[cabfpub] CNAME-based validation

Ryan Sleevi sleevi at google.com
Wed Sep 7 18:32:49 UTC 2016


On Tue, Sep 6, 2016 at 5:07 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> Hi Ryan,
>
>
>
> Pardon my DNS ignorance, but how does the server know which CNAME record
> to use in this case? If shop.domain.com CNAMEs to digicert.com and
> *.domain.com CNAMEs to google.com, then how do you know which will resolve?
> There isn’t a weight/ordering preference for CNAME like there is for TXT
> records.
>

Hi Jeremy,

The DNS server knows how to match the specific record resolved. That is,
shop.example.com has an associated CNAME record, and thus one CNAME is
returned. However, if a client attempts to resolve <rnd>.example.com, it
would see there's no specific match, and thus fall back to the wildcard
match.

The exact details of how wildcard DNS rules unfortunately vary by DNS
server, but the above description is meant to highlight that you shouldn't
assume *two* CNAMEs will be returned. In general, if you want to guarantee
that two CNAME records would be returned, you'd do

*.example.com CNAME digicert.com
shop.example.com CNAME google.com
shop.example.com CNAME digicert.com

(Which, of course, would be bonkers)


> As for how to resolve this, what if the CA generated two random numbers,
> holding one of the numbers in reserve. Immediately after verifying that
> <rnd1>.domain.com CNAME points to a validated domain, the CA can then
> check <rnd2>.domain.com to see if it resolves. If it resolves
> successfully, a wildcard DNS is in place and the domain is not validated.
> If the domain does not resolve, a wildcard DNS is not present and the
> domain is considered validated. Does this resolve your concern?
>

That could, but I'm curious to understand why Peter's proposed
interpretation (which seems different from your proposal) wouldn't address
the same need, but without the same concerns. Perhaps you could elaborate
further on the use case, to better understand why a simpler approach
wouldn't suffice?

For example, with your proposal, I'd be concerned for the same matter
raised during the CAA discussion, and highlighted by Robin Alden during the
F2F discussion, of intermittent DNS issues on the CA's side. If such an
event happened, it might lead to inappropriately ruling "no wildcard DNS",
when wildcard DNS is in fact in place.
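As an added illustration (not part of the thread, and not a CA's code), a small Python model of the matching described above: an exact owner-name match wins, and a wildcard only fills in when no closer name exists; it goes slightly beyond the message by applying the RFC 4592 closest-encloser rule to multi-label names, and it also models the two-random-label check from the quoted proposal together with the transient-lookup-failure case raised in the reply. The zone contents, hostnames and CNAME targets are constructed sample data.

```python
from typing import Callable, Dict, Optional

# Constructed sample zone: a specific host and a wildcard both carry CNAMEs.
ZONE: Dict[str, str] = {
    "shop.example.com": "digicert.com",
    "*.example.com": "google.com",
}

def lookup_cname(zone: Dict[str, str], name: str) -> Optional[str]:
    """Return the CNAME target a server would answer for `name`.
    An exact owner-name match always wins, so only one CNAME is returned.
    Otherwise the closest existing ancestor is located and a wildcard
    directly under it (if any) synthesises the answer (RFC 4592, simplified).
    """
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        # An ancestor "exists" if it owns a record or sits above one.
        if any(n == ancestor or n.endswith("." + ancestor) for n in zone):
            return zone.get("*." + ancestor)  # None when no wildcard there
    return None

def make_resolver(zone: Dict[str, str], fail_on: Optional[str] = None) -> Callable[[str], Optional[str]]:
    """Resolver over the toy zone; raises TimeoutError for `fail_on` to model
    the intermittent DNS failure on the CA side mentioned in the reply."""
    def resolve(name: str) -> Optional[str]:
        if name == fail_on:
            raise TimeoutError("constructed transient DNS failure")
        return lookup_cname(zone, name)
    return resolve

def two_label_check(resolve: Callable[[str], Optional[str]], rnd1: str, rnd2: str, expected: str) -> str:
    """The two-random-label proposal from the quoted message: validate
    <rnd1> against the expected CNAME, then probe <rnd2> for a wildcard.
    A lookup error on the second probe must not be read as 'no wildcard'."""
    if resolve(rnd1) != expected:
        return "not-validated"
    try:
        probe = resolve(rnd2)
    except TimeoutError:
        return "inconclusive"  # retry rather than conclude 'no wildcard'
    return "wildcard-present" if probe is not None else "validated"
```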