<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 25, 2017 at 1:19 PM, Doug Beattie <span dir="ltr"><<a href="mailto:doug.beattie@globalsign.com" target="_blank">doug.beattie@globalsign.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div class="m_8426246935680148436WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Ryan,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I believe that my recommendation and your implied functional agreement with it could be wrong. Let me ask the question another way<u></u><u></u></span></p><span class="">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="m_8426246935680148436MsoListParagraphCxSpFirst" style="margin-left:.75in">
<u></u><span>1.<span style="font:7.0pt "Times New Roman"">
</span></span><u></u>If CAA(X) is not empty, R(X) = CAA (X), otherwise<u></u><u></u></p>
</span><p class="m_8426246935680148436MsoListParagraphCxSpMiddle" style="margin-left:.75in">
<u></u><span>2.<span style="font:7.0pt "Times New Roman"">
</span></span><u></u>If A(X) is not null (i.e, there is a CNAME or DNAME record for X), and R(A(X)) is not empty, then R(X) = R(A(X)), otherwise<u></u><u></u></p><span class="">
<p class="m_8426246935680148436MsoListParagraphCxSpMiddle" style="margin-left:.75in">
<u></u><span>3.<span style="font:7.0pt "Times New Roman"">
</span></span><u></u>If X is not a Base Domain Name, then R(X) = R(P(X)) and perform check again starting at step 1, otherwise<u></u><u></u></p>
<p class="m_8426246935680148436MsoListParagraphCxSpLast" style="margin-left:.75in">
<u></u><span>4.<span style="font:7.0pt "Times New Roman"">
</span></span><u></u>R(X) is empty.<u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
</span><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">In step 2 if A(X) is null (not a defined state in the above), what happens? </span></p></div></div></blockquote><div><br></div><div>I'm surprised to hear you don't think it's a defined state. I'm not sure how you're reading that.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div class="m_8426246935680148436WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Does it proceed with 3 (implied by the definition above), or does it do a CAA check
on A(X) – basically start at step 1 with CAA(A(X)) and if empty, then return to step 3 and finish up with A(X) processing?</span></p></div></div></blockquote><div><br></div><div>2. If (Cond 1), and (Cond 2), then X, otherwise</div><div>3. If (Cond 3), then Y, otherwise</div><div>4. Z</div><div><br></div><div>"if A(X) is null" is a failure of Cond 1, so yes, it proceeds to 3.</div><div>"If A(X) is not null", but R(A(X)) is, it's a failure of Cond 2, so yes, it proceeds to 3.</div><div><br></div><div>If A(X) is null, you proceed to step 3.</div><div>If R(A(X)) is null, you proceed to step 3.</div><div>If A(X) is not null and R(A(X)) is not null, you use that value.</div><div><br></div><div>R(A(X)) is defined recursively - meaning for <a href="http://foo.example.com">foo.example.com</a> and <a href="http://bar.example.com">bar.example.com</a>, where <a href="http://foo.example.com">foo.example.com</a> is a CNAME to <a href="http://bar.example.net">bar.example.net</a>, and the CAA record is set on ".net", you'd do</div><div><br></div><div>CAA(<a href="http://foo.example.com">foo.example.com</a>) - nothing</div><div>CNAME(<a href="http://foo.example.com">foo.example.com</a>) - <a href="http://bar.example.net">bar.example.net</a></div><div>CAA(<a href="http://bar.example.net">bar.example.net</a>) - nothing</div><div>CNAME(<a href="http://bar.example.net">bar.example.net</a>) - nothing</div><div>CAA(<a href="http://example.net">example.net</a>) - nothing</div><div>CNAME(<a href="http://example.net">example.net</a>) - nothing</div><div>CAA(net) - value</div><div><br></div><div>And return CAA(net)</div><div><br></div><div>If the CAA record was on com, and <a href="http://example.net">example.net</a> was CNAMEd to <a href="http://example.org">example.org</a>, you'd do</div><div>CAA(<a href="http://foo.example.com">foo.example.com</a>) - nothing</div><div>CNAME(<a href="http://foo.example.com">foo.example.com</a>) - <a href="http://bar.example.net">bar.example.net</a></div><div>CAA(<a href="http://bar.example.net">bar.example.net</a>) - nothing</div><div>CNAME(<a href="http://bar.example.net">bar.example.net</a>) - nothing</div><div>CAA(<a href="http://example.net">example.net</a>) - nothing</div><div>CNAME(<a href="http://example.net">example.net</a>) - <a href="http://example.org">example.org</a></div><div>CAA(<a href="http://example.org">example.org</a>) - nothing</div><div>CNAME(<a href="http://example.org">example.org</a>) - nothing</div><div>CAA(org) - nothing</div><div>CNAME(org) - nothing</div><div>CAA(net) - nothing</div><div>CNAME(net) - nothing</div><div>CAA(<a href="http://example.com">example.com</a>) - nothing</div><div>CNAME(<a href="http://example.com">example.com</a>) - nothing</div><div>CAA(com) - value</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div class="m_8426246935680148436WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">On the other topic of when to stop recursive DNS lookup: It’s apparent that Registries can set CAA records which would take effect for all Top Level Domains without
CAA records. I’m assuming that was the intent because it’s in the RFC, but why do we want allow a Registry to set TLS issuance policies for all domains purchased from them? A malicious actor or registry admin could cause a denial of service for TLS issuance
for every domain under that TLD. I don’t see a value in traversing the DNS any further than the Top Level Domain. Does anyone understand why CAA checking goes all the way to the root?</span></p></div></div></blockquote><div><br></div><div>Because DNS is hierarchal and the root is authoritative. It's intentional and by design that it goes to the root. And registries can (and do) already set HPKP policies for entire TLDs.</div><div><br></div><div>This is especially relevant for so-called ".brand TLDs" that may very well want to see the CAA policy on the TLD, for all domains in that TLD.</div></div></div></div>