
When I'm using an SRV DNS record, what name(s) do I put in the TLS certificate? For example, if I'm setting up slapd on two servers (klas1 and klas2) and I define these DNS records (using BIND zone-file style notation):

_ldap._tcp.example.com. IN  SRV 10 0 389 klas1.example.com.
_ldap._tcp.example.com. IN  SRV 20 0 389 klas2.example.com.
klas1.example.com.  A 192.168.0.1
klas2.example.com.  A 192.168.0.2

I'd expect my clients to be configured to connect to ldap://example.com/. However, when I'm generating TLS certificates on the servers, do I generate them with the name "example.com", or with the name "klas1.example.com", or do I need both?

3 Answers


The certificate must match the hostname, i.e. the corresponding A record for the server. You could have individual klas1.example.com and klas2.example.com certificates or a shared wildcard *.example.com certificate, but example.com won't match.

The SRV records don't need certificates as they are used only on DNS level for service discovery.

Esa Jokinen
  • Thanks for the answer, but I wonder if @smorlat response sounds reasonable to you as well? – Geoff Crompton Aug 20 '19 at 22:52
  • I'd say that @smorlat's answer mixes up DNS integrity and hostname verification. I've added some details in a comment on their response: https://serverfault.com/questions/862898/what-names-for-tls-certificates-when-using-srv-records#comment1361453_974093 – biolauri Dec 11 '20 at 02:34
  • What happens if you have containers that change their names? Perhaps you need to use wildcard certificates. – maxadamo Jul 07 '22 at 21:07
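Added example (not from the answer above, nor from OpenLDAP or any other project mentioned on this page): a small Python script that parses the SRV records from the question, selects the target the way an RFC 2782 client does (lowest priority first, then weighted choice within that priority), and checks candidate certificate names against that target using the RFC 6125 DNS-ID rules (exact match, or a wildcard that replaces exactly the left-most label). The zone fragment is copied from the question; the function names and the three candidate subjectAltName lists are assumptions made for this demo, and no real DNS lookup or TLS handshake is performed.

```python
"""
Which name must be in the TLS certificate when clients find LDAP servers via SRV?

Parse a zone fragment, pick the SRV target as a client would, then check which
candidate certificate names would pass hostname verification against that target.
"""
from __future__ import annotations

import random
import re
from dataclasses import dataclass

# Constructed zone fragment, copied from the question (TTLs omitted, as there).
ZONE = """
_ldap._tcp.example.com. IN  SRV 10 0 389 klas1.example.com.
_ldap._tcp.example.com. IN  SRV 20 0 389 klas2.example.com.
klas1.example.com.  A 192.168.0.1
klas2.example.com.  A 192.168.0.2
"""

_SRV_LINE = re.compile(
    r"^(\S+)\s+(?:IN\s+)?SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$", re.IGNORECASE
)


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str  # normalised: lower-case, no trailing dot


def parse_srv(zone: str, service: str) -> list[SRV]:
    """Return the SRV records whose owner name is `service` (e.g. _ldap._tcp.example.com)."""
    wanted = service.rstrip(".").lower()
    records = []
    for line in zone.splitlines():
        m = _SRV_LINE.match(line.strip())
        if m and m.group(1).rstrip(".").lower() == wanted:
            records.append(SRV(int(m.group(2)), int(m.group(3)), int(m.group(4)),
                               m.group(5).rstrip(".").lower()))
    return records


def select_target(records: list[SRV], rng=random.random) -> SRV:
    """RFC 2782 selection: lowest priority wins; within a priority, choose by weight."""
    if not records:
        raise LookupError("no SRV records")
    lowest = min(r.priority for r in records)
    group = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in group)
    if total == 0:
        return group[0]  # all weights zero: any order is acceptable
    pick = rng() * total
    for r in group:
        pick -= r.weight
        if pick < 0:
            return r
    return group[-1]


def dns_id_matches(dns_id: str, hostname: str) -> bool:
    """Match one DNS-ID from a certificate's SAN against a hostname (RFC 6125 sec. 6.4.3)."""
    dns_id = dns_id.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in dns_id:
        return dns_id == hostname
    p_labels = dns_id.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label and must be followed by at
    # least two more labels, so "*.com" never matches anything.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # One wildcard covers exactly one label: *.example.com does not match a.b.example.com.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_certificate_for_srv(zone: str, service: str, san_dns_names: list[str],
                               rng=random.random) -> tuple[str, list[str]]:
    """Return (chosen SRV target, SAN names that match it); an empty list means the
    client's hostname check would fail and the TLS connection would be rejected."""
    target = select_target(parse_srv(zone, service), rng).target
    return target, [n for n in san_dns_names if dns_id_matches(n, target)]


if __name__ == "__main__":
    # Assumed candidate SAN lists for the demo; only the service owner name fails.
    candidates = {
        "service owner name": ["example.com"],
        "per-host names": ["klas1.example.com", "klas2.example.com"],
        "wildcard": ["*.example.com"],
    }
    for label, sans in candidates.items():
        target, ok = verify_certificate_for_srv(ZONE, "_ldap._tcp.example.com", sans)
        print(f"{label:20} SAN={sans} -> target {target}: {'OK' if ok else 'MISMATCH'}")
```

Running the script reports example.com as MISMATCH and both the per-host names and *.example.com as OK: the name that has to appear in the certificate is the SRV target the client actually connects to, not the owner name the clients were pointed at. To issue such a certificate with OpenSSL 1.1.1 or later, put the target in the SAN explicitly, for instance `openssl req -x509 -newkey rsa:2048 -nodes -keyout klas1.key -out klas1.crt -subj "/CN=klas1.example.com" -addext "subjectAltName=DNS:klas1.example.com"`; clients following RFC 6125 consult the CN only when the certificate carries no DNS-ID at all.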

You only need your host entries (A records); service records are used for discovery, not for the connection itself.

Jacob Evans

The certificate common name or SubjectAltName.DNS should match the name that was originally given in the LDAP URI. RFC 6125, appendix B.3 (https://www.rfc-editor.org/rfc/rfc6125#appendix-B.3), says:

3.6. Server Identity Check

The client MUST check its understanding of the server's hostname
against the server's identity as presented in the server's
Certificate message, in order to prevent man-in-the-middle attacks.

Matching is performed according to these rules:

o The client MUST use the server hostname it used to open the LDAP connection as the value to compare against the server name as expressed in the server's certificate. The client MUST NOT use the server's canonical DNS name or any other derived form of name.

Note that the same logic applies to other protocols that use SRV records, such as SIP. This is somewhat logical from a security standpoint: if only the host were checked, it would be easy to perform a man-in-the-middle attack by diverting the connection to nodes whose hostnames are unrelated to the domain name originally queried.

smorlat
  • Is it really part of the LDAP Server Identity Check to verify DNS integrity? I would say that the LDAP server hostname to be checked is the DNS SRV RR target and not its name. AFAIK, it's the same for MX records: the records themselves should be verified by something like DNSSEC, and the hostname verification should be against the target, not the domain which has the MX record. – biolauri Dec 11 '20 at 02:29