Re: [certid] What DNS-ID if also using a DNS-SRV?

Alexey Melnikov <alexey.melnikov@isode.com> Wed, 23 June 2010 19:02 UTC

Message-ID: <4C225A1B.4070806@isode.com>
Date: Wed, 23 Jun 2010 20:01:47 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <p062408bbc8388055fb6d@[10.20.30.158]> <4C1CABA1.2050205@isode.com> <p0624082bc8427e79bd60@[10.20.30.158]>
In-Reply-To: <p0624082bc8427e79bd60@[10.20.30.158]>
Cc: certid@ietf.org
Subject: Re: [certid] What DNS-ID if also using a DNS-SRV?

Hi Paul,

Paul Hoffman wrote:

>At 12:36 PM +0100 6/19/10, Alexey Melnikov wrote:
>
>>Hi Paul,
>>
>>Paul Hoffman wrote:
>>
>>> 1.  The certificate MUST include a "DNS-ID" (i.e., a subjectAltName
>>>     identifier of type dNSName).
>>>
>>> 2.  If the service using the certificate deploys a technology in
>>>     which a server is discovered by means of DNS SRV records
>>>     [DNS-SRV] (e.g., this is true of [XMPP]), then the certificate
>>>     SHOULD include an "SRV-ID" (i.e., an instance of the SRVName form
>>>     of otherName from the GeneralName structure in the subjectAltName
>>>     as specified in [SRVNAME]).
>>>
>>>If 2 is true, what is the value of the required DNS-ID?
>>>
>>One or more hostnames for machines that would provide the specified service. I.e. most likely some/all hostnames from the output of a DNS SRV lookup, but I can think of some examples where other hostnames can be used in addition to or instead of these. E.g. a machine on an internal network, the hostname of a NAT box, etc.
>>
>So a cert says "the hostname of this server is www.example.com, and you can look up the hostname for the server using SRV"? What does that mean in a security context?
>
This is a good question and it took me some time to gather thoughts on 
how to reply to it.

>If I get back one name of yyy.example.com, does that mean that the host has both names, or that there was a lookup error?
>
In general it can be either, or neither. I don't think one can draw any 
conclusion. Let me try to give a more detailed explanation of how this is 
supposed to work (at least with the current version of the document):

Let's say we have a certificate with (I might be getting the syntax 
wrong, but you should get the idea of what I mean)

dNSName: imap.example.com
sRVName: _imap._tcp.example.com

I've changed www.example.com to imap.isode.com, as there is now a 
specification about how to use DNS SRV for locating IMAP servers. But 
the idea applies to other services.

So the document says that a client using DNS SRV must check sRVName 
first. Only if no sRVName is found can it check the dNSName.
So a client doing a DNS SRV lookup for service "imap" for domain 
"example.com" wouldn't care if the returned hostname is imap.example.com 
or yyy.example.com.

Another client which is explicitly configured with a hostname will only 
check the dNSName value and will not check any sRVName values.

There might be several reasons why DNS SRV might return something 
different from "imap.example.com": different hostnames used on internal 
and external networks (due to NATs), clustering, etc. So clients 
shouldn't automatically check if sRVName resolves to one or more of 
dNSName values specified in the same certificate.
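The two client behaviours described in this message, written out as an added example (not text from the draft and not any implementation's code). It follows the message's own spelling of the SRV-ID (`_imap._tcp.example.com`), and assumes that when a certificate carries no SRV-ID at all the DNS-ID is compared against the source domain the user supplied, never against the hostname the SRV answer returned.

```python
"""Reference-identifier matching as described in the message (added example)."""
from dataclasses import dataclass


@dataclass
class PresentedIdentifiers:
    """Identifiers carried in a certificate's subjectAltName."""
    dns_ids: list  # dNSName entries, e.g. ["imap.example.com"]
    srv_ids: list  # SRVName otherName entries, spelled as in the message


def _eq(a: str, b: str) -> bool:
    # DNS names compare case-insensitively; ignore a trailing dot.
    return a.lower().rstrip(".") == b.lower().rstrip(".")


def verify_srv_client(cert: PresentedIdentifiers, service: str,
                      domain: str, srv_target: str) -> bool:
    """Client that located the server by an SRV lookup for `service` under `domain`.

    Rule from the message: check SRV-ID first; only when the certificate has
    no SRV-ID at all fall back to DNS-ID.  `srv_target`, the hostname the SRV
    record returned, is taken as an argument purely to show that it plays no
    part in the decision (imap.example.com and yyy.example.com are treated alike).
    """
    if cert.srv_ids:
        ref = f"_{service}._tcp.{domain}"
        return any(_eq(s, ref) for s in cert.srv_ids)
    # Assumption (not stated in the message): with no SRV-ID present, DNS-ID is
    # matched against the source domain, not against srv_target, because the
    # SRV answer came from unauthenticated DNS.
    return any(_eq(d, domain) for d in cert.dns_ids)


def verify_configured_client(cert: PresentedIdentifiers, hostname: str) -> bool:
    """Client explicitly configured with a hostname: DNS-ID only, SRV-ID ignored."""
    return any(_eq(d, hostname) for d in cert.dns_ids)


# Constructed sample: the certificate from the message.
CERT = PresentedIdentifiers(dns_ids=["imap.example.com"],
                            srv_ids=["_imap._tcp.example.com"])

if __name__ == "__main__":
    print(verify_srv_client(CERT, "imap", "example.com", "yyy.example.com"))  # True
    print(verify_configured_client(CERT, "yyy.example.com"))                  # False
```

The second sample below the functions is what the message's last paragraph warns against: a certificate whose SRV-ID names a different service is rejected outright by the SRV client rather than falling through to its DNS-ID.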