Security/DNSSEC-TLS

This set of pages documents the TLS domain validation through DNSSEC project. These documents are currently a work in progress. There are likely many errors.

Summary

This project aims to implement domain validation in TLS sessions through use of DNSSEC chains.

Team

Who's working on this?

• Feature Manager:
• Lead Developer: David Keeler
• Product Manager:
• QA:
• Security:
• Privacy:

Release Requirements

The release requirements include a fully working and well tested implementation of this feature. This includes a server implementation. Currently nginx is being targeted as the server of choice.

Next Steps & Open Issues

• [DONE] Complete external implementation
• [ON TRACK] Complete in-browser demo implementation
• [NEW] Complete in-browser implementation

Related Bugs & Dependencies

This feature depends on servers with the ability to send DNSSEC chains. Nginx has been modified to support this, as described in a document to come.

Risks

Risks are discussed in the security considerations section of the detailed design page.

Use Cases

The use case is anyone running an HTTPS server and anyone wishing to connect to that server using Firefox.

Designs

Design specifications are detailed here.

Test Plans

Test plans are here.

Goals

Implement domain validation for TLS connections using DNSSEC in Firefox. That is, in addition to sending a certificate in the TLS handshake, a server would send sufficient DNSSEC records to convince the client of its identity and establish public key material.

Non-Goals

To be updated as issues arise.

Other Stuff

There is currently no other stuff.

Legend (remove if you like)

Please remove this line and any non-relevant categories below. Add whatever other categories you feel are appropriate.