<div dir="ltr"><div class="gmail_extra">I agree that we want CDNs and hosting providers to be able to easily set default CAA policies for hostnames that are CNAMEd to them. They know which CAs they actually use, and usually terminate TLS, so they can accurately set policy for a large number of domains at once with very little disruption. It's also useful for domain owners to be able to punch out exceptions to a CAA record specified by their CDN for many reasons[1]. CAA's left-to-right evaluation order gives both of these properties.</div><div class="gmail_extra"><br></div><div class="gmail_extra">However, I think the recurse-into-alias-before-resuming ("authorial intent") version of CAA is not needed to accomplish those goals. For instance, in Peter's example:</div><div class="gmail_extra"><br></div><div class="gmail_extra"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><pre>;; ANSWER SECTION:
www.paypal.com.                 453  IN  CNAME  www.paypal.com.akadns.net.
www.paypal.com.akadns.net.      30   IN  CNAME  ppdirect.paypal.com.akadns.net.
ppdirect.paypal.com.akadns.net. 180  IN  CNAME  wlb.paypal.com.akadns.net.
wlb.paypal.com.akadns.net.      30   IN  CNAME  www.paypal.com.edgekey.net.
www.paypal.com.edgekey.net.     0    IN  CNAME  e3694.a.akamaiedge.net.
e3694.a.akamaiedge.net.         20   IN  A      23.13.156.181</pre></blockquote></div><div class="gmail_extra"><br></div><div class="gmail_extra">Akamai could add this record to set a CAA policy:</div><div class="gmail_extra"><br></div><div class="gmail_extra"><pre>e3694.a.akamaiedge.net CAA 0 issue "symantec.com"</pre></div><div class="gmail_extra"><br></div><div class="gmail_extra">I don't see an additional need to let Akamai set this policy at the akamaiedge.net level instead.</div><div class="gmail_extra"><br></div><div class="gmail_extra">I also see "authorial intent" CAA as a little trickier to implement correctly than "<a href="https://www.rfc-editor.org/errata_search.php?rfc=6844&amp;eid=4515">erratum 4515</a>" CAA. Normally, a recursive resolver is responsible for chasing CNAMEs and detecting loops. Application code doesn't need to care about CNAMEs, only the final resource record. Implementing "authorial intent" CAA requires application code to specially handle CNAMEs and break loops. I think this is likely to introduce more bugs and inconsistent implementations.</div><div class="gmail_extra"><br></div><div class="gmail_extra">So, my inclination is to follow Phillip's option (2): Turn erratum 4515 into a new RFC, and follow that. But I'm willing to be convinced otherwise. Relatedly: Phillip, is there an appropriate IETF mailing list to which we could take the conversation? It would be good to get broader technical input, but this is a restricted-posting mailing list.</div><div><br></div><div class="gmail_extra">[1] Domain owners may need certificates for non-HTTPS purposes; they may CNAME their base domain to a CDN, but have a wide variety of subdomains that are not hosted by that CDN; they may use a TCP-only CDN that doesn't terminate TLS.</div></div>
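<p>The two lookup orders compared in the message above, as an added example that is not part of the original post or of any CA's code: the erratum 4515 order (the resolver chases CNAMEs, the application only climbs the parents of the name it was asked about) beside the "authorial intent" order (RFC 6844 section 4 as originally written, where the application recurses into the alias target, and the target's parents, before resuming). The zone table is constructed to mirror the quoted dig output; the CAA records at <code>akamaiedge.net</code>, <code>e3694.a.akamaiedge.net</code> and <code>paypal.com</code> (the owner record uses the placeholder CA <code>owner-ca.example</code>), the loop zone, the recursion bound <code>MAX_ALIAS_DEPTH</code> and all function names are assumptions made for the example. No real DNS is queried.</p>

```python
# Added example: simulation of two CAA lookup orders over a constructed zone.
from typing import Any, Callable, Dict, List, Optional, Tuple

Zone = Dict[str, Tuple[str, Any]]  # name -> ("CNAME", target) | ("CAA", [records])

# Constructed: the CNAME chain from the quoted dig output plus a hypothetical
# domain-owner CAA record at paypal.com (placeholder CA name).
CHAIN: Zone = {
    "www.paypal.com":                 ("CNAME", "www.paypal.com.akadns.net"),
    "www.paypal.com.akadns.net":      ("CNAME", "ppdirect.paypal.com.akadns.net"),
    "ppdirect.paypal.com.akadns.net": ("CNAME", "wlb.paypal.com.akadns.net"),
    "wlb.paypal.com.akadns.net":      ("CNAME", "www.paypal.com.edgekey.net"),
    "www.paypal.com.edgekey.net":     ("CNAME", "e3694.a.akamaiedge.net"),
    "paypal.com":                     ("CAA", ['0 issue "owner-ca.example"']),
}
CDN_POLICY = ['0 issue "symantec.com"']
# Variant A (hypothetical): CDN policy at its zone apex.
ZONE_APEX: Zone = {**CHAIN, "akamaiedge.net": ("CAA", CDN_POLICY)}
# Variant B: CDN policy on the chain's final name, as the message proposes.
ZONE_LEAF: Zone = {**CHAIN, "e3694.a.akamaiedge.net": ("CAA", CDN_POLICY)}
# Constructed CNAME loop, to show which layer has to break it.
ZONE_LOOP: Zone = {"a.example": ("CNAME", "b.example"),
                   "b.example": ("CNAME", "a.example")}

MAX_ALIAS_DEPTH = 8  # assumed bound on alias recursion in the application


def parent(name: str) -> Optional[str]:
    """P(X): the label above X, or None once X is a top-level domain."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def resolver_caa_query(zone: Zone, name: str) -> List[str]:
    """Model a recursive resolver answering a CAA query: it follows CNAMEs
    itself and returns the records at the end of the chain. Loop detection
    is the resolver's job, so the application never sees an alias."""
    seen = set()
    while zone.get(name, ("", None))[0] == "CNAME":
        if name in seen:
            raise RuntimeError(f"CNAME loop at {name}")
        seen.add(name)
        name = zone[name][1]
    entry = zone.get(name)
    return list(entry[1]) if entry and entry[0] == "CAA" else []


def caa_erratum_4515(zone: Zone, name: str) -> List[str]:
    """Erratum 4515: R(X) = CAA(X) as the resolver returns it (CNAMEs already
    chased); if empty, R(P(X)) on the ORIGINAL name, never on the alias."""
    x: Optional[str] = name
    while x is not None:
        records = resolver_caa_query(zone, x)
        if records:
            return records
        x = parent(x)
    return []


def caa_authorial_intent(zone: Zone, name: str, depth: int = 0) -> List[str]:
    """RFC 6844 section 4 as written: R(X) = CAA(X); else R(A(X)) if X is an
    alias and that result is non-empty; else R(P(X)). The application handles
    aliases itself, so it must also bound the recursion against loops."""
    if depth > MAX_ALIAS_DEPTH:
        raise RuntimeError("alias chain too deep; possible CNAME loop")
    x: Optional[str] = name
    while x is not None:
        entry = zone.get(x)
        if entry and entry[0] == "CAA":
            return list(entry[1])
        if entry and entry[0] == "CNAME":
            via_alias = caa_authorial_intent(zone, entry[1], depth + 1)
            if via_alias:
                return via_alias
        x = parent(x)
    return []


def detects_loop(lookup: Callable[[Zone, str], List[str]], zone: Zone, name: str) -> bool:
    """True if the lookup refuses a looping zone instead of hanging."""
    try:
        lookup(zone, name)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    for label, zone in (("apex", ZONE_APEX), ("leaf", ZONE_LEAF)):
        print(label, "erratum 4515:", caa_erratum_4515(zone, "www.paypal.com"))
        print(label, "authorial:   ", caa_authorial_intent(zone, "www.paypal.com"))
```

<p>With the CDN record at <code>e3694.a.akamaiedge.net</code> both orders return the CDN policy, which is the point of the message: the leaf record is enough. Only when the record sits at <code>akamaiedge.net</code> do they diverge, with erratum 4515 falling through to the owner's record at <code>paypal.com</code> while authorial intent climbs the alias target's parents. The loop zone shows where the loop-breaking burden lands: in the resolver model for erratum 4515, in the application's own recursion bound for authorial intent.</p>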