Security/DNSSEC-TLS
Status
| DNSSEC-TLS | |
| Stage | Development |
| Status | In progress |
| Release target | ` |
| Health | OK |
| Status note | ` |
{{#set:Feature name=DNSSEC-TLS
|Feature stage=Development |Feature status=In progress |Feature version=` |Feature health=OK |Feature status note=` }}
Team
| Product manager | ` |
| Directly Responsible Individual | ` |
| Lead engineer | David Keeler |
| Security lead | ` |
| Privacy lead | ` |
| Localization lead | ` |
| Accessibility lead | ` |
| QA lead | ` |
| UX lead | ` |
| Product marketing lead | ` |
| Operations lead | ` |
| Additional members | ` |
{{#set:Feature product manager=`
|Feature feature manager=` |Feature lead engineer=David Keeler |Feature security lead=` |Feature privacy lead=` |Feature localization lead=` |Feature accessibility lead=` |Feature qa lead=` |Feature ux lead=` |Feature product marketing lead=` |Feature operations lead=` |Feature additional members=` }}
Open issues/risks
`
Stage 1: Definition
1. Feature overview
This feature performs domain validation in TLS sessions by using DNSSEC chains.
2. Users & use cases
Server administrators can put key/certificate information in DNS records they control (e.g. TLSA records). This information is verifiable through DNSSEC. The browser can then use this in place of or alongside certificate chain validation.
3. Dependencies
`
4. Requirements
`
Non-goals
`
Stage 2: Design
5. Functional specification
https://wiki.mozilla.org/Security/DNSSEC-TLS-details
6. User experience design
`
Stage 3: Planning
7. Implementation plan
`
8. Reviews
Security review
`
Privacy review
`
Localization review
`
Accessibility
`
Quality Assurance review
`
Operations review
`
Stage 4: Development
9. Implementation
`
Stage 5: Release
10. Landing criteria
` {{#set:Feature open issues and risks=` |Feature overview=This feature performs domain validation in TLS sessions by using DNSSEC chains. |Feature users and use cases=Server administrators can put key/certificate information in DNS records they control (e.g. TLSA records). This information is verifiable through DNSSEC. The browser can then use this in place of or alongside certificate chain validation. |Feature dependencies=` |Feature requirements=` |Feature non-goals=` |Feature functional spec=https://wiki.mozilla.org/Security/DNSSEC-TLS-details |Feature ux design=` |Feature implementation plan=` |Feature security review=` |Feature privacy review=` |Feature localization review=` |Feature accessibility review=` |Feature qa review=` |Feature operations review=` |Feature implementation notes=` |Feature landing criteria=` }}
Feature details
| Priority | Unprioritized |
| Rank | 999 |
| Theme / Goal | ` |
| Roadmap | ` |
| Secondary roadmap | ` |
| Feature list | ` |
| Project | ` |
| Engineering team | ` |
{{#set:Feature priority=Unprioritized
|Feature rank=999 |Feature theme=` |Feature roadmap=` |Feature secondary roadmap=` |Feature list=` |Feature project=` |Feature engineering team=` }}
Team status notes
| status | notes | |
| Products | ` | ` |
| Engineering | ` | ` |
| Security | ` | ` |
| Privacy | ` | ` |
| Localization | ` | ` |
| Accessibility | ` | ` |
| Quality assurance | ` | ` |
| User experience | ` | ` |
| Product marketing | ` | ` |
| Operations | ` | ` |
{{#set:Feature products status=`
|Feature products notes=` |Feature engineering status=` |Feature engineering notes=` |Feature security status=` |Feature security health=` |Feature security notes=` |Feature privacy status=` |Feature privacy notes=` |Feature localization status=` |Feature localization notes=` |Feature accessibility status=` |Feature accessibility notes=` |Feature qa status=` |Feature qa notes=` |Feature ux status=` |Feature ux notes=` |Feature product marketing status=` |Feature product marketing notes=` |Feature operations status=` |Feature operations notes=` }}
| Feature | Status | ETA | Owner |
| DNSSEC-TLS | Internal demonstration implementation | 2011-09-01 | David Keeler
|
This set of pages documents the TLS domain validation through DNSSEC project. These documents are currently a work in progress. There are likely many errors.
Summary
This project aims to implement domain validation in TLS sessions through use of DNSSEC chains.
Team
Who's working on this?
- Feature Manager:
- Lead Developer: David Keeler
- Product Manager:
- QA:
- Security:
- Privacy:
Release Requirements
The release requirements include a fully working and well tested implementation of this feature. This includes a server implementation. Currently nginx is being targeted as the server of choice.
Next Steps & Open Issues
- [DONE] Complete external implementation
- [DONE] Complete in-browser demo implementation
- [NEW] Get someone to look at what I've written to make sure it's not totally off the mark
- [NEW] Complete in-browser implementation
Related Bugs & Dependencies
This feature depends on servers with the ability to send DNSSEC chains. Nginx has been modified to support this, as described in a document to come.
Risks
Risks are discussed in the security considerations section of the detailed design page.
Use Cases
The use case is anyone running an HTTPS server and anyone wishing to connect to that server using Firefox.
Designs
Design specifications are detailed here.
Test Plans
Test plans are here.
Goals
Implement domain validation for TLS connections using DNSSEC in Firefox. That is, in addition to sending a certificate in the TLS handshake, a server would send sufficient DNSSEC records to convince the client of its identity and establish public key material.
Non-Goals
To be updated as issues arise.
Other Stuff
There is currently no other stuff.
Legend (remove if you like)
| Healthy: feature is progressing as expected. | |
| Blocked: feature is currently blocked. | |
| At Risk: feature is at risk of missing its targeted release. | |
| ETA | Estimated date for completion of the current feature task. Overall ETA for the feature is the product release date. |
Please remove this line and any non-relevant categories below. Add whatever other categories you feel are appropriate.