rfc9102.original   rfc9102.txt 
Network Working Group V. Dukhovni Independent Submission V. Dukhovni
Internet-Draft Two Sigma Request for Comments: 9102 Two Sigma
Intended status: Experimental S. Huque Category: Experimental S. Huque
Expires: 12 December 2021 Salesforce ISSN: 2070-1721 Salesforce
W. Toorop W. Toorop
NLnet Labs NLnet Labs
P. Wouters P. Wouters
Aiven Aiven
M. Shore M. Shore
Fastly Fastly
10 June 2021 July 2021
TLS DNSSEC Chain Extension TLS DNSSEC Chain Extension
draft-dukhovni-tls-dnssec-chain-08
Abstract Abstract
This document describes an experimental TLS extension for in-band This document describes an experimental TLS extension for the in-band
transport of the complete set of DNSSEC validatable records needed to transport of the complete set of records that can be validated by
perform DANE authentication of a TLS server without the need to DNSSEC and that are needed to perform DNS-Based Authentication of
perform separate out-of-band DNS lookups. When the requisite DNS Named Entities (DANE) of a TLS server. This extension obviates the
records do not exist, the extension conveys a validatable denial of need to perform separate, out-of-band DNS lookups. When the
existence proof. requisite DNS records do not exist, the extension conveys a denial-
of-existence proof that can be validated.
This experimental extension is developed outside the IETF and is This experimental extension is developed outside the IETF and is
published here to guide implementation of the extension and to ensure published here to guide implementation of the extension and to ensure
interoperability among implementations. interoperability among implementations.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for examination, experimental implementation, and
evaluation.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document defines an Experimental Protocol for the Internet
and may be updated, replaced, or obsoleted by other documents at any community. This is a contribution to the RFC Series, independently
time. It is inappropriate to use Internet-Drafts as reference of any other RFC stream. The RFC Editor has chosen to publish this
material or to cite them other than as "work in progress." document at its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not candidates for any level of Internet Standard;
see Section 2 of RFC 7841.
This Internet-Draft will expire on 12 December 2021. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9102.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
1.1. Scope of the experiment . . . . . . . . . . . . . . . . . 4 1.1. Scope of the Experiment
1.2. Requirements Notation . . . . . . . . . . . . . . . . . . 4 1.2. Requirements Notation
2. DNSSEC Authentication Chain Extension . . . . . . . . . . . . 4 2. DNSSEC Authentication Chain Extension
2.1. Protocol, TLS 1.2 . . . . . . . . . . . . . . . . . . . . 5 2.1. Protocol, TLS 1.2
2.2. Protocol, TLS 1.3 . . . . . . . . . . . . . . . . . . . . 6 2.2. Protocol, TLS 1.3
2.3. DNSSEC Authentication Chain Data . . . . . . . . . . . . 6 2.3. DNSSEC Authentication Chain Data
2.3.1. Authenticated Denial of Existence . . . . . . . . . . 9 2.3.1. Authenticated Denial of Existence
3. Construction of Serialized Authentication Chains . . . . . . 10 3. Construction of Serialized Authentication Chains
4. Caching and Regeneration of the Authentication Chain . . . . 11 4. Caching and Regeneration of the Authentication Chain
5. Expired signatures in the Authentication Chain . . . . . . . 11 5. Expired Signatures in the Authentication Chain
6. Verification . . . . . . . . . . . . . . . . . . . . . . . . 11 6. Verification
7. Extension Pinning . . . . . . . . . . . . . . . . . . . . . . 12 7. Extension Pinning
8. Trust Anchor Maintenance . . . . . . . . . . . . . . . . . . 14 8. Trust Anchor Maintenance
9. Virtual Hosting . . . . . . . . . . . . . . . . . . . . . . . 15 9. Virtual Hosting
10. Operational Considerations . . . . . . . . . . . . . . . . . 15 10. Operational Considerations
11. Security Considerations . . . . . . . . . . . . . . . . . . . 17 11. Security Considerations
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 12. IANA Considerations
13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18 13. References
14. Normative References . . . . . . . . . . . . . . . . . . . . 18 13.1. Normative References
15. Informative References . . . . . . . . . . . . . . . . . . . 19 13.2. Informative References
Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 20 Appendix A. Test Vectors
A.1. _443._tcp.www.example.com . . . . . . . . . . . . . . . . 22 A.1. "_443._tcp.www.example.com"
A.2. _25._tcp.example.com NSEC wildcard . . . . . . . . . . . 26 A.2. "_25._tcp.example.com" NSEC Wildcard
A.3. _25._tcp.example.org NSEC3 wildcard . . . . . . . . . . . 27 A.3. "_25._tcp.example.org" NSEC3 Wildcard
A.4. _443._tcp.www.example.org CNAME . . . . . . . . . . . . . 29 A.4. "_443._tcp.www.example.org" CNAME
A.5. _443._tcp.www.example.net DNAME . . . . . . . . . . . . . 30 A.5. "_443._tcp.www.example.net" DNAME
A.6. _25._tcp.smtp.example.com NSEC Denial of Existence . . . 32 A.6. "_25._tcp.smtp.example.com" NSEC Denial of Existence
A.7. _25._tcp.smtp.example.org NSEC3 Denial of Existence . . . 34 A.7. "_25._tcp.smtp.example.org" NSEC3 Denial of Existence
A.8. _443._tcp.www.insecure.example NSEC3 opt-out insecure A.8. "_443._tcp.www.insecure.example" NSEC3 Opt-Out Insecure
delegation . . . . . . . . . . . . . . . . . . . . . . . 35 Delegation
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 36 Acknowledgments
Authors' Addresses
1. Introduction 1. Introduction
This document describes an experimental TLS [RFC5246][RFC8446] This document describes an experimental TLS [RFC5246] [RFC8446]
extension for in-band transport of the complete set of DNSSEC extension for in-band transport of the complete set of resource
[RFC4033][RFC4034][RFC4035] validated Resource Records (RRs) that records (RRs) validated by DNSSEC [RFC4033] [RFC4034] [RFC4035].
enable a TLS client to perform DANE Authentication [RFC6698][RFC7671] This extension enables a TLS client to perform DANE authentication
of a TLS server without the need to perform out-of-band DNS lookups. [RFC6698] [RFC7671] of a TLS server without the need to perform out-
Retrieval of the required DNS records may be unavailable to the of-band DNS lookups. Retrieval of the required DNS records may be
client [NLNETLABS], or may incur undesirable additional latency. unavailable to the client [DISCOVERY] or may incur undesirable
additional latency.
The extension described here allows a TLS client to request that the The extension described here allows a TLS client to request that the
TLS server return the DNSSEC authentication chain corresponding to TLS server return the DNSSEC authentication chain corresponding to
its DNSSEC-validated DANE TLSA Resource Record set (RRset), or its DNSSEC-validated DANE TLSA resource record set (RRset) or
authenticated denial of existence of such an RRset (as described in authenticated denial of existence of such an RRset (as described in
Section 2.3.1). If the server supports this extension it performs Section 2.3.1). If the server supports this extension, it performs
the appropriate DNS queries, builds the authentication chain, and the appropriate DNS queries, builds the authentication chain, and
returns it to the client. The server will typically use a previously returns it to the client. The server will typically use a previously
cached authentication chain, but it will need to rebuild it cached authentication chain, but it will need to rebuild it
periodically as described in Section 4. The client then periodically as described in Section 4. The client then
authenticates the chain using a preconfigured DNSSEC trust anchor. authenticates the chain using a preconfigured DNSSEC trust anchor.
In the absence of TLSA records, this extension conveys the required In the absence of TLSA records, this extension conveys the required
authenticated denial of existence. Such proofs are needed to authenticated denial of existence. Such proofs are needed to
securely signal that specified TLSA records are not available so that securely signal that specified TLSA records are not available so that
TLS clients can safely fall back to Public-Key Infrastructure X.509 TLS clients can safely fall back to authentication based on Public
(PKIX, sometimes called WebPKI) based authentication if allowed by Key Infrastructure X.509 (PKIX, sometimes called WebPKI) if allowed
local policy. These proofs are also needed to avoid downgrade from by local policy. These proofs are also needed to avoid downgrade
opportunistic authenticated TLS (when DANE TLSA records are present) from opportunistic authenticated TLS (when DANE TLSA records are
to unauthenticated opportunistic TLS (in the absence of DANE). present) to unauthenticated opportunistic TLS (in the absence of
Denial of existence records are also used by the TLS client to clear DANE). Denial-of-existence records are also used by the TLS client
no longer relevant extension pins, as described in Section 7. to clear extension pins that are no longer relevant, as described in
Section 7.
This extension supports DANE authentication of either X.509 This extension supports DANE authentication of either X.509
certificates or raw public keys as described in the DANE certificates or raw public keys, as described in the DANE
specification [RFC6698][RFC7671] and [RFC7250]. specification [RFC6698] [RFC7671] [RFC7250].
This extension also mitigates against an unknown key share (UKS) This extension also mitigates against an unknown key share (UKS)
attack [I-D.barnes-dane-uks] when using raw public keys, since the attack [DANE-UKS] when using raw public keys since the server commits
server commits to its DNS name (normally found in its certificate) to its DNS name (normally found in its certificate) via the content
via the content of the returned TLSA RRset. of the returned TLSA RRset.
This experimental extension is developed outside the IETF and is This experimental extension is developed outside the IETF and is
published here to guide implementation of the extension and to ensure published here to guide implementation of the extension and to ensure
interoperability among implementations. interoperability among implementations.
1.1. Scope of the experiment 1.1. Scope of the Experiment
The mechanism described in this document is intended to be used with The mechanism described in this document is intended to be used with
applications on the wider internet. One application of TLS well applications on the wider internet. One application of TLS well
suited for the TLS DNSSEC Chain extension is DNS over TLS [RFC7858]. suited for the TLS DNSSEC Chain extension is DNS over TLS [RFC7858].
In fact, one of the authentication methods for DNS over TLS _is_ the In fact, one of the authentication methods for DNS over TLS _is_ the
mechanism described in this document, as specified in Section 8.2.2 mechanism described in this document, as specified in Section 8.2.2
of [RFC8310]. of [RFC8310].
The need for this mechanism when using DANE to authenticate a DNS The need for this mechanism when using DANE to authenticate a DNS-
over TLS resolver is obvious, since DNS may not be available to over-TLS resolver is obvious, since DNS may not be available to
perform the required DNS lookups. Other applications of TLS would perform the required DNS lookups. Other applications of TLS would
benefit from using this mechanism as well. The client sides of those benefit from using this mechanism as well. The client sides of those
applications would not be required to be used on end-points with a applications would not be required to be used on endpoints with a
working DNSSEC resolver in order for them to use DANE authentication working DNSSEC resolver in order for them to use the DANE
of the TLS service. Therefore we invite other TLS services to try authentication of the TLS service. Therefore, we invite other TLS
out this mechanism as well. services to try out this mechanism as well.
In the TLS working group, concerns have been raised that the pinning In the TLS Working Group, concerns have been raised that the pinning
technique as described in Section 7 would complicate deployability of technique as described in Section 7 would complicate deployability of
the TLS DNSSEC Chain extension. The goal of the experiment is to the TLS DNSSEC chain extension. The goal of the experiment is to
study these complications in real world deployments. This experiment study these complications in real-world deployments. This experiment
hopefully will give the TLS working group some insight into whether hopefully will give the TLS Working Group some insight into whether
or not this is a problem. or not this is a problem.
If the experiment is successful, it is expected that the findings of If the experiment is successful, it is expected that the findings of
the experiment will result in an updated document for standards track the experiment will result in an updated document for Standards Track
approval. approval.
1.2. Requirements Notation 1.2. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2. DNSSEC Authentication Chain Extension 2. DNSSEC Authentication Chain Extension
2.1. Protocol, TLS 1.2 2.1. Protocol, TLS 1.2
A client MAY include an extension of type "dnssec_chain" in the A client MAY include an extension of type "dnssec_chain" in the
(extended) ClientHello. The "extension_data" field of this extension (extended) ClientHello. The "extension_data" field of this extension
consists of the server's 16-bit TCP port number in network (big- consists of the server's 16-bit TCP port number in network (big-
endian) byte order. Clients sending this extension MUST also send endian) byte order. Clients sending this extension MUST also send
the Server Name Identification (SNI, [RFC6066]) extension. Together, the Server Name Identification (SNI) extension [RFC6066]. Together,
these make it possible for the TLS server to determine which these make it possible for the TLS server to determine which
authenticated TLSA RRset chain needs to be used for the authenticated TLSA RRset chain needs to be used for the
"dnssec_chain" extension. "dnssec_chain" extension.
When a server that implements (and is configured to enable the use When a server that implements (and is configured to enable the use
of) this extension receives a "dnssec_chain" extension in the of) this extension receives a "dnssec_chain" extension in the
ClientHello, it MUST first check whether the requested TLSA RRset ClientHello, it MUST first check whether the requested TLSA RRset
(based on the port number in this extension and hostname in the SNI (based on the port number in this extension and hostname in the SNI
extension) is associated with the server. If the extension, the SNI extension) is associated with the server. If the extension, the SNI
hostname or the port number is unsupported, the server's extended hostname, or the port number is unsupported, the server's extended
ServerHello message MUST NOT include the "dnssec_chain" extension. ServerHello message MUST NOT include the "dnssec_chain" extension.
Otherwise, the server's extended ServerHello message MUST contain a Otherwise, the server's extended ServerHello message MUST contain a
serialized authentication chain using the format described below. If serialized authentication chain using the format described below. If
the server does not have access to the requested DNS chain - for the server does not have access to the requested DNS chain -- for
example due to a misconfiguration or expired chain - the server MUST example, due to a misconfiguration or expired chain -- the server
omit the extension rather than send an incomplete chain. Clients MUST omit the extension rather than send an incomplete chain.
that are expecting this extension MUST interpret this as a downgrade Clients that are expecting this extension MUST interpret this as a
attack and MUST abort the TLS connection. Therefore, servers MUST downgrade attack and MUST abort the TLS connection. Therefore,
send denial of existence proofs, unless, for the particular servers MUST send denial-of-existence proofs unless, for the
application protocol or service, clients are expected to continue particular application protocol or service, clients are expected to
even in the absence of such a proof. As with all TLS extensions, if continue even in the absence of such a proof. As with all TLS
the server does not support this extension it will not return any extensions, if the server does not support this extension, it will
authentication chain. not return any authentication chain.
The set of supported combinations of port number and SNI name may be The set of supported combinations of a port number and SNI name may
configured explicitly by server administrators, or could be inferred be configured explicitly by server administrators or could be
from the available certificates combined with a list of supported inferred from the available certificates combined with a list of
ports. It is important to note that the client's notional port supported ports. It is important to note that the client's notional
number may be different from the actual port on which the server is port number may be different from the actual port on which the server
receiving connections. is receiving connections.
Differences between the client's notional port number and the actual Differences between the client's notional port number and the actual
port at the server could be a result of intermediate systems port at the server could be a result of intermediate systems
performing network address translation, or perhaps a result of a performing network address translation or a result of a redirect via
redirect via HTTPS or SVCB records (both defined in HTTPS or SVCB records (both defined in [DNSOP-SVCB-HTTPS]).
[I-D.ietf-dnsop-svcb-https]).
Though a DNS zone's HTTPS or SVCB records may be signed, a client Though a DNS zone's HTTPS or SVCB records may be signed, a client
using this protocol might not have direct access to a validating using this protocol might not have direct access to a validating
resolver, and might not be able to check the authenticity of the resolver and might not be able to check the authenticity of the
target port number or hostname. In order to avoid downgrade attacks target port number or hostname. In order to avoid downgrade attacks
via forged DNS records, the SNI name and port number inside the via forged DNS records, the SNI name and port number inside the
client extension MUST be based on the original SNI name and port and client extension MUST be based on the original SNI name and port and
MUST NOT be taken from the encountered HTTPS or SVCB record. The MUST NOT be taken from the encountered HTTPS or SVCB record. The
client supporting this document and HTTPS / SVCB records, MUST still client supporting this document and HTTPS or SVCB records MUST still
use the HTTPS or SVCB records to select the target transport use the HTTPS or SVCB records to select the target transport
endpoint. Servers supporting this extension that are targets of endpoint. Servers supporting this extension that are targets of
HTTPS or SVCB records MUST be provisioned to process client HTTPS or SVCB records MUST be provisioned to process client
extensions based on the client's logical service endpoint's SNI name extensions based on the client's logical service endpoint's SNI name
and port as it is prior to HTTPS or SVCB indirection. and port as it is prior to HTTPS or SVCB indirection.
2.2. Protocol, TLS 1.3 2.2. Protocol, TLS 1.3
In TLS 1.3 [RFC8446], when the server receives the "dnssec_chain" In TLS 1.3 [RFC8446], when the server receives the "dnssec_chain"
extension, it adds its "dnssec_chain" extension to the extension extension, it adds its "dnssec_chain" extension to the extension
block of the Certificate message containing the end entity block of the Certificate message containing the end-entity
certificate being validated, rather than to the extended ServerHello certificate being validated rather than to the extended ServerHello
message. message.
The extension protocol behavior otherwise follows that specified for The extension protocol behavior otherwise follows that specified for
TLS version 1.2 [RFC5246]. TLS version 1.2 [RFC5246].
2.3. DNSSEC Authentication Chain Data 2.3. DNSSEC Authentication Chain Data
The "extension_data" field of the client's "dnssec_chain" extension The "extension_data" field of the client's "dnssec_chain" extension
MUST contain the server's 16-bit TCP port number in network (big- MUST contain the server's 16-bit TCP port number in network (big-
endian) byte order: endian) byte order:
struct { struct {
uint16 PortNumber; uint16 PortNumber;
} DnssecChainExtension; } DnssecChainExtension;
The "extension_data" field of the server's "dnssec_chain" extension The "extension_data" field of the server's "dnssec_chain" extension
MUST contain a DNSSEC Authentication Chain encoded in the following MUST contain a DNSSEC authentication chain encoded in the following
form: form:
struct { struct {
uint16 ExtSupportLifetime; uint16 ExtSupportLifetime;
opaque AuthenticationChain<1..2^16-1> opaque AuthenticationChain<1..2^16-1>
} DnssecChainExtension; } DnssecChainExtension;
The ExtSupportLifetime value is the number of hours for which the TLS The ExtSupportLifetime value is the number of hours that the TLS
server has committed itself to serving this extension. A value of server has committed itself to serving this extension. A value of
zero prohibits the client from unilaterally requiring ongoing use of zero prohibits the client from unilaterally requiring ongoing use of
the extension based on prior observation of its use (extension the extension based on prior observation of its use (extension
pinning). This is further described in Section 7. pinning). This is further described in Section 7.
The AuthenticationChain is composed of a sequence of uncompressed The AuthenticationChain is composed of a sequence of uncompressed
wire format DNS RRs (including all requisite RRSIG [RFC4034] RRs) in wire format DNS RRs (including all requisite RRSIG RRs [RFC4034]) in
no particular order. The format of the Resource Record is described no particular order. The format of the resource record is described
in [RFC1035], Section 3.2.1. in [RFC1035], Section 3.2.1.
RR = { owner, type, class, TTL, RDATA length, RDATA } RR = { owner, type, class, TTL, RDATA length, RDATA }
The order of returned RRs is unspecified and a TLS client MUST NOT The order of returned RRs is unspecified, and a TLS client MUST NOT
assume any ordering of RRs. assume any ordering of RRs.
Use of native DNS wire format records enables easier generation of Use of DNS wire format records enables easier generation of the data
the data structure on the server and easier verification of the data structure on the server and easier verification of the data on the
on client by means of existing DNS library functions. client by means of existing DNS library functions.
The returned RRsets MUST contain either the TLSA RRset or else the The returned RRsets MUST contain either the TLSA RRset or the
associated denial of existence proof of the configured (and associated denial-of-existence proof of the configured (and
requested) SNI name and port. In either case, the chain of RRsets requested) SNI name and port. In either case, the chain of RRsets
MUST be accompanied by the full set of DNS records needed to MUST be accompanied by the full set of DNS records needed to
authenticate the TLSA record set or its denial of existence up the authenticate the TLSA record set or its denial of existence up the
DNS hierarchy to either the Root Zone or another trust anchor DNS hierarchy to either the root zone or another trust anchor
mutually configured by the TLS server and client. mutually configured by the TLS server and client.
When some subtree in the chain is subject to redirection via DNAME When some subtree in the chain is subject to redirection via DNAME
records, the associated inferred CNAME records need not be included. records, the associated inferred CNAME records need not be included.
They can be inferred by the DNS validation code in the client. Any They can be inferred by the DNS validation code in the client. Any
applicable ordinary CNAME records that are not synthesized from DNAME applicable ordinary CNAME records that are not synthesized from DNAME
records MUST be included along with their RRSIGs. records MUST be included along with their RRSIGs.
In case of a server-side DNS problem, servers may be unable to In case of a server-side DNS problem, servers may be unable to
construct the authentication chain and would then have no choice but construct the authentication chain and would then have no choice but
to omit the extension. to omit the extension.
In the case of a denial of existence response, the authentication In the case of a denial-of-existence response, the authentication
chain MUST include all DNSSEC signed records from the trust-anchor chain MUST include all DNSSEC-signed records, starting with those
zone to a proof of either the non-existence of the (possibly from the trust anchor zone, that chain together to reach a proof of
redirected via aliases) TLSA records or else of an insecure either:
delegation above or at the (possibly redirected) owner name of the
requested TLSA RRset. * the nonexistence of the TLSA records (possibly redirected via
aliases) or
* an insecure delegation above or at the (possibly redirected) owner
name of the requested TLSA RRset.
Names that are aliased via CNAME and/or DNAME records may involve Names that are aliased via CNAME and/or DNAME records may involve
multiple branches of the DNS tree. In this case, the authentication multiple branches of the DNS tree. In this case, the authentication
chain structure needs to include DS and DNSKEY record sets that cover chain structure needs to include DS and DNSKEY record sets that cover
all the necessary branches. all the necessary branches.
The returned chain SHOULD also include the DNSKEY RRSets of all The returned chain SHOULD also include the DNSKEY RRsets of all
relevant trust anchors (typically just the root DNS zone). Though relevant trust anchors (typically just the root DNS zone). Though
the same trust anchors are presumably also preconfigured in the TLS the same trust anchors are presumably also preconfigured in the TLS
client, including them in the response from the server permits TLS client, including them in the response from the server permits TLS
clients to use the automated trust anchor rollover mechanism defined clients to use the automated trust anchor rollover mechanism defined
in [RFC5011] to update their configured trust anchors. in [RFC5011] to update their configured trust anchors.
Barring prior knowledge of particular trust anchors that the server Barring prior knowledge of particular trust anchors that the server
shares with its clients, the chain constructed by the server MUST be shares with its clients, the chain constructed by the server MUST be
extended as close as possible to the root zone. Truncation of the extended as closely as possible to the root zone. Truncation of the
chain at some intermediate trust anchor is generally only appropriate chain at some intermediate trust anchor is generally only appropriate
inside private networks where all clients and the server are expected inside private networks where all clients and the server are expected
to be configured with DNS trust anchors for one or more non-root to be configured with DNS trust anchors for one or more non-root
domains. domains.
The following is an example of the records in the AuthenticationChain The following is an example of the records in the AuthenticationChain
structure for the HTTPS server at "www.example.com", where there are structure for the HTTPS server at "www.example.com", where there are
zone cuts at "com." and "example.com." (record data are omitted here zone cuts at "com" and "example.com" (record data are omitted here
for brevity): for brevity):
_443._tcp.www.example.com. TLSA _443._tcp.www.example.com. TLSA
RRSIG(_443._tcp.www.example.com. TLSA) RRSIG(_443._tcp.www.example.com. TLSA)
example.com. DNSKEY example.com. DNSKEY
RRSIG(example.com. DNSKEY) RRSIG(example.com. DNSKEY)
example.com. DS example.com. DS
RRSIG(example.com. DS) RRSIG(example.com. DS)
com. DNSKEY com. DNSKEY
RRSIG(com. DNSKEY) RRSIG(com. DNSKEY)
com. DS com. DS
RRSIG(com. DS) RRSIG(com. DS)
. DNSKEY . DNSKEY
RRSIG(. DNSKEY) RRSIG(. DNSKEY)
The following is an example of denial of existence for a TLSA RRset The following is an example of denial of existence for a TLSA RRset
at "_443._tcp.www.example.com". The NSEC record in this example at "_443._tcp.www.example.com". The NSEC record in this example
asserts the non-existence of both the requested RRset and any asserts the nonexistence of both the requested RRset and any
potentially relevant wildcard records. potentially relevant wildcard records.
www.example.com. IN NSEC example.com. A NSEC RRSIG www.example.com. IN NSEC example.com. A NSEC RRSIG
RRSIG(www.example.com. NSEC) RRSIG(www.example.com. NSEC)
example.com. DNSKEY example.com. DNSKEY
RRSIG(example.com. DNSKEY) RRSIG(example.com. DNSKEY)
example.com. DS example.com. DS
RRSIG(example.com. DS) RRSIG(example.com. DS)
com. DNSKEY com. DNSKEY
RRSIG(com. DNSKEY) RRSIG(com. DNSKEY)
com. DS com. DS
RRSIG(com. DS) RRSIG(com. DS)
. DNSKEY . DNSKEY
RRSIG(. DNSKEY) RRSIG(. DNSKEY)
The following is an example of (hypothetical) insecure delegation of The following is an example of (hypothetical) insecure delegation of
"example.com" from the ".com" zone. This example shows NSEC3 "example.com" from the ".com" zone. This example shows NSEC3 records
[RFC5155] records with opt-out. [RFC5155] with opt-out.
; covers example.com ; covers example.com
onib9mgub9h0rml3cdf5bgrj59dkjhvj.com. NSEC3 (1 1 0 - onib9mgub9h0rml3cdf5bgrj59dkjhvj.com. NSEC3 (1 1 0 -
onib9mgub9h0rml3cdf5bgrj59dkjhvl NS DS RRSIG) onib9mgub9h0rml3cdf5bgrj59dkjhvl NS DS RRSIG)
RRSIG(onib9mgub9h0rml3cdf5bgrj59dkjhvj.com. NSEC3) RRSIG(onib9mgub9h0rml3cdf5bgrj59dkjhvj.com. NSEC3)
; covers *.com ; covers *.com
3rl2r262eg0n1ap5olhae7mah2ah09hi.com. NSEC3 (1 1 0 - 3rl2r262eg0n1ap5olhae7mah2ah09hi.com. NSEC3 (1 1 0 -
3rl2r262eg0n1ap5olhae7mah2ah09hk NS DS RRSIG) 3rl2r262eg0n1ap5olhae7mah2ah09hk NS DS RRSIG)
RRSIG(3rl2r262eg0n1ap5olhae7mah2ah09hj.com. NSEC3) RRSIG(3rl2r262eg0n1ap5olhae7mah2ah09hj.com. NSEC3)
; closest-encloser "com" ; closest-encloser "com"
skipping to change at page 9, line 52 skipping to change at line 409
2.3.1. Authenticated Denial of Existence 2.3.1. Authenticated Denial of Existence
TLS servers that support this extension and respond to a request TLS servers that support this extension and respond to a request
containing this extension that do not have a signed TLSA record for containing this extension that do not have a signed TLSA record for
the configured (and requested) SNI name and port MUST instead return the configured (and requested) SNI name and port MUST instead return
a DNSSEC chain that provides authenticated denial of existence for a DNSSEC chain that provides authenticated denial of existence for
the configured SNI name and port. A TLS client receiving proof of the configured SNI name and port. A TLS client receiving proof of
authenticated denial of existence MUST use an alternative method to authenticated denial of existence MUST use an alternative method to
verify the TLS server identity or close the connection. Such an verify the TLS server identity or close the connection. Such an
alternative could be the classic PKIX model of preinstalled root alternative could be the classic PKIX model of preinstalled root
CA's. certificate authorities (CAs).
Authenticated denial chains include NSEC or NSEC3 records that Authenticated denial chains include NSEC or NSEC3 records that
demonstrate one of the following facts: demonstrate one of the following facts:
* The TLSA record (after any DNSSEC validated alias redirection) * The TLSA record (after any DNSSEC-validated alias redirection)
does not exist. does not exist.
* There is no signed delegation to a DNS zone which is either an * There is no signed delegation to a DNS zone that is either an
ancestor of, or the same as, the TLSA record name (after any ancestor of or the same as the TLSA record name (after any DNSSEC-
DNSSEC validated alias redirection). validated alias redirection).
3. Construction of Serialized Authentication Chains 3. Construction of Serialized Authentication Chains
This section describes a possible procedure for the server to use to This section describes a possible procedure for the server to use to
build the serialized DNSSEC chain. build the serialized DNSSEC chain.
When the goal is to perform DANE authentication [RFC6698][RFC7671] of When the goal is to perform DANE authentication [RFC6698] [RFC7671]
the server, the DNS record set to be serialized is a TLSA record set of the server, the DNS record set to be serialized is a TLSA record
corresponding to the server's domain name, protocol, and port number. set corresponding to the server's domain name, protocol, and port
number.
The domain name of the server MUST be that included in the TLS The domain name of the server MUST be that included in the TLS
"server_name" (SNI) extension [RFC6066]. If the server does not "server_name" (SNI) extension [RFC6066]. If the server does not
recognize the SNI name as one if its own names, but wishes to proceed recognize the SNI name as one of its own names but wishes to proceed
with the handshake rather than to abort the connection, the server with the handshake rather than abort the connection, the server MUST
MUST NOT send a "dnssec_chain" extension to the client. NOT send a "dnssec_chain" extension to the client.
The name in client's SNI extension MUST NOT be CNAME-expanded by the The name in the client's SNI extension MUST NOT be CNAME expanded by
server. The TLSA base domain (Section 3 of [RFC6698]) SHALL be the the server. The TLSA base domain (Section 3 of [RFC6698]) SHALL be
hostname from the client's SNI extension and the guidance in the hostname from the client's SNI extension, and the guidance in
Section 7 of [RFC7671] does not apply. See Section 9 for further Section 7 of [RFC7671] does not apply. See Section 9 for further
discussion. discussion.
The TLSA record to be queried is constructed by prepending The TLSA record to be queried is constructed by prepending
underscore-prefixed port number and transport name labels to the underscore-prefixed port number and transport name labels to the
domain name as described in [RFC6698]. The port number is taken from domain name as described in [RFC6698]. The port number is taken from
the client's "dnssec_chain" extension. The transport name is "tcp" the client's "dnssec_chain" extension. The transport name is "tcp"
for TLS servers, and "udp" for DTLS servers. The port number label for TLS servers and "udp" for DTLS servers. The port number label is
is the left-most label, followed by the transport name label, the leftmost label, followed by the transport name label, followed by
followed by the server domain name (from SNI). the server domain name (from SNI).
The components of the authentication chain are typically built by The components of the authentication chain are typically built by
starting at the target record set and its corresponding RRSIG. Then starting at the target record set and its corresponding RRSIG, then
traversing the DNS tree upwards towards the trust anchor zone traversing the DNS tree upwards towards the trust anchor zone
(normally the DNS root). For each zone cut, the DNSKEY and DS RRsets (normally the DNS root). For each zone cut, the DNSKEY, DS RRsets,
and their signatures are added. However, see Section 2.3 for and their signatures are added. However, see Section 2.3 for
specific processing needed for aliases. If DNS response messages specific processing needed for aliases. If DNS response messages
contain any domain names utilizing name compression [RFC1035], then contain any domain names utilizing name compression [RFC1035], then
they MUST be uncompressed prior to inclusion in the chain. they MUST be uncompressed prior to inclusion in the chain.
Implementations of EDNS Chain Query Requests as specified in Implementations of EDNS CHAIN query requests as specified in
[RFC7901] may offer an easier way to obtain all of the chain data in [RFC7901] may offer an easier way to obtain all of the chain data in
one transaction with an upstream DNSSEC aware recursive server. one transaction with an upstream DNSSEC-aware recursive server.
4. Caching and Regeneration of the Authentication Chain 4. Caching and Regeneration of the Authentication Chain
DNS records have Time To Live (TTL) parameters, and DNSSEC signatures DNS records have Time To Live (TTL) parameters, and DNSSEC signatures
have validity periods (specifically signature expiration times). have validity periods (specifically signature expiration times).
After the TLS server constructs the serialized authentication chain, After the TLS server constructs the serialized authentication chain,
it SHOULD cache and reuse it in multiple TLS connection handshakes. it SHOULD cache and reuse it in multiple TLS connection handshakes.
However, it SHOULD refresh and rebuild the chain as TTL values However, it SHOULD refresh and rebuild the chain as TTL values
require. A server implementation could carefully track TTL require. A server implementation could carefully track TTL
parameters and requery component records in the chain parameters and requery component records in the chain
correspondingly. Alternatively, it could be configured to rebuild correspondingly. Alternatively, it could be configured to rebuild
the entire chain at some predefined periodic interval that does not the entire chain at some predefined periodic interval that does not
exceed the DNS TTLs of the component records in the chain. If a exceed the DNS TTLs of the component records in the chain. If a
record in the chain has a very short TTL (eg 0 up to a few seconds), record in the chain has a very short TTL (e.g., 0 up to a few
the server MAY decide to serve the authentication chain a few seconds seconds), the server MAY decide to serve the authentication chain a
past the minimum TTL in the chain. This allows an implementation to few seconds past the minimum TTL in the chain. This allows an
dedicate a process or single thread to building the authentication implementation to dedicate a process or single thread to building the
chain and re-use it for more than a single waiting TLS client before authentication chain and reuse it for more than a single waiting TLS
needing to rebuild the authentication chain. client before needing to rebuild the authentication chain.
5. Expired signatures in the Authentication Chain 5. Expired Signatures in the Authentication Chain
A server MAY look at the signature expiration of RRSIG records. A server MAY look at the signature expiration of RRSIG records.
While these should never expire before the TTL of the corresponding While these should never expire before the TTL of the corresponding
DNS record is reached, if this situation is encountered nevertheless, DNS record is reached, if this situation is nevertheless encountered,
the server MAY lower the TTL to prevent serving expired RRSIGs if the server MAY lower the TTL to prevent serving expired RRSIGs if
possible. If the signatures are already expired, the server MUST possible. If the signatures are already expired, the server MUST
still include these records into the authentication chain. This still include these records in the authentication chain. This allows
allows the TLS client to either support a grace period for staleness, the TLS client to either support a grace period for staleness or give
or allows the TLS client to give a detailed error, either as log a detailed error, either as a log message or a message to a potential
message or to a potential interactive user of the TLS connection. interactive user of the TLS connection. The TLS client SHOULD handle
The TLS client SHOULD handle expired RRSIGs similar to how it handles expired RRSIGs similarly to how it handles expired PKIX certificates.
expired PKIX certificates.
6. Verification 6. Verification
A TLS client performing DANE based verification might not need to use A TLS client performing DANE-based verification might not need to use
this extension. For example, the TLS client could perform native DNS this extension. For example, the TLS client could perform DNS
lookups and perform DANE verification without this extension. Or it lookups and DANE verification without this extension, or it could
could fetch authentication chains via another protocol. If the TLS fetch authentication chains via another protocol. If the TLS client
client already possesses a valid TLSA record, it MAY omit using this already possesses a valid TLSA record, it MAY bypass use of this
extension. However, if it includes this extension, it MUST use the extension. However, if it includes this extension, it MUST use the
TLS server reply to update the extension pinning status of the TLS TLS server reply to update the extension pinning status of the TLS
server's extension lifetime. See Section 7. server's extension lifetime. See Section 7.
A TLS client making use of this specification, and which receives a A TLS client making use of this specification that receives a valid
valid DNSSEC authentication chain extension from a TLS server, MUST DNSSEC authentication chain extension from a TLS server MUST use this
use this information to perform DANE authentication of the TLS information to perform DANE authentication of the TLS server. In
server. In order to perform the validation, it uses the mechanism order to perform the validation, it uses the mechanism specified by
specified by the DNSSEC protocol [RFC4035][RFC5155]. This mechanism the DNSSEC protocol [RFC4035] [RFC5155]. This mechanism is sometimes
is sometimes implemented in a DNSSEC validation engine or library. implemented in a DNSSEC validation engine or library.
If the authentication chain validates, the TLS client then performs If the authentication chain validates, the TLS client then performs
DANE authentication of the server according to the DANE TLS protocol DANE authentication of the server according to the DANE TLS protocol
[RFC6698][RFC7671]. [RFC6698] [RFC7671].
Clients MAY cache the server's validated TLSA RRset to amortize the Clients MAY cache the server's validated TLSA RRset to amortize the
cost of receiving and validating the chain over multiple connections. cost of receiving and validating the chain over multiple connections.
The period of such caching MUST NOT exceed the TTL associated with The period of such caching MUST NOT exceed the TTL associated with
those records. A client that possesses a validated and unexpired those records. A client that possesses a validated and unexpired
TLSA RRset or the full chain in its cache does not need to send the TLSA RRset or the full chain in its cache does not need to send the
"dnssec_chain" extension for subsequent connections to the same TLS "dnssec_chain" extension for subsequent connections to the same TLS
server. It can use the cached information to perform DANE server. It can use the cached information to perform DANE
authentication. authentication.
Note that when a client and server perform TLS session resumption the Note that when a client and server perform TLS session resumption,
server sends no "dnssec_chain". This is particularly clear with TLS the server sends no "dnssec_chain". This is particularly clear with
1.3, where the certificate message to which the chain might be TLS 1.3, where the certificate message to which the chain might be
attached is also not sent on resumption. attached is also not sent on resumption.
7. Extension Pinning 7. Extension Pinning
TLS applications can be designed to unconditionally mandate this TLS applications can be designed to unconditionally mandate this
extension. Such TLS clients requesting this extension would abort a extension. Such TLS clients requesting this extension would abort a
connection to a TLS server that does not respond with a validatable connection to a TLS server that does not respond with an extension
extension reply. reply that can be validated.
However, in a mixed-use deployment of PKIX and DANE, there is the However, in a mixed-use deployment of PKIX and DANE, there is the
possibility that the security of a TLS client is downgraded from DANE possibility that the security of a TLS client is downgraded from DANE
to PKIX. This can happen when a TLS client connection is intercepted to PKIX. This can happen when a TLS client connection is intercepted
and redirected to a rogue TLS server presenting a TLS certificate and redirected to a rogue TLS server presenting a TLS certificate
that is considered valid from a PKIX point of view, but one that does that is considered valid from a PKIX point of view but does not match
not match the legitimate server's TLSA records. By omitting this the legitimate server's TLSA records. By omitting this extension,
extension, such a rogue TLS server could downgrade the TLS client to such a rogue TLS server could downgrade the TLS client to validate
validate the mis-issued certificate using only PKIX and not via DANE, the mis-issued certificate using only PKIX and not via DANE, provided
provided the TLS client is also not able to fetch the TLSA records the TLS client is also not able to fetch the TLSA records directly
directly from DNS. from DNS.
The ExtSupportLifetime element of the extension provides a The ExtSupportLifetime element of the extension provides a
countermeasure against such downgrade attacks. Its value represents countermeasure against such downgrade attacks. Its value represents
the number of hours that the TLS server (or cluster of servers the number of hours that the TLS server (or cluster of servers
serving the same Server Name) commit to serving this extension in the serving the same server name) commits to serving this extension in
future. This is referred to as the "pinning time" or "extension pin" the future. This is referred to as the "pinning time" or "extension
of the extension. A non-zero extension pin value received MUST ONLY pin" of the extension. A non-zero extension pin value received MUST
be used if the extension also contains a valid TLSA authentication ONLY be used if the extension also contains a valid TLSA
chain that matches the server's certificate chain (the server passes authentication chain that matches the server's certificate chain (the
DANE authentication based on the enclosed TLSA RRset). server passes DANE authentication based on the enclosed TLSA RRset).
Any existing extension pin for the server instance (name and port) Any existing extension pin for the server instance (name and port)
MUST be cleared on receipt of a valid denial of existence for the MUST be cleared on receipt of a valid denial of existence for the
associated TLSA RRset. The same also applies if the client obtained associated TLSA RRset. The same also applies if the client obtained
the denial of existence proof via another method, such as through the denial-of-existence proof via another method, such as through
direct DNS queries. Based on the TLS client's local policy, it MAY direct DNS queries. Based on the TLS client's local policy, it MAY
then terminate the connection or MAY continue using PKIX based server then terminate the connection or MAY continue using PKIX-based server
authentication. authentication.
Extension pins MUST also be cleared upon the completion of a DANE Extension pins MUST also be cleared upon the completion of a DANE-
authenticated handshake with a server that returns a "dnssec_chain" authenticated handshake with a server that returns a "dnssec_chain"
extension with a zero ExtSupportLifetime. extension with a zero ExtSupportLifetime.
Upon completion of a full validated handshake with a server that Upon completion of a fully validated handshake with a server that
returns a "dnssec_chain" extension with a non-zero ExtSupport returns a "dnssec_chain" extension with a non-zero ExtSupport
lifetime, the client MUST update any existing pin lifetime for the lifetime, the client MUST update any existing pin lifetime for the
service (name and port) to a value that is no longer than that service (name and port) to a value that is not longer than that
indicated by the server. The client MAY, subject to local policy, indicated by the server. The client MAY, subject to local policy,
create a previously non-existent pin, again for a lifetime that is create a previously nonexistent pin, again for a lifetime that is not
not longer than that indicated by the server. longer than that indicated by the server.
The extension support lifetime is not constrained by any DNS TTLs or The extension support lifetime is not constrained by any DNS TTLs or
RRSIG expirations in the returned chain. The extension support RRSIG expirations in the returned chain. The extension support
lifetime is the time for which the TLS server is committing itself to lifetime is the time for which the TLS server is committing itself to
serve the extension; it is not a validity time for the returned chain serve the extension; it is not a validity time for the returned chain
data. During this period the DNSSEC chain may be updated. data. During this period, the DNSSEC chain may be updated.
Therefore, the ExtSupportLifetime value is not constrained by any DNS Therefore, the ExtSupportLifetime value is not constrained by any DNS
TTLs or RRSIG expirations in the returned chain. TTLs or RRSIG expirations in the returned chain.
Clients MAY implement support for a subset of DANE certificate Clients MAY implement support for a subset of DANE certificate
usages. For example, clients may support only DANE-EE(3) and DANE- usages. For example, clients may support only DANE-EE(3) and DANE-
TA(2) [RFC7218], only PKIX-EE(1) and PKIX-TA(0) or all four. Clients TA(2) [RFC7218], only PKIX-EE(1) and PKIX-TA(0), or all four.
that implement DANE-EE(3) and DANE-TA(2) MUST implement the relevant Clients that implement DANE-EE(3) and DANE-TA(2) MUST implement the
updates in [RFC7671]. relevant updates in [RFC7671].
For a non-zero saved value ("pin") of the ExtSupportLifetime element For a non-zero saved value ("pin") of the ExtSupportLifetime element
of the extension, TLS clients that do not have a cached TLSA RRset of the extension, TLS clients that do not have a cached TLSA RRset
with an unexpired TTL MUST use the extension for the associated name with an unexpired TTL MUST use the extension for the associated name
and port to obtain this information from the TLS server. This TLS and port to obtain this information from the TLS server. This TLS
client then MUST require that the TLS server responds with this client then MUST require that the TLS server respond with this
extension that MUST contain a valid TLSA RRset or proof of non- extension, which MUST contain a valid TLSA RRset or proof of
existence of the TLSA RRset that covers the requested name and port. nonexistence of the TLSA RRset that covers the requested name and
Note that a non-existence proof or proof of insecure delegation will port. Note that a nonexistence proof or proof of insecure delegation
clear the pin. The TLS client MUST require this for as long as the will clear the pin. The TLS client MUST require this for as long as
time period specified by the pin value, independent of the DNS TTLs. the time period specified by the pin value, independent of the DNS
If during this process, the TLS client fails to receive this TTLs. During this process, if the TLS client fails to receive this
information, it MUST either abort the connection or delay information, it MUST either abort the connection or delay
communication with the server via the TLS connection until it is able communication with the server via the TLS connection until it is able
to obtain valid TLSA records (or proof of non-existence) out of band, to obtain valid TLSA records (or proof of nonexistence) out of band,
such as via direct DNS lookups. If attempts to obtain the TLSA RRset such as via direct DNS lookups. If attempts to obtain the TLSA RRset
out of band fail, the client MUST abort the TLS connection. It MAY out of band fail, the client MUST abort the TLS connection. It MAY
try a new TLS connection again, for example using an exponential try a new TLS connection again (for example, using an exponential
back-off timer, in an attempt to reach a different TLS server back-off timer) in an attempt to reach a different TLS server
instance that does properly serve the extension. instance that does properly serve the extension.
A TLS client that has a cached validated TLSA RRset and a valid non- A TLS client that has a cached validated TLSA RRset and a valid non-
zero extension pin time MAY still refrain from requesting the zero extension pin time MAY still refrain from requesting the
extension as long as it uses the cached TLSA RRset to authenticate extension as long as it uses the cached TLSA RRset to authenticate
the TLS server. This RRset MUST NOT be used beyond its received TTL. the TLS server. This RRset MUST NOT be used beyond its received TTL.
Once the TLSA RRset's TTL has expired, the TLS client with a valid Once the TLSA RRset's TTL has expired, the TLS client with a valid
non-zero extension pin time MUST request the extension and MUST abort non-zero extension pin time MUST request the extension and MUST abort
the TLS connection if the server responds without the extension. A the TLS connection if the server responds without the extension. A
TLS client MAY attempt to obtain the valid TLSA RRset by some other TLS client MAY attempt to obtain the valid TLSA RRset by some other
means before initiating a new TLS connection. means before initiating a new TLS connection.
Note that requiring the extension is NOT the same as requiring the Note that requiring the extension is NOT the same as requiring the
use of DANE TLSA records or even DNSSEC. A DNS zone operator may at use of DANE TLSA records or even DNSSEC. A DNS zone operator may at
any time delete the TLSA records, or even remove the DS records to any time delete the TLSA records or even remove the DS records to
disable the secure delegation of the server's DNS zone. The TLS disable the secure delegation of the server's DNS zone. The TLS
server will, when it updates its cached TLSA authentication chain, server will replace the chain with the corresponding denial-of-
replace the chain with the corresponding denial of existence chain. existence chain when it updates its cached TLSA authentication chain.
The server's only obligation is continued support for this extension. The server's only obligation is continued support for this extension.
8. Trust Anchor Maintenance 8. Trust Anchor Maintenance
The trust anchor may change periodically, e.g. when the operator of The trust anchor may change periodically, e.g., when the operator of
the trust anchor zone performs a DNSSEC key rollover. TLS clients the trust anchor zone performs a DNSSEC key rollover. TLS clients
using this specification MUST implement a mechanism to keep their using this specification MUST implement a mechanism to keep their
trust anchors up to date. They could use the method defined in trust anchors up to date. They could use the method defined in
[RFC5011] to perform trust anchor updates inband in TLS, by tracking [RFC5011] to perform trust anchor updates in-band in TLS by tracking
the introduction of new keys seen in the trust anchor DNSKEY RRset. the introduction of new keys seen in the trust anchor DNSKEY RRset.
However, alternative mechanisms external to TLS may also be utilized. However, alternative mechanisms external to TLS may also be utilized.
Some operating systems may have a system-wide service to maintain and Some operating systems may have a system-wide service to maintain and
keep the root trust anchor up to date. In such cases, the TLS client keep the root trust anchor up to date. In such cases, the TLS client
application could simply reference that as its trust anchor, application could simply reference that as its trust anchor,
periodically checking whether it has changed. Some applications may periodically checking whether it has changed. Some applications may
prefer to implement trust anchor updates as part of their automated prefer to implement trust anchor updates as part of their automated
software updates. software updates.
9. Virtual Hosting 9. Virtual Hosting
Delivery of application services is often provided by a third party Delivery of application services is often provided by a third party
on behalf of the domain owner (hosting customer). Since the domain on behalf of the domain owner (hosting customer). Since the domain
owner may want to be able to move the service between providers, non- owner may want to be able to move the service between providers, non-
zero support lifetimes for this extension should only be enabled by zero support lifetimes for this extension should only be enabled by
mutual agreement between the provider and domain owner. mutual agreement between the provider and domain owner.
When CNAME records are employed to redirect network connections to When CNAME records are employed to redirect network connections to
the provider's network, as mentioned in Section 3 the server uses the the provider's network, as mentioned in Section 3, the server uses
client's SNI hostname as the TLSA base domain without CNAME the client's SNI hostname as the TLSA base domain without CNAME
expansion. When the certificate chain for the service is managed by expansion. When the certificate chain for the service is managed by
the provider, it is impractical to coordinate certificate changes by the provider, it is impractical to coordinate certificate changes by
the provider with updates in the hosting customer's DNS. Therefore, the provider with updates in the hosting customer's DNS. Therefore,
the TLSA RRset for the hosted domain is best configured as a CNAME the TLSA RRset for the hosted domain is best configured as a CNAME
from the customer's domain to a TLSA RRset that is managed by the from the customer's domain to a TLSA RRset that is managed by the
provider as part of delivering the hosted service. For example: provider as part of delivering the hosted service. For example:
; Customer DNS ; Customer DNS
www.example.com. IN CNAME node1.provider.example. www.example.com. IN CNAME node1.provider.example.
_443._tcp.www.example.com. IN CNAME _dane443.node1.provider.example. _443._tcp.www.example.com. IN CNAME _dane443.node1.provider.example.
; Provider DNS ; Provider DNS
node1.provider.example. IN A 192.0.2.1 node1.provider.example. IN A 192.0.2.1
_dane443.node1.provider.example. IN TLSA 1 1 1 ... _dane443.node1.provider.example. IN TLSA 1 1 1 ...
Clients that obtain TLSA records directly from DNS, bypassing this Clients that obtain TLSA records directly from DNS, bypassing this
extension, may however perform CNAME-expansion as in Section 7 of extension, may perform CNAME expansion as in Section 7 of [RFC7671].
[RFC7671], and if TLSA records are associated with the fully-expanded If TLSA records are associated with the fully expanded name, that
name, may use that name as the TLSA base domain and SNI name for the name may be used as the TLSA base domain and SNI name for the TLS
TLS handshake. handshake.
To avoid confusion, it is RECOMMENDED that server operators not To avoid confusion, it is RECOMMENDED that server operators not
publish TLSA RRs (_port._tcp. + base domain) based on the expanded publish TLSA RRs (_port._tcp. + base domain) based on the expanded
CNAMEs used to locate their network addresses. Instead, the server CNAMEs used to locate their network addresses. Instead, the server
operator SHOULD publish TLSA RRs at an alternative DNS node (as in operator SHOULD publish TLSA RRs at an alternative DNS node (as in
the example above), to which the hosting customer will publish a the example above), to which the hosting customer will publish a
CNAME alias. This results in all clients (whether they obtain TLSA CNAME alias. This results in all clients (whether they obtain TLSA
records from DNS directly, or employ this extension) seeing the same records from DNS directly or employ this extension) seeing the same
TLSA records and sending the same SNI name. TLSA records and sending the same SNI name.
10. Operational Considerations 10. Operational Considerations
When DANE is being introduced incrementally into an existing PKIX When DANE is being introduced incrementally into an existing PKIX
environment, there may be scenarios in which DANE authentication for environment, there may be scenarios in which DANE authentication for
a server fails but PKIX succeeds, or vice versa. What happens here a server fails but PKIX succeeds, or vice versa. What happens here
depends on TLS client policy. If DANE authentication fails, the depends on TLS client policy. If DANE authentication fails, the
client may decide to fall back to traditional PKIX authentication. client may decide to fall back to regular PKIX authentication. In
In order to do so efficiently within the same TLS handshake, the TLS order to do so efficiently within the same TLS handshake, the TLS
server needs to have provided the full X.509 certificate chain. When server needs to have provided the full X.509 certificate chain. When
TLS servers only support DANE-EE or DANE-TA modes, they have the TLS servers only support DANE-EE or DANE-TA modes, they have the
option to send a much smaller certificate chain: just the EE option to send a much smaller certificate chain: just the EE
certificate for the former, and a short certificate chain from the certificate for the former and a short certificate chain from the
DANE trust anchor to the EE certificate for the latter. If the TLS DANE trust anchor to the EE certificate for the latter. If the TLS
server supports both DANE and traditional PKIX, and wants to allow server supports both DANE and regular PKIX and wants to allow
efficient PKIX fallback within the same handshake, they should always efficient PKIX fallback within the same handshake, they should always
provide the full X.509 certificate chain. provide the full X.509 certificate chain.
When a TLS server operator wishes to no longer deploy this extension, When a TLS server operator wishes to no longer deploy this extension,
it must properly decommission its use. If a non-zero pin lifetime is it must properly decommission its use. If a non-zero pin lifetime is
presently advertised, it must first be changed to 0. The extension presently advertised, it must first be changed to 0. The extension
can be disabled once all previously advertised pin lifetimes have can be disabled once all previously advertised pin lifetimes have
expired. Removal of TLSA records or even DNSSEC signing of the zone expired. Removal of TLSA records or even DNSSEC signing of the zone
can be done at any time, but the server MUST still be able to return can be done at any time, but the server MUST still be able to return
the associated denial of existence proofs to any clients that have the associated denial-of-existence proofs to any clients that have
unexpired pins. unexpired pins.
TLS clients MAY reduce the received extension pin value to a maximum TLS clients MAY reduce the received extension pin value to a maximum
set by local policy. This can mitigate a theoretical yet unlikely set by local policy. This can mitigate a theoretical yet unlikely
attack where a compromised TLS server is modified to advertise a pin attack where a compromised TLS server is modified to advertise a pin
value set to the maximum of 7 years. Care should be taken not to set value set to the maximum of 7 years. Care should be taken not to set
a local maximum that is too short as that would reduce the downgrade a local maximum that is too short as that would reduce the downgrade
attack protection that the extension pin offers. attack protection that the extension pin offers.
If the hosting provider intends to use end-entity TLSA records If the hosting provider intends to use end-entity TLSA records
(certificate usage PKIX-EE(1) or DANE-EE(3)) then the simplest (certificate usage PKIX-EE(1) or DANE-EE(3)), then the simplest
approach is to use the same key-pair for all the certificates at a approach is to use the same key pair for all the certificates at a
given hosting node, and publish "1 1 1" or "3 1 1" RRs matching the given hosting node and publish "1 1 1" or "3 1 1" RRs matching the
common public key. Since key rollover cannot be simultaneous across common public key. Since key rollover cannot be simultaneous across
multiple certificate updates, there will be times when multiple "1 1 multiple certificate updates, there will be times when multiple "1 1
1" (or "3 1 1") records will be required to match all the extant 1" (or "3 1 1") records will be required to match all the extant
certificates. Multiple TLSA records are in any case needed a few certificates. Multiple TLSA records are, in any case, needed a few
TTLs before certificate updates as explained in Section 8 of TTLs before certificate updates as explained in Section 8 of
[RFC7671]. [RFC7671].
If the hosting provider intends to use trust-anchor TLSA records If the hosting provider intends to use trust anchor TLSA records
(certificate usage PKIX-TA(0) or DANE-TA(2)) then the same TLSA (certificate usage PKIX-TA(0) or DANE-TA(2)), then the same TLSA
record can match all end-entity certificates issues by the record can match all end-entity certificates issues by the
certification authority in question, and continues to work across certification authority in question and continues to work across end-
end-entity certificate updates, so long as the issuer certificate or entity certificate updates so long as the issuer certificate or
public keys remains unchanged. This can be easier to implement, at public keys remain unchanged. This can be easier to implement at the
the cost of greater reliance on the security of the selected cost of greater reliance on the security of the selected
certification authority. certification authority.
The provider can of course publish separate TLSA records for each The provider can, of course, publish separate TLSA records for each
customer, which increases the number of such RRsets that need to be customer, which increases the number of such RRsets that need to be
managed, but makes each one independent of the rest. managed but makes each one independent of the rest.
11. Security Considerations 11. Security Considerations
The security considerations of the normatively referenced RFCs all The security considerations of the normatively referenced RFCs all
pertain to this extension. Since the server is delivering a chain of pertain to this extension. Since the server is delivering a chain of
DNS records and signatures to the client, it MUST rebuild the chain DNS records and signatures to the client, it MUST rebuild the chain
in accordance with TTL and signature expiration of the chain in accordance with TTL and signature expiration of the chain
components as described in Section 4. TLS clients need roughly components as described in Section 4. TLS clients need roughly
accurate time in order to properly authenticate these signatures. accurate time in order to properly authenticate these signatures.
This could be achieved by running a time synchronization protocol This could be achieved by running a time synchronization protocol
like NTP [RFC5905] or SNTP [RFC5905], which are already widely used like NTP [RFC5905] or SNTP [RFC5905], which are already widely used
today. TLS clients MUST support a mechanism to track and roll over today. TLS clients MUST support a mechanism to track and roll over
the trust anchor key, or be able to avail themselves of a service the trust anchor key or be able to avail themselves of a service that
that does this, as described in Section 8. Security considerations does this, as described in Section 8. Security considerations
related to mandating the use of this extension are described in related to mandating the use of this extension are described in
Section 7. Section 7.
The received DNSSEC chain could contain DNS RRs that are not related The received DNSSEC chain could contain DNS RRs that are not related
to the TLSA verification of the intended DNS name. If such a to the TLSA verification of the intended DNS name. If such an
unrelated RR is not DNSSEC signed, it MUST be disgarded. If the unrelated RR is not DNSSEC signed, it MUST be discarded. If the
unrelated RRset is DNSSEC signed, the TLS client MAY decide to add unrelated RRset is DNSSEC signed, the TLS client MAY decide to add
these RRsets and their DNSSEC signatures to its cache. It MAY even these RRsets and their DNSSEC signatures to its cache. It MAY even
pass this data to the local system resolver for caching outside the pass this data to the local system resolver for caching outside the
application. However, care must be taken that caching these records application. However, care must be taken because caching these
could be used for timing and caching attacks to de-anonymize the TLS records could be used for timing and caching attacks to de-anonymize
client or its user. A TLS client that wants to present the strongest the TLS client or its user. A TLS client that wants to present the
anonymity protection to their users, MUST refrain from using and strongest anonymity protection to their users MUST refrain from using
caching all unrelated RRs. and caching all unrelated RRs.
12. IANA Considerations 12. IANA Considerations
This document defines one new entry in the TLS ExtensionType Values IANA has made the following assignment in the "TLS ExtensionType
registry: Values" registry:
+-------+----------------+---------+-------------+-----------------+ +=======+================+=========+=============+===========+
| Value | Extension Name | TLS 1.3 | Recommended | Reference | | Value | Extension Name | TLS 1.3 | Recommended | Reference |
+-------+----------------+---------+-------------+-----------------+ +=======+================+=========+=============+===========+
| TBD | dnssec_chain | CH | No | [this document] | | 59 | dnssec_chain | CH | No | RFC 9102 |
+-------+----------------+---------+-------------+-----------------+ +-------+----------------+---------+-------------+-----------+
Table 1 Table 1
13. Acknowledgments 13. References
Many thanks to Adam Langley for laying the groundwork for this
extension in [I-D.agl-dane-serializechain]. The original idea is his
but our acknowledgment in no way implies his endorsement. This
document also benefited from discussions with and review from the
following people: Daniel Kahn Gillmor, Jeff Hodges, Allison Mankin,
Patrick McManus, Rick van Rein, Ilari Liusvaara, Eric Rescorla, Gowri
Visweswaran, Duane Wessels, Nico Williams, and Richard Barnes.
14. Normative References 13.1. Normative References
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>. November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
skipping to change at page 19, line 43 skipping to change at line 862
[RFC8310] Dickinson, S., Gillmor, D., and T. Reddy, "Usage Profiles [RFC8310] Dickinson, S., Gillmor, D., and T. Reddy, "Usage Profiles
for DNS over TLS and DNS over DTLS", RFC 8310, for DNS over TLS and DNS over DTLS", RFC 8310,
DOI 10.17487/RFC8310, March 2018, DOI 10.17487/RFC8310, March 2018,
<https://www.rfc-editor.org/info/rfc8310>. <https://www.rfc-editor.org/info/rfc8310>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
15. Informative References 13.2. Informative References
[I-D.agl-dane-serializechain]
Langley, A., "Serializing DNS Records with DNSSEC
Authentication", Work in Progress, Internet-Draft, draft-
agl-dane-serializechain-01, 1 July 2011,
<https://tools.ietf.org/html/draft-agl-dane-
serializechain-01>.
[I-D.barnes-dane-uks] [DANE-UKS] Barnes, R., Thomson, M., and E. Rescorla, "Unknown Key-
Barnes, R., Thomson, M., and E. Rescorla, "Unknown Key- Share Attacks on DNS-Based Authentications of Named
Share Attacks on DNS-based Authentications of Named
Entities (DANE)", Work in Progress, Internet-Draft, draft- Entities (DANE)", Work in Progress, Internet-Draft, draft-
barnes-dane-uks-00, 9 October 2016, barnes-dane-uks-00, 9 October 2016,
<https://tools.ietf.org/html/draft-barnes-dane-uks-00>. <https://datatracker.ietf.org/doc/html/draft-barnes-dane-
uks-00>.
[I-D.ietf-dnsop-svcb-https]
Schwartz, B., Bishop, M., and E. Nygren, "Service binding
and parameter specification via the DNS (DNS SVCB and
HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf-
dnsop-svcb-https-05, 21 April 2021,
<https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https-
05>.
[NLNETLABS] [DISCOVERY]
Gorjon, X. and W. Toorop, "Discovery method for a DNSSEC Gorjon, X. and W. Toorop, "Discovery method for a DNSSEC
validating stub resolver", 14 July 2015, validating stub resolver", 14 July 2015,
<https://www.nlnetlabs.nl/downloads/publications/ <https://www.nlnetlabs.nl/downloads/publications/
os3-2015-rp2-xavier-torrent-gorjon.pdf>. os3-2015-rp2-xavier-torrent-gorjon.pdf>.
[DNSOP-SVCB-HTTPS]
Schwartz, B., Bishop, M., and E. Nygren, "Service Binding
and Parameter Specification via the DNS (DNS SVCB and
HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf-
dnsop-svcb-https-06, 16 June 2021,
<https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-
svcb-https-06>.
[RFC5011] StJohns, M., "Automated Updates of DNS Security (DNSSEC) [RFC5011] StJohns, M., "Automated Updates of DNS Security (DNSSEC)
Trust Anchors", STD 74, RFC 5011, DOI 10.17487/RFC5011, Trust Anchors", STD 74, RFC 5011, DOI 10.17487/RFC5011,
September 2007, <https://www.rfc-editor.org/info/rfc5011>. September 2007, <https://www.rfc-editor.org/info/rfc5011>.
[RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
"Network Time Protocol Version 4: Protocol and Algorithms "Network Time Protocol Version 4: Protocol and Algorithms
Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010, Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010,
<https://www.rfc-editor.org/info/rfc5905>. <https://www.rfc-editor.org/info/rfc5905>.
[RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J.,
Weiler, S., and T. Kivinen, "Using Raw Public Keys in Weiler, S., and T. Kivinen, "Using Raw Public Keys in
Transport Layer Security (TLS) and Datagram Transport Transport Layer Security (TLS) and Datagram Transport
Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
June 2014, <https://www.rfc-editor.org/info/rfc7250>. June 2014, <https://www.rfc-editor.org/info/rfc7250>.
[RFC7901] Wouters, P., "CHAIN Query Requests in DNS", RFC 7901, [RFC7901] Wouters, P., "CHAIN Query Requests in DNS", RFC 7901,
DOI 10.17487/RFC7901, June 2016, DOI 10.17487/RFC7901, June 2016,
<https://www.rfc-editor.org/info/rfc7901>. <https://www.rfc-editor.org/info/rfc7901>.
[SERIALIZECHAIN]
Langley, A., "Serializing DNS Records with DNSSEC
Authentication", Work in Progress, Internet-Draft, draft-
agl-dane-serializechain-01, 1 July 2011,
<https://datatracker.ietf.org/doc/html/draft-agl-dane-
serializechain-01>.
Appendix A. Test Vectors Appendix A. Test Vectors
The test vectors in this appendix are representations of the content The test vectors in this appendix are representations of the content
of the "opaque AuthenticationChain" field in DNS presentation format. of the "opaque AuthenticationChain" field in DNS presentation format
And except for the "extension_data" in Appendix A.1, do not contain and, except for the "extension_data" in Appendix A.1, do not contain
the "uint16 ExtSupportLifetime" field. the "uint16 ExtSupportLifetime" field.
For brevity and reproducibility all DNS zones involved with the test For brevity and reproducibility, all DNS zones involved with the test
vectors are signed using keys with algorithm 13: ECDSA Curve P-256 vectors are signed using keys with algorithm 13 (ECDSA Curve P-256
with SHA-256. with SHA-256).
To reflect operational practice, different zones in the examples are To reflect operational practice, different zones in the examples are
in different phases of rolling their signing keys: in different phases of rolling their signing keys:
* All zones use a Key Signing Key (KSK) and Zone Signing Key (ZSK), * All zones use a Key Signing Key (KSK) and Zone Signing Key (ZSK),
except for the example.com and example.net zones which use a except for the "example.com" and "example.net" zones, which use a
Combined Signing Key (CSK). Combined Signing Key (CSK).
* The root and org zones are rolling their ZSK's. * The root and org zones are rolling their ZSKs.
* The com and org zones are rolling their KSK's. * The com and org zones are rolling their KSKs.
The test vectors are DNSSEC valid in the same period as the The test vectors are DNSSEC valid in the same period as the
certificate is valid, which is in between November 28, 2018 and certificate is valid, which is between November 28, 2018 and December
December 2, 2020 and with the following root trust anchor: 2, 2020 with the following root trust anchor:
. IN DS ( 47005 13 2 2eb6e9f2480126691594d649a5a613de3052e37861634 . IN DS ( 47005 13 2 2eb6e9f2480126691594d649a5a613de3052e37861634
641bb568746f2ffc4d4 ) 641bb568746f2ffc4d4 )
The test vectors will authenticate the certificate used with The test vectors will authenticate the certificate used with
https://example.com/ (https://example.com/), https://example.net/ "https://example.com/", "https://example.net/", and
(https://example.net/) and https://example.org/ "https://example.org/" at the time of writing:
(https://example.org/) at the time of writing:
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIHQDCCBiigAwIBAgIQD9B43Ujxor1NDyupa2A4/jANBgkqhkiG9w0BAQsFADBN MIIHQDCCBiigAwIBAgIQD9B43Ujxor1NDyupa2A4/jANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgxMTI4MDAwMDAwWhcN aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgxMTI4MDAwMDAwWhcN
MjAxMjAyMTIwMDAwWjCBpTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju MjAxMjAyMTIwMDAwWjCBpTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
aWExFDASBgNVBAcTC0xvcyBBbmdlbGVzMTwwOgYDVQQKEzNJbnRlcm5ldCBDb3Jw aWExFDASBgNVBAcTC0xvcyBBbmdlbGVzMTwwOgYDVQQKEzNJbnRlcm5ldCBDb3Jw
b3JhdGlvbiBmb3IgQXNzaWduZWQgTmFtZXMgYW5kIE51bWJlcnMxEzARBgNVBAsT b3JhdGlvbiBmb3IgQXNzaWduZWQgTmFtZXMgYW5kIE51bWJlcnMxEzARBgNVBAsT
ClRlY2hub2xvZ3kxGDAWBgNVBAMTD3d3dy5leGFtcGxlLm9yZzCCASIwDQYJKoZI ClRlY2hub2xvZ3kxGDAWBgNVBAMTD3d3dy5leGFtcGxlLm9yZzCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANDwEnSgliByCGUZElpdStA6jGaPoCkrp9vV hvcNAQEBBQADggEPADCCAQoCggEBANDwEnSgliByCGUZElpdStA6jGaPoCkrp9vV
skipping to change at page 22, line 47 skipping to change at line 986
wQApBo2yCJo32RMAAAFnXDGWnAAABAMARzBFAiEA5Hn7Q4SOyqHkT+kDsHq7ku7z wQApBo2yCJo32RMAAAFnXDGWnAAABAMARzBFAiEA5Hn7Q4SOyqHkT+kDsHq7ku7z
RDuM7P4UDX2ft2Mpny0CIE13WtxJAUr0aASFYZ/XjSAMMfrB0/RxClvWVss9LHKM RDuM7P4UDX2ft2Mpny0CIE13WtxJAUr0aASFYZ/XjSAMMfrB0/RxClvWVss9LHKM
MA0GCSqGSIb3DQEBCwUAA4IBAQBzcIXvQEGnakPVeJx7VUjmvGuZhrr7DQOLeP4R MA0GCSqGSIb3DQEBCwUAA4IBAQBzcIXvQEGnakPVeJx7VUjmvGuZhrr7DQOLeP4R
8CmgDM1pFAvGBHiyzvCH1QGdxFl6cf7wbp7BoLCRLR/qPVXFMwUMzcE1GLBqaGZM 8CmgDM1pFAvGBHiyzvCH1QGdxFl6cf7wbp7BoLCRLR/qPVXFMwUMzcE1GLBqaGZM
v1Yh2lvZSLmMNSGRXdx113pGLCInpm/TOhfrvr0TxRImc8BdozWJavsn1N2qdHQu v1Yh2lvZSLmMNSGRXdx113pGLCInpm/TOhfrvr0TxRImc8BdozWJavsn1N2qdHQu
N+UBO6bQMLCD0KHEdSGFsuX6ZwAworxTg02/1qiDu7zW7RyzHvFYA4IAjpzvkPIa N+UBO6bQMLCD0KHEdSGFsuX6ZwAworxTg02/1qiDu7zW7RyzHvFYA4IAjpzvkPIa
X6KjBtpdvp/aXabmL95YgBjT8WJ7pqOfrqhpcmOBZa6Cg6O1l4qbIFH/Gj9hQB5I X6KjBtpdvp/aXabmL95YgBjT8WJ7pqOfrqhpcmOBZa6Cg6O1l4qbIFH/Gj9hQB5I
0Gs4+eH6F9h3SojmPTYkT+8KuZ9w84Mn+M8qBXUQoYoKgIjN 0Gs4+eH6F9h3SojmPTYkT+8KuZ9w84Mn+M8qBXUQoYoKgIjN
-----END CERTIFICATE----- -----END CERTIFICATE-----
A.1. _443._tcp.www.example.com A.1. "_443._tcp.www.example.com"
_443._tcp.www.example.com. 3600 IN TLSA ( 3 1 1 _443._tcp.www.example.com. 3600 IN TLSA ( 3 1 1
8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b 8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b
922 ) 922 )
_443._tcp.www.example.com. 3600 IN RRSIG ( TLSA 13 5 3600 _443._tcp.www.example.com. 3600 IN RRSIG ( TLSA 13 5 3600
20201202000000 20181128000000 1870 example.com. 20201202000000 20181128000000 1870 example.com.
rqY69NnTf4CN3GBGQjKEJCLAMsRkUrXe0JW8IqDb5rQHHzxNqqPeEoi+2vI6S rqY69NnTf4CN3GBGQjKEJCLAMsRkUrXe0JW8IqDb5rQHHzxNqqPeEoi+2vI6S
z2BhaswpGLVVuoijuVdzxYjmw== ) z2BhaswpGLVVuoijuVdzxYjmw== )
example.com. 3600 IN DNSKEY ( 257 3 13 example.com. 3600 IN DNSKEY ( 257 3 13
JnA1XgyJTZz+psWvbrfUWLV6ULqIJyUS2CQdhUH9VK35bslWeJpRzrlxCUs7s JnA1XgyJTZz+psWvbrfUWLV6ULqIJyUS2CQdhUH9VK35bslWeJpRzrlxCUs7s
/TsSfZMaGWVvlsuieh5nHcXzA== ) ; Key ID = 1870 /TsSfZMaGWVvlsuieh5nHcXzA== ) ; Key ID = 1870
skipping to change at page 24, line 17 skipping to change at line 1048
xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635 xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635
. 86400 IN DNSKEY ( 257 3 13 . 86400 IN DNSKEY ( 257 3 13
yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv
Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005 Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005
. 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000 . 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000
20181128000000 47005 . 20181128000000 47005 .
0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m 0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m
nBT1dtNjIczvLG9pQTnOKUsHQ== ) nBT1dtNjIczvLG9pQTnOKUsHQ== )
A hex dump of the "extension_data" of the server's "dnssec_chain" A hex dump of the "extension_data" of the server's "dnssec_chain"
extension represention this with an ExtSupportLifetime value of 0 is: extension representation of this with an ExtSupportLifetime value of
0 is:
0000: 00 00 04 5f 34 34 33 04 5f 74 63 70 03 77 77 77 0000: 00 00 04 5f 34 34 33 04 5f 74 63 70 03 77 77 77
0010: 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 34 00 0010: 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 34 00
0020: 01 00 00 0e 10 00 23 03 01 01 8b d1 da 95 27 2f 0020: 01 00 00 0e 10 00 23 03 01 01 8b d1 da 95 27 2f
0030: 7f a4 ff b2 41 37 fc 0e d0 3a ae 67 e5 c4 d8 b3 0030: 7f a4 ff b2 41 37 fc 0e d0 3a ae 67 e5 c4 d8 b3
0040: c5 07 34 e1 05 0a 79 20 b9 22 04 5f 34 34 33 04 0040: c5 07 34 e1 05 0a 79 20 b9 22 04 5f 34 34 33 04
0050: 5f 74 63 70 03 77 77 77 07 65 78 61 6d 70 6c 65 0050: 5f 74 63 70 03 77 77 77 07 65 78 61 6d 70 6c 65
0060: 03 63 6f 6d 00 00 2e 00 01 00 00 0e 10 00 5f 00 0060: 03 63 6f 6d 00 00 2e 00 01 00 00 0e 10 00 5f 00
0070: 34 0d 05 00 00 0e 10 5f c6 d9 00 5b fd da 80 07 0070: 34 0d 05 00 00 0e 10 5f c6 d9 00 5b fd da 80 07
0080: 4e 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ce 1d 0080: 4e 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ce 1d
skipping to change at page 26, line 21 skipping to change at line 1150
0590: 21 55 ba cf 57 d1 fa ad 5b ac 42 d1 7d 94 8c 42 0590: 21 55 ba cf 57 d1 fa ad 5b ac 42 d1 7d 94 8c 42
05a0: 17 36 d9 38 9c 4c 40 11 66 6e a9 5c f1 77 25 bd 05a0: 17 36 d9 38 9c 4c 40 11 66 6e a9 5c f1 77 25 bd
05b0: 0f a0 0c e5 e7 14 e4 ec 82 cf df ac c9 b1 c8 63 05b0: 0f a0 0c e5 e7 14 e4 ec 82 cf df ac c9 b1 c8 63
05c0: ad 46 00 00 2e 00 01 00 01 51 80 00 53 00 30 0d 05c0: ad 46 00 00 2e 00 01 00 01 51 80 00 53 00 30 0d
05d0: 00 00 01 51 80 5f c6 d9 00 5b fd da 80 b7 9d 00 05d0: 00 00 01 51 80 5f c6 d9 00 5b fd da 80 b7 9d 00
05e0: de 7a 67 40 ee ec ba 4b da 1e 5c 2d d4 89 9b 2c 05e0: de 7a 67 40 ee ec ba 4b da 1e 5c 2d d4 89 9b 2c
05f0: 96 58 93 f3 78 6c e7 47 f4 1e 50 d9 de 8c 0a 72 05f0: 96 58 93 f3 78 6c e7 47 f4 1e 50 d9 de 8c 0a 72
0600: df 82 56 0d fb 48 d7 14 de 32 83 ae 99 a4 9c 0f 0600: df 82 56 0d fb 48 d7 14 de 32 83 ae 99 a4 9c 0f
0610: cb 50 d3 aa ad b1 a3 fc 62 ee 3a 8a 09 88 b6 be 0610: cb 50 d3 aa ad b1 a3 fc 62 ee 3a 8a 09 88 b6 be
A.2. _25._tcp.example.com NSEC wildcard A.2. "_25._tcp.example.com" NSEC Wildcard
_25._tcp.example.com. 3600 IN TLSA ( 3 1 1 _25._tcp.example.com. 3600 IN TLSA ( 3 1 1
8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b 8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b
922 ) 922 )
_25._tcp.example.com. 3600 IN RRSIG ( TLSA 13 3 3600 _25._tcp.example.com. 3600 IN RRSIG ( TLSA 13 3 3600
20201202000000 20181128000000 1870 example.com. 20201202000000 20181128000000 1870 example.com.
BZawXvte5SyF8hnXviKDWqll5E2v+RMXqaSE+NOcAMlZOrSMUkfyPqvkv53K2 BZawXvte5SyF8hnXviKDWqll5E2v+RMXqaSE+NOcAMlZOrSMUkfyPqvkv53K2
rfL4DFP8rO3VMgI0v+ogrox0w== ) rfL4DFP8rO3VMgI0v+ogrox0w== )
*._tcp.example.com. 3600 IN NSEC ( smtp.example.com. RRSIG *._tcp.example.com. 3600 IN NSEC ( smtp.example.com. RRSIG
NSEC TLSA ) NSEC TLSA )
skipping to change at page 27, line 41 skipping to change at line 1217
8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW 8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW
xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635 xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635
. 86400 IN DNSKEY ( 257 3 13 . 86400 IN DNSKEY ( 257 3 13
yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv
Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005 Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005
. 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000 . 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000
20181128000000 47005 . 20181128000000 47005 .
0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m 0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m
nBT1dtNjIczvLG9pQTnOKUsHQ== ) nBT1dtNjIczvLG9pQTnOKUsHQ== )
A.3. _25._tcp.example.org NSEC3 wildcard A.3. "_25._tcp.example.org" NSEC3 Wildcard
_25._tcp.example.org. 3600 IN TLSA ( 3 1 1 _25._tcp.example.org. 3600 IN TLSA ( 3 1 1
8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b 8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b
922 ) 922 )
_25._tcp.example.org. 3600 IN RRSIG ( TLSA 13 3 3600 _25._tcp.example.org. 3600 IN RRSIG ( TLSA 13 3 3600
20201202000000 20181128000000 56566 example.org. 20201202000000 20181128000000 56566 example.org.
lNp6th/CJel5WsYlLsLadcQ/YdSTJAIOttzYKnNkNzeZ0jxtDyEP818Q1R4lL lNp6th/CJel5WsYlLsLadcQ/YdSTJAIOttzYKnNkNzeZ0jxtDyEP818Q1R4lL
cYzJ7vCvqb9gFCiCJjK2gAamw== ) cYzJ7vCvqb9gFCiCJjK2gAamw== )
dlm7rss9pejqnh0ev6h7k1ikqqcl5mae.example.org. 3600 IN NSEC3 ( dlm7rss9pejqnh0ev6h7k1ikqqcl5mae.example.org. 3600 IN NSEC3 (
1 0 1 - t6lf7uuoi0qofq0nvdjroavo46pp20im RRSIG TLSA ) 1 0 1 - t6lf7uuoi0qofq0nvdjroavo46pp20im RRSIG TLSA )
skipping to change at page 29, line 19 skipping to change at line 1291
8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW 8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW
xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635 xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635
. 86400 IN DNSKEY ( 257 3 13 . 86400 IN DNSKEY ( 257 3 13
yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv
Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005 Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005
. 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000 . 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000
20181128000000 47005 . 20181128000000 47005 .
0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m 0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m
nBT1dtNjIczvLG9pQTnOKUsHQ== ) nBT1dtNjIczvLG9pQTnOKUsHQ== )
A.4. _443._tcp.www.example.org CNAME A.4. "_443._tcp.www.example.org" CNAME
_443._tcp.www.example.org. 3600 IN CNAME ( _443._tcp.www.example.org. 3600 IN CNAME (
dane311.example.org. ) dane311.example.org. )
_443._tcp.www.example.org. 3600 IN RRSIG ( CNAME 13 5 3600 _443._tcp.www.example.org. 3600 IN RRSIG ( CNAME 13 5 3600
20201202000000 20181128000000 56566 example.org. 20201202000000 20181128000000 56566 example.org.
R0dUe6Rt4G+2ablrQH9Zw8j9NhBLMgNYTI5+H7nO8SNz5Nm8w0NZrXv3Qp7gx R0dUe6Rt4G+2ablrQH9Zw8j9NhBLMgNYTI5+H7nO8SNz5Nm8w0NZrXv3Qp7gx
Qb/a90O696120NsYaZX2+ebBA== ) Qb/a90O696120NsYaZX2+ebBA== )
dane311.example.org. 3600 IN TLSA ( 3 1 1 dane311.example.org. 3600 IN TLSA ( 3 1 1
8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b 8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b
922 ) 922 )
skipping to change at page 30, line 44 skipping to change at line 1364
8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW 8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW
xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635 xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635
. 86400 IN DNSKEY ( 257 3 13 . 86400 IN DNSKEY ( 257 3 13
yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv
Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005 Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005
. 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000 . 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000
20181128000000 47005 . 20181128000000 47005 .
0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m 0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m
nBT1dtNjIczvLG9pQTnOKUsHQ== ) nBT1dtNjIczvLG9pQTnOKUsHQ== )
A.5. _443._tcp.www.example.net DNAME A.5. "_443._tcp.www.example.net" DNAME
example.net. 3600 IN DNAME example.com. example.net. 3600 IN DNAME example.com.
example.net. 3600 IN RRSIG ( DNAME 13 2 3600 20201202000000 example.net. 3600 IN RRSIG ( DNAME 13 2 3600 20201202000000
20181128000000 48085 example.net. 20181128000000 48085 example.net.
o3uV5k5Ewp5fdrOZt0n4QuH+/Hpku2Lo3CzGRt9/MS2zZt2Qb/AXz435UFQBx o3uV5k5Ewp5fdrOZt0n4QuH+/Hpku2Lo3CzGRt9/MS2zZt2Qb/AXz435UFQBx
OI/pDnjJcLSd/gBLtqR52WLMA== ) OI/pDnjJcLSd/gBLtqR52WLMA== )
; _443._tcp.www.example.net. 3600 IN CNAME ( ; _443._tcp.www.example.net. 3600 IN CNAME (
; _443._tcp.www.example.com. ) ; _443._tcp.www.example.com. )
_443._tcp.www.example.com. 3600 IN TLSA ( 3 1 1 _443._tcp.www.example.com. 3600 IN TLSA ( 3 1 1
8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b 8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b
skipping to change at page 32, line 44 skipping to change at line 1461
mDXqz6KEhhQjT+aQWDt6WFHlA== ) mDXqz6KEhhQjT+aQWDt6WFHlA== )
com. 86400 IN DS ( 18931 13 2 20f7a9db42d0e2042fbbb9f9ea015941202 com. 86400 IN DS ( 18931 13 2 20f7a9db42d0e2042fbbb9f9ea015941202
f9eabb94487e658c188e7bcb52115 ) f9eabb94487e658c188e7bcb52115 )
com. 86400 IN DS ( 28809 13 2 ad66b3276f796223aa45eda773e92c6d98e com. 86400 IN DS ( 28809 13 2 ad66b3276f796223aa45eda773e92c6d98e
70643bbde681db342a9e5cf2bb380 ) 70643bbde681db342a9e5cf2bb380 )
com. 86400 IN RRSIG ( DS 13 1 86400 20201202000000 com. 86400 IN RRSIG ( DS 13 1 86400 20201202000000
20181128000000 31918 . 20181128000000 31918 .
nDiDlBjXEE/6AudhC++Hui1ckPcuAnGbjEASNoxA3ZHjlXRzL050UzePko5Pb nDiDlBjXEE/6AudhC++Hui1ckPcuAnGbjEASNoxA3ZHjlXRzL050UzePko5Pb
vBKTf6pk8JRCqnfzlo2QY+WXA== ) vBKTf6pk8JRCqnfzlo2QY+WXA== )
A.6. _25._tcp.smtp.example.com NSEC Denial of Existence A.6. "_25._tcp.smtp.example.com" NSEC Denial of Existence
smtp.example.com. 3600 IN NSEC ( www.example.com. A AAAA smtp.example.com. 3600 IN NSEC ( www.example.com. A AAAA
RRSIG NSEC ) RRSIG NSEC )
smtp.example.com. 3600 IN RRSIG ( NSEC 13 3 3600 smtp.example.com. 3600 IN RRSIG ( NSEC 13 3 3600
20201202000000 20181128000000 1870 example.com. 20201202000000 20181128000000 1870 example.com.
rH/K4wghCOm4jpEHwQKiyZzvFIa7qpFySuKIGGetW4SE4O2Mh5jPxcEzf78Hf rH/K4wghCOm4jpEHwQKiyZzvFIa7qpFySuKIGGetW4SE4O2Mh5jPxcEzf78Hf
crlsQZmnAUlfmBNCygxAd7JNw== ) crlsQZmnAUlfmBNCygxAd7JNw== )
example.com. 3600 IN DNSKEY ( 257 3 13 example.com. 3600 IN DNSKEY ( 257 3 13
JnA1XgyJTZz+psWvbrfUWLV6ULqIJyUS2CQdhUH9VK35bslWeJpRzrlxCUs7s JnA1XgyJTZz+psWvbrfUWLV6ULqIJyUS2CQdhUH9VK35bslWeJpRzrlxCUs7s
/TsSfZMaGWVvlsuieh5nHcXzA== ) ; Key ID = 1870 /TsSfZMaGWVvlsuieh5nHcXzA== ) ; Key ID = 1870
example.com. 3600 IN RRSIG ( DNSKEY 13 2 3600 example.com. 3600 IN RRSIG ( DNSKEY 13 2 3600
20201202000000 20181128000000 1870 example.com. 20201202000000 20181128000000 1870 example.com.
nYisnu/26Sw1qmGuREa9o/fLgYuA4oNPt4+6PMBZoN0MS8Gjtli9NVRYeSIzt nYisnu/26Sw1qmGuREa9o/fLgYuA4oNPt4+6PMBZoN0MS8Gjtli9NVRYeSIzt
QHPGSpvRxTUC4tZi62z1UgGDw== ) QHPGSpvRxTUC4tZi62z1UgGDw== )
example.com. 172800 IN DS ( 1870 13 2 e9b533a049798e900b5c29c90cd example.com. 172800 IN DS ( 1870 13 2 e9b533a049798e900b5c29c90cd
25a986e8a44f319ac3cd302bafc08f5b81e16 ) 25a986e8a44f319ac3cd302bafc08f5b81e16 )
example.com. 172800 IN RRSIG ( DS 13 2 172800 example.com. 172800 IN RRSIG ( DS 13 2 172800
skipping to change at page 34, line 8 skipping to change at line 1521
8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW 8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW
xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635 xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635
. 86400 IN DNSKEY ( 257 3 13 . 86400 IN DNSKEY ( 257 3 13
yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv
Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005 Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005
. 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000 . 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000
20181128000000 47005 . 20181128000000 47005 .
0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m 0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m
nBT1dtNjIczvLG9pQTnOKUsHQ== ) nBT1dtNjIczvLG9pQTnOKUsHQ== )
A.7. _25._tcp.smtp.example.org NSEC3 Denial of Existence A.7. "_25._tcp.smtp.example.org" NSEC3 Denial of Existence
vkv62jbv85822q8rtmfnbhfnmnat9ve3.example.org. 3600 IN NSEC3 ( vkv62jbv85822q8rtmfnbhfnmnat9ve3.example.org. 3600 IN NSEC3 (
1 0 1 - 93u63bg57ppj6649al2n31l92iedkjd6 A AAAA RRSIG ) 1 0 1 - 93u63bg57ppj6649al2n31l92iedkjd6 A AAAA RRSIG )
vkv62jbv85822q8rtmfnbhfnmnat9ve3.example.org. 3600 IN RRSIG ( vkv62jbv85822q8rtmfnbhfnmnat9ve3.example.org. 3600 IN RRSIG (
NSEC3 13 3 3600 20201202000000 20181128000000 56566 NSEC3 13 3 3600 20201202000000 20181128000000 56566
example.org. example.org.
wn3cePVdc5VPPniYzGp+1CBPOY2m83/A3cjnAb7FTZuwL45B25fwVUyjKQksh wn3cePVdc5VPPniYzGp+1CBPOY2m83/A3cjnAb7FTZuwL45B25fwVUyjKQksh
gQeV5KgP1cdvPt1BEowKqK4Sw== ) gQeV5KgP1cdvPt1BEowKqK4Sw== )
dlm7rss9pejqnh0ev6h7k1ikqqcl5mae.example.org. 3600 IN NSEC3 ( dlm7rss9pejqnh0ev6h7k1ikqqcl5mae.example.org. 3600 IN NSEC3 (
1 0 1 - t6lf7uuoi0qofq0nvdjroavo46pp20im RRSIG TLSA ) 1 0 1 - t6lf7uuoi0qofq0nvdjroavo46pp20im RRSIG TLSA )
skipping to change at page 35, line 41 skipping to change at line 1602
8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW 8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW
xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635 xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635
. 86400 IN DNSKEY ( 257 3 13 . 86400 IN DNSKEY ( 257 3 13
yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv
Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005 Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005
. 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000 . 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000
20181128000000 47005 . 20181128000000 47005 .
0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m 0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m
nBT1dtNjIczvLG9pQTnOKUsHQ== ) nBT1dtNjIczvLG9pQTnOKUsHQ== )
A.8. _443._tcp.www.insecure.example NSEC3 opt-out insecure delegation A.8. "_443._tcp.www.insecure.example" NSEC3 Opt-Out Insecure Delegation
c1kgc91hrn9nqi2qjh1ms78ki8p7s75o.example. 43200 IN NSEC3 ( c1kgc91hrn9nqi2qjh1ms78ki8p7s75o.example. 43200 IN NSEC3 (
1 1 1 - shn05itmoa45mmnv74lc4p0nnfmimtjt NS SOA RRSIG DNSKEY 1 1 1 - shn05itmoa45mmnv74lc4p0nnfmimtjt NS SOA RRSIG DNSKEY
NSEC3PARAM ) NSEC3PARAM )
c1kgc91hrn9nqi2qjh1ms78ki8p7s75o.example. 43200 IN RRSIG ( c1kgc91hrn9nqi2qjh1ms78ki8p7s75o.example. 43200 IN RRSIG (
NSEC3 13 2 43200 20201202000000 20181128000000 15903 NSEC3 13 2 43200 20201202000000 20181128000000 15903
example. example.
pW16gQOLhLpKYgXpGt4XB4o92W/QoPYyG5CjQ+t+g7LBVcCiPQv8ars1j9UOg pW16gQOLhLpKYgXpGt4XB4o92W/QoPYyG5CjQ+t+g7LBVcCiPQv8ars1j9UOg
RpXUsJhZBDax2dfDhK7zOk7ow== ) RpXUsJhZBDax2dfDhK7zOk7ow== )
shn05itmoa45mmnv74lc4p0nnfmimtjt.example. 43200 IN NSEC3 ( shn05itmoa45mmnv74lc4p0nnfmimtjt.example. 43200 IN NSEC3 (
1 1 1 - a3ib1dvf1bdtfmd91usrdem5fiiepi6p NS DS RRSIG ) 1 1 1 - a3ib1dvf1bdtfmd91usrdem5fiiepi6p NS DS RRSIG )
skipping to change at page 36, line 46 skipping to change at line 1646
8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW 8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW
xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635 xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635
. 86400 IN DNSKEY ( 257 3 13 . 86400 IN DNSKEY ( 257 3 13
yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv
Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005 Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005
. 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000 . 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000
20181128000000 47005 . 20181128000000 47005 .
0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m 0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m
nBT1dtNjIczvLG9pQTnOKUsHQ== ) nBT1dtNjIczvLG9pQTnOKUsHQ== )
Acknowledgments
Many thanks to Adam Langley for laying the groundwork for this
extension in [SERIALIZECHAIN]. The original idea is his, but our
acknowledgment in no way implies his endorsement. This document also
benefited from discussions with and review from the following people:
Daniel Kahn Gillmor, Jeff Hodges, Allison Mankin, Patrick McManus,
Rick van Rein, Ilari Liusvaara, Eric Rescorla, Gowri Visweswaran,
Duane Wessels, Nico Williams, and Richard Barnes.
Authors' Addresses Authors' Addresses
Viktor Dukhovni Viktor Dukhovni
Two Sigma Two Sigma
Email: ietf-dane@dukhovni.org Email: ietf-dane@dukhovni.org
Shumon Huque Shumon Huque
Salesforce Salesforce
415 Mission Street, 3rd Floor 3rd Floor
San Francisco, CA 94105 415 Mission Street
San Francisco, CA 94105
United States of America United States of America
Email: shuque@gmail.com Email: shuque@gmail.com
Willem Toorop Willem Toorop
NLnet Labs NLnet Labs
Science Park 400 Science Park 400
1098 XH Amsterdam 1098 XH Amsterdam
Netherlands Netherlands
 End of changes. 127 change blocks. 
329 lines changed or deleted 343 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/