1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
|
<pre>Internet Engineering Task Force (IETF) V. Dukhovni
Request for Comments: 7672 Two Sigma
Category: Standards Track W. Hardaker
ISSN: 2070-1721 Parsons
October 2015
<span class="h1">SMTP Security via Opportunistic DNS-Based Authentication of Named</span>
<span class="h1">Entities (DANE) Transport Layer Security (TLS)</span>
Abstract
This memo describes a downgrade-resistant protocol for SMTP transport
security between Message Transfer Agents (MTAs), based on the DNS-
Based Authentication of Named Entities (DANE) TLSA DNS record.
Adoption of this protocol enables an incremental transition of the
Internet email backbone to one using encrypted and authenticated
Transport Layer Security (TLS).
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc7672">http://www.rfc-editor.org/info/rfc7672</a>.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-1.1">1.1</a>. Terminology ................................................<a href="#page-4">4</a>
<a href="#section-1.2">1.2</a>. Background .................................................<a href="#page-6">6</a>
<a href="#section-1.3">1.3</a>. SMTP Channel Security ......................................<a href="#page-6">6</a>
<a href="#section-1.3.1">1.3.1</a>. STARTTLS Downgrade Attack ...........................<a href="#page-7">7</a>
<a href="#section-1.3.2">1.3.2</a>. Insecure Server Name without DNSSEC .................<a href="#page-7">7</a>
<a href="#section-1.3.3">1.3.3</a>. Sender Policy Does Not Scale ........................<a href="#page-8">8</a>
<a href="#section-1.3.4">1.3.4</a>. Too Many Certification Authorities ..................<a href="#page-9">9</a>
<a href="#section-2">2</a>. Identifying Applicable TLSA Records .............................<a href="#page-9">9</a>
<a href="#section-2.1">2.1</a>. DNS Considerations .........................................<a href="#page-9">9</a>
2.1.1. DNS Errors, "Bogus" Responses, and
"Indeterminate" Responses ...........................<a href="#page-9">9</a>
<a href="#section-2.1.2">2.1.2</a>. DNS Error Handling .................................<a href="#page-11">11</a>
<a href="#section-2.1.3">2.1.3</a>. Stub Resolver Considerations .......................<a href="#page-12">12</a>
<a href="#section-2.2">2.2</a>. TLS Discovery .............................................<a href="#page-13">13</a>
<a href="#section-2.2.1">2.2.1</a>. MX Resolution ......................................<a href="#page-14">14</a>
<a href="#section-2.2.2">2.2.2</a>. Non-MX Destinations ................................<a href="#page-16">16</a>
<a href="#section-2.2.3">2.2.3</a>. TLSA Record Lookup .................................<a href="#page-18">18</a>
<a href="#section-3">3</a>. DANE Authentication ............................................<a href="#page-20">20</a>
<a href="#section-3.1">3.1</a>. TLSA Certificate Usages ...................................<a href="#page-20">20</a>
<a href="#section-3.1.1">3.1.1</a>. Certificate Usage DANE-EE(3) .......................<a href="#page-21">21</a>
<a href="#section-3.1.2">3.1.2</a>. Certificate Usage DANE-TA(2) .......................<a href="#page-22">22</a>
<a href="#section-3.1.3">3.1.3</a>. Certificate Usages PKIX-TA(0) and PKIX-EE(1) .......<a href="#page-23">23</a>
<a href="#section-3.2">3.2</a>. Certificate Matching ......................................<a href="#page-24">24</a>
<a href="#section-3.2.1">3.2.1</a>. DANE-EE(3) Name Checks .............................<a href="#page-24">24</a>
<a href="#section-3.2.2">3.2.2</a>. DANE-TA(2) Name Checks .............................<a href="#page-24">24</a>
<a href="#section-3.2.3">3.2.3</a>. Reference Identifier Matching ......................<a href="#page-25">25</a>
<a href="#section-4">4</a>. Server Key Management ..........................................<a href="#page-26">26</a>
<a href="#section-5">5</a>. Digest Algorithm Agility .......................................<a href="#page-27">27</a>
<a href="#section-6">6</a>. Mandatory TLS Security .........................................<a href="#page-27">27</a>
<a href="#section-7">7</a>. Note on DANE for Message User Agents ...........................<a href="#page-28">28</a>
<a href="#section-8">8</a>. Interoperability Considerations ................................<a href="#page-28">28</a>
<a href="#section-8.1">8.1</a>. SNI Support ...............................................<a href="#page-28">28</a>
<a href="#section-8.2">8.2</a>. Anonymous TLS Cipher Suites ...............................<a href="#page-29">29</a>
<a href="#section-9">9</a>. Operational Considerations .....................................<a href="#page-29">29</a>
<a href="#section-9.1">9.1</a>. Client Operational Considerations .........................<a href="#page-29">29</a>
<a href="#section-9.2">9.2</a>. Publisher Operational Considerations ......................<a href="#page-30">30</a>
<a href="#section-10">10</a>. Security Considerations .......................................<a href="#page-30">30</a>
<a href="#section-11">11</a>. References ....................................................<a href="#page-31">31</a>
<a href="#section-11.1">11.1</a>. Normative References .....................................<a href="#page-31">31</a>
<a href="#section-11.2">11.2</a>. Informative References ...................................<a href="#page-33">33</a>
Acknowledgements ..................................................<a href="#page-34">34</a>
Authors' Addresses ................................................<a href="#page-34">34</a>
<span class="grey">Dukhovni & Hardaker Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
This memo specifies a new connection security model for Message
Transfer Agents (MTAs). This model is motivated by key features of
inter-domain SMTP delivery, principally, the fact that the
destination server is selected indirectly via DNS Mail Exchange (MX)
records and that neither email addresses nor MX hostnames signal a
requirement for either secure or cleartext transport. Therefore,
aside from a few manually configured exceptions, SMTP transport
security is, by necessity, opportunistic (for a definition of
"Opportunistic Security", see [<a href="./rfc7435" title=""Opportunistic Security: Some Protection Most of the Time"">RFC7435</a>]).
This specification uses the presence of DANE TLSA records to securely
signal TLS support and to publish the means by which SMTP clients can
successfully authenticate legitimate SMTP servers. This becomes
"opportunistic DANE TLS" and is resistant to downgrade and
man-in-the-middle (MITM) attacks. It enables an incremental
transition of the email backbone to authenticated TLS delivery, with
increased global protection as adoption increases.
With opportunistic DANE TLS, traffic from SMTP clients to domains
that publish "usable" DANE TLSA records in accordance with this memo
is authenticated and encrypted. Traffic from legacy clients or to
domains that do not publish TLSA records will continue to be sent in
the same manner as before, via manually configured security,
(pre-DANE) opportunistic TLS, or just cleartext SMTP.
Problems with the existing use of TLS in MTA-to-MTA SMTP that
motivate this specification are described in <a href="#section-1.3">Section 1.3</a>. The
specification itself follows, in Sections <a href="#section-2">2</a> and <a href="#section-3">3</a>, which describe,
respectively, how to locate and use DANE TLSA records with SMTP. In
<a href="#section-6">Section 6</a>, we discuss the application of DANE TLS to destinations for
which channel integrity and confidentiality are mandatory. In
<a href="#section-7">Section 7</a>, we briefly comment on the potential applicability of this
specification to Message User Agents.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Terminology</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
The following terms or concepts are used throughout this document:
Man-in-the-middle (MITM) attack: Active modification of network
traffic by an adversary able to thereby compromise the
confidentiality or integrity of the data.
Downgrade attack: (From [<a href="./rfc4949" title=""Internet Security Glossary, Version 2"">RFC4949</a>].) A type of MITM attack in which
the attacker can cause two parties, at the time they negotiate a
security association, to agree on a lower level of protection than
the highest level that could have been supported by both of them.
Downgrade-resistant: A protocol is "downgrade-resistant" if it
employs effective countermeasures against downgrade attacks.
"Secure", "bogus", "insecure", "indeterminate": DNSSEC validation
results, as defined in <a href="./rfc4035#section-4.3">Section 4.3 of [RFC4035]</a>.
Validating security-aware stub resolver and non-validating
security-aware stub resolver:
Capabilities of the stub resolver in use, as defined in [<a href="./rfc4033" title=""DNS Security Introduction and Requirements"">RFC4033</a>];
note that this specification requires the use of a security-aware
stub resolver.
(Pre-DANE) opportunistic TLS: Best-effort use of TLS that is
generally vulnerable to DNS forgery and STARTTLS downgrade
attacks. When a TLS-encrypted communication channel is not
available, message transmission takes place in the clear. MX
record indirection generally precludes authentication even when
TLS is available.
Opportunistic DANE TLS: Best-effort use of TLS that is resistant to
downgrade attacks for destinations with DNSSEC-validated TLSA
records. When opportunistic DANE TLS is determined to be
unavailable, clients should fall back to pre-DANE opportunistic
TLS. Opportunistic DANE TLS requires support for DNSSEC, DANE,
and STARTTLS on the client side, and STARTTLS plus a DNSSEC
published TLSA record on the server side.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
Reference identifier: (Special case of [<a href="./rfc6125" title=""Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)"">RFC6125</a>] definition.) One
of the domain names associated by the SMTP client with the
destination SMTP server for performing name checks on the server
certificate. When name checks are applicable, at least one of the
reference identifiers MUST match an [<a href="./rfc6125" title=""Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)"">RFC6125</a>] DNS-ID (or, if none
are present, the [<a href="./rfc6125" title=""Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)"">RFC6125</a>] CN-ID) of the server certificate (see
<a href="#section-3.2.3">Section 3.2.3</a>).
MX hostname: The RRDATA of an MX record consists of a 16 bit
preference followed by a Mail Exchange domain name (see <a href="./rfc1035#section-3.3.9">[RFC1035],
Section 3.3.9</a>). We will use the term "MX hostname" to refer to
the latter, that is, the DNS domain name found after the
preference value in an MX record. Thus, an "MX hostname" is
specifically a reference to a DNS domain name rather than any host
that bears that name.
Delayed delivery: Email delivery is a multi-hop store-and-forward
process. When an MTA is unable to forward a message that may
become deliverable later, the message is queued and delivery is
retried periodically. Some MTAs may be configured with a fallback
next-hop destination that handles messages that the MTA would
otherwise queue and retry. When a fallback next-hop destination
is configured, messages that would otherwise have to be delayed
may be sent to the fallback next-hop destination instead. The
fallback destination may itself be subject to opportunistic or
mandatory DANE TLS (<a href="#section-6">Section 6</a>) as though it were the original
message destination.
Original next-hop destination: The logical destination for mail
delivery. By default, this is the domain portion of the recipient
address, but MTAs may be configured to forward mail for some or
all recipients via designated relays. The original next-hop
destination is, respectively, either the recipient domain or the
associated configured relay.
MTA: Message Transfer Agent (<a href="./rfc5598#section-4.3.2">[RFC5598], Section 4.3.2</a>).
MSA: Message Submission Agent (<a href="./rfc5598#section-4.3.1">[RFC5598], Section 4.3.1</a>).
MUA: Message User Agent (<a href="./rfc5598#section-4.2.1">[RFC5598], Section 4.2.1</a>).
RR: A DNS resource record as defined in <a href="./rfc1034#section-3.6">[RFC1034], Section 3.6</a>.
RRset: An RRset (<a href="./rfc2181#section-5">[RFC2181], Section 5</a>) is a group of DNS resource
records that share the same label, class, and type.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
<span class="h3"><a class="selflink" id="section-1.2" href="#section-1.2">1.2</a>. Background</span>
The Domain Name System Security Extensions (DNSSEC) add data origin
authentication, data integrity, and data nonexistence proofs to the
Domain Name System (DNS). DNSSEC is defined in [<a href="./rfc4033" title=""DNS Security Introduction and Requirements"">RFC4033</a>], [<a href="./rfc4034" title=""Resource Records for the DNS Security Extensions"">RFC4034</a>],
and [<a href="./rfc4035" title=""Protocol Modifications for the DNS Security Extensions"">RFC4035</a>].
As described in the introduction of [<a href="./rfc6698" title=""The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA"">RFC6698</a>], TLS authentication via
the existing public Certification Authority (CA) PKI suffers from an
overabundance of trusted parties capable of issuing certificates for
any domain of their choice. DANE leverages the DNSSEC infrastructure
to publish public keys and certificates for use with the Transport
Layer Security (TLS) [<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>] protocol via the "TLSA" DNS record
type. With DNSSEC, each domain can only vouch for the keys of its
delegated sub-domains.
The TLS protocol enables secure TCP communication. In the context of
this memo, channel security is assumed to be provided by TLS. Used
without authentication, TLS provides only privacy protection against
eavesdropping attacks. Otherwise, TLS also provides data origin
authentication to guard against MITM attacks.
<span class="h3"><a class="selflink" id="section-1.3" href="#section-1.3">1.3</a>. SMTP Channel Security</span>
With HTTPS, TLS employs X.509 certificates [<a href="./rfc5280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC5280</a>] issued by one of
the many CAs bundled with popular web browsers to allow users to
authenticate their "secure" websites. Before we specify a new DANE
TLS security model for SMTP, we will explain why a new security model
is needed. In the process, we will explain why the familiar HTTPS
security model is inadequate to protect inter-domain SMTP traffic.
The subsections below outline four key problems with applying
traditional Web PKI [<a href="./rfc7435" title=""Opportunistic Security: Some Protection Most of the Time"">RFC7435</a>] to SMTP; these problems are addressed
by this specification. Since an SMTP channel security policy is not
explicitly specified in either the recipient address or the MX
record, a new signaling mechanism is required to indicate when
channel security is possible and should be used. The publication of
TLSA records allows server operators to securely signal to SMTP
clients that TLS is available and should be used. DANE TLSA makes it
possible to simultaneously discover which destination domains support
secure delivery via TLS and how to verify the authenticity of the
associated SMTP services, providing a path forward to ubiquitous SMTP
channel security.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
<span class="h4"><a class="selflink" id="section-1.3.1" href="#section-1.3.1">1.3.1</a>. STARTTLS Downgrade Attack</span>
SMTP [<a href="./rfc5321" title=""Simple Mail Transfer Protocol"">RFC5321</a>] is a single-hop protocol in a multi-hop store-and-
forward email delivery process. An SMTP envelope recipient address
does not correspond to a specific transport-layer endpoint address;
rather, at each relay hop, the transport-layer endpoint is the
next-hop relay, while the envelope recipient address typically
remains the same. Unlike HTTP and its corresponding secured version,
HTTPS, where the use of TLS is signaled via the URI scheme, email
recipient addresses do not directly signal transport security policy.
Indeed, no such signaling could work well with SMTP, since TLS
encryption of SMTP protects email traffic on a hop-by-hop basis while
email addresses could only express end-to-end policy.
With no mechanism available to signal transport security policy, SMTP
relays employ a best-effort "opportunistic" security model for TLS.
A single SMTP server TCP listening endpoint can serve both TLS and
non-TLS clients; the use of TLS is negotiated via the SMTP STARTTLS
command [<a href="./rfc3207" title=""SMTP Service Extension for Secure SMTP over Transport Layer Security"">RFC3207</a>]. The server signals TLS support to the client over
a cleartext SMTP connection, and, if the client also supports TLS, it
may negotiate a TLS-encrypted channel to use for email transmission.
The server's indication of TLS support can be easily suppressed by an
MITM attacker. Thus, pre-DANE SMTP TLS security can be subverted by
simply downgrading a connection to cleartext. No TLS security
feature can prevent this. The attacker can simply disable TLS.
<span class="h4"><a class="selflink" id="section-1.3.2" href="#section-1.3.2">1.3.2</a>. Insecure Server Name without DNSSEC</span>
With SMTP, DNS MX records abstract the next-hop transport endpoint
and allow administrators to specify a set of target servers to which
SMTP traffic should be directed for a given domain.
A TLS client is vulnerable to MITM attacks unless it verifies that
the server's certificate binds the public key to a name that matches
one of the client's reference identifiers. A natural choice of
reference identifier is the server's domain name. However, with
SMTP, server names are not directly encoded in the recipient address;
instead, they are obtained indirectly via MX records. Without
DNSSEC, the MX lookup is vulnerable to MITM and DNS cache poisoning
attacks. Active attackers can forge DNS replies with fake MX records
and can redirect email to servers with names of their choice.
Therefore, secure verification of SMTP TLS certificates matching the
server name is not possible without DNSSEC.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
One might try to harden TLS for SMTP against DNS attacks by using the
envelope recipient domain as a reference identifier and by requiring
each SMTP server to possess a trusted certificate for the envelope
recipient domain rather than the MX hostname. Unfortunately, this is
impractical, as email for many domains is handled by third parties
that are not in a position to obtain certificates for all the domains
they serve. Deployment of the Server Name Indication (SNI) extension
to TLS (see <a href="./rfc6066#section-3">Section 3 of [RFC6066]</a>) is no panacea, since SNI key
management is operationally challenging except when the email service
provider is also the domain's registrar and its certificate issuer;
this is rarely the case for email.
Since the recipient domain name cannot be used as the SMTP server
reference identifier, and neither can the MX hostname without DNSSEC,
large-scale deployment of authenticated TLS for SMTP requires that
the DNS be secure.
Since SMTP security depends critically on DNSSEC, it is important to
point out that SMTP with DANE is consequently the most conservative
possible trust model. It trusts only what must be trusted and no
more. Adding any other trusted actors to the mix can only reduce
SMTP security. A sender may choose to further harden DNSSEC for
selected high-value receiving domains by configuring explicit trust
anchors for those domains instead of relying on the chain of trust
from the root domain. However, detailed discussion of DNSSEC
security practices is out of scope for this document.
<span class="h4"><a class="selflink" id="section-1.3.3" href="#section-1.3.3">1.3.3</a>. Sender Policy Does Not Scale</span>
Sending systems are in some cases explicitly configured to use TLS
for mail sent to selected peer domains, but this requires configuring
sending MTAs with appropriate subject names or certificate content
digests from their peer domains. Due to the resulting administrative
burden, such statically configured SMTP secure channels are used
rarely (generally only between domains that make bilateral
arrangements with their business partners). Internet email, on the
other hand, requires regularly contacting new domains for which
security configurations cannot be established in advance.
The abstraction of the SMTP transport endpoint via DNS MX records,
often across organizational boundaries, limits the use of public CA
PKI with SMTP to a small set of sender-configured peer domains. With
little opportunity to use TLS authentication, sending MTAs are rarely
configured with a comprehensive list of trusted CAs. SMTP services
that support STARTTLS often deploy X.509 certificates that are
self-signed or issued by a private CA.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
<span class="h4"><a class="selflink" id="section-1.3.4" href="#section-1.3.4">1.3.4</a>. Too Many Certification Authorities</span>
Even if it were generally possible to determine a secure server name,
the SMTP client would still need to verify that the server's
certificate chain is issued by a trusted CA (a trust anchor). MTAs
are not interactive applications where a human operator can make a
decision (wisely or otherwise) to selectively disable TLS security
policy when certificate chain verification fails. With no user to
"click OK", the MTA's list of public CA trust anchors would need to
be comprehensive in order to avoid bouncing mail addressed to sites
that employ unknown CAs.
On the other hand, each trusted CA can issue certificates for any
domain. If even one of the configured CAs is compromised or operated
by an adversary, it can subvert TLS security for all destinations.
Any set of CAs is simultaneously both overly inclusive and not
inclusive enough.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Identifying Applicable TLSA Records</span>
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. DNS Considerations</span>
<span class="h4"><a class="selflink" id="section-2.1.1" href="#section-2.1.1">2.1.1</a>. DNS Errors, "Bogus" Responses, and "Indeterminate" Responses</span>
An SMTP client that implements opportunistic DANE TLS per this
specification depends critically on the integrity of DNSSEC lookups,
as discussed in <a href="#section-1.3.2">Section 1.3.2</a>. This section lists the DNS resolver
requirements needed to avoid downgrade attacks when using
opportunistic DANE TLS.
A DNS lookup may signal an error or return a definitive answer. A
security-aware resolver MUST be used for this specification.
Security-aware resolvers will indicate the security status of a DNS
RRset with one of four possible values defined in <a href="./rfc4035#section-4.3">Section 4.3 of
[RFC4035]</a>: "secure", "insecure", "bogus", and "indeterminate". In
[<a href="./rfc4035" title=""Protocol Modifications for the DNS Security Extensions"">RFC4035</a>], the meaning of the "indeterminate" security status is:
An RRset for which the resolver is not able to determine whether
the RRset should be signed, as the resolver is not able to obtain
the necessary DNSSEC RRs. This can occur when the security-aware
resolver is not able to contact security-aware name servers for
the relevant zones.
Note that the "indeterminate" security status has a conflicting
definition in <a href="./rfc4033#section-5">Section 5 of [RFC4033]</a>:
There is no trust anchor that would indicate that a specific
portion of the tree is secure.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
In this document, the term "indeterminate" will be used exclusively
in the [<a href="./rfc4035" title=""Protocol Modifications for the DNS Security Extensions"">RFC4035</a>] sense. Therefore, obtaining "indeterminate" lookup
results is a (transient) failure condition, namely, the inability to
locate the relevant DNS records. DNS records that would be
classified "indeterminate" in the sense of [<a href="./rfc4035" title=""Protocol Modifications for the DNS Security Extensions"">RFC4035</a>] are simply
classified as "insecure".
We do not need to distinguish between zones that lack a suitable
ancestor trust anchor, and delegations (ultimately) from a trust
anchor that designate a child zone as being "insecure". All
"insecure" RRsets MUST be handled identically: in either case,
non-validated data for the query domain is all that is and can be
available, and authentication using the data is impossible. As the
DNS root zone has been signed, we expect that validating resolvers
used by Internet-facing MTAs will be configured with trust anchor
data for the root zone and that therefore domains with no ancestor
trust anchor will not be possible in most deployments.
As noted in <a href="./rfc4035#section-4.3">Section 4.3 of [RFC4035]</a>, a security-aware DNS resolver
MUST be able to determine whether a given non-error DNS response is
"secure", "insecure", "bogus", or "indeterminate". It is expected
that most security-aware stub resolvers will not signal an
"indeterminate" security status (in the sense of [<a href="./rfc4035" title=""Protocol Modifications for the DNS Security Extensions"">RFC4035</a>]) to the
application and will instead signal a "bogus" or error result. If a
resolver does signal an [<a href="./rfc4035" title=""Protocol Modifications for the DNS Security Extensions"">RFC4035</a>] "indeterminate" security status,
this MUST be treated by the SMTP client as though a "bogus" or error
result had been returned.
An MTA using a non-validating security-aware stub resolver MAY use
the stub resolver's ability, if available, to signal DNSSEC
validation status based on information the stub resolver has learned
from an upstream validating recursive resolver. Security-oblivious
stub resolvers [<a href="./rfc4033" title=""DNS Security Introduction and Requirements"">RFC4033</a>] MUST NOT be used. In accordance with
<a href="./rfc4035#section-4.9.3">Section 4.9.3 of [RFC4035]</a>:
... a security-aware stub resolver MUST NOT place any reliance on
signature validation allegedly performed on its behalf, except
when the security-aware stub resolver obtained the data in
question from a trusted security-aware recursive name server via a
secure channel.
To avoid much repetition in the text below, we will pause to explain
the handling of "bogus" or "indeterminate" DNSSEC query responses.
These are not necessarily the result of a malicious actor; they can,
for example, occur when network packets are corrupted or lost in
transit. Therefore, "bogus" or "indeterminate" replies are equated
in this memo with lookup failure.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
There is an important non-failure condition we need to highlight in
addition to the obvious case of the DNS client obtaining a non-empty
"secure" or "insecure" RRset of the requested type. Namely, it is
not an error when either "secure" or "insecure" nonexistence is
determined for the requested data. When a DNSSEC response with a
validation status that is either "secure" or "insecure" reports
either no records of the requested type or nonexistence of the query
domain, the response is not a DNS error condition. The DNS client
has not been left without an answer; it has learned that records of
the requested type do not exist.
Security-aware stub resolvers will, of course, also signal DNS lookup
errors in other cases, for example, when processing a "SERVFAIL"
[<a href="./rfc2136" title=""Dynamic Updates in the Domain Name System (DNS UPDATE)"">RFC2136</a>] response code (RCODE) [<a href="./rfc1035" title=""Domain names - implementation and specification"">RFC1035</a>], which will not have an
associated DNSSEC status. All lookup errors are treated the same way
by this specification, regardless of whether they are from a "bogus"
or "indeterminate" DNSSEC status or from a more generic DNS error:
the information that was requested cannot be obtained by the
security-aware resolver at this time. Thus, a lookup error is either
a failure to obtain the relevant RRset if it exists or a failure to
determine that no such RRset exists when it does not.
In contrast to a "bogus" response or an "indeterminate" response, an
"insecure" DNSSEC response is not an error; rather, as explained
above, it indicates that the target DNS zone is either delegated as
an "insecure" child of a "secure" parent zone or not a descendant of
any of the configured DNSSEC trust anchors in use by the SMTP client.
"Insecure" results will leave the SMTP client with degraded channel
security but do not stand in the way of message delivery. See
<a href="#section-2.2">Section 2.2</a> for further details.
<span class="h4"><a class="selflink" id="section-2.1.2" href="#section-2.1.2">2.1.2</a>. DNS Error Handling</span>
When a DNS lookup failure (an error, "bogus", or "indeterminate", as
defined above) prevents an SMTP client from determining which SMTP
server or servers it should connect to, message delivery MUST be
delayed. This naturally includes, for example, the case when a
"bogus" or "indeterminate" response is encountered during MX
resolution. When multiple MX hostnames are obtained from a
successful MX lookup but a later DNS lookup failure prevents network
address resolution for a given MX hostname, delivery may proceed via
any remaining MX hosts.
When a particular SMTP server is securely identified as the delivery
destination, a set of DNS lookups (<a href="#section-2.2">Section 2.2</a>) MUST be performed to
locate any related TLSA records. If any DNS queries used to locate
TLSA records fail (due to "bogus" or "indeterminate" records,
timeouts, malformed replies, SERVFAIL responses, etc.), then the SMTP
<span class="grey">Dukhovni & Hardaker Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
client MUST treat that server as unreachable and MUST NOT deliver the
message via that server. If no servers are reachable, delivery is
delayed.
In the text that follows, we will only describe what happens when all
relevant DNS queries succeed. If any DNS failure occurs, the SMTP
client MUST behave as described in this section, by "skipping" the
SMTP server or destination that is problematic. Queries for
candidate TLSA records are explicitly part of "all relevant DNS
queries", and SMTP clients MUST NOT continue to connect to an SMTP
server or destination whose TLSA record lookup fails.
<span class="h4"><a class="selflink" id="section-2.1.3" href="#section-2.1.3">2.1.3</a>. Stub Resolver Considerations</span>
A note about DNAME aliases: a query for a domain name whose ancestor
domain is a DNAME alias returns the DNAME RR for the ancestor domain
along with a CNAME that maps the query domain to the corresponding
sub-domain of the target domain of the DNAME alias [<a href="./rfc6672" title=""DNAME Redirection in the DNS"">RFC6672</a>].
Therefore, whenever we speak of CNAME aliases, we implicitly allow
for the possibility that the alias in question is the result of an
ancestor domain DNAME record. Consequently, no explicit support for
DNAME records is needed in SMTP software; it is sufficient to process
the resulting CNAME aliases. DNAME records only require special
processing in the validating stub resolver library that checks the
integrity of the combined DNAME + CNAME reply. When DNSSEC
validation is handled by a local caching resolver rather than the MTA
itself, even that part of the DNAME support logic is outside the MTA.
When a stub resolver returns a response containing a CNAME alias that
does not also contain the corresponding query results for the target
of the alias, the SMTP client will need to repeat the query at the
target of the alias and should do so recursively up to some
configured or implementation-dependent recursion limit. If at any
stage of CNAME expansion an error is detected, the lookup of the
original requested records MUST be considered to have failed.
Whether a chain of CNAME records was returned in a single stub
resolver response or via explicit recursion by the SMTP client, if at
any stage of recursive expansion an "insecure" CNAME record is
encountered, then it and all subsequent results (in particular, the
final result) MUST be considered "insecure", regardless of whether or
not any earlier CNAME records leading to the "insecure" record were
"secure".
Note that a security-aware non-validating stub resolver may return to
the SMTP client an "insecure" reply received from a validating
recursive resolver that contains a CNAME record along with additional
answers recursively obtained starting at the target of the CNAME. In
<span class="grey">Dukhovni & Hardaker Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
this case, the only possible conclusion is that some record in the
set of records returned is "insecure", and it is, in fact, possible
that the initial CNAME record and a subset of the subsequent records
are "secure".
If the SMTP client needs to determine the security status of the DNS
zone containing the initial CNAME record, it will need to issue a
separate query of type "CNAME" that returns only the initial CNAME
record. Specifically, as discussed in <a href="#section-2.2.2">Section 2.2.2</a>, when "insecure"
A or AAAA records are found for an SMTP server via a CNAME alias, the
SMTP client will need to perform an additional CNAME query in order
to determine whether or not the DNS zone in which the alias is
published is DNSSEC signed.
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. TLS Discovery</span>
As noted previously (in <a href="#section-1.3.1">Section 1.3.1</a>), opportunistic TLS with SMTP
servers that advertise TLS support via STARTTLS is subject to an MITM
downgrade attack. Also, some SMTP servers that are not, in fact, TLS
capable erroneously advertise STARTTLS by default, and clients need
to be prepared to retry cleartext delivery after STARTTLS fails. In
contrast, DNSSEC-validated TLSA records MUST NOT be published for
servers that do not support TLS. Clients can safely interpret their
presence as a commitment by the server operator to implement TLS and
STARTTLS.
This memo defines four actions to be taken after the search for a
TLSA record returns "secure" usable results, "secure" unusable
results, "insecure" or no results, or an error signal. The term
"usable" in this context is in the sense of <a href="./rfc6698#section-4.1">Section 4.1 of [RFC6698]</a>.
Specifically, if the DNS lookup for a TLSA record returns:
A "secure" TLSA RRset with at least one usable record: Any
connection to the MTA MUST employ TLS encryption and MUST
authenticate the SMTP server using the techniques discussed in the
rest of this document. Failure to establish an authenticated TLS
connection MUST result in falling back to the next SMTP server or
delayed delivery.
A "secure" non-empty TLSA RRset where all the records are unusable:
Any connection to the MTA MUST be made via TLS, but authentication
is not required. Failure to establish an encrypted TLS connection
MUST result in falling back to the next SMTP server or delayed
delivery.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
An "insecure" TLSA RRset or DNSSEC-authenticated denial of existence
of the TLSA records:
A connection to the MTA SHOULD be made using (pre-DANE)
opportunistic TLS; this includes using cleartext delivery when the
remote SMTP server does not appear to support TLS. The MTA MAY
retry in cleartext when delivery via TLS fails during the
handshake or even during data transfer.
Any lookup error: Lookup errors, including "bogus" and
"indeterminate" as explained in <a href="#section-2.1.1">Section 2.1.1</a>, MUST result in
falling back to the next SMTP server or delayed delivery.
An SMTP client MAY be configured to mandate DANE-verified delivery
for some destinations. With mandatory DANE TLS (<a href="#section-6">Section 6</a>), delivery
proceeds only when "secure" TLSA records are used to establish an
encrypted and authenticated TLS channel with the SMTP server.
When the original next-hop destination is an address literal rather
than a DNS domain, DANE TLS does not apply. Delivery proceeds using
any relevant security policy configured by the MTA administrator.
Similarly, when an MX RRset incorrectly lists a network address in
lieu of an MX hostname, if an MTA chooses to connect to the network
address in the nonconformant MX record, DANE TLSA does not apply for
such a connection.
In the subsections that follow, we explain how to locate the SMTP
servers and the associated TLSA records for a given next-hop
destination domain. We also explain which name or names are to be
used in identity checks of the SMTP server certificate.
<span class="h4"><a class="selflink" id="section-2.2.1" href="#section-2.2.1">2.2.1</a>. MX Resolution</span>
In this section, we consider next-hop domains that are subject to MX
resolution and have MX records. The TLSA records and the associated
base domain are derived separately for each MX hostname that is used
to attempt message delivery. DANE TLS can authenticate message
delivery to the intended next-hop domain only when the MX records are
obtained securely via a DNSSEC-validated lookup.
MX records MUST be sorted by preference; an MX hostname with a worse
(numerically higher) MX preference that has TLSA records MUST NOT
preempt an MX hostname with a better (numerically lower) preference
that has no TLSA records. In other words, prevention of delivery
loops by obeying MX preferences MUST take precedence over channel
security considerations. Even with two equal-preference MX records,
an MTA is not obligated to choose the MX hostname that offers more
<span class="grey">Dukhovni & Hardaker Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
security. Domains that want secure inbound mail delivery need to
ensure that all their SMTP servers and MX records are configured
accordingly.
In the language of <a href="./rfc5321#section-5.1">[RFC5321], Section 5.1</a>, the original next-hop
domain is the "initial name". If the MX lookup of the initial name
results in a CNAME alias, the MTA replaces the initial name with the
resulting name and performs a new lookup with the new name. MTAs
typically support recursion in CNAME expansion, so this replacement
is performed repeatedly (up to the MTA's recursion limit) until the
ultimate non-CNAME domain is found.
If the MX RRset (or any CNAME leading to it) is "insecure" (see
<a href="#section-2.1.1">Section 2.1.1</a>) and DANE TLS for the given destination is mandatory
(<a href="#section-6">Section 6</a>), delivery MUST be delayed. If the MX RRset is "insecure"
and DANE TLS is not mandatory, the SMTP client is free to use
pre-DANE opportunistic TLS (possibly even cleartext).
Since the protocol in this memo is an Opportunistic Security protocol
[<a href="./rfc7435" title=""Opportunistic Security: Some Protection Most of the Time"">RFC7435</a>], the SMTP client MAY elect to use DANE TLS (as described in
<a href="#section-2.2.2">Section 2.2.2</a> below), even with MX hosts obtained via an "insecure"
MX RRset. For example, when a hosting provider has a signed DNS zone
and publishes TLSA records for its SMTP servers, hosted domains that
are not signed may still benefit from the provider's TLSA records.
Deliveries via the provider's SMTP servers will not be subject to
active attacks when sending SMTP clients elect to use the provider's
TLSA records (active attacks that tamper with the "insecure" MX RRset
are of course still possible in this case).
When the MX records are not (DNSSEC) signed, an active attacker can
redirect SMTP clients to MX hosts of his choice. Such redirection is
tamper-evident when SMTP servers found via "insecure" MX records are
recorded as the next-hop relay in the MTA delivery logs in their
original (rather than CNAME-expanded) form. Sending MTAs SHOULD log
unexpanded MX hostnames when these result from "insecure" MX lookups.
Any successful authentication via an insecurely determined MX host
MUST NOT be misrepresented in the mail logs as secure delivery to the
intended next-hop domain.
In the absence of DNS lookup errors (<a href="#section-2.1.1">Section 2.1.1</a>), if the MX RRset
is not "insecure", then it is "secure", and the SMTP client MUST
treat each MX hostname as described in <a href="#section-2.2.2">Section 2.2.2</a>. When, for a
given MX hostname, no TLSA records are found or only "insecure" TLSA
records are found, DANE TLSA is not applicable with the SMTP server
in question, and delivery proceeds to that host as with pre-DANE
opportunistic TLS. To avoid downgrade attacks, any errors during
TLSA lookups MUST, as explained in <a href="#section-2.1.2">Section 2.1.2</a>, cause the SMTP
server in question to be treated as unreachable.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
<span class="h4"><a class="selflink" id="section-2.2.2" href="#section-2.2.2">2.2.2</a>. Non-MX Destinations</span>
This section describes the algorithm used to locate the TLSA records
and associated TLSA base domain for an input domain that is not
subject to MX resolution, that represents a hostname from a "secure"
MX RRset, or that lacks MX records. Such domains include:
o Any host that is configured by the sending MTA administrator as
the next-hop relay for some or all domains and that is not subject
to MX resolution.
o A domain that has MX records. When a domain has MX records, we
treat each MX host listed in those MX records as though it were a
non-MX destination -- that is, in the same way as we would treat
an administrator-configured relay that handles mail for that
domain. (Unlike administrator-specified relays, MTAs are not
required to support CNAME expansion of next-hop names found via MX
lookups.)
o A next-hop destination domain subject to MX resolution that has no
MX records. In this case, the domain's name is implicitly also
its sole SMTP server name.
Note that DNS queries with type TLSA are mishandled by load-balancing
nameservers that serve the MX hostnames of some large email
providers. The DNS zones served by these nameservers are not signed
and contain no TLSA records. These nameservers SHOULD provide
"insecure" negative replies that indicate the nonexistence of the
TLSA records, but instead they fail by not responding at all or by
responding with a DNS RCODE [<a href="./rfc1035" title=""Domain names - implementation and specification"">RFC1035</a>] other than NXDOMAIN, e.g.,
SERVFAIL or NOTIMP [<a href="./rfc2136" title=""Dynamic Updates in the Domain Name System (DNS UPDATE)"">RFC2136</a>].
To avoid problems delivering mail to domains whose SMTP servers are
served by these problematic nameservers, the SMTP client MUST perform
any A and/or AAAA queries for the destination before attempting to
locate the associated TLSA records. This lookup is needed in any
case to determine (1) whether or not the destination domain is
reachable and (2) the DNSSEC validation status of the chain of CNAME
queries required to reach the ultimate address records.
If no address records are found, the destination is unreachable. If
address records are found but the DNSSEC validation status of the
first query response is "insecure" (see <a href="#section-2.1.3">Section 2.1.3</a>), the SMTP
client SHOULD NOT proceed to search for any associated TLSA records.
In the case of these problematic domains, TLSA queries would lead to
DNS lookup errors and would cause messages to be consistently delayed
and ultimately returned to the sender. We don't expect to find any
<span class="grey">Dukhovni & Hardaker Standards Track [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
"secure" TLSA records associated with a TLSA base domain that lies in
an unsigned DNS zone. Therefore, skipping TLSA lookups in this case
will also reduce latency, with no detrimental impact on security.
If the A and/or AAAA lookup of the initial name yields a CNAME, we
replace it with the resulting name as if it were the initial name and
perform a lookup again using the new name. This replacement is
performed recursively (up to the MTA's recursion limit).
We consider the following cases for handling a DNS response for an
A or AAAA DNS lookup:
Not found: When the DNS queries for A and/or AAAA records yield
neither a list of addresses nor a CNAME (or CNAME expansion is not
supported), the destination is unreachable.
Non-CNAME: The answer is not a CNAME alias. If the address RRset is
"secure", TLSA lookups are performed as described in <a href="#section-2.2.3">Section 2.2.3</a>
with the initial name as the candidate TLSA base domain. If no
"secure" TLSA records are found, DANE TLS is not applicable and
mail delivery proceeds with pre-DANE opportunistic TLS (which,
being best-effort, degrades to cleartext delivery when STARTTLS is
not available or the TLS handshake fails).
Insecure CNAME: The input domain is a CNAME alias, but the ultimate
network address RRset is "insecure" (see <a href="#section-2.1.1">Section 2.1.1</a>). If the
initial CNAME response is also "insecure", DANE TLS does not
apply. Otherwise, this case is treated just like the non-CNAME
case above, where a search is performed for a TLSA record with the
original input domain as the candidate TLSA base domain.
Secure CNAME: The input domain is a CNAME alias, and the ultimate
network address RRset is "secure" (see <a href="#section-2.1.1">Section 2.1.1</a>). Two
candidate TLSA base domains are tried: the fully CNAME-expanded
initial name and, failing that, the initial name itself.
In summary, if it is possible to securely obtain the full,
CNAME-expanded, DNSSEC-validated address records for the input
domain, then that name is the preferred TLSA base domain. Otherwise,
the unexpanded input domain is the candidate TLSA base domain. When
no "secure" TLSA records are found at either the CNAME-expanded or
unexpanded domain, then DANE TLS does not apply for mail delivery via
the input domain in question. And, as always, errors, "bogus"
results, or "indeterminate" results for any query in the process MUST
result in delaying or abandoning delivery.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
<span class="h4"><a class="selflink" id="section-2.2.3" href="#section-2.2.3">2.2.3</a>. TLSA Record Lookup</span>
When the SMTP server's hostname is not a CNAME or DNAME alias, the
list of associated candidate TLSA base domains (see below) consists
of just the server hostname.
When the hostname is an alias with a "secure" (at every stage) full
expansion, the list of candidate TLSA base domains (see below) is a
pair of domains: the fully expanded server hostname first, and the
unexpanded server hostname second.
Each candidate TLSA base domain (alias-expanded or original) is in
turn prefixed with service labels of the form "_<port>._tcp". The
resulting domain name is used to issue a DNSSEC query with the query
type set to TLSA (<a href="./rfc6698#section-7.1">[RFC6698], Section 7.1</a>).
The first of these candidate domains to yield a "secure" TLSA RRset
becomes the actual TLSA base domain.
For SMTP, the destination TCP port is typically 25, but this may be
different with custom routes specified by the MTA administrator, in
which case the SMTP client MUST use the appropriate number in the
"_<port>" prefix in place of "_25". If, for example, the candidate
base domain is "mx.example.com" and the SMTP connection is to port
25, the TLSA RRset is obtained via a DNSSEC query of the form:
_25._tcp.mx.example.com. IN TLSA ?
The query response may be a CNAME or the actual TLSA RRset. If the
response is a CNAME, the SMTP client (through the use of its
security-aware stub resolver) restarts the TLSA query at the target
domain, following CNAMEs as appropriate, and keeps track of whether
or not the entire chain is "secure". If any "insecure" records are
encountered or the TLSA records don't exist, the next candidate TLSA
base domain is tried instead.
If the ultimate response is a "secure" TLSA RRset, then the candidate
TLSA base domain will be the actual TLSA base domain, and the TLSA
RRset will constitute the TLSA records for the destination. If none
of the candidate TLSA base domains yield "secure" TLSA records, then
the SMTP client is free to use pre-DANE opportunistic TLS (possibly
even cleartext).
TLSA record publishers may leverage CNAMEs to reference a single
authoritative TLSA RRset specifying a common CA or a common
end-entity certificate to be used with multiple TLS services. Such
CNAME expansion does not change the SMTP client's notion of the TLSA
base domain; thus, when _25._tcp.mx.example.com is a CNAME, the base
<span class="grey">Dukhovni & Hardaker Standards Track [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
domain remains mx.example.com, and this is still the reference
identifier used together with the next-hop domain in peer certificate
name checks.
Note that shared end-entity certificate associations expose the
publishing domain to substitution attacks, where an MITM attacker can
reroute traffic to a different server that shares the same end-entity
certificate. Such shared end-entity TLSA records SHOULD be avoided
unless the servers in question are functionally equivalent or employ
mutually incompatible protocols (an active attacker gains nothing by
diverting client traffic from one such server to another).
A better example, employing a shared trust anchor rather than shared
end-entity certificates, is illustrated by the DNSSEC-validated
records below:
example.com. IN MX 0 mx1.example.com.
example.com. IN MX 0 mx2.example.com.
_25._tcp.mx1.example.com. IN CNAME tlsa201._dane.example.com.
_25._tcp.mx2.example.com. IN CNAME tlsa201._dane.example.com.
tlsa201._dane.example.com. IN TLSA 2 0 1 e3b0c44298fc1c149a...
The SMTP servers mx1.example.com and mx2.example.com will be expected
to have certificates issued under a common trust anchor, but each MX
hostname's TLSA base domain remains unchanged despite the above CNAME
records. Correspondingly, each SMTP server will be associated with a
pair of reference identifiers consisting of its hostname plus the
next-hop domain "example.com".
If, during TLSA resolution (including possible CNAME indirection), at
least one "secure" TLSA record is found (even if not usable because
it is unsupported by the implementation or support is
administratively disabled), then the corresponding host has signaled
its commitment to implement TLS. The SMTP client MUST NOT deliver
mail via the corresponding host unless a TLS session is negotiated
via STARTTLS. This is required to avoid MITM STARTTLS downgrade
attacks.
As noted previously (in <a href="#section-2.2.2">Section 2.2.2</a>), when no "secure" TLSA records
are found at the fully CNAME-expanded name, the original unexpanded
name MUST be tried instead. This supports customers of hosting
providers where the provider's zone cannot be validated with DNSSEC
but the customer has shared appropriate key material with the hosting
provider to enable TLS via SNI. Intermediate names that arise during
CNAME expansion that are neither the original name nor the final name
are never candidate TLSA base domains, even if "secure".
<span class="grey">Dukhovni & Hardaker Standards Track [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. DANE Authentication</span>
This section describes which TLSA records are applicable to SMTP
opportunistic DANE TLS and how to apply such records to authenticate
the SMTP server. With opportunistic DANE TLS, both the TLS support
implied by the presence of DANE TLSA records and the verification
parameters necessary to authenticate the TLS peer are obtained
together. In contrast to protocols where channel security policy is
set exclusively by the client, authentication via this protocol is
expected to be less prone to connection failure caused by
incompatible configuration of the client and server.
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. TLSA Certificate Usages</span>
The DANE TLSA specification [<a href="./rfc6698" title=""The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA"">RFC6698</a>] defines multiple TLSA RR types
via combinations of three numeric parameters. The numeric values of
these parameters were later given symbolic names in [<a href="./rfc7218" title=""Adding Acronyms to Simplify Conversations about DNS-Based Authentication of Named Entities (DANE)"">RFC7218</a>]. The
rest of the TLSA record is the "certificate association data field",
which specifies the full or digest value of a certificate or
public key.
Since opportunistic DANE TLS will be used by non-interactive MTAs,
with no user to "click OK" when authentication fails, reliability of
peer authentication is paramount. Server operators are advised to
publish TLSA records that are least likely to fail authentication due
to interoperability or operational problems. Because DANE TLS relies
on coordinated changes to DNS and SMTP server settings, the best
choice of records to publish will depend on site-specific practices.
The certificate usage element of a TLSA record plays a critical role
in determining how the corresponding certificate association data
field is used to authenticate a server's certificate chain.
Sections <a href="#section-3.1.1">3.1.1</a> and <a href="#section-3.1.2">3.1.2</a> explain the process for certificate usages
DANE-EE(3) and DANE-TA(2), respectively. <a href="#section-3.1.3">Section 3.1.3</a> briefly
explains why certificate usages PKIX-TA(0) and PKIX-EE(1) are not
applicable with opportunistic DANE TLS.
In summary, we RECOMMEND the use of "DANE-EE(3) SPKI(1) SHA2-256(1)",
with "DANE-TA(2) Cert(0) SHA2-256(1)" TLSA records as a second
choice, depending on site needs. See Sections <a href="#section-3.1.1">3.1.1</a> and <a href="#section-3.1.2">3.1.2</a> for
more details. Other combinations of TLSA parameters either (1) are
explicitly unsupported or (2) offer little to recommend them over
these two.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
<span class="h4"><a class="selflink" id="section-3.1.1" href="#section-3.1.1">3.1.1</a>. Certificate Usage DANE-EE(3)</span>
Authentication via certificate usage DANE-EE(3) TLSA records involves
simply checking that the server's leaf certificate matches the TLSA
record. In particular, the binding of the server public key to its
name is based entirely on the TLSA record association. The server
MUST be considered authenticated even if none of the names in the
certificate match the client's reference identity for the server.
The expiration date of the server certificate MUST be ignored: the
validity period of the TLSA record key binding is determined by the
validity interval of the TLSA record DNSSEC signature.
With DANE-EE(3), servers need not employ SNI (they may ignore the
client's SNI message) even when the server is known under independent
names that would otherwise require separate certificates. It is
instead sufficient for the TLSA RRsets for all the domains in
question to match the server's default certificate. Of course, with
SMTP servers it is simpler still to publish the same MX hostname for
all the hosted domains.
For domains where it is practical to make coordinated changes in DNS
TLSA records during SMTP server key rotation, it is often best to
publish end-entity DANE-EE(3) certificate associations. DANE-EE(3)
certificates don't suddenly stop working when leaf or intermediate
certificates expire, nor do they fail when the server operator
neglects to configure all the required issuer certificates in the
server certificate chain.
TLSA records published for SMTP servers SHOULD, in most cases, be
"DANE-EE(3) SPKI(1) SHA2-256(1)" records. Since all DANE
implementations are required to support SHA2-256, this record type
works for all clients and need not change across certificate renewals
with the same key.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
<span class="h4"><a class="selflink" id="section-3.1.2" href="#section-3.1.2">3.1.2</a>. Certificate Usage DANE-TA(2)</span>
Some domains may prefer to avoid the operational complexity of
publishing unique TLSA RRs for each TLS service. If the domain
employs a common issuing CA to create certificates for multiple TLS
services, it may be simpler to publish the issuing authority as a
trust anchor (TA) for the certificate chains of all relevant
services. The TLSA query domain (TLSA base domain with port and
protocol prefix labels) for each service issued by the same TA may
then be set to a CNAME alias that points to a common TLSA RRset that
matches the TA. For example:
example.com. IN MX 0 mx1.example.com.
example.com. IN MX 0 mx2.example.com.
_25._tcp.mx1.example.com. IN CNAME tlsa201._dane.example.com.
_25._tcp.mx2.example.com. IN CNAME tlsa201._dane.example.com.
tlsa201._dane.example.com. IN TLSA 2 0 1 e3b0c44298fc1c14....
With usage DANE-TA(2), the server certificates will need to have
names that match one of the client's reference identifiers (see
[<a href="./rfc6125" title=""Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)"">RFC6125</a>]). The server MAY employ SNI to select the appropriate
certificate to present to the client.
SMTP servers that rely on certificate usage DANE-TA(2) TLSA records
for TLS authentication MUST include the TA certificate as part of the
certificate chain presented in the TLS handshake server certificate
message even when it is a self-signed root certificate. Many SMTP
servers are not configured with a comprehensive list of trust
anchors, nor are they expected to be at any point in the future.
Some MTAs will ignore all locally trusted certificates when
processing usage DANE-TA(2) TLSA records. Thus, even when the TA
happens to be a public CA known to the SMTP client, authentication is
likely to fail unless the TA certificate is included in the TLS
server certificate message.
With some SMTP server software, it is not possible to configure the
server to include self-signed (root) CA certificates in the server
certificate chain. Such servers either MUST publish DANE-TA(2)
records for an intermediate certificate or MUST instead use
DANE-EE(3) TLSA records.
TLSA records with a matching type of Full(0) are discouraged. While
these potentially obviate the need to transmit the TA certificate in
the TLS server certificate message, client implementations may not be
able to augment the server certificate chain with the data obtained
from DNS, especially when the TLSA record supplies a bare key
(selector SPKI(1)). Since the server will need to transmit the TA
certificate in any case, server operators SHOULD publish TLSA records
<span class="grey">Dukhovni & Hardaker Standards Track [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
with a matching type other than Full(0) and avoid potential
interoperability issues with large TLSA records containing full
certificates or keys.
TLSA Publishers employing DANE-TA(2) records SHOULD publish records
with a selector of Cert(0). Such TLSA records are associated with
the whole trust anchor certificate, not just with the trust anchor
public key. In particular, the SMTP client SHOULD then apply any
relevant constraints from the trust anchor certificate, such as, for
example, path length constraints.
While a selector of SPKI(1) may also be employed, the resulting TLSA
record will not specify the full trust anchor certificate content,
and elements of the trust anchor certificate other than the public
key become mutable. This may, for example, allow a subsidiary CA to
issue a chain that violates the trust anchor's path length or name
constraints.
<span class="h4"><a class="selflink" id="section-3.1.3" href="#section-3.1.3">3.1.3</a>. Certificate Usages PKIX-TA(0) and PKIX-EE(1)</span>
Note that this section applies to MTA-to-MTA SMTP, which is normally
on port 25 -- that is, to servers that are the SMTP servers for one
or more destination domains. Other uses of SMTP, such as in
MUA-to-MSA submission on ports 587 or 465, are out of scope for this
document. Where those other uses also employ TLS opportunistically
and/or depend on DNSSEC as a result of DNS-based discovery of service
location, the relevant specifications should, as appropriate, arrive
at similar conclusions.
As noted in Sections <a href="#section-1.3.1">1.3.1</a> and <a href="#section-1.3.2">1.3.2</a>, sending MTAs cannot, without
relying on DNSSEC for "secure" MX records and DANE for STARTTLS
support signaling, perform server identity verification or prevent
STARTTLS downgrade attacks. The use of PKIX CAs offers no added
security, since an attacker capable of compromising DNSSEC is free to
replace any PKIX-TA(0) or PKIX-EE(1) TLSA records with records
bearing any convenient non-PKIX certificate usage. Finally, as
explained in <a href="#section-1.3.4">Section 1.3.4</a>, there is no list of trusted CAs agreed
upon by all MTAs and no user to "click OK" when a server's CA is not
trusted by a client.
Therefore, TLSA records for the port 25 SMTP service used by client
MTAs SHOULD NOT include TLSA RRs with certificate usage PKIX-TA(0) or
PKIX-EE(1). SMTP client MTAs cannot be expected to be configured
with a suitably complete set of trusted public CAs. Lacking a
complete set of public CAs, MTA clients would not be able to verify
the certificates of SMTP servers whose issuing root CAs are not
trusted by the client.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
Opportunistic DANE TLS needs to interoperate without bilateral
coordination of security settings between client and server systems.
Therefore, parameter choices that are fragile in the absence of
bilateral coordination are unsupported. Nothing is lost; since the
PKIX certificate usages cannot aid SMTP TLS security, they can only
impede SMTP TLS interoperability.
SMTP client treatment of TLSA RRs with certificate usages PKIX-TA(0)
or PKIX-EE(1) is undefined. As with any other unsupported
certificate usage, SMTP clients MAY treat such records as "unusable".
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Certificate Matching</span>
When at least one usable "secure" TLSA record is found, the SMTP
client MUST use TLSA records to authenticate the SMTP server.
Messages MUST NOT be delivered via the SMTP server if authentication
fails; otherwise, the SMTP client is vulnerable to MITM attacks.
<span class="h4"><a class="selflink" id="section-3.2.1" href="#section-3.2.1">3.2.1</a>. DANE-EE(3) Name Checks</span>
The SMTP client MUST NOT perform certificate name checks with
certificate usage DANE-EE(3) (<a href="#section-3.1.1">Section 3.1.1</a>).
<span class="h4"><a class="selflink" id="section-3.2.2" href="#section-3.2.2">3.2.2</a>. DANE-TA(2) Name Checks</span>
To match a server via a TLSA record with certificate usage
DANE-TA(2), the client MUST perform name checks to ensure that it has
reached the correct server. In all DANE-TA(2) cases, the SMTP client
MUST employ the TLSA base domain as the primary reference identifier
for matching the server certificate.
TLSA records for MX hostnames: If the TLSA base domain was obtained
indirectly via a "secure" MX lookup (including any CNAME-expanded
name of an MX hostname), then the original next-hop domain used in
the MX lookup MUST be included as a second reference identifier.
The CNAME-expanded original next-hop domain MUST be included as a
third reference identifier if different from the original next-hop
domain. When the client MTA is employing DANE TLS security
despite "insecure" MX redirection, the MX hostname is the only
reference identifier.
TLSA records for non-MX hostnames: If MX records were not used
(e.g., if none exist) and the TLSA base domain is the
CNAME-expanded original next-hop domain, then the original
next-hop domain MUST be included as a second reference identifier.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
Accepting certificates with the original next-hop domain in addition
to the MX hostname allows a domain with multiple MX hostnames to
field a single certificate bearing a single domain name (i.e., the
email domain) across all the SMTP servers. This also aids
interoperability with pre-DANE SMTP clients that are configured to
look for the email domain name in server certificates -- for example,
with "secure" DNS records as shown below:
exchange.example.org. IN CNAME mail.example.org.
mail.example.org. IN CNAME example.com.
example.com. IN MX 10 mx10.example.com.
example.com. IN MX 15 mx15.example.com.
example.com. IN MX 20 mx20.example.com.
;
mx10.example.com. IN A 192.0.2.10
_25._tcp.mx10.example.com. IN TLSA 2 0 1 ...
;
mx15.example.com. IN CNAME mxbackup.example.com.
mxbackup.example.com. IN A 192.0.2.15
; _25._tcp.mxbackup.example.com. IN TLSA ? (NXDOMAIN)
_25._tcp.mx15.example.com. IN TLSA 2 0 1 ...
;
mx20.example.com. IN CNAME mxbackup.example.net.
mxbackup.example.net. IN A 198.51.100.20
_25._tcp.mxbackup.example.net. IN TLSA 2 0 1 ...
Certificate name checks for delivery of mail to exchange.example.org
via any of the associated SMTP servers MUST accept at least the names
"exchange.example.org" and "example.com", which are, respectively,
the original and fully expanded next-hop domain. When the SMTP
server is mx10.example.com, name checks MUST accept the TLSA base
domain "mx10.example.com". If, despite the fact that MX hostnames
are required to not be aliases, the MTA supports delivery via
"mx15.example.com" or "mx20.example.com", then name checks MUST
accept the respective TLSA base domains "mx15.example.com" and
"mxbackup.example.net".
<span class="h4"><a class="selflink" id="section-3.2.3" href="#section-3.2.3">3.2.3</a>. Reference Identifier Matching</span>
When name checks are applicable (certificate usage DANE-TA(2)), if
the server certificate contains a Subject Alternative Name extension
[<a href="./rfc5280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC5280</a>] with at least one DNS-ID [<a href="./rfc6125" title=""Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)"">RFC6125</a>], then only the DNS-IDs
are matched against the client's reference identifiers. The CN-ID
[<a href="./rfc6125" title=""Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)"">RFC6125</a>] is only considered when no DNS-IDs are present. The server
certificate is considered matched when one of its presented
identifiers [<a href="./rfc5280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC5280</a>] matches any of the client's reference
identifiers.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
Wildcards are valid in either DNS-IDs or the CN-ID when applicable.
The wildcard character must be the entire first label of the DNS-ID
or CN-ID. Thus, "*.example.com" is valid, while "smtp*.example.com"
and "*smtp.example.com" are not. SMTP clients MUST support wildcards
that match the first label of the reference identifier, with the
remaining labels matching verbatim. For example, the DNS-ID
"*.example.com" matches the reference identifier "mx1.example.com".
SMTP clients MAY, subject to local policy, allow wildcards to match
multiple reference identifier labels, but servers cannot expect broad
support for such a policy. Therefore, any wildcards in server
certificates SHOULD match exactly one label in either the TLSA base
domain or the next-hop domain.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Server Key Management</span>
Two TLSA records MUST be published before employing a new EE or TA
public key or certificate: one matching the currently deployed key
and the other matching the new key scheduled to replace it. Once
sufficient time has elapsed for all DNS caches to expire the previous
TLSA RRset and related signature RRsets, servers may be configured to
use the new EE private key and associated public key certificate or
may employ certificates signed by the new trust anchor.
Once the new public key or certificate is in use, the TLSA RR that
matches the retired key can be removed from DNS, leaving only RRs
that match keys or certificates in active use.
As described in <a href="#section-3.1.2">Section 3.1.2</a>, when server certificates are validated
via a DANE-TA(2) trust anchor and CNAME records are employed to store
the TA association data at a single location, the responsibility of
updating the TLSA RRset shifts to the operator of the trust anchor.
Before a new trust anchor is used to sign any new server
certificates, its certificate (digest) is added to the relevant TLSA
RRset. After enough time elapses for the original TLSA RRset to age
out of DNS caches, the new trust anchor can start issuing new server
certificates. Once all certificates issued under the previous trust
anchor have expired, its associated RRs can be removed from the TLSA
RRset.
In the DANE-TA(2) key management model, server operators do not
generally need to update DNS TLSA records after initially creating a
CNAME record that references the centrally operated DANE-TA(2) RRset.
If a particular server's key is compromised, its TLSA CNAME SHOULD be
replaced with a DANE-EE(3) association until the certificate for the
compromised key expires, at which point it can return to using a
CNAME record. If the central trust anchor is compromised, all
<span class="grey">Dukhovni & Hardaker Standards Track [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
servers need to be issued new keys by a new TA, and an updated
DANE-TA(2) TLSA RRset needs to be published containing just the
new TA.
SMTP servers cannot expect broad Certificate Revocation List (CRL) or
Online Certificate Status Protocol (OCSP) support from SMTP clients.
As outlined above, with DANE, compromised server or trust anchor keys
can be "revoked" by removing them from the DNS without the need for
client-side support for OCSP or CRLs.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Digest Algorithm Agility</span>
While [<a href="./rfc6698" title=""The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA"">RFC6698</a>] specifies multiple digest algorithms, it does not
specify a protocol by which the SMTP client and TLSA record publisher
can agree on the strongest shared algorithm. Such a protocol would
allow the client and server to avoid exposure to deprecated weaker
algorithms that are published for compatibility with less capable
clients. When stronger algorithms are an option, deprecated
algorithms SHOULD be avoided. Such a protocol is specified in
[<a href="./rfc7671" title=""The DNS-Based Authentication of Named Entities (DANE) Protocol: Updates and Operational Guidance"">RFC7671</a>]. SMTP clients and servers that implement this
specification MUST comply with the requirements outlined in <a href="./rfc7671#section-9">Section 9
of [RFC7671]</a>.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Mandatory TLS Security</span>
An MTA implementing this protocol may require a stronger security
assurance when sending email to selected destinations. The sending
organization may need to send sensitive email and/or may have
regulatory obligations to protect its content. This protocol is not
in conflict with such a requirement and, in fact, can often simplify
authenticated delivery to such destinations.
Specifically, with domains that publish DANE TLSA records for their
MX hostnames, a sending MTA can be configured to use the receiving
domain's DANE TLSA records to authenticate the corresponding SMTP
server. Authentication via DANE TLSA records is easier to manage, as
changes in the receiver's expected certificate properties are made on
the receiver end and don't require manually communicated
configuration changes. With mandatory DANE TLS, when no usable TLSA
records are found, message delivery is delayed. Thus, mail is only
sent when an authenticated TLS channel is established to the remote
SMTP server.
Administrators of mail servers that employ mandatory DANE TLS need to
carefully monitor their mail logs and queues. If a partner domain
unwittingly misconfigures its TLSA records, disables DNSSEC, or
misconfigures SMTP server certificate chains, mail will be delayed
and may bounce if the issue is not resolved in a timely manner.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Note on DANE for Message User Agents</span>
We note that SMTP is also used between Message User Agents (MUAs) and
Message Submission Agents (MSAs) [<a href="./rfc6409" title=""Message Submission for Mail"">RFC6409</a>]. In [<a href="./rfc6186" title=""Use of SRV Records for Locating Email Submission/Access Services"">RFC6186</a>], a protocol
is specified that enables an MUA to dynamically locate the MSA based
on the user's email address. SMTP connection security considerations
for MUAs implementing [<a href="./rfc6186" title=""Use of SRV Records for Locating Email Submission/Access Services"">RFC6186</a>] are largely analogous to connection
security requirements for MTAs, and this specification could be
applied largely verbatim with DNS MX records replaced by
corresponding DNS Service (SRV) records [<a href="./rfc7673" title=""Using DNS-Based Authentication of Named Entities (DANE) TLSA Records with SRV Records"">RFC7673</a>].
However, until MUAs begin to adopt the dynamic configuration
mechanisms of [<a href="./rfc6186" title=""Use of SRV Records for Locating Email Submission/Access Services"">RFC6186</a>], they are adequately served by more
traditional static TLS security policies. Specification of DANE TLS
for MUA-to-MSA SMTP is left to future documents that focus
specifically on SMTP security between MUAs and MSAs.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Interoperability Considerations</span>
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. SNI Support</span>
To ensure that the server sends the right certificate chain, the SMTP
client MUST send the TLS SNI extension containing the TLSA base
domain. This precludes the use of the Secure Socket Layer (SSL)
HELLO that is SSL 2.0 compatible by the SMTP client.
Each SMTP server MUST present a certificate chain (see <a href="./rfc5246#section-7.4.2">[RFC5246],
Section 7.4.2</a>) that matches at least one of the TLSA records. The
server MAY rely on SNI to determine which certificate chain to
present to the client. Clients that don't send SNI information may
not see the expected certificate chain.
If the server's TLSA records match the server's default certificate
chain, the server need not support SNI. In either case, the server
need not include the SNI extension in its TLS HELLO, as simply
returning a matching certificate chain is sufficient. Servers
MUST NOT enforce the use of SNI by clients, as the client may be
using unauthenticated opportunistic TLS and may not expect any
particular certificate from the server. If the client sends no SNI
extension or sends an SNI extension for an unsupported domain, the
server MUST simply send some fallback certificate chain of its
choice. The reason for not enforcing strict matching of the
requested SNI hostname is that DANE TLS clients are typically willing
to accept multiple server names but can only send one name in the SNI
extension. The server's fallback certificate may match a different
name acceptable to the client, e.g., the original next-hop domain.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Anonymous TLS Cipher Suites</span>
Since many SMTP servers either do not support or do not enable any
anonymous TLS cipher suites, SMTP client TLS HELLO messages SHOULD
offer to negotiate a typical set of non-anonymous cipher suites
required for interoperability with such servers. An SMTP client
employing pre-DANE opportunistic TLS MAY also include one or more
anonymous TLS cipher suites in its TLS HELLO. SMTP servers that need
to interoperate with opportunistic TLS clients SHOULD be prepared to
interoperate with such clients by either always selecting a mutually
supported non-anonymous cipher suite or correctly handling client
connections that negotiate anonymous cipher suites.
Note that while SMTP server operators are under no obligation to
enable anonymous cipher suites, no security is gained by sending
certificates to clients that will ignore them. Indeed, support for
anonymous cipher suites in the server makes audit trails more
informative. Log entries that record connections that employed an
anonymous cipher suite record the fact that the clients did not care
to authenticate the server.
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Operational Considerations</span>
<span class="h3"><a class="selflink" id="section-9.1" href="#section-9.1">9.1</a>. Client Operational Considerations</span>
An operational error on the sending or receiving side that cannot be
corrected in a timely manner may, at times, lead to consistent
failure to deliver time-sensitive email. The sending MTA
administrator may have to choose between allowing email to queue
until the error is resolved and disabling opportunistic or mandatory
DANE TLS (<a href="#section-6">Section 6</a>) for one or more destinations. The choice to
disable DANE TLS security should not be made lightly. Every
reasonable effort should be made to determine that problems with mail
delivery are the result of an operational error and not an attack. A
fallback strategy may be to configure explicit out-of-band TLS
security settings if supported by the sending MTA.
SMTP clients may deploy opportunistic DANE TLS incrementally by
enabling it only for selected sites or may occasionally need to
disable opportunistic DANE TLS for peers that fail to interoperate
due to misconfiguration or software defects on either end. Some
implementations MAY support DANE TLS in an "audit only" mode in which
failure to achieve the requisite security level is logged as a
warning and delivery proceeds at a reduced security level. Unless
local policy specifies "audit only" or specifies that opportunistic
DANE TLS is not to be used for a particular destination, an SMTP
<span class="grey">Dukhovni & Hardaker Standards Track [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
client MUST NOT deliver mail via a server whose certificate chain
fails to match at least one TLSA record when usable TLSA records are
found for that server.
<span class="h3"><a class="selflink" id="section-9.2" href="#section-9.2">9.2</a>. Publisher Operational Considerations</span>
Some MTAs enable STARTTLS selectively. For example, they might only
support STARTTLS with clients that have previously demonstrated
"proper MTA behavior", e.g., by retrying the delivery of deferred
messages (greylisting). If such an MTA publishes DANE TLSA records,
sending MTAs that implement this specification will not attempt the
initial cleartext SMTP transaction needed to establish the "proper
MTA behavior", because they cannot establish the required channel
security. Server operators MUST NOT implement selective STARTTLS if
they also want to support DANE TLSA.
TLSA Publishers MUST follow the guidelines in <a href="./rfc7671#section-8">Section 8 of [RFC7671]</a>.
TLSA Publishers SHOULD follow the TLSA publication size guidance
found in <a href="./rfc7671#section-10.1">Section 10.1 of [RFC7671]</a>.
TLSA Publishers SHOULD follow the TLSA record TTL and signature
lifetime recommendations found in <a href="./rfc7671#section-13">Section 13 of [RFC7671]</a>.
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. Security Considerations</span>
This protocol leverages DANE TLSA records to implement MITM-resistant
Opportunistic Security [<a href="./rfc7435" title=""Opportunistic Security: Some Protection Most of the Time"">RFC7435</a>] for SMTP. For destination domains
that sign their MX records and publish signed TLSA records for their
MX hostnames, this protocol allows sending MTAs to securely discover
both the availability of TLS and how to authenticate the destination.
This protocol does not aim to secure all SMTP traffic, as that is not
practical until DNSSEC and DANE adoption are universal. The
incremental deployment provided by following this specification is a
best possible path for securing SMTP. This protocol coexists and
interoperates with the existing insecure Internet email backbone.
The protocol does not preclude existing non-opportunistic SMTP TLS
security arrangements, which can continue to be used as before via
manual configuration with negotiated out-of-band key and TLS
configuration exchanges.
Opportunistic SMTP TLS depends critically on DNSSEC for downgrade
resistance and secure resolution of the destination name. If DNSSEC
is compromised, it is not possible to fall back on the public CA PKI
to prevent MITM attacks. A successful breach of DNSSEC enables the
attacker to publish TLSA usage 3 certificate associations and thereby
<span class="grey">Dukhovni & Hardaker Standards Track [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
bypass any security benefit the legitimate domain owner might hope to
gain by publishing usage 0 or usage 1 TLSA RRs. Given the lack of
public CA PKI support in existing MTA deployments, avoiding
certificate usages 0 and 1 simplifies implementation and deployment
with no adverse security consequences.
Implementations must strictly follow Sections <a href="#section-2.1.2">2.1.2</a>, <a href="#section-2.1.3">2.1.3</a>, <a href="#section-2.2">2.2</a>,
2.2.1, 2.2.2, 2.2.3, 3.2, and 9.1 of this specification; these
sections indicate when it is appropriate to initiate a
non-authenticated connection or cleartext connection to an SMTP
server. Specifically, in order to prevent downgrade attacks on this
protocol, implementations must not initiate a connection when this
specification indicates that a particular SMTP server must be
considered unreachable.
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. References</span>
<span class="h3"><a class="selflink" id="section-11.1" href="#section-11.1">11.1</a>. Normative References</span>
[<a id="ref-RFC1034">RFC1034</a>] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, <a href="./rfc1034">RFC 1034</a>, DOI 10.17487/RFC1034, November 1987,
<<a href="http://www.rfc-editor.org/info/rfc1034">http://www.rfc-editor.org/info/rfc1034</a>>.
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>,
DOI 10.17487/RFC2119, March 1997,
<<a href="http://www.rfc-editor.org/info/rfc2119">http://www.rfc-editor.org/info/rfc2119</a>>.
[<a id="ref-RFC3207">RFC3207</a>] Hoffman, P., "SMTP Service Extension for Secure SMTP over
Transport Layer Security", <a href="./rfc3207">RFC 3207</a>, DOI 10.17487/RFC3207,
February 2002, <<a href="http://www.rfc-editor.org/info/rfc3207">http://www.rfc-editor.org/info/rfc3207</a>>.
[<a id="ref-RFC4033">RFC4033</a>] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
<a href="./rfc4033">RFC 4033</a>, DOI 10.17487/RFC4033, March 2005,
<<a href="http://www.rfc-editor.org/info/rfc4033">http://www.rfc-editor.org/info/rfc4033</a>>.
[<a id="ref-RFC4034">RFC4034</a>] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
<a href="./rfc4034">RFC 4034</a>, DOI 10.17487/RFC4034, March 2005,
<<a href="http://www.rfc-editor.org/info/rfc4034">http://www.rfc-editor.org/info/rfc4034</a>>.
[<a id="ref-RFC4035">RFC4035</a>] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", <a href="./rfc4035">RFC 4035</a>, DOI 10.17487/RFC4035, March 2005,
<<a href="http://www.rfc-editor.org/info/rfc4035">http://www.rfc-editor.org/info/rfc4035</a>>.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
[<a id="ref-RFC5246">RFC5246</a>] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", <a href="./rfc5246">RFC 5246</a>,
DOI 10.17487/RFC5246, August 2008,
<<a href="http://www.rfc-editor.org/info/rfc5246">http://www.rfc-editor.org/info/rfc5246</a>>.
[<a id="ref-RFC5280">RFC5280</a>] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", <a href="./rfc5280">RFC 5280</a>, DOI 10.17487/RFC5280, May 2008,
<<a href="http://www.rfc-editor.org/info/rfc5280">http://www.rfc-editor.org/info/rfc5280</a>>.
[<a id="ref-RFC5321">RFC5321</a>] Klensin, J., "Simple Mail Transfer Protocol", <a href="./rfc5321">RFC 5321</a>,
DOI 10.17487/RFC5321, October 2008,
<<a href="http://www.rfc-editor.org/info/rfc5321">http://www.rfc-editor.org/info/rfc5321</a>>.
[<a id="ref-RFC5598">RFC5598</a>] Crocker, D., "Internet Mail Architecture", <a href="./rfc5598">RFC 5598</a>,
DOI 10.17487/RFC5598, July 2009,
<<a href="http://www.rfc-editor.org/info/rfc5598">http://www.rfc-editor.org/info/rfc5598</a>>.
[<a id="ref-RFC6066">RFC6066</a>] Eastlake 3rd, D., "Transport Layer Security (TLS)
Extensions: Extension Definitions", <a href="./rfc6066">RFC 6066</a>,
DOI 10.17487/RFC6066, January 2011,
<<a href="http://www.rfc-editor.org/info/rfc6066">http://www.rfc-editor.org/info/rfc6066</a>>.
[<a id="ref-RFC6125">RFC6125</a>] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer
Security (TLS)", <a href="./rfc6125">RFC 6125</a>, DOI 10.17487/RFC6125,
March 2011, <<a href="http://www.rfc-editor.org/info/rfc6125">http://www.rfc-editor.org/info/rfc6125</a>>.
[<a id="ref-RFC6186">RFC6186</a>] Daboo, C., "Use of SRV Records for Locating Email
Submission/Access Services", <a href="./rfc6186">RFC 6186</a>,
DOI 10.17487/RFC6186, March 2011,
<<a href="http://www.rfc-editor.org/info/rfc6186">http://www.rfc-editor.org/info/rfc6186</a>>.
[<a id="ref-RFC6672">RFC6672</a>] Rose, S. and W. Wijngaards, "DNAME Redirection in the
DNS", <a href="./rfc6672">RFC 6672</a>, DOI 10.17487/RFC6672, June 2012,
<<a href="http://www.rfc-editor.org/info/rfc6672">http://www.rfc-editor.org/info/rfc6672</a>>.
[<a id="ref-RFC6698">RFC6698</a>] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
of Named Entities (DANE) Transport Layer Security (TLS)
Protocol: TLSA", <a href="./rfc6698">RFC 6698</a>, DOI 10.17487/RFC6698,
August 2012, <<a href="http://www.rfc-editor.org/info/rfc6698">http://www.rfc-editor.org/info/rfc6698</a>>.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
[<a id="ref-RFC7218">RFC7218</a>] Gudmundsson, O., "Adding Acronyms to Simplify
Conversations about DNS-Based Authentication of Named
Entities (DANE)", <a href="./rfc7218">RFC 7218</a>, DOI 10.17487/RFC7218,
April 2014, <<a href="http://www.rfc-editor.org/info/rfc7218">http://www.rfc-editor.org/info/rfc7218</a>>.
[<a id="ref-RFC7671">RFC7671</a>] Dukhovni, V. and W. Hardaker, "The DNS-Based
Authentication of Named Entities (DANE) Protocol: Updates
and Operational Guidance", <a href="./rfc7671">RFC 7671</a>, DOI 10.17487/RFC7671,
October 2015, <<a href="http://www.rfc-editor.org/info/rfc7671">http://www.rfc-editor.org/info/rfc7671</a>>.
<span class="h3"><a class="selflink" id="section-11.2" href="#section-11.2">11.2</a>. Informative References</span>
[<a id="ref-RFC1035">RFC1035</a>] Mockapetris, P., "Domain names - implementation and
specification", STD 13, <a href="./rfc1035">RFC 1035</a>, DOI 10.17487/RFC1035,
November 1987, <<a href="http://www.rfc-editor.org/info/rfc1035">http://www.rfc-editor.org/info/rfc1035</a>>.
[<a id="ref-RFC2136">RFC2136</a>] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)",
<a href="./rfc2136">RFC 2136</a>, DOI 10.17487/RFC2136, April 1997,
<<a href="http://www.rfc-editor.org/info/rfc2136">http://www.rfc-editor.org/info/rfc2136</a>>.
[<a id="ref-RFC2181">RFC2181</a>] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", <a href="./rfc2181">RFC 2181</a>, DOI 10.17487/RFC2181, July 1997,
<<a href="http://www.rfc-editor.org/info/rfc2181">http://www.rfc-editor.org/info/rfc2181</a>>.
[<a id="ref-RFC4949">RFC4949</a>] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, <a href="./rfc4949">RFC 4949</a>, DOI 10.17487/RFC4949, August 2007,
<<a href="http://www.rfc-editor.org/info/rfc4949">http://www.rfc-editor.org/info/rfc4949</a>>.
[<a id="ref-RFC6409">RFC6409</a>] Gellens, R. and J. Klensin, "Message Submission for Mail",
STD 72, <a href="./rfc6409">RFC 6409</a>, DOI 10.17487/RFC6409, November 2011,
<<a href="http://www.rfc-editor.org/info/rfc6409">http://www.rfc-editor.org/info/rfc6409</a>>.
[<a id="ref-RFC7435">RFC7435</a>] Dukhovni, V., "Opportunistic Security: Some Protection
Most of the Time", <a href="./rfc7435">RFC 7435</a>, DOI 10.17487/RFC7435,
December 2014, <<a href="http://www.rfc-editor.org/info/rfc7435">http://www.rfc-editor.org/info/rfc7435</a>>.
[<a id="ref-RFC7673">RFC7673</a>] Finch, T., Miller, M., and P. Saint-Andre, "Using
DNS-Based Authentication of Named Entities (DANE) TLSA
Records with SRV Records", <a href="./rfc7673">RFC 7673</a>, DOI 10.17487/RFC7673,
October 2015, <<a href="http://www.rfc-editor.org/info/rfc7673">http://www.rfc-editor.org/info/rfc7673</a>>.
<span class="grey">Dukhovni & Hardaker Standards Track [Page 33]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-34" ></span>
<span class="grey"><a href="./rfc7672">RFC 7672</a> SMTP Security via Opportunistic DANE TLS October 2015</span>
Acknowledgements
The authors would like to extend great thanks to Tony Finch, who
started the original version of a DANE SMTP document. His work is
greatly appreciated and has been incorporated into this document.
The authors would like to additionally thank Phil Pennock for his
comments and advice on this document.
Acknowledgements from Viktor: Thanks to Paul Hoffman, who motivated
me to begin work on this memo and provided feedback on early draft
versions of this document. Thanks to Patrick Koetter, Perry Metzger,
and Nico Williams for valuable review comments. Thanks also to
Wietse Venema, who created Postfix, and whose advice and feedback
were essential to the development of the Postfix DANE implementation.
Authors' Addresses
Viktor Dukhovni
Two Sigma
Email: ietf-dane@dukhovni.org
Wes Hardaker
Parsons
P.O. Box 382
Davis, CA 95617
United States
Email: ietf@hardakers.net
Dukhovni & Hardaker Standards Track [Page 34]
</pre>
|
