DNSSEC for XMPP SRV Records
draft-hildebrand-xmpp-dnssec-00.txt

Abstract

This document proposes that DNS SRV records that can be trusted via DNSSEC signatures may be used to generate a list of acceptable names to check on server certificates offered by TLS.

Status of this Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 09, 2011.

Copyright Notice

Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.

Table of Contents

• 1. Introduction
• 2. Conventions Used In This Document
• 3. Overview
• 4. Dialback considerations
• 5. IANA Considerations
• 6. Security Considerations
• 7. References
• Appendix A. Acknowledgments
• Author's Address

1. Introduction

XMPP uses SRV records for clients and servers to find servers for a given domain. Today, since the SRV record cannot be trusted, the server has to offer a TLS certificate that matches the original domain name, rather than one for the hostname in the SRV record. Deployment of delegated hosts would be much easier if the host could offer a certificate with the host name, rather than having to offer a certificate with the original domain name.

This document proposes that the server may offer a cert with any of the names generated from looking up trusted DNS entries.

Note: this document is only intended as a placeholder; it will be dramatically expanded later. As well it is likely that this approach is useful for protocols other than XMPP.

2. Conventions Used In This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

3. Overview

The following steps are followed by a provider hosting "example.com" on the server "host1.example.net":

1. The owner of "example.com" serves an SRV record for "_xmpp-server._tcp.example.com" and "_xmpp-client._tcp.example.com", for example "0 1 5269 host1.example.net." might be used for each.
2. The owner of "example.com" MUST ensure that "example.com" is signed using DNSSEC [RFC4035], and that the SRV record is also signed using DNSSEC.
3. The hosting provider at "host1.example.net" generates a [RFC5280] PKIX certificate and has it signed by a widely-trusted Certificate Authority.
4. The hosting provider offers the generated certificate to anyone who connects and wants to talk to "example.com".

The following steps are followed by an initiating entity connecting to "example.com":

1. The initiator starts with an empty name list L.
2. The initiator adds the original domain name ("example.com" here) to L
3. The initiator does the normal SRV lookup, asking its resolver for DNSEC trust information.
4. For each hostname, CNAME, A or AAAA record that the initiator finds which is fully trustable according to DNSSEC, that name or IP address is added to L.
5. The initiator connects to the server as specified in XMPP [I-D.ietf-xmpp-3920bis], specifying "example.com" in the stream to attribute. Other protocols might use SNI [RFC4366] to indicate the desired host name.
6. The initiator MUST check each name in L against the certificate offered by the responder, using the rules specified in section 13.7.2 of [I-D.ietf-xmpp-3920bis] (or the equivalent rules for the target protocol).

4. Dialback considerations

TODO: how to share connections

TODO: interactions with dialback piggybacking

5. IANA Considerations

[TODO]

6. Security Considerations

Much more to follow here.

7. References

Appendix A. Acknowledgments

[TODO]

Author's Address