TLS DNSSEC Chain Extension
RFC 9102, “TLS DNSSEC Chain Extension”, is an Experimental document published in August 2021 by V. Dukhovni, S. Huque, W. Toorop, P. Wouters, M. Shore. The canonical text is published by the RFC Editor.
Abstract
This document describes an experimental TLS extension for the in-band transport of the complete set of records that can be validated by DNSSEC and that are needed to perform DNS-Based Authentication of Named Entities (DANE) of a TLS server. This extension obviates the need to perform separate, out-of-band DNS lookups. When the requisite DNS records do not exist, the extension conveys a denial-of-existence proof that can be validated.
This experimental extension is developed outside the IETF and is published here to guide implementation of the extension and to ensure interoperability among implementations.
What “Experimental” means
Describes a specification that is part of a research or development effort, published so the community can gain experience with it.
The canonical text of RFC 9102 is hosted at rfc-editor.org. Available in HTML, TXT, PDF, and XML.
- RFC 9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request
- RFC 9103 DNS Zone Transfer over TLS
- RFC 9100 Sensor Measurement Lists Features and Versions
- RFC 9104 Distribution of Traffic Engineering Extended Administrative Groups Using the Border Gateway Protocol - Link State
- RFC 9099 Operational Security Considerations for IPv6 Networks
- RFC 9105 A YANG Data Model for Terminal Access Controller Access-Control System Plus
- RFC 9098 Operational Implications of IPv6 Packets with Extension Headers
- RFC 9106 Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications