<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoPlainText>The RFC Editor has deleted all three of the existing errata at my request. I would like for the next errata to be the very last.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Could people read, review and state if this works for them?<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Original Text<o:p></o:p></p><p class=MsoPlainText>-------------<o:p></o:p></p><p class=MsoPlainText> Let CAA(X) be the record set returned in response to performing a CAA<o:p></o:p></p><p class=MsoPlainText> record query on the label X, P(X) be the DNS label immediately above<o:p></o:p></p><p class=MsoPlainText> X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME<o:p></o:p></p><p class=MsoPlainText> alias record specified at the label X.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> o If CAA(X) is not empty, R(X) = CAA (X), otherwise<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> o If A(X) is not null, and R(A(X)) is not empty, then R(X) =<o:p></o:p></p><p class=MsoPlainText> R(A(X)), otherwise<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> o If X is not a top-level domain, then R(X) = R(P(X)), otherwise<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> o R(X) is empty.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoPlainText>Corrected Text<o:p></o:p></p><p class=MsoPlainText>--------------<o:p></o:p></p><p class=MsoPlainText> Let CAA(X) be the record set returned in response to performing a CAA<o:p></o:p></p><p class=MsoPlainText> record query on the label X, P(X) be the DNS label immediately above<o:p></o:p></p><p class=MsoPlainText> X in the DNS 
hierarchy, and A(X) be the target of a CNAME or DNAME<o:p></o:p></p><p class=MsoPlainText> alias record chain specified at the label X.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> o If CAA(X) is not empty, R(X) = CAA (X), otherwise<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> o If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =<o:p></o:p></p><p class=MsoPlainText> CAA(A(X)), otherwise<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> o If X is not a top-level domain, then R(X) = R(P(X)), otherwise<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> o R(X) is empty.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> Thus, when a search at node X returns a CNAME record, the CA will<o:p></o:p></p><p class=MsoPlainText> follow the CNAME record to its target. If the target label contains a<o:p></o:p></p><p class=MsoPlainText> CAA record, it is returned. Otherwise, the CA continues the search at<o:p></o:p></p><p class=MsoPlainText> the parent of node X.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> Note that the search does not include the parent of a target of a<o:p></o:p></p><p class=MsoPlainText> CNAME record (except when the CNAME points back to its own path).<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> To prevent resource exhaustion attacks, CAs should limit the length of <o:p></o:p></p><p class=MsoPlainText> CNAME chains that are accepted. However, CAs MUST process CNAME <o:p></o:p></p><p class=MsoPlainText> chains that contain ten or fewer CNAME records.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> Processing for DNAME is exactly the same as for CNAME. 
Note that since<o:p></o:p></p><p class=MsoPlainText> DNAME records are implemented by creating the corresponding CNAME<o:p></o:p></p><p class=MsoPlainText> records on the fly, it is only necessary for DNAME records to appear<o:p></o:p></p><p class=MsoPlainText> on the wire for purposes of DNSSEC.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>
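The lookup in the Corrected Text above, worked through over a small in-memory zone. This is an added example, not part of the message or of the RFC. The zone contents, the function names and the choice to raise an error (so the caller refuses issuance) when a chain exceeds the limit are assumptions made for illustration, and a name with no dot is treated as a top-level domain.

```python
# Constructed zone data; every name and record below is made up for illustration.
ZONE = {
    "example.com":          {"CAA": ['0 issue "ca-one.example"']},
    "www.example.com":      {"CNAME": "edge.cdn.example.net"},
    "shop.example.com":     {"CNAME": "shop.cdn.example.net"},
    "cdn.example.net":      {"CAA": ['0 issue "ca-two.example"']},
    "shop.cdn.example.net": {"CAA": ['0 issue "ca-three.example"']},
    "loop.example.com":     {"CNAME": "loop2.example.com"},
    "loop2.example.com":    {"CNAME": "loop.example.com"},
}
MAX_CHAIN = 10  # chains of ten or fewer CNAME records must be processed


class ChainTooLong(Exception):
    """Alias chain exceeded MAX_CHAIN (assumed policy: fail closed)."""


def caa(name):
    """CAA(X): the CAA record set published at exactly this name."""
    return ZONE.get(name, {}).get("CAA", [])


def alias_target(name):
    """A(X): end of the alias chain at name, or None when there is no alias.
    DNAME is modelled as the CNAME a server would synthesize from it."""
    current, hops = name, 0
    while "CNAME" in ZONE.get(current, {}):
        hops += 1
        if hops > MAX_CHAIN:  # also stops CNAME loops
            raise ChainTooLong(name)
        current = ZONE[current]["CNAME"]
    return current if hops else None


def relevant_rrset(name):
    """R(X) following the four rules of the corrected text, in order."""
    name = name.rstrip(".").lower()
    while True:
        if caa(name):                       # rule 1: CAA(X)
            return caa(name)
        target = alias_target(name)
        if target is not None and caa(target):
            return caa(target)              # rule 2: CAA(A(X)), target's parents not searched
        if "." not in name:                 # rule 4: reached a top-level domain
            return []
        name = name.split(".", 1)[1]        # rule 3: continue at P(X)
```

For www.example.com the result is the record set at example.com, not the one at cdn.example.net, because the parent of a CNAME target is never searched.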