[cabfpub] FW: [Errata Held for Document Update] RFC6844 (5065)

Mads Egil Henriksveen Mads.Henriksveen at buypass.no
Wed Aug 23 02:31:28 MST 2017


Hi

What does this mean for us who are in the process of implementing support for CAA?

Do we implement the CAA processing rules according to this errata or do we need to comply with the current version of RFC6844?

Regards
Mads

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Phillip via Public
Sent: tirsdag 22. august 2017 22:15
To: 'CA/Browser Forum Public Discussion List' <public at cabforum.org>
Subject: [cabfpub] FW: [Errata Held for Document Update] RFC6844 (5065)

We have held for document update!


-----Original Message-----
From: RFC Errata System [mailto:rfc-editor at rfc-editor.org] 
Sent: Tuesday, August 22, 2017 12:58 PM
To: philliph at comodo.com; philliph at comodo.com; rob.stradling at comodo.com
Cc: ekr at rtfm.com; iesg at ietf.org; pkix at ietf.org; rfc-editor at rfc-editor.org
Subject: [Errata Held for Document Update] RFC6844 (5065)

The following errata report has been held for document update for RFC6844, "DNS Certification Authority Authorization (CAA) Resource Record". 

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5065

--------------------------------------
Status: Held for Document Update
Type: Technical

Reported by: Phillip Hallam-Baker <philliph at comodo.com>
Date Reported: 2017-07-10
Held by: EKR (IESG)

Section: 4

Original Text
-------------
   Let CAA(X) be the record set returned in response to performing a CAA
   record query on the label X, P(X) be the DNS label immediately above
   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
   alias record specified at the label X.

   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise

   o  If A(X) is not null, and R(A(X)) is not empty, then R(X) =
      R(A(X)), otherwise

   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise

   o  R(X) is empty.

Corrected Text
--------------
   Let CAA(X) be the record set returned in response to performing a CAA
   record query on the label X, P(X) be the DNS label immediately above
   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
   alias record chain specified at the label X.
 
   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise
 
   o  If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
      CAA(A(X)), otherwise
 
   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise
 
   o  R(X) is empty.
 
  Thus, when a search at node X returns a CNAME record, the CA will
  follow the CNAME record chain to its target. If the target label
  contains a CAA record, it is returned.

  Otherwise, the CA continues the search at
  the parent of node X.
 
  Note that the search does not include the parent of a target of a
  CNAME record (except when the CNAME points back to its own path).
 
  To prevent resource exhaustion attacks, CAs SHOULD limit the length of
  CNAME chains that are accepted. However CAs MUST process CNAME
  chains that contain 8 or fewer CNAME records.

Notes
-----
This is the updated errata to replace the ones previously deleted. It has been reviewed by all the parties concerned. Since this is a breaking change, this will have to go to hold for document update. The LAMPS working group is currently considering a more radical re-working of the CAA discovery scheme as a work item for its new charter.

I will be in Prague to discuss...

--------------------------------------
RFC6844 (draft-ietf-pkix-caa-15)
--------------------------------------
Title               : DNS Certification Authority Authorization (CAA) Resource Record
Publication Date    : January 2013
Author(s)           : P. Hallam-Baker, R. Stradling
Category            : PROPOSED STANDARD
Source              : Public-Key Infrastructure (X.509)
Area                : Security
Stream              : IETF
Verifying Party     : IESG
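To make the difference between the two wordings of section 4 concrete, here is the discovery procedure written out both ways and run over a constructed in-memory zone. This is an added illustration, not code from RFC 6844, the errata or this thread; every name and record in the zone (example.com, cdn.hosting.example, the a0/b0 chains and the CA identifiers) is invented for the example.

```python
"""RFC 6844 section 4 CAA discovery, before and after errata 5065.

Added example over a constructed zone; not from the RFC, the errata or the list."""

from typing import Dict, List, Optional

# name -> {"CNAME": target} and/or {"CAA": [rdata strings]}  (constructed data)
Zone = Dict[str, Dict[str, object]]

MAX_CNAME_CHAIN = 8  # errata 5065: CAs MUST process chains of 8 or fewer CNAMEs


class CnameChainTooLong(Exception):
    """Raised when a CNAME chain exceeds what the CA is willing to follow."""


def caa(zone: Zone, name: str) -> List[str]:
    """CAA(X): the CAA record set at label X (empty list if none)."""
    return list(zone.get(name, {}).get("CAA", []))


def parent(name: str) -> Optional[str]:
    """P(X): the label immediately above X; None when X is a top-level domain."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def cname_target(zone: Zone, name: str) -> Optional[str]:
    """A(X) as in the original RFC text: the single CNAME target at X."""
    return zone.get(name, {}).get("CNAME")


def cname_chain_target(zone: Zone, name: str) -> Optional[str]:
    """A(X) as in the corrected text: the end of the CNAME chain at X.

    Follows at most MAX_CNAME_CHAIN records; a longer chain, including a loop,
    is rejected instead of being followed indefinitely."""
    target = cname_target(zone, name)
    if target is None:
        return None
    hops = 1
    while cname_target(zone, target) is not None:
        hops += 1
        if hops > MAX_CNAME_CHAIN:
            raise CnameChainTooLong(f"{name}: more than {MAX_CNAME_CHAIN} CNAME records")
        target = cname_target(zone, target)
    return target


def r_original(zone: Zone, name: str) -> List[str]:
    """R(X) per the original section 4: R(A(X)) recurses into the alias target,
    so the search also climbs to the parent of the target (the CNAME operator's
    zone).  No chain limit is stated, so a CNAME loop would recurse forever;
    only call this on acyclic data."""
    if caa(zone, name):
        return caa(zone, name)
    target = cname_target(zone, name)
    if target is not None and r_original(zone, target):
        return r_original(zone, target)
    up = parent(name)
    return r_original(zone, up) if up is not None else []


def r_corrected(zone: Zone, name: str) -> List[str]:
    """R(X) per errata 5065: only CAA(A(X)) at the end of the chain is used;
    the search then climbs above X itself, never above the CNAME target."""
    if caa(zone, name):
        return caa(zone, name)
    target = cname_chain_target(zone, name)
    if target is not None and caa(zone, target):
        return caa(zone, target)
    up = parent(name)
    return r_corrected(zone, up) if up is not None else []


# Constructed zone: a customer name aliased to a CDN host whose operator
# publishes its own CAA policy one label up.
ZONE: Zone = {
    "example.com": {"CAA": ['0 issue "ca-a.example"']},
    "www.example.com": {"CNAME": "cdn.hosting.example"},
    "cdn.hosting.example": {},                                # no CAA at the target
    "hosting.example": {"CAA": ['0 issue "ca-b.example"']},   # CDN operator's policy
    "loop.example.com": {"CNAME": "loop2.example.com"},
    "loop2.example.com": {"CNAME": "loop.example.com"},
}
for i in range(8):   # 8 CNAMEs: the longest chain a CA MUST process
    ZONE[f"a{i}.example.com"] = {"CNAME": f"a{i + 1}.example.com"}
ZONE["a8.example.com"] = {"CAA": ['0 issue "ca-c.example"']}
for i in range(9):   # 9 CNAMEs: a CA may refuse this chain
    ZONE[f"b{i}.example.com"] = {"CNAME": f"b{i + 1}.example.com"}
ZONE["b9.example.com"] = {"CAA": ['0 issue "ca-c.example"']}

if __name__ == "__main__":
    for label in ("www.example.com", "a0.example.com"):
        print(label, "original:", r_original(ZONE, label),
              "corrected:", r_corrected(ZONE, label))
```

Run against www.example.com, the original wording yields the CDN operator's policy (ca-b), because R(A(X)) climbs from cdn.hosting.example to hosting.example; the corrected wording yields the domain owner's own policy (ca-a), because after finding no CAA at the chain target it climbs from www.example.com to example.com. The 8-record chain is resolved, while the 9-record chain and the loop raise CnameChainTooLong instead of consuming the resolver.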

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public