Internet DRAFT - draft-sonoda-dnsop-accept-certificate
draft-sonoda-dnsop-accept-certificate
Domain Name System Operations Sonoda, Ed.
Internet-Draft Internet Initiative Japan Inc.
Intended status: Informational Mar 21, 2018
Expires: September 22, 2018
Accepting full resolver certificate
draft-sonoda-dnsop-accept-certificate-00
Abstract
Full service resolver uses x509 certificate to provide DNS over
TLS[RFC7858] DNS over DTLS [RFC8094]. This memo describes How to
accept this certificate.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 22, 2018.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Sonoda Expires September 22, 2018 [Page 1]
Internet-Draft Abbreviated Title Mar 2018
1. Method of using TLSA record - TLSA style
1.1. full service resolver certificate
The certificate common name can be decided freely. Must add full
service resolver ip addresses to Subject Alternative Name [RFC5280].
Add TLSA record [RFC7218] of the certificate to full resolver service
IP address reverse name. Tha TLSA record MUST validate DNSSec.
1.2. accepting full service resolver certificate
Stub resolver begins the TLS handshake and receives Full resolver
certificate. If Full service resolver ip not include Subject
Alternative Name, Stub resolver deny this certificate. Stub resolver
requests TLSA record of full resolver service IP address reverse name
and validates the TLSA recedes itself using. This process can use
not safety Server. If the TLSA recedes are not validate, Stub
resolver deny this certificate. If the TLSA recedes are secure and
The TLSA recedes include recede of handshake certificate, Stub
resolver can accept this certificate.
1.3. Distribution and update root trust anchor
Root trust anchor distribution and update SHOULD update by OS
periodic update.
2. Method of using TLS-PKI - HTTPS style
2.1. full service resolver certificate
The certificate common name can be decided freely. Must add full
service resolver ip addresses to Subject Alternative Name [RFC5280].
2.2. accepting full service resolver certificate
Stub resolver begins the TLS handshake and receives Full resolver
certificate. If Full service resolver ip not include Subject
Alternative Name, Stub resolver deny this certificate. The
certificate is trusted by root certificate, Stub resolver can accept
this certificate.
3. Operational Considerations
Case of DNSSec chains ot trust is break, TLSA style can't accept new
certificate.
Sonoda Expires September 22, 2018 [Page 2]
Internet-Draft Abbreviated Title Mar 2018
4. Security Considerations
Attack create certificate of full resolver service IP address reverse
name, HTTPS style can MIM attack.
5. Normative References
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>.
[RFC7218] Gudmundsson, O., "Adding Acronyms to Simplify
Conversations about DNS-Based Authentication of Named
Entities (DANE)", RFC 7218, DOI 10.17487/RFC7218, April
2014, <https://www.rfc-editor.org/info/rfc7218>.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
and P. Hoffman, "Specification for DNS over Transport
Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
2016, <https://www.rfc-editor.org/info/rfc7858>.
[RFC8094] Reddy, T., Wing, D., and P. Patil, "DNS over Datagram
Transport Layer Security (DTLS)", RFC 8094,
DOI 10.17487/RFC8094, February 2017,
<https://www.rfc-editor.org/info/rfc8094>.
Author's Address
Manabu Sonoda (editor)
Internet Initiative Japan Inc.
Email: manabu-s@iij.ad.jp
Sonoda Expires September 22, 2018 [Page 3]