Ssl – what names for TLS certificates when using SRV records

slapdsrv-recordssl

When I'm using a SRV DNS record, what name(s) do I put in the TLS certificate? For example, if I'm setting up slapd on two servers (klas1 and klas2), and I define these DNS records (using bind zone file style notation):

_ldap._tcp.example.com. IN  SRV 10 0 389 klas1.example.com.
_ldap._tcp.example.com. IN  SRV 20 0 389 klas2.example.com.
klas1.example.com.  A 192.168.0.1
klas2.example.com.  A 192.168.0.2

I'd expect my clients would be configured to connect to ldap://example.com/. However when I'm generating TLS certificates on the servers, do I generate them with the name "example.com", or do I generate them with the name "klas1.example.com", or do I need both?

Best Answer

The certificate must match the hostname, i.e. corresponding A record for the server. You could have individual klas1.example.com & klas2.example.com certificates or shared wildcard *.example.com certificate, but example.com won't match.

The SRV records don't need certificates as they are used only on DNS level for service discovery.

Related Solutions

Ssl – Why can’t we use DNS for distributing SSL certificates

It's already perfectly possible to encode an X.509 certificate inside a DNS Record - look at the CERT record type from RFC 4398.

The main reason it's not being done in anger much is because the transport mechanism isn't yet secure. This will change dramatically later this year when the root zone gets DNSSEC signed and as more and more TLDs support DNSSEC.

DNS query size (as mentioned elsewhere) is also a concern, although it's worth noting that the CERT RR also allows you to simply store the URL from which the real X.509 certificate can be downloaded. At this point there's something of a chicken and egg problem, though...

What are the main differences between SRV records and TXT records

TXT records are free-form text records and can be used for things like describing hosts. Can also be used for application specific goals, like DNSBL and SPF. Nowadays, they're widely used to accomplish both these goals.

SRV records are service records and are a kind of extension of MX records and are a little more complex than TXT records. While MX records are used to define which servers will handle the e-mail for a specific domain, giving different weights to different records, SRV records are used to provide things such as the protocol and the port. A SRV record has the following form:

_Service._Proto.Name TTL Class SRV Priority Weight Port Target

Service: the symbolic name of the desired service.

Proto: the transport protocol of the desired service; this is usually either TCP or UDP.

Name: the domain name for which this record is valid.

TTL: standard DNS time to live field.

Class: standard DNS class field (this is always IN).

Priority: the priority of the target host, lower value means more preferred.

Weight: A relative weight for records with the same priority.

Port: the TCP or UDP port on which the service is to be found.

Target: the canonical hostname of the machine providing the service.

One typical example of usage of SRV records is when using the XMPP protocol. For instance, if you have a foobar.com domain, the A record would be used to define the servers where your web contents are and the SRV records would be used to define where your XMPP server is. Typically, they will be located in different addresses.

More info about SRV records here.

Best Answer

Related Solutions

Ssl – Why can’t we use DNS for distributing SSL certificates

What are the main differences between SRV records and TXT records

Related Topic