<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>It wouldn’t resolve the issue because shop.example.com would have to point a new domain, taking down the website for a period of time. This proposal wouldn’t prohibit wildcard DNS names. Instead, a wildcard DNS would use a different method. (Although it’s probably a correlation with the type of customers that use this method, but we haven’t seen a wildcard DNS yet.)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Are there any risks associated with using two random values and simply not using this method for wildcard DNS names? If not, I’d like to ballot this. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></a></p><span style='mso-bookmark:_MailEndCompose'></span><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Wednesday, September 7, 2016 12:33 PM<br><b>To:</b> Jeremy Rowley <jeremy.rowley@digicert.com><br><b>Cc:</b> Peter Bowen <pzb@amzn.com>; public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] CNAME-based validation<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Tue, Sep 6, 2016 at 5:07 PM, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Hi Ryan, </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Pardon my DNS ignorance, but how does the server know which CNAME record to use in this case? If <a href="http://shop.domain.com" target="_blank">shop.domain.com</a> CNAMEs to <a href="http://digicert.com" target="_blank">digicert.com</a> and *.<a href="http://domain.com" target="_blank">domain.com</a> CNAMEs to <a href="http://google.com" target="_blank">google.com</a>, then how do you know which will resolve? There isn’t a weight/ordering preference for CNAME like there is TXT records. </span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Hi Jeremy,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The DNS server knows how to match the specific record resolved. That is, <a href="http://shop.example.com">shop.example.com</a> has an associated CNAME record, and thus one CNAME is returned. However, if a client attempts to resolve <rnd>.<a href="http://example.com">example.com</a>, it would see there's no specific match, and thus fall back to the wildcard match.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The exact details of how wildcard DNS rules unfortunately vary by DNS server, but the above description is meant to highlight that you shouldn't assume *two* CNAMEs will be returned. In general, if you want to guarantee that two CNAME records would be returned, you'd do<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>*.<a href="http://example.com">example.com</a> CNAME <a href="http://digicert.com">digicert.com</a><o:p></o:p></p></div><div><p class=MsoNormal><a href="http://shop.example.com">shop.example.com</a> CNAME <a href="http://google.com">google.com</a><o:p></o:p></p></div><div><p class=MsoNormal><a href="http://shop.example.com">shop.example.com</a> CNAME <a href="http://digicert.com">digicert.com</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>(Which, of course, would be bonkers)<o:p></o:p></p></div><div><p class=MsoNormal> <span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>As for how to resolve this, what if the CA generated two random numbers, holding one of the numbers in reserve. Immediately after verifying that <rnd1>.<a href="http://domain.com" target="_blank">domain.com</a> CNAME points to a validated domain, the CA can then check <rnd2>.<a href="http://domain.com" target="_blank">domain.com</a> to see if it resolves. If it resolves successfully, a wildcard DNS is in place and the domain is not validated. If the domain does not resolve, a wildcard DNS is not present and the domain is considered validated. Does this resolve your concern?</span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>That could, but I'm curious to understand why Peter's proposed interpretation (which seems different from your proposal) wouldn't address the same need, but without the same concerns. Perhaps you could elaborate further on the use case, to better understand why a simpler approach wouldn't suffice?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>For example, with your proposal, I'd be concerned for the same matter raised during the CAA discussion, and highlighted by Robin Alden during the F2F discussion, of intermittent DNS issues on the CA's side. If such an event happened, it might lead to inappropriately ruling "no wildcard DNS", when wildcard DNS is in fact in place.<o:p></o:p></p></div></div></div></div></div></body></html>