TLS Downgrade protection extension for TLS DNSSEC Authentication Chain Extension

Document Type Expired Internet-Draft (individual)
Authors Paul Wouters  , Viktor Dukhovni 
Last updated 2018-11-16 (latest revision 2018-05-15)
Stream (None)
Intended RFC status (None)
Expired & archived
pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This draft specifies a TLS extension that adds downgrade protection for another TLS extension, [dnssec-chain-extension]. Without the downgrade protection specified in this TLS extension, the only effect of deploying [dnssec-chain-extension] is to reduce TLS security from the standard "WebPKI security" to "WebPKI or DANE, whichever is weaker". This draft dictates that [dnssec-chain-extension] MUST only be used in combination with this TLS extension, whose only content is a two octet SupportLifetime value. A value of 0 prohibits the TLS client from unilaterally requiring ongoing use of both TLS extensions based on prior observation of their use (pinning). A non-zero value is the value in hours for which this TLS extension as well as [dnssec-chain-extension] MUST appear in subsequent TLS handshakes to the same TLS hostname and port. If this TLS extention or [dnssec-chain-extension] is missing from the TLS handshake within this observed pinning time, the TLS client MUST assume it is under attack and abort the TLS connection.


Paul Wouters (
Viktor Dukhovni (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)