[cabfpub] Ballot 187 - Make CAA Checking Mandatory

Peter Bowen pzb at amzn.com
Sat Feb 25 10:45:17 MST 2017


> On Feb 25, 2017, at 8:16 AM, philliph--- via Public <public at cabforum.org> wrote:
> 
> 
>> On Feb 24, 2017, at 9:17 PM, Peter Bowen <pzbowen at gmail.com> wrote:
>> 
>> On Fri, Feb 24, 2017 at 5:49 PM, philliph--- via Public
>> <public at cabforum.org> wrote:
>>> On the CAA recursive part, I am trying to track down why there is an
>>> existing errata that makes a normative change with held for update status.
>>> 
>>> The issue here is not in the PKIX part, it is what a CNAME/DNAME record
>>> means. Different people in the DNS community took different positions. We
>>> ended up concluding that the recursive interpretation was the appropriate
>>> one, i.e. least likely to cause mistakes.
>> 
>> I'm still confused.  Consider the following records (I'm leaving out
>> class and TTL for simplicity):
>> 
>> beta.shop.example.com. A 198.51.100.54
>> shop.example.com. CNAME xmpl.cdn.bighost.com.
>> example.com. A 198.51.100.4
>> example.com. MX 10 mail1.mailhost.fast.
>> example.com. NS ns1.cheapdns.biz.
>> example.com. NS ns2.cheapdns.org.
>> 
>> cdn.bighost.com. DNAME cdnhost.xyz.
>> bighost.com. NS ns1.dnshost.com.
>> bighost.com. NS ns2.dnshost.com.
>> 
>> xmpl.cdnhost.xyz. A 203.0.113.231
>> cdnhost.xyz. NS ns1.dnshost.com.
>> cdnhost.xyz. NS ns2.dnshost.com.
>> 
>> If a CA gets a certificate request that includes
>> dNSName:beta.shop.example.com, what DNS queries must it make to check
>> for CAA records?
>> 
>> Thanks,
>> Peter
> 
> The sequence is:
> beta.shop.example.com
> shop.example.com
> xmpl.cdn.bighost.com
> cdn.bighost.com  *
> xmpl.cdnhost.xyz  *
> cdnhost.xyz  *
> xyz  *
> shop.example.com
> example.com
> com

I’m a little confused how you got this list.  Assume Q(name, type) = type, data means a lookup for name with a given type.

Q(beta.shop.example.com, CAA) = <no answers>
Q(beta.shop.example.com, DNAME) = <no answers>
Q(shop.example.com, CAA) = CNAME, xmpl.cdn.bighost.com.
Q(xmpl.cdn.bighost.com, CAA) = CNAME, xmpl.cdnhost.xyz.
Q(xmpl.cdnhost.xyz, CAA) = <no answers>
Q(xmpl.cdnhost.xyz, DNAME) = <no answers>
Q(cdnhost.xyz, CAA) = <no answers>
Q(cdnhost.xyz, DNAME) = <no answers>
Q(xyz, CAA) = <no answers>
Q(xyz, DNAME) = <no answers>
Q(cdn.bighost.com, CAA) = <no answers>
Q(cdn.bighost.com, DNAME) = DNAME, cdnhost.xyz
# Not doing Q(cdnhost.xyz, CAA) to Q(xyz, DNAME) as we already did it
Q(bighost.com, CAA) = <no answers>
Q(bighost.com, DNAME) = <no answers>
Q(com, CAA) = <no answers>
Q(com, DNAME) = <no answers>
Q(example.com, CAA) = <no answers>
Q(example.com, DNAME) = <no answers>
# Not doing Q(com, CAA) and Q(com, DNAME) as we already did it; if it was example.net, we would do Q(net, …) here
Result: no CAA record found

If any of the requests for Q(…, CAA) had returned a CAA answer, then this process would have stopped immediately and that data would be returned.

Does this match your expectation?

Thanks,
Peter

P.S. Here is a real world DNAME example, for those who have never run across one before:

Nameserver: ns2.brookes.ac.uk.
;; QUESTION SECTION:
;; foobar.oxfordbrookes.ac.uk.	IN	CAA

;; ANSWER SECTION:
oxfordbrookes.ac.uk.	28800	IN	DNAME	brookes.ac.uk.
foobar.oxfordbrookes.ac.uk.	28800	IN	CNAME	foobar.brookes.ac.uk.

;; AUTHORITY SECTION:
brookes.ac.uk.	900	IN	SOA	ns1.brookes.ac.uk. dns-contact.brookes.ac.uk. 44762 10800 3600 2592000 900


Nameserver: ns2.brookes.ac.uk.
;; QUESTION SECTION:
;; oxfordbrookes.ac.uk.	IN	CAA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
oxfordbrookes.ac.uk.	900	IN	SOA	ns1.brookes.ac.uk. dns-contact.brookes.ac.uk. 43 10800 3600 2592000 900

Nameserver: ns2.brookes.ac.uk.
;; QUESTION SECTION:
;; oxfordbrookes.ac.uk.	IN	DNAME

;; ANSWER SECTION:
oxfordbrookes.ac.uk.	28800	IN	DNAME	brookes.ac.uk.

;; AUTHORITY SECTION:

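The query sequence in the reply above is easier to check mechanically than by hand. The following is an added example, not code from the message or from the CA/Browser Forum: a stub resolver over the constructed records from the question, plus a tree-climb in the RFC 6844 section 4 shape (CAA at X, then the alias A(X) via CNAME or DNAME, then the parent P(X)) under the recursive interpretation discussed in the thread. The `query`, `caa_lookup` and `caa_for` names are this example's own; the stub's DNAME handling (synthesising a CNAME into the target tree) and its "already climbed" bookkeeping, which reproduces the two "not doing ... as we already did it" comments, are assumptions about resolver behaviour rather than anything the message specifies.

```python
"""Simulated CAA tree-climb with CNAME/DNAME following (RFC 6844 section 4).

Added example; not part of the original mailing-list message. The records
below are the constructed zone data from the question in the thread. The stub
resolver is an assumption standing in for real DNS: it returns a CNAME at the
queried owner, or synthesises one from a DNAME at an ancestor, the way an
authoritative server would.
"""

# Constructed records (owner, type, rdata) from the thread; class/TTL omitted.
ZONE = [
    ("beta.shop.example.com", "A", "198.51.100.54"),
    ("shop.example.com", "CNAME", "xmpl.cdn.bighost.com"),
    ("example.com", "A", "198.51.100.4"),
    ("example.com", "MX", "10 mail1.mailhost.fast"),
    ("example.com", "NS", "ns1.cheapdns.biz"),
    ("example.com", "NS", "ns2.cheapdns.org"),
    ("cdn.bighost.com", "DNAME", "cdnhost.xyz"),
    ("bighost.com", "NS", "ns1.dnshost.com"),
    ("bighost.com", "NS", "ns2.dnshost.com"),
    ("xmpl.cdnhost.xyz", "A", "203.0.113.231"),
    ("cdnhost.xyz", "NS", "ns1.dnshost.com"),
    ("cdnhost.xyz", "NS", "ns2.dnshost.com"),
]


def parent(name):
    """P(X): drop the leftmost label; the empty string stands for the root."""
    return name.partition(".")[2]


def query(zone, name, qtype):
    """Q(name, type): return (answer_type, rdata) or None for no answer.

    Order mirrors an authoritative server: an exact RRset of the requested
    type wins; otherwise a CNAME at the owner; otherwise a DNAME at an
    ancestor, from which a CNAME into the target tree is synthesised.
    A DNAME at the queried name itself is only returned for qtype DNAME,
    since a DNAME aliases the subtree below its owner, not the owner.
    """
    for owner, rtype, rdata in zone:
        if owner == name and rtype == qtype:
            return (rtype, rdata)
    for owner, rtype, rdata in zone:
        if owner == name and rtype == "CNAME":
            return (rtype, rdata)
    ancestor = parent(name)
    while ancestor:
        for owner, rtype, rdata in zone:
            if owner == ancestor and rtype == "DNAME":
                prefix = name[: -(len(ancestor) + 1)]
                return ("CNAME", prefix + "." + rdata)
        ancestor = parent(ancestor)
    return None


def caa_lookup(zone, name, trace, done):
    """R(X): CAA(X), else R(A(X)), else R(P(X)); stops at the TLD.

    `trace` records every Q(name, type) made, in order. `done` records names
    already climbed so that a subtree reached twice (cdnhost.xyz is reached
    via the CNAME chain and again via the DNAME) is not queried again.
    """
    while name and name not in done:
        done.add(name)
        trace.append((name, "CAA"))
        answer = query(zone, name, "CAA")
        if answer and answer[0] == "CAA":
            return answer[1]          # first CAA RRset found ends the search
        alias = answer[1] if answer and answer[0] == "CNAME" else None
        if alias is None:
            # No alias surfaced by the CAA query: ask for a DNAME explicitly.
            trace.append((name, "DNAME"))
            answer = query(zone, name, "DNAME")
            if answer and answer[0] == "DNAME":
                alias = answer[1]
        if alias is not None:
            found = caa_lookup(zone, alias, trace, done)
            if found is not None:
                return found
        name = parent(name)
    return None


def caa_for(zone, name):
    """Resolve the relevant CAA RRset for a dNSName; returns (rdata, trace)."""
    trace, done = [], set()
    return caa_lookup(zone, name, trace, done), trace


if __name__ == "__main__":
    result, trace = caa_for(ZONE, "beta.shop.example.com")
    for qname, qtype in trace:
        print(f"Q({qname}, {qtype})")
    print("Result:", result or "no CAA record found")
```

Adding a single CAA RRset somewhere along that path, for instance at `cdnhost.xyz`, shortens the trace to the point where it is found, which is the "would have stopped immediately" behaviour the reply describes.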