[cabfpub] Ballot 187 - Make CAA Checking Mandatory

philliph at comodo.com
Sat Feb 25 09:16:32 MST 2017


> On Feb 24, 2017, at 9:17 PM, Peter Bowen <pzbowen at gmail.com> wrote:
> 
> On Fri, Feb 24, 2017 at 5:49 PM, philliph--- via Public
> <public at cabforum.org> wrote:
>> On the CAA recursive part, I am trying to track down why there is an
>> existing errata that makes a normative change with held for update status.
>> 
>> The issue here is not in the PKIX part, it is what a CNAME/DNAME record
>> means. Different people in the DNS community took different positions. We
>> ended up concluding that the recursive interpretation was the appropriate
>> one, i.e. least likely to cause mistakes.
> 
> I'm still confused.  Consider the following records (I'm leaving out
> class and TTL for simplicity):
> 
> beta.shop.example.com. A 198.51.100.54
> shop.example.com. CNAME xmpl.cdn.bighost.com.
> example.com. A 198.51.100.4
> example.com. MX 10 mail1.mailhost.fast.
> example.com. NS ns1.cheapdns.biz.
> example.com. NS ns2.cheapdns.org.
> 
> cdn.bighost.com. DNAME cdnhost.xyz.
> bighost.com. NS ns1.dnshost.com.
> bighost.com. NS ns2.dnshost.com.
> 
> xmpl.cdnhost.xyz. A 203.0.113.231
> cdnhost.xyz. NS ns1.dnshost.com.
> cdnhost.xyz. NS ns2.dnshost.com.
> 
> If a CA gets a certificate request that includes
> dNSName:beta.shop.example.com, what DNS queries must it make to check
> for CAA records?
> 
> Thanks,
> Peter

The sequence is:

beta.shop.example.com
shop.example.com
xmpl.cdn.bighost.com
cdn.bighost.com  *
xmpl.cdnhost.xyz  *
cdnhost.xyz  *
xyz  *
shop.example.com
example.com
com

Now if people were to say they think the lookups with the asterisks are a problem then we can propose an update to the RFC.
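To make the lookup sequence concrete, here is an added example (editor's code, not Phillip's or Peter's, and not a CAB Forum artifact) that walks the CAA tree over the records Peter listed. The walk follows the recursive alias-following reading discussed above: check CAA at the name, then CAA reachable through a CNAME or DNAME alias, then the parent label, stopping at the TLD. The exact order in which the alias branch and the parent climb are visited is this example's assumption, and the two CAA records (at example.com and, in the second scenario, at cdnhost.xyz) are constructed by the editor so that the walk has something to find. The second scenario is the practical point for a CA or a domain owner: when a name is aliased into a hosting provider's tree, a CAA record in that provider's zone can be the one that decides whether issuance is permitted.

```python
"""Walk the CAA lookup tree for a hostname over an in-memory zone.

Editor's constructed example (not code from the mailing-list thread).
Records are the ones from Peter's message; the CAA records are assumed.
"""
import copy
from typing import Dict, List, Optional, Tuple

Zone = Dict[str, Dict[str, List[str]]]

# Constructed from the thread's records; the CAA line is an assumption.
ZONE: Zone = {
    "beta.shop.example.com": {"A": ["198.51.100.54"]},
    "shop.example.com": {"CNAME": ["xmpl.cdn.bighost.com"]},
    "example.com": {
        "A": ["198.51.100.4"],
        "MX": ["10 mail1.mailhost.fast"],
        "NS": ["ns1.cheapdns.biz", "ns2.cheapdns.org"],
        "CAA": ['0 issue "ca-one.example"'],  # assumed, not in the thread
    },
    "cdn.bighost.com": {"DNAME": ["cdnhost.xyz"]},
    "bighost.com": {"NS": ["ns1.dnshost.com", "ns2.dnshost.com"]},
    "xmpl.cdnhost.xyz": {"A": ["203.0.113.231"]},
    "cdnhost.xyz": {"NS": ["ns1.dnshost.com", "ns2.dnshost.com"]},
}


def parent(name: str) -> Optional[str]:
    """Label immediately above name; None once name is a TLD."""
    if "." not in name:
        return None
    return name.split(".", 1)[1]


def alias_target(name: str, zone: Zone) -> Optional[str]:
    """Where a CNAME at name, or a DNAME at a proper ancestor, redirects to.

    A DNAME at the owner name itself does not alias that name, only names
    below it, so only proper ancestors are consulted for DNAME.
    """
    cname = zone.get(name, {}).get("CNAME")
    if cname:
        return cname[0]
    ancestor = parent(name)
    while ancestor is not None:
        dname = zone.get(ancestor, {}).get("DNAME")
        if dname:
            prefix = name[: -len(ancestor) - 1]  # labels below the DNAME owner
            return f"{prefix}.{dname[0]}"
        ancestor = parent(ancestor)
    return None


def relevant_caa(name: str, zone: Zone, trace: List[str]) -> List[str]:
    """Recursive rule: own CAA, else CAA via alias, else parent, stop at TLD.

    `trace` records every name whose CAA RRset is consulted, in order.
    A name already in the trace is an alias loop and is treated as empty.
    """
    if name in trace:
        return []
    trace.append(name)
    caa = zone.get(name, {}).get("CAA", [])
    if caa:
        return caa
    target = alias_target(name, zone)
    if target is not None:
        found = relevant_caa(target, zone, trace)
        if found:
            return found
    up = parent(name)
    if up is None:
        return []
    return relevant_caa(up, zone, trace)


def caa_lookup_sequence(name: str, zone: Zone = ZONE) -> Tuple[List[str], List[str]]:
    """Return (names consulted in order, the CAA RRset that governs issuance)."""
    trace: List[str] = []
    return trace, relevant_caa(name, zone, trace)


def zone_with_caa(zone: Zone, name: str, rdata: str) -> Zone:
    """Copy of zone with an extra CAA record at name (assumed data)."""
    new_zone = copy.deepcopy(zone)
    new_zone.setdefault(name, {}).setdefault("CAA", []).append(rdata)
    return new_zone


if __name__ == "__main__":
    for label, zone in (("CAA only at example.com", ZONE),
                        ("CAA also at cdnhost.xyz",
                         zone_with_caa(ZONE, "cdnhost.xyz", '0 issue "cdn-ca.example"'))):
        names, caa = caa_lookup_sequence("beta.shop.example.com", zone)
        print(label)
        for n in names:
            print("  query CAA", n)
        print("  governing CAA:", caa or "(none)")
```

Run it as a script to see both scenarios printed; the second shows that the CDN operator's zone, not example.com, ends up governing issuance for beta.shop.example.com under this reading, which is exactly the kind of outcome a domain owner relying on CAA should know about before aliasing names into a third party's tree.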
