[cabfpub] Draft CAA motion (4)

Doug Beattie doug.beattie at globalsign.com
Wed Jan 25 08:12:44 MST 2017



> For example, the addition of "If a CNAME or DNAME record is found, then the CAA check will start
> over using the returned value as the new input to the CAA check." is introducing ambiguity, because
> it's incompatible with the algorithm described - namely, the CAA check does not start over, because
> the CAA check would have already accounted for the CNAME/DNAME traversal.

There are a couple of things that are not clear to me:

1) This is the specified processing logic for handling CNAME and DNAME records says:
If A(X) is not null (i.e, there is a CNAME or DNAME record for X), and R(A(X)) is not empty, then R(X) = R(A(X)), otherwise <continue…>

If a CA is looking up foo.example.com and there was a CNAME to bar.domain.com what do they check?  As written, the RFC says to check bar.domain.com for a CAA record and if there is one use it, otherwise continue with processing (look for CAA record for example.com then alias for example.com).  I was assuming that we’d want to dig a little deeper into bar.domain.com by checking CAA record for domain.com and alias for domain.com.

Perhaps my wording of “starting over again” is not accurate, and I should have added step 2.1 that says:
2.1 If A(X) is null, then spawn a new CAA check with CAA(A(X)).  If this check ends with R(X) being empty, then continue processing with step 3

What is the correct interpretation of the RFC, are the alias’s chased down or just checked at that one level?  Does anyone care?


2) The definition of when to stop CAA checking is not clear.  The RFC says: the processing scenario says to stop when X is a top-level domain

The BRs define “Base Domain Name”, which is where we should stop for processing BR compliant TLS certificates.  Do we want to proceed up to the “top-level domain” (undefined term) looking for CAA records for TLS certificates, or do we want to stop at Base Domain Name?  I think for our purposes we need to stop searching for CAA records when we hit the Base Domain Name.






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170125/4fded85f/attachment.html>


More information about the Public mailing list