[cabfpub] Draft CAA motion (4)

Ryan Sleevi sleevi at google.com
Wed Jan 25 14:31:23 MST 2017


On Wed, Jan 25, 2017 at 1:19 PM, Doug Beattie <doug.beattie at globalsign.com>
wrote:

> Ryan,
>
> I believe that my recommendation and your implied functional agreement
> with it could be wrong.  Let me ask the question another way:
>
> 1. If CAA(X) is not empty, R(X) = CAA(X), otherwise
>
> 2. If A(X) is not null (i.e., there is a CNAME or DNAME record for
> X), and R(A(X)) is not empty, then R(X) = R(A(X)), otherwise
>
> 3. If X is not a Base Domain Name, then R(X) = R(P(X)) and perform
> the check again starting at step 1, otherwise
>
> 4. R(X) is empty.
>
> In step 2, if A(X) is null (not a defined state in the above), what
> happens?
>

I'm surprised to hear you don't think it's a defined state. I'm not sure
how you're reading that.


> Does it proceed with 3 (implied by the definition above), or does it do a
> CAA check on A(X) – basically start at step 1 with CAA(A(X)) and if empty,
> then return to step 3 and finish up with A(X) processing?
>

2. If (Cond 1), and (Cond 2), then X, otherwise
3. If (Cond 3), then Y, otherwise
4. Z

"if A(X) is null" is a failure of Cond 1, so yes, it proceeds to 3.
"If A(X) is not null", but R(A(X)) is, it's a failure of Cond 2, so yes, it
proceeds to 3.

If A(X) is null, you proceed to step 3.
If R(A(X)) is null, you proceed to step 3.
If A(X) is not null and R(A(X)) is not null, you use that value.

R(A(X)) is defined recursively - meaning for foo.example.com and
bar.example.com, where foo.example.com is a CNAME to bar.example.net, and
the CAA record is set on ".net", you'd do

CAA(foo.example.com) - nothing
CNAME(foo.example.com) - bar.example.net
CAA(bar.example.net) - nothing
CNAME(bar.example.net) - nothing
CAA(example.net) - nothing
CNAME(example.net) - nothing
CAA(net) - value

And return CAA(net)

If the CAA record was on com, and example.net was CNAMEd to example.org,
you'd do
CAA(foo.example.com) - nothing
CNAME(foo.example.com) - bar.example.net
CAA(bar.example.net) - nothing
CNAME(bar.example.net) - nothing
CAA(example.net) - nothing
CNAME(example.net) - example.org
CAA(example.org) - nothing
CNAME(example.org) - nothing
CAA(org) - nothing
CNAME(org) - nothing
CAA(net) - nothing
CNAME(net) - nothing
CAA(example.com) - nothing
CNAME(example.com) - nothing
CAA(com) - value

> On the other topic of when to stop recursive DNS lookup: it’s apparent
> that Registries can set CAA records which would take effect for all Top
> Level Domains without CAA records.  I’m assuming that was the intent
> because it’s in the RFC, but why do we want to allow a Registry to set TLS
> issuance policies for all domains purchased from them?  A malicious actor
> or registry admin could cause a denial of service for TLS issuance for
> every domain under that TLD.  I don’t see a value in traversing the DNS any
> further than the Top Level Domain.  Does anyone understand why CAA checking
> goes all the way to the root?
>

Because DNS is hierarchical and the root is authoritative. It's intentional
and by design that it goes to the root. And registries can (and do) already
set HPKP policies for entire TLDs.

This is especially relevant for so-called ".brand TLDs" that may very well
want to see the CAA policy on the TLD, for all domains in that TLD.
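The lookup rules quoted in this message, coded up as an added example that is not part of the thread or of any CA's implementation: it runs the draft's R(X) steps against a constructed in-memory zone table instead of live DNS, records every query so the two walkthroughs above can be reproduced, and adds an alias-depth cap (an assumption of this example, not the draft) so a CNAME loop cannot recurse without bound. Treating a single-label name as the "Base Domain Name" is also this example's assumption.

```python
# Added example (not from the thread): the draft R(X) rules run against a
# constructed zone table. The table layout, the "base domain name = single
# label" rule and the alias depth cap are this example's own assumptions.

def parent(name):
    """P(X): drop the leftmost label, e.g. 'bar.example.net' -> 'example.net'."""
    return name.split(".", 1)[1]

def is_base_domain(name):
    # Assumption: a single-label name (the TLD) is the base domain name, which is
    # where both traces in the message stop climbing.
    return "." not in name

def lookup_caa(name, zone, trace, depth=0, max_depth=8):
    """R(X): return the CAA record set relevant to name ([] when empty).
    zone:  {name: {"CAA": [...], "CNAME": target}} (constructed table)
    trace: list receiving every query made, in order, for inspection
    """
    if depth > max_depth:
        # A resolver must bound alias chasing or a CNAME loop recurses forever.
        raise RuntimeError("alias chain too deep while resolving %s" % name)
    rec = zone.get(name, {})
    caa = rec.get("CAA", [])
    trace.append(("CAA", name, caa or "nothing"))
    if caa:                                   # step 1: CAA(X) not empty
        return caa
    alias = rec.get("CNAME")
    trace.append(("CNAME", name, alias or "nothing"))
    if alias:                                 # step 2: A(X) not null ...
        result = lookup_caa(alias, zone, trace, depth + 1, max_depth)
        if result:                            # ... and R(A(X)) not empty
            return result
    if not is_base_domain(name):              # step 3: climb to P(X)
        return lookup_caa(parent(name), zone, trace, depth, max_depth)
    return []                                 # step 4: nothing found

def resolve_with_trace(name, zone):
    trace = []
    return lookup_caa(name, zone, trace), trace

# Constructed zones for the two walkthroughs in the message.
ZONE_NET_CASE = {
    "foo.example.com": {"CNAME": "bar.example.net"},
    "net": {"CAA": ['0 issue "ca.example"']},
}
ZONE_COM_CASE = {
    "foo.example.com": {"CNAME": "bar.example.net"},
    "example.net": {"CNAME": "example.org"},
    "com": {"CAA": ['0 issue "ca.example"']},
}
```

The sequence of `CAA` entries in the returned trace for `ZONE_COM_CASE` is exactly the fifteen-query walkthrough above, ending at `CAA(com)`.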