[cabfpub] Pre-Ballot 125 - CAA Records

Rick Andrews Rick_Andrews at symantec.com
Tue Jul 15 12:04:50 MST 2014 

I agree with Geoff. CAs will typically issue a DNS query for just CAA records, not ANY. And if you're worried about the impact to the client that's looking up the address for www.example.com<http://www.example.com> in DNS, they also will not be affected by the addition of CAA records because they'll be asking for A or AAAA records, not ANY.

I believe there's no technical size concern here. I think the original comment came from Sigbjørn at Opera. If you're still on the list, Siggy, would you please comment? Or perhaps someone else from Opera can comment?

I know of no other issues, so perhaps we can proceed with balloting this?

-Rick

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Geoff Keating
Sent: Monday, June 30, 2014 10:18 AM
To: Stephen Davidson
Cc: cabfpub
Subject: Re: [cabfpub] Pre-Ballot 125 - CAA Records


On 30 Jun 2014, at 8:17 am, Stephen Davidson <S.Davidson at quovadisglobal.com<mailto:S.Davidson at quovadisglobal.com>> wrote:


During the CABF discussion about CAA in June 2013, a browser representative pointed out that companies may hit against size constraints when using CAA:

Adding the records increased our authoritative nameserver's DNS response from an already juicy 458 bytes to supreme juicyness of 506 bytes (512 bytes is still somewhat of the limit, at the very least resource usage will increase when topping that).
And besides, we've seen that before of course, and our TXT SPF record is the main offender here, but 506 byte responses is probably on the "winning" side when it comes to selecting authoritative DNS servers for DNS amplification attacks. Or spoken more generally: Maybe the CABForum should discuss how eager the community is to add a potential massive load of additional records to the root element of a zone/"domain".
If you use more than one CA for signing "https" certs, this can quickly explode in size all on itself, without the help of SPF entries in the zone. I'd guess this needs to be discussed.

The technical discussion dropped off at this point.  I believe it bears further analysis.

I presume here we're talking about an ANY query, since a CAA response itself is usually small by itself.  In that case it should be considered that an ANY query for icann.org<http://icann.org> is 5278 bytes, and even TLDs like com. or us. are 1555 bytes and 538 bytes respectively.

In actual use there should be no problem since real queries (as opposed to those intended for DoS) will not ask for the CAA record and so won't get it.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20140715/45549be8/attachment.html

More information about the Public mailing list