TLSA records - BlueCat Integrity - 9.3.0

Address Manager Administration Guide

Locale
English
Product name
BlueCat Integrity
Version
9.3.0

Conceptual overview of TLSA records.

DANE introduces a new DNS resource record — TLSA — to be authenticated by DNSSEC to augment or replace the use of public certificates from the Certificate Authority. TLSA records are stored as prefixed DNS domain names using the syntax _<portnumber>._<protocol>.<FQDN>. For example:
_443._tcp.example.com

TLSA records consist of four fields: a one octet Certificate Usage field, a one octet Selector field, a one octet Matching Type field, and Certificate Association Data.

TLSA Certificate Usage field

Indicates which is the certificate; identifies what the TLSA record is pointing at in the chain of trust. The Certificate Usage Field contains a value of 3, 2, 1, or 0.
Note: Values 4-254 are unassigned; value 255 is private use.
Table 1. TLSA Certificate Usages
Value Description
0 PKIX-TA: Certificate Authority Constraint; public CA certificate or public key of such a certificate from the X.509 tree that must be validated by a trust anchor in the chain of trust. The TLSA record specifies the CA that will provide TLS certificates for the domain.
1 PKIX-EE: Service Certificate Constraint; points to a specific TLS certificate but needs validation from another trust anchor. The TLSA record specifies the exact TLS certificate that should be used for the domain. The certificate must be issued by a valid CA.
2 DANE-TA: Trust Anchor Assertion; private key from the X.509 tree that must be validated by a trust anchor in the chain of trust. The TLSA record specifies the trust anchor to be used for validating the TLS certificates for the domain.
3 DANE-EE: Domain-issued Certificate; no X.509 tree, trust anchors, or chain of trust needed for validation. The TLS record specifies the exact TLS certificate that should be used for the domain, but the TLS certificate doesn't need to be signed by a valid CA, thereby allowing for the use of self-signed certificates.

TLSA Selector field

Indicates if the TLSA record matching against the full or partial key. The Selector Field contains a value of 1 or 0.
Note: Values 2-254 are unassigned; value 255 is private use.
Table 2. TLSA Selectors
Value Description
0 Full certificate
1 Partial key (SubjectPublicKeyInfo)

TLSA Matching Type field

Indicates the kind of match: SHA256, SHA512, or full. The Matching Type Field contains a value of 2, 1, or 0.
Note: Values 3-254 are unassigned; value 255 is private use.
Table 3. TLSA Matching Types
Value Description
0 Full: no hash; data is the certificate or the public key
1 SHA256: data is the SHA256 hash of the certificate or public key
2 SHA512: data is the SHA512 hash of the certificate or public key

TLSA Record example

Example of a domain-issued end-entity certificate:
_443._tcp.www.example.com. IN TLSA (
      3 1 1 ecc104c4fbb06b249d3c7a
            68f19cf28a60a9c6814874
            ad7efde451688039fe01 )