<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Feb 24, 2017, at 5:49 PM, philliph--- via Public &lt;<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">On the CAA recursive part, I am trying to track down why there is an existing errata that makes a normative change with held for update status.</div><div class=""><br class=""></div><div class="">The issue here is not in the PKIX part, it is what a CNAME/DNAME record means. Different people in the DNS community took different positions. We ended up concluding that the recursive interpretation was the appropriate one, i.e. least likely to cause mistakes.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">The reasoning behind this was that in most cases a CNAME from ‘<a href="http://example.net/" class="">example.net</a>’ to ‘<a href="http://example.com/" class="">example.com</a>’ is typically used for internal redirects mapping one service name onto another. An outsourcing relationship would typically be realized using MX or SRV.</div></div></div></blockquote><br class=""></div><div><span class="">I'm still confused.  
Consider the following records (I'm leaving out class and TTL for simplicity, along with the root and com delegations):</span><br class=""><br class="">
beta.shop.example.com. A 198.51.100.54<br class="">
shop.example.com. CNAME xmpl.cdn.bighost.com.<br class="">
example.com. A 198.51.100.4<br class="">
example.com. MX 10 mail1.mailhost.fast.<br class="">
example.com. NS ns1.cheapdns.biz.<br class="">
example.com. NS ns2.cheapdns.org.<br class=""><br class="">
cdn.bighost.com. DNAME cdnhost.xyz.<br class="">
bighost.com. NS ns1.dnshost.com.<br class="">
bighost.com. NS ns2.dnshost.com.</div><div><br class="">
xmpl.cdnhost.xyz. A 203.0.113.231<br class="">
cdnhost.xyz. NS ns1.dnshost.com.<br class="">
cdnhost.xyz. NS ns2.dnshost.com.<br class=""><br class="">
If a CA gets a certificate request that includes dNSName:beta.shop.example.com, what DNS queries must it make to check for CAA records?<br class=""><br class="">
Thanks,<br class="">
Peter</div></body></html>