<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Feb 25, 2017 at 4:24 PM, Peter Bowen via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div>I think that the DNAME checks are unnecessary, as 6672 (and other earlier RFCs) say that the name server synthesizes CNAME records based on the DNAME record.  That would leave:</div><div><br><blockquote type="cite"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span class="">Q(<a href="http://beta.shop.example.com/" rel="noreferrer" target="_blank">beta.shop.example.com</a>, CAA) = <no answers><br></span><span class="">Q(<a href="http://shop.example.com/" rel="noreferrer" target="_blank">shop.example.com</a>, CAA) = CNAME, <a href="http://xmpl.cdn.bighost.com/" rel="noreferrer" target="_blank">xmpl.cdn.bighost.com</a>.<br>Q(<a href="http://xmpl.cdn.bighost.com/" rel="noreferrer" target="_blank">xmpl.cdn.bighost.com</a>, CAA) = CNAME, <a href="http://xmpl.cdnhost.xyz/" rel="noreferrer" target="_blank">xmpl.cdnhost.xyz</a>.<br>Q(<a href="http://xmpl.cdnhost.xyz/" rel="noreferrer" target="_blank">xmpl.cdnhost.xyz</a>, CAA) = <no answers><br></span><span class="">Q(<a href="http://cdnhost.xyz/" rel="noreferrer" target="_blank">cdnhost.xyz</a>, CAA) = <no answers><br></span><span class="">Q(xyz, CAA) = <no answers><br></span><span class="">Q(<a href="http://cdn.bighost.com/" rel="noreferrer" target="_blank">cdn.bighost.com</a>, CAA) = <no answers><br></span><span class="">Q(<a href="http://bighost.com/" rel="noreferrer" target="_blank">bighost.com</a>, CAA) = <no answers><br></span><span class="">Q(com, CAA) = <no 
answers><br></span><span class="">Q(<a href="http://example.com/" rel="noreferrer" target="_blank">example.com</a>, CAA) = <no answers><br></span># Not doing Q(com, CAA) as we already did it; if it was <a href="http://example.net/" rel="noreferrer" target="_blank">example.net</a>, we would do Q(net, CAA) here<span class=""><br>Result: no CAA record found<br></span></blockquote></div></div></div></blockquote><br></div><div>I think this still will have unexpected results.</div><div><br></div><div>See this real world example:</div><div><br></div><pre>
;; QUESTION SECTION:
;; www.paypal.com.                   IN      A

;; ANSWER SECTION:
www.paypal.com.                 453  IN      CNAME   www.paypal.com.akadns.net.
www.paypal.com.akadns.net.      30   IN      CNAME   ppdirect.paypal.com.akadns.net.
ppdirect.paypal.com.akadns.net. 180  IN      CNAME   wlb.paypal.com.akadns.net.
wlb.paypal.com.akadns.net.      30   IN      CNAME   www.paypal.com.edgekey.net.
www.paypal.com.edgekey.net.     0    IN      CNAME   e3694.a.akamaiedge.net.
e3694.a.akamaiedge.net.         20   IN      A       23.13.156.181
</pre><div><br></div><div>If <a href="http://paypal.com" target="_blank">paypal.com</a> sets a CAA record to <a href="http://symantec.com" target="_blank">symantec.com</a>, but <a href="http://edgekey.net" target="_blank">edgekey.net</a> has a CAA record to <a href="http://megaca.xyz" target="_blank">megaca.xyz</a>, then the result is that Symantec cannot issue for <a href="http://www.paypal.com" target="_blank">www.paypal.com</a> but MegaCA can (and only MegaCA can). I don’t think that this is the logical result.</div><div><br></div><div>While I do support CAA, I think we need to fix/clarify the handling of CNAMEs before mandating CAs follow CAA directives.</div></div></blockquote><div><br></div><div>Hi Peter,</div><div><br></div><div>Can you explain why you don't believe this is the logical result? I think there's a perfectly logical argument that it is the desired result.</div><div><br></div><div>Consider <a href="http://example.com">example.com</a>, which might set a CAA record to <a href="http://symantec.com">symantec.com</a>. This is because the <a href="http://example.com">example.com</a> operator knows that all of the certificates they will obtain/purchase/etc. will be from Symantec. Now imagine there's a subdomain, <a href="http://shop.example.com">shop.example.com</a>. This domain is part of the <a href="http://example.com">example.com</a> hierarchy, certainly, but it's in fact operated by "Shop Corp", a turnkey shopping portal that provides custom shopping portals for tens of thousands of sites. 
Shop Corp takes care of everything, from hosting to payment processing to shipping, all with <a href="http://example.com">example.com</a>'s branding.</div><div><br></div><div>A key point of this being that <a href="http://shop.example.com">shop.example.com</a> is not operated by the <a href="http://example.com">example.com</a> operator, but instead CNAMEs over to shop.example.com.shopcorp.example, perhaps with as many hops as you've pointed out.</div><div><br></div><div>shopcorp.example buys all of their certificates from MegaCA; in fact, they might exclusively use OV or EV certs so that "Example Corp" prominently shows when shopping <a href="http://shop.example.com">shop.example.com</a>. So shopcorp.example has a CAA record saying MegaCA.</div><div><br></div><div>The logical consequence of this is that Symantec cannot issue for <a href="http://shop.example.com">shop.example.com</a>, only MegaCA can. But that's exactly what is intended and logical.</div></div></div></div>
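<div>The lookup sequence quoted at the top of this message (chase the CNAME chain from each name, then climb the tree above every CNAME target, then climb the tree above the name itself, never asking the same name twice) is easy to describe and easy to get subtly wrong, so here it is as a small Python implementation run against the shop.example.com scenario. This is an added example, not code from this thread, from the CA/Browser Forum, or from any CA. The zone is constructed: the names shop.example.com.shopcorp.example and edge.cdnhost.xyz, the CNAME hops between them, and the two CAA records for example.com and shopcorp.example are assumptions modelled on the hypothetical set-up described above.</div>

```python
"""CAA lookup with CNAME chasing and tree climbing, as sketched in the thread.

Added example; it is not code from the thread, from the CA/Browser Forum, or
from any CA. The zone below is constructed: the CNAME hops and the two CAA
records are the hypothetical ones in the reply above.
"""
import re

# Constructed zone: name -> ("CNAME", target) or ("CAA", [rdata, ...]).
# Names carry no trailing dot; a name absent from the dict answers "no answers".
ZONE = {
    "example.com": ("CAA", ['0 issue "symantec.com"']),
    "shop.example.com": ("CNAME", "shop.example.com.shopcorp.example"),
    "shop.example.com.shopcorp.example": ("CNAME", "edge.cdnhost.xyz"),
    "shopcorp.example": ("CAA", ['0 issue "megaca.xyz"']),
}


def ancestors(name):
    """The name itself, then each parent up to the TLD: a.b.c -> [a.b.c, b.c, c]."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def caa_lookup(name, zone):
    """Return (caa_rdata_list_or_None, trace).

    trace is the ordered list of names queried, in the same order as the
    Q(name, CAA) sequence in the thread, so the two can be compared.
    """
    queried = set()
    trace = []

    def query(n):
        # Ask each name at most once. A repeat answers "nothing new", which is
        # the thread's "not doing Q(com, CAA) as we already did it" rule and
        # also guarantees that a CNAME loop terminates.
        if n in queried:
            return None
        queried.add(n)
        trace.append(n)
        return zone.get(n)

    def chase(n):
        """Query n and follow CNAMEs to the end of the chain.

        Returns (caa or None, [every CNAME target met along the way]).
        """
        targets = []
        cur = n
        while True:
            rr = query(cur)
            if rr is None:
                return None, targets
            kind, value = rr
            if kind == "CAA":
                return value, targets
            targets.append(value)        # kind == "CNAME": keep following
            cur = value

    def resolve(n):
        caa, targets = chase(n)
        if caa is not None:
            return caa
        # Nothing at the end of the chain: climb the tree above each CNAME
        # target, last hop first, exactly as the thread's Q() sequence does.
        for target in reversed(targets):
            for parent in ancestors(target)[1:]:
                caa = resolve(parent)
                if caa is not None:
                    return caa
        return None

    # Finally climb the tree above the name that was asked for.
    for candidate in ancestors(name):
        caa = resolve(candidate)
        if caa is not None:
            return caa, trace
    return None, trace


_ISSUE = re.compile(r'^\d+\s+issue\s+"([^";]*)')


def may_issue(ca_domain, caa):
    """Whether a CA identified by ca_domain may issue under the CAA set found.

    None (no CAA record anywhere) leaves every CA free to issue. Only the
    'issue' tag is checked here; 'issuewild' and the critical flag are ignored.
    """
    if caa is None:
        return True
    allowed = {m.group(1).strip().lower()
               for m in map(_ISSUE.match, caa) if m}
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for target in ("shop.example.com", "www.example.com"):
        caa, trace = caa_lookup(target, ZONE)
        for q in trace:
            print(f"Q({q}, CAA) = {ZONE.get(q, '<no answers>')}")
        print(target, "-> CAA:", caa,
              "| Symantec may issue:", may_issue("symantec.com", caa),
              "| MegaCA may issue:", may_issue("megaca.xyz", caa))
        print()
```

<div>Running it shows the point both sides of the thread are making: for shop.example.com the walk reaches shopcorp.example's CAA record before it ever looks at example.com, so only MegaCA may issue, while for www.example.com (no CNAME) the walk climbs straight to example.com and only Symantec may issue. The "ask each name once" rule is what keeps a looping CNAME chain from hanging the lookup; a real CA would additionally want a hop limit, DNSSEC validation of the answers, and handling of <code>issuewild</code> and the critical flag, none of which this example covers.</div>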