[cabfpub] CNAME-based validation

Jeremy Rowley jeremy.rowley at digicert.com
Thu Sep 8 16:35:24 UTC 2016


It wouldn’t resolve the issue because shop.example.com would have to point to a new domain, taking down the website for a period of time. This proposal wouldn’t prohibit wildcard DNS names. Instead, a wildcard DNS would use a different method. (Although it’s probably a correlation with the type of customers that use this method, we haven’t seen a wildcard DNS yet.)

Are there any risks associated with using two random values and simply not using this method for wildcard DNS names? If not, I’d like to ballot this.
From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Wednesday, September 7, 2016 12:33 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: Peter Bowen <pzb at amzn.com>; public at cabforum.org
Subject: Re: [cabfpub] CNAME-based validation
On Tue, Sep 6, 2016 at 5:07 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:

Hi Ryan, 

Pardon my DNS ignorance, but how does the server know which CNAME record to use in this case? If shop.domain.com CNAMEs to digicert.com and *.domain.com CNAMEs to google.com, then how do you know which will resolve? There isn’t a weight/ordering preference for CNAME like there is for TXT records.

Hi Jeremy,

The DNS server knows how to match the specific record resolved. That is, shop.example.com has an associated CNAME record, and thus one CNAME is returned. However, if a client attempts to resolve <rnd>.example.com, it would see there's no specific match, and thus fall back to the wildcard match.

The exact details of how wildcard DNS rules apply unfortunately vary by DNS server, but the above description is meant to highlight that you shouldn't assume *two* CNAMEs will be returned. In general, if you want to guarantee that two CNAME records would be returned, you'd do

*.example.com CNAME digicert.com
shop.example.com CNAME google.com
shop.example.com CNAME digicert.com

(Which, of course, would be bonkers)

As for how to resolve this, what if the CA generated two random numbers, holding one of the numbers in reserve. Immediately after verifying that <rnd1>.domain.com CNAME points to a validated domain, the CA can then check <rnd2>.domain.com to see if it resolves. If it resolves successfully, a wildcard DNS is in place and the domain is not validated. If the domain does not resolve, a wildcard DNS is not present and the domain is considered validated. Does this resolve your concern?
That could, but I'm curious to understand why Peter's proposed interpretation (which seems different from your proposal) wouldn't address the same need, but without the same concerns. Perhaps you could elaborate further on the use case, to better understand why a simpler approach wouldn't suffice?
For example, with your proposal, I'd be concerned for the same matter raised during the CAA discussion, and highlighted by Robin Alden during the F2F discussion, of intermittent DNS issues on the CA's side. If such an event happened, it might lead to inappropriately ruling "no wildcard DNS", when wildcard DNS is in fact in place.
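As an added illustration (not code from the thread, from DigiCert or from Google), the following Python simulation models the lookup order Ryan describes (exact record first, wildcard only as a fallback) and Jeremy's two-random-value check, and treats a transient lookup failure on the reserve label as inconclusive rather than as "no wildcard", which is the failure mode Ryan's last paragraph raises. The zone contents, the labels a1/b2 and the CA target name dcv.ca.example are constructed for the example.

```python
import secrets

class Nxdomain(LookupError):
    """Authoritative answer: the name does not exist."""

class Servfail(TimeoutError):
    """Transient failure: no answer was obtained (Ryan's concern)."""

class Zone:
    """Toy zone (constructed, not real DNS): exact CNAME records, an
    optional wildcard, and names that fail transiently."""
    def __init__(self, origin, records=None, wildcard=None, failing=()):
        self.origin = origin
        self.records = dict(records or {})
        self.wildcard = wildcard
        self.failing = set(failing)

    def cname(self, name):
        # Lookup order Ryan describes: an exact match wins; only a name
        # with no exact record falls back to the wildcard, if any.
        if name in self.failing:
            raise Servfail(name)
        if name in self.records:
            return self.records[name]
        if self.wildcard and name.endswith("." + self.origin):
            return self.wildcard
        raise Nxdomain(name)

def validate(zone, domain, ca_target, rnd1, rnd2=None):
    """Jeremy's two-random-value check. rnd1 is the label the applicant
    was asked to CNAME at the CA; rnd2 is the label held in reserve."""
    rnd2 = rnd2 or secrets.token_hex(8)
    try:
        if zone.cname(f"{rnd1}.{domain}") != ca_target:
            return "mismatch"          # CNAME exists but points elsewhere
    except Nxdomain:
        return "missing"               # applicant never created the record
    except Servfail:
        return "indeterminate"         # retry later; no conclusion
    # The reserve label must be absent. Only an authoritative NXDOMAIN
    # proves there is no wildcard; a transient error proves nothing.
    try:
        zone.cname(f"{rnd2}.{domain}")
        return "wildcard"              # rnd2 resolved: wildcard in place
    except Nxdomain:
        return "validated"
    except Servfail:
        return "indeterminate"
```

The third outcome ("wildcard" despite a correct exact record) is Ryan's shop.example.com case: the exact CNAME answers for rnd1, but rnd2 still falls through to the wildcard.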
