[cabfpub] Draft CAA motion (4)

Doug Beattie doug.beattie at globalsign.com
Wed Jan 25 14:19:04 MST 2017


I believe that my recommendation and your implied functional agreement with it could be wrong.  Let me ask the question another way

1.       If CAA(X) is not empty, R(X) = CAA (X), otherwise

2.       If A(X) is not null (i.e, there is a CNAME or DNAME record for X), and R(A(X)) is not empty, then R(X) = R(A(X)), otherwise

3.       If X is not a Base Domain Name, then R(X) = R(P(X)) and perform check again starting at step 1, otherwise

4.       R(X) is empty.

In step 2 if A(X) is null (not a defined state in the above), what happens?  Does it proceed with 3 (implied by the definition above), or does it do a CAA check on A(X) – basically start at step 1 with CAA(A(X)) and if empty, then return to step 3 and finish up with A(X) processing?

On the other topic of when to stop recursive DNS lookup: It’s apparent that Registries can set CAA records which would take effect for all Top Level Domains without CAA records.  I’m assuming that was the intent because it’s in the RFC, but why do we want allow a Registry to set TLS issuance policies for all domains purchased from them?  A malicious actor or registry admin could cause a denial of service for TLS issuance for every domain under that TLD.  I don’t see a value in traversing the DNS any further than the Top Level Domain.  Does anyone understand why CAA checking goes all the way to the root?

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Wednesday, January 25, 2017 11:06 AM
To: Doug Beattie <doug.beattie at globalsign.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; Gervase Markham <gerv at mozilla.org>
Subject: Re: [cabfpub] Draft CAA motion (4)

On Wed, Jan 25, 2017 at 7:12 AM, Doug Beattie <doug.beattie at globalsign.com<mailto:doug.beattie at globalsign.com>> wrote:

> For example, the addition of "If a CNAME or DNAME record is found, then the CAA check will start
> over using the returned value as the new input to the CAA check." is introducing ambiguity, because
> it's incompatible with the algorithm described - namely, the CAA check does not start over, because
> the CAA check would have already accounted for the CNAME/DNAME traversal.

There are a couple of things that are not clear to me:

1) This is the specified processing logic for handling CNAME and DNAME records says:
If A(X) is not null (i.e, there is a CNAME or DNAME record for X), and R(A(X)) is not empty, then R(X) = R(A(X)), otherwise <continue…>

If a CA is looking up foo.example.com<http://foo.example.com> and there was a CNAME to bar.domain.com<http://bar.domain.com> what do they check?  As written, the RFC says to check bar.domain.com<http://bar.domain.com> for a CAA record and if there is one use it, otherwise continue with processing (look for CAA record for example.com<http://example.com> then alias for example.com<http://example.com>).  I was assuming that we’d want to dig a little deeper into bar.domain.com<http://bar.domain.com> by checking CAA record for domain.com<http://domain.com> and alias for domain.com<http://domain.com>.

R(X) is defined recursively, so R(A(X)) would recurse into R(P(A(X))) if CAA(A(X)) was empty. So it would examine bar.domain.com<http://bar.domain.com>, domain.com<http://domain.com>, and .com before continuing to examine example.com<http://example.com> and .com.

Perhaps my wording of “starting over again” is not accurate, and I should have added step 2.1 that says:
2.1 If A(X) is null, then spawn a new CAA check with CAA(A(X)).  If this check ends with R(X) being empty, then continue processing with step 3

That's already specified in the RFC.

If A(X) is not null, and R(A(X)) is not empty, then R(X) = R(A(X)), otherwise

2) The definition of when to stop CAA checking is not clear.  The RFC says: the processing scenario says to stop when X is a top-level domain

The BRs define “Base Domain Name”, which is where we should stop for processing BR compliant TLS certificates.  Do we want to proceed up to the “top-level domain” (undefined term) looking for CAA records for TLS certificates, or do we want to stop at Base Domain Name?  I think for our purposes we need to stop searching for CAA records when we hit the Base Domain Name.

No, Top Level domain is just that - the top-level domain. So you would search for a CAA record for .com, for example.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170125/c0ea7e50/attachment-0001.html>

More information about the Public mailing list