[cabfpub] Draft CAA motion (4)

Ryan Sleevi sleevi at google.com
Wed Jan 25 09:06:26 MST 2017


On Wed, Jan 25, 2017 at 7:12 AM, Doug Beattie <doug.beattie at globalsign.com>
wrote:

> > For example, the addition of "If a CNAME or DNAME record is found, then
> > the CAA check will start over using the returned value as the new input
> > to the CAA check." is introducing ambiguity, because it's incompatible
> > with the algorithm described - namely, the CAA check does not start
> > over, because the CAA check would have already accounted for the
> > CNAME/DNAME traversal.
>
> There are a couple of things that are not clear to me:
>
> 1) The specified processing logic for handling CNAME and DNAME records
> says:
>
> If A(X) is not null (i.e., there is a CNAME or DNAME record for X), and
> R(A(X)) is not empty, then R(X) = R(A(X)), otherwise <continue…>
>
> If a CA is looking up foo.example.com and there was a CNAME to
> bar.domain.com, what do they check?  As written, the RFC says to check
> bar.domain.com for a CAA record and if there is one use it, otherwise
> continue with processing (look for CAA record for example.com then alias
> for example.com).  I was *assuming* that we’d want to dig a little deeper
> into bar.domain.com by checking CAA record for domain.com and alias for
> domain.com.
>


R(X) is defined recursively, so R(A(X)) would recurse into R(P(A(X))) if
CAA(A(X)) was empty. So it would examine bar.domain.com, domain.com, and
.com before continuing to examine example.com and .com.



> Perhaps my wording of “starting over again” is not accurate, and I should
> have added step 2.1 that says:
>
> 2.1 If A(X) is null, then spawn a new CAA check with CAA(A(X)).  If this
> check ends with R(X) being empty, then continue processing with step 3
>

That's already specified in the RFC.

If A(X) is not null, and R(A(X)) is not empty, then R(X) = R(A(X)),
otherwise


> 2) The definition of when to stop CAA checking is not clear.  The RFC
> says: the processing scenario says to stop when X is a top-level domain.
>
> The BRs define “Base Domain Name”, which is where we should stop for
> processing BR compliant TLS certificates.  Do we want to proceed up to the
> “top-level domain” (undefined term) looking for CAA records for TLS
> certificates, or do we want to stop at Base Domain Name?  I think for our
> purposes we need to stop searching for CAA records when we hit the Base
> Domain Name.
>
No, top-level domain is just that - the top-level domain. So you would
search for a CAA record for .com, for example.
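The lookup described in this exchange, R(X) as defined in RFC 6844 section 4 with its recursion through alias targets and the stop at the top-level domain, worked through as an added example. This is not code from the thread, the RFC or any CA; the zone data, the helper names, the DNAME synthesis and the MAX_ALIAS_DEPTH loop guard are assumptions made for the illustration:

```python
"""
RFC 6844 section 4 "Relevant Resource Record Set" lookup, R(X), run over a
constructed in-memory zone (added example; zone contents and helper names
are assumptions, not from the thread or from any real DNS data).

For a label X the RFC defines
  CAA(X)  the CAA records at X
  P(X)    the label immediately above X
  A(X)    the target of a CNAME or DNAME alias at X
and then
  1. if CAA(X) is not empty, R(X) = CAA(X); otherwise
  2. if A(X) is not null and R(A(X)) is not empty, R(X) = R(A(X)); otherwise
  3. if X is not a top-level domain, R(X) = R(P(X)); otherwise
  4. R(X) is empty.
R is recursive, so step 2 climbs the alias target's parents before the
search falls back to X's own parents; the TLD itself is still queried.
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone (assumption): name -> records present at that name.
ZONE: Dict[str, Dict[str, object]] = {
    "foo.example.com": {"CNAME": "bar.domain.com"},
    "domain.com": {"CAA": ['0 issue "ca-a.example"']},
    "example.com": {"CAA": ['0 issue "ca-b.example"']},
    "baz.example.com": {"CNAME": "nowhere.other.net"},
    "legacy.example.net": {"DNAME": "new.example.org"},
    "new.example.org": {"CAA": ['0 issue "ca-c.example"']},
}

# Not in the RFC text: a bound on alias hops so a CNAME loop terminates.
MAX_ALIAS_DEPTH = 8


def caa(zone: Dict[str, Dict[str, object]], x: str) -> List[str]:
    """CAA(X): the CAA record set at X, empty when there is none."""
    return list(zone.get(x, {}).get("CAA", []))


def parent(x: str) -> Optional[str]:
    """P(X): the label immediately above X, or None when X is a TLD."""
    if "." not in x:
        return None
    return x.split(".", 1)[1]


def alias(zone: Dict[str, Dict[str, object]], x: str) -> Optional[str]:
    """A(X): the CNAME target at X, or the name a DNAME on a proper
    ancestor of X would synthesise (the alias a resolver hands back)."""
    cname = zone.get(x, {}).get("CNAME")
    if cname:
        return str(cname)
    z = parent(x)
    while z is not None:
        dname = zone.get(z, {}).get("DNAME")
        if dname:
            return x[: -len(z)] + str(dname)
        z = parent(z)
    return None


def relevant(zone: Dict[str, Dict[str, object]], x: str,
             trace: Optional[List[str]] = None,
             depth: int = 0) -> Tuple[List[str], List[str]]:
    """R(X) per RFC 6844 s.4; returns (records, labels examined in order)."""
    trace = [] if trace is None else trace
    trace.append(x)
    records = caa(zone, x)
    if records:                                   # step 1
        return records, trace
    target = alias(zone, x)
    if target is not None and depth < MAX_ALIAS_DEPTH:   # step 2
        records, _ = relevant(zone, target, trace, depth + 1)
        if records:
            return records, trace
    p = parent(x)
    if p is not None:                             # step 3
        return relevant(zone, p, trace, depth)
    return [], trace                              # step 4: X was a TLD


if __name__ == "__main__":
    for name in ("foo.example.com", "baz.example.com",
                 "www.legacy.example.net", "unrelated.test"):
        records, trace = relevant(ZONE, name)
        print(f"R({name}) = {records or 'empty'}; examined {' -> '.join(trace)}")
```

For foo.example.com the trace is foo.example.com, bar.domain.com, domain.com: the alias target has no CAA record, so the recursion climbs to domain.com and finds one there, which is the "dig a little deeper" behaviour Doug assumed and the RFC already specifies. For baz.example.com the alias branch examines nowhere.other.net, other.net and net, finds nothing, and only then falls back to example.com, matching the order given above. A name with no CAA anywhere ends at the TLD with an empty set. The depth bound is a practical safeguard the RFC does not spell out: without it, two names that CNAME to each other would recurse forever, and a CA's CAA check has to terminate before issuance can be decided.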