[cabfpub] Ballot 187 - Make CAA Checking Mandatory

Peter Bowen pzb at amzn.com
Sat Feb 25 02:28:29 UTC 2017

> On Feb 24, 2017, at 5:49 PM, philliph--- via Public <public at cabforum.org> wrote:
> On the CAA recursive part, I am trying to track down why there is an existing errata that makes a normative change with held for update status.
> The issue here is not in the PKIX part, it is what a CNAME/DNAME record means. Different people in the DNS community took different positions. We ended up concluding that the recursive interpretation was the appropriate one, i.e. least likely to cause mistakes.
> The reasoning behind this was that in most cases a CNAME from ‘example.net <http://example.net/>’ to ‘example.com <http://example.com/>’ is typically used for internal redirects mapping one service name onto another. An outsourcing relationship, would typically be realized using MX or SRV.

I'm still confused.  Consider the following records (I'm leaving out
class and TTL for simplicity, along with the root and com delegations):

beta.shop.example.com <http://beta.shop.example.com/>. A
shop.example.com <http://shop.example.com/>. CNAME xmpl.cdn.bighost.com <http://xmpl.cdn.bighost.com/>.
example.com <http://example.com/>. A
example.com <http://example.com/>. MX 10 mail1.mailhost.fast.
example.com <http://example.com/>. NS ns1.cheapdns.biz <http://ns1.cheapdns.biz/>.
example.com <http://example.com/>. NS ns2.cheapdns.org <http://ns2.cheapdns.org/>.

cdn.bighost.com <http://cdn.bighost.com/>. DNAME cdnhost.xyz <http://cdnhost.xyz/>.
bighost.com <http://bighost.com/>. NS ns1.dnshost.com <http://ns1.dnshost.com/>.
bighost.com <http://bighost.com/>. NS ns2.dnshost.com <http://ns2.dnshost.com/>.

xmpl.cdnhost.xyz <http://xmpl.cdnhost.xyz/>. A
cdnhost.xyz <http://cdnhost.xyz/>. NS ns1.dnshost.com <http://ns1.dnshost.com/>.
cdnhost.xyz <http://cdnhost.xyz/>. NS ns2.dnshost.com <http://ns2.dnshost.com/>.

If a CA gets a certificate request that includes
dNSName:beta.shop.example.com <http://beta.shop.example.com/>, what DNS queries must it make to check
for CAA records?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170224/dd82a3d9/attachment-0002.html>

More information about the Public mailing list