<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Feb 25, 2017, at 11:14 AM, Phillip Hallam-Baker <<a href="mailto:phill@hallambaker.com" class="">phill@hallambaker.com</a>> wrote:</div><div class=""><div dir="ltr" class=""><div class="gmail_extra"><div class="gmail_quote">On Sat, Feb 25, 2017 at 12:45 PM, Peter Bowen via Public <span dir="ltr" class=""><<a href="mailto:public@cabforum.org" target="_blank" class="">public@cabforum.org</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="gmail-HOEnZb"><div class="gmail-h5">
> On Feb 25, 2017, at 8:16 AM, philliph--- wrote:<br class="">
>> On Feb 24, 2017, at 9:17 PM, Peter Bowen <<a href="mailto:pzbowen@gmail.com" class="">pzbowen@gmail.com</a>> wrote:<br class="">
>> On Fri, Feb 24, 2017 at 5:49 PM, philliph---wrote:<br class="">
>>> On the CAA recursive part, I am trying to track down why there is an<br class="">
>>> existing errata that makes a normative change with held for update status.<br class="">
>>><br class="">
>>> The issue here is not in the PKIX part, it is what a CNAME/DNAME record<br class="">
>>> means. Different people in the DNS community took different positions. We<br class="">
>>> ended up concluding that the recursive interpretation was the appropriate<br class="">
>>> one, i.e. least likely to cause mistakes.<br class="">
>><br class="">
>> I'm still confused.  Consider the following records (I'm leaving out<br class="">
>> class and TTL for simplicity):<br class="">
>><br class="">
>> <a href="http://beta.shop.example.com/" rel="noreferrer" target="_blank" class="">beta.shop.example.com</a>. A 198.51.100.54<br class="">
>> <a href="http://shop.example.com/" rel="noreferrer" target="_blank" class="">shop.example.com</a>. CNAME <a href="http://xmpl.cdn.bighost.com/" rel="noreferrer" target="_blank" class="">xmpl.cdn.bighost.com</a>.<br class="">
>> <a href="http://example.com/" rel="noreferrer" target="_blank" class="">example.com</a>. A 198.51.100.4<br class="">
>> <a href="http://example.com/" rel="noreferrer" target="_blank" class="">example.com</a>. MX 10 mail1.mailhost.fast.<br class="">
>> <a href="http://example.com/" rel="noreferrer" target="_blank" class="">example.com</a>. NS <a href="http://ns1.cheapdns.biz/" rel="noreferrer" target="_blank" class="">ns1.cheapdns.biz</a>.<br class="">
>> <a href="http://example.com/" rel="noreferrer" target="_blank" class="">example.com</a>. NS <a href="http://ns2.cheapdns.org/" rel="noreferrer" target="_blank" class="">ns2.cheapdns.org</a>.<br class="">
>><br class="">
>> <a href="http://cdn.bighost.com/" rel="noreferrer" target="_blank" class="">cdn.bighost.com</a>. DNAME <a href="http://cdnhost.xyz/" rel="noreferrer" target="_blank" class="">cdnhost.xyz</a>.<br class="">
>> <a href="http://bighost.com/" rel="noreferrer" target="_blank" class="">bighost.com</a>. NS <a href="http://ns1.dnshost.com/" rel="noreferrer" target="_blank" class="">ns1.dnshost.com</a>.<br class="">
>> <a href="http://bighost.com/" rel="noreferrer" target="_blank" class="">bighost.com</a>. NS <a href="http://ns2.dnshost.com/" rel="noreferrer" target="_blank" class="">ns2.dnshost.com</a>.<br class="">
>><br class="">
>> <a href="http://xmpl.cdnhost.xyz/" rel="noreferrer" target="_blank" class="">xmpl.cdnhost.xyz</a>. A 203.0.113.231<br class="">
>> <a href="http://cdnhost.xyz/" rel="noreferrer" target="_blank" class="">cdnhost.xyz</a>. NS <a href="http://ns1.dnshost.com/" rel="noreferrer" target="_blank" class="">ns1.dnshost.com</a>.<br class="">
>> <a href="http://cdnhost.xyz/" rel="noreferrer" target="_blank" class="">cdnhost.xyz</a>. NS <a href="http://ns2.dnshost.com/" rel="noreferrer" target="_blank" class="">ns2.dnshost.com</a>.<br class="">
>><br class="">
>> If a CA gets a certificate request that includes<br class="">
>> dNSName:<a href="http://beta.shop.example.com/" rel="noreferrer" target="_blank" class="">beta.shop.example.com</a>, what DNS queries must it make to check<br class="">
>> for CAA records?<br class=""></div></div></blockquote><div class=""> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> Assume Q(name, type) = type, data means a lookup for name with a given type.<br class=""><br class="">
If any of the requests for Q(…, CAA) had returned a CAA answer, then this process would have stopped immediately and that data would be returned.<br class="">
<br class="">
Does this match your expectation?<br class="">
<br class=""></blockquote><div class=""><div class="gmail_default" style="font-size:small">​When we first started discussing CAA, the DNS world was disputing the legitimacy of DNAME altogether. ​Which led to this being published:</div></div><div class="gmail_default" style="font-size:small"><br class=""></div><div class="gmail_default"><a href="http://www.zytrax.com/books/dns/apd/rfc6672.txt" class="">http://www.zytrax.com/books/dns/apd/rfc6672.txt</a><br class=""></div><div class="gmail_default"><br class=""></div><div class="gmail_default">The CAA draft was written rather earlier.</div><div class="gmail_default"><br class=""></div><div class="gmail_default">If people think we should change to remove the recursion, that is fine with me. The examples people gave at the time suggested recursion was the right approach.</div></div></div></div>
</div></blockquote></div><br class=""><div class="">I think that the DNAME checks are unnecessary, as 6672 (and other earlier RFCs) say that the name server synthesizes CNAME records based on the DNAME record.  That would leave:</div><div class=""><br class=""><blockquote type="cite" class=""><div dir="ltr" class=""><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;">Q(<a href="http://beta.shop.example.com/" rel="noreferrer" target="_blank" class="">beta.shop.example.com</a>, CAA) = <no answers><br class="">Q(<a href="http://shop.example.com/" rel="noreferrer" target="_blank" class="">shop.example.com</a>, CAA) = CNAME, <a href="http://xmpl.cdn.bighost.com/" rel="noreferrer" target="_blank" class="">xmpl.cdn.bighost.com</a>.<br class="">Q(<a href="http://xmpl.cdn.bighost.com/" rel="noreferrer" target="_blank" class="">xmpl.cdn.bighost.com</a>, CAA) = CNAME, <a href="http://xmpl.cdnhost.xyz/" rel="noreferrer" target="_blank" class="">xmpl.cdnhost.xyz</a>.<br class="">Q(<a href="http://xmpl.cdnhost.xyz/" rel="noreferrer" target="_blank" class="">xmpl.cdnhost.xyz</a>, CAA) = <no answers><br class="">Q(<a href="http://cdnhost.xyz/" rel="noreferrer" target="_blank" class="">cdnhost.xyz</a>, CAA) = <no answers><br class="">Q(xyz, CAA) = <no answers><br class="">Q(<a href="http://cdn.bighost.com/" rel="noreferrer" target="_blank" class="">cdn.bighost.com</a>, CAA) = <no answers><br class="">Q(<a href="http://bighost.com/" rel="noreferrer" target="_blank" class="">bighost.com</a>, CAA) = <no answers><br class="">Q(com, CAA) = <no answers><br class="">Q(<a href="http://example.com/" rel="noreferrer" target="_blank" class="">example.com</a>, CAA) = <no answers><br class=""># Not doing Q(com, CAA) as we already did it; if it was <a href="http://example.net/" rel="noreferrer" target="_blank" 
class="">example.net</a>, we would do Q(net, CAA) here<br class="">Result: no CAA record found<br class=""></blockquote></div></div></div></blockquote><br class=""></div><div class="">I think this still will have unexpected results.</div><div class=""><br class=""></div><div class="">See this real world example:</div><div class=""><br class=""></div><div class=""><div class="">;; QUESTION SECTION:</div><div class="">;; <a href="http://www.paypal.com" class="">www.paypal.com</a>.<span class="Apple-tab-span" style="white-space:pre">      </span>IN<span class="Apple-tab-span" style="white-space:pre">  </span>A</div><div class=""><br class=""></div><div class="">;; ANSWER SECTION:</div><div class=""><a href="http://www.paypal.com" class="">www.paypal.com</a>.<span class="Apple-tab-span" style="white-space:pre">  </span>453<span class="Apple-tab-span" style="white-space:pre"> </span>IN<span class="Apple-tab-span" style="white-space:pre">  </span>CNAME<span class="Apple-tab-span" style="white-space:pre">       </span><a href="http://www.paypal.com.akadns.net" class="">www.paypal.com.akadns.net</a>.</div><div class=""><a href="http://www.paypal.com.akadns.net" class="">www.paypal.com.akadns.net</a>.<span class="Apple-tab-span" style="white-space:pre">      </span>30<span class="Apple-tab-span" style="white-space:pre">  </span>IN<span class="Apple-tab-span" style="white-space:pre">  </span>CNAME<span class="Apple-tab-span" style="white-space:pre">       </span><a href="http://ppdirect.paypal.com.akadns.net" class="">ppdirect.paypal.com.akadns.net</a>.</div><div class=""><a href="http://ppdirect.paypal.com.akadns.net" class="">ppdirect.paypal.com.akadns.net</a>.<span class="Apple-tab-span" style="white-space:pre">  </span>180<span class="Apple-tab-span" style="white-space:pre"> </span>IN<span class="Apple-tab-span" style="white-space:pre">  </span>CNAME<span class="Apple-tab-span" style="white-space:pre">       </span><a href="http://wlb.paypal.com.akadns.net" 
class="">wlb.paypal.com.akadns.net</a>.</div><div class=""><a href="http://wlb.paypal.com.akadns.net" class="">wlb.paypal.com.akadns.net</a>.<span class="Apple-tab-span" style="white-space:pre">      </span>30<span class="Apple-tab-span" style="white-space:pre">  </span>IN<span class="Apple-tab-span" style="white-space:pre">  </span>CNAME<span class="Apple-tab-span" style="white-space:pre">       </span><a href="http://www.paypal.com.edgekey.net" class="">www.paypal.com.edgekey.net</a>.</div><div class=""><a href="http://www.paypal.com.edgekey.net" class="">www.paypal.com.edgekey.net</a>.<span class="Apple-tab-span" style="white-space:pre">  </span>0<span class="Apple-tab-span" style="white-space:pre">   </span>IN<span class="Apple-tab-span" style="white-space:pre">  </span>CNAME<span class="Apple-tab-span" style="white-space:pre">       </span><a href="http://e3694.a.akamaiedge.net" class="">e3694.a.akamaiedge.net</a>.</div><div class=""><a href="http://e3694.a.akamaiedge.net" class="">e3694.a.akamaiedge.net</a>.<span class="Apple-tab-span" style="white-space:pre">  </span>20<span class="Apple-tab-span" style="white-space:pre">  </span>IN<span class="Apple-tab-span" style="white-space:pre">  </span>A<span class="Apple-tab-span" style="white-space:pre">   </span>23.13.156.181</div></div><div class=""><br class=""></div><div class="">If <a href="http://paypal.com" class="">paypal.com</a> sets a CAA record to <a href="http://symantec.com" class="">symantec.com</a>, but <a href="http://edgekey.net" class="">edgekey.net</a> has a CAA record to megaca.xyz, then the result is that Symantec cannot issue for <a href="http://www.paypal.com" class="">www.paypal.com</a> but MegaCA can (and only MegaCA can).  
I don’t think that this is the logical result.</div><div class=""><br class=""></div><div class="">While I do support CAA, I think we need to fix/clarify the handling of CNAMEs before mandating CAs follow CAA directives.</div><div class=""><br class=""></div><div class="">Thanks,</div><div class="">Peter</div><div class=""><br class=""></div><div class=""><br class=""></div></body></html>
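The lookup order the thread is arguing about, as an added example that is not part of the mailing-list message and not any CA's production resolver: a small Python model of the recursive CAA walk Peter lays out (climb from the FQDN toward the TLD; when a name turns out to be an alias, climb the alias target's ancestors first, then carry on with the original name's ancestors; never ask the same name twice). The zone data is constructed from the records quoted in the thread plus the www.paypal.com CNAME chain from the dig output; the CAA records on paypal.com and edgekey.net are hypothetical, exactly as in Peter's "what if" scenario. The DNAME on cdn.bighost.com is applied as a synthesized CNAME, matching the RFC 6672 behaviour Peter cites. Running it reproduces the ten-query sequence for beta.shop.example.com and shows why, under this interpretation, the first CAA record found for www.paypal.com belongs to edgekey.net and paypal.com's own record is never consulted.

```python
"""Model of the recursive CAA lookup discussed in the thread (constructed example)."""

from typing import Dict, List, Optional, Tuple

# Constructed zone data: owner name -> list of (type, rdata), no trailing dots.
# The example.com / bighost.com / cdnhost.xyz records are the ones quoted in the
# thread; the www.paypal.com chain is taken from the dig output; the two CAA
# records are hypothetical, as in Peter's scenario.
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "beta.shop.example.com": [("A", "198.51.100.54")],
    "shop.example.com": [("CNAME", "xmpl.cdn.bighost.com")],
    "example.com": [("A", "198.51.100.4"), ("MX", "10 mail1.mailhost.fast"),
                    ("NS", "ns1.cheapdns.biz"), ("NS", "ns2.cheapdns.org")],
    "cdn.bighost.com": [("DNAME", "cdnhost.xyz")],
    "bighost.com": [("NS", "ns1.dnshost.com"), ("NS", "ns2.dnshost.com")],
    "xmpl.cdnhost.xyz": [("A", "203.0.113.231")],
    "cdnhost.xyz": [("NS", "ns1.dnshost.com"), ("NS", "ns2.dnshost.com")],
    "www.paypal.com": [("CNAME", "www.paypal.com.akadns.net")],
    "www.paypal.com.akadns.net": [("CNAME", "ppdirect.paypal.com.akadns.net")],
    "ppdirect.paypal.com.akadns.net": [("CNAME", "wlb.paypal.com.akadns.net")],
    "wlb.paypal.com.akadns.net": [("CNAME", "www.paypal.com.edgekey.net")],
    "www.paypal.com.edgekey.net": [("CNAME", "e3694.a.akamaiedge.net")],
    "e3694.a.akamaiedge.net": [("A", "23.13.156.181")],
    "paypal.com": [("CAA", '0 issue "symantec.com"')],  # hypothetical
    "edgekey.net": [("CAA", '0 issue "megaca.xyz"')],   # hypothetical
}


def ancestors(name: str) -> List[str]:
    """beta.shop.example.com -> [beta.shop.example.com, shop.example.com, example.com, com]."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def query(name: str, rtype: str) -> Tuple[str, List[str]]:
    """Model Q(name, type) from the thread.

    Returns ("CNAME", [target]) if the name is an alias (explicit CNAME, or a
    CNAME synthesized from a DNAME on a proper ancestor, per RFC 6672),
    ("CAA", [rdata, ...]) if CAA data exists, or ("NONE", []) otherwise.
    """
    rrs = ZONE.get(name, [])
    cnames = [rdata for rtype_, rdata in rrs if rtype_ == "CNAME"]
    if cnames:
        return "CNAME", cnames[:1]
    for anc in ancestors(name)[1:]:  # a DNAME never applies to its own owner
        dnames = [rdata for rtype_, rdata in ZONE.get(anc, []) if rtype_ == "DNAME"]
        if dnames:
            prefix = name[: -len(anc) - 1]  # labels below the DNAME owner
            return "CNAME", [prefix + "." + dnames[0]]
    data = [rdata for rtype_, rdata in rrs if rtype_ == rtype]
    return ("CAA", data) if data else ("NONE", [])


def caa_lookup(fqdn: str) -> Tuple[Optional[Tuple[str, List[str]]], List[str]]:
    """Recursive walk as described in the thread.

    Returns (hit, log): hit is (owner, caa_rdata) for the first CAA RRset found,
    or None; log is the ordered list of queries in the thread's Q() notation.
    """
    log: List[str] = []
    asked = set()  # never repeat a query, e.g. "com" after reaching it via an alias

    def climb(name: str) -> Optional[Tuple[str, List[str]]]:
        for anc in ancestors(name):
            if anc in asked:
                continue
            asked.add(anc)
            kind, data = query(anc, "CAA")
            label = "<no answers>" if kind == "NONE" else f"{kind}, {data[0]}"
            log.append(f"Q({anc}, CAA) = {label}")
            if kind == "CAA":
                return anc, data
            if kind == "CNAME":
                hit = climb(data[0])  # climb the alias target's tree first
                if hit is not None:
                    return hit
        return None

    return climb(fqdn), log


if __name__ == "__main__":
    for name in ("beta.shop.example.com", "www.paypal.com"):
        hit, log = caa_lookup(name)
        print("\n".join(log))
        print("Result:", "no CAA record found" if hit is None else f"{hit[0]} -> {hit[1]}")
        print()
```

The defender's takeaway is the one Peter draws: with this walk, whoever controls the zone of a CNAME target (here the hypothetical CDN operator) effectively decides which CA may issue for the aliased name, and the domain owner's own CAA record can be bypassed without any DNS misconfiguration on their side. Swapping the `climb(data[0])` recursion for a simple "ignore aliases, climb only the requested name's ancestors" policy is the alternative the thread is weighing; the model makes the difference in query order and outcome concrete.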