail", 1543 STD 72, RFC 6409, November 2011. 1545 [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection 1546 Most of the Time", RFC 7435, December 2014. 1548 Authors' Addresses 1550 Viktor Dukhovni 1551 Two Sigma 1553 Email: ietf-dane@dukhovni.org 1555 Wes Hardaker 1556 Parsons 1557 P.O. Box 382 1558 Davis, CA 95617 1559 US 1561 Email: ietf@hardakers.net