[TLS] Service Binding DNS Records (draft-nygren-service-bindings-00)

Erik Nygren <erik+ietf@nygren.org> Tue, 08 July 2014 14:42 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/tls/bOG0GMrRgGOsZZMXdelNU46bQAY

Following some discussion in both the TLS and HTTPBIS working groups at
past meetings (including in the TLS interim), it became clear that there
was a need for a mechanism more flexible and powerful than SRV records for
communicating parameters for establishing a connection to clients.  In the
TLS 1.3 world, one specific use-case is to bootstrap any handshake
encryption via the DNS.

One of the major browser concerns is limiting the number of DNS lookups
that need to be performed before establishing a connection, especially when
multiple records that may only exist a small fraction of the time need to
be hunted for.  This proposal attempts to limit that while also enabling
future flexibility.  In particular, I believe this proposal also makes
DANE/TLSA much more operationally viable for HTTPS use-cases.  Regarding
the concern that the adoption rate for new record types is slow, this is
explicitly an additional mechanism for now (such that clients should fall
back to A/AAAA address records and such when unavailable), especially as
the security functionality enabled in the first version is primarily

Feedback is most welcome and I'm happy to discuss more in Toronto.  This
does not yet have a working group home, especially as it spans the
interests of a number of WGs.  There are also plenty of open issues, and
I'd like to land on the concepts before getting into final details of


---------- Forwarded message ----------
From: <internet-drafts@ietf.org>
Date: Fri, Jul 4, 2014 at 12:39 AM
Subject: I-D Action: draft-nygren-service-bindings-00.txt
To: i-d-announce@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts

        Title           : Service Binding DNS Records (DNS B)
        Author          : Erik Nygren
        Filename        : draft-nygren-service-bindings-00.txt
        Pages           : 16
        Date            : 2014-07-03

   This document describes a DNS "B" RR which binds together information
   needed to establish connection to a service across multiple protocol
   layers, including the location of the server, the application-level
   protocol, and security bootstrap information.

The IETF datatracker status page for this draft is:

There's also a htmlized version available at:

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
