[cabfpub] Draft CAA motion (4)

Erwann Abalea Erwann.Abalea at docusign.com
Mon Jan 30 14:09:00 MST 2017


Some corrections in the description below.

Regards,
Erwann Abalea

On 25 Jan 2017 at 22:31, Ryan Sleevi via Public <public at cabforum.org> wrote:



On Wed, Jan 25, 2017 at 1:19 PM, Doug Beattie <doug.beattie at globalsign.com> wrote:
Ryan,

I believe that my recommendation and your implied functional agreement with it could be wrong.  Let me ask the question another way:

1. If CAA(X) is not empty, R(X) = CAA(X), otherwise

2. If A(X) is not null (i.e., there is a CNAME or DNAME record for X), and R(A(X)) is not empty, then R(X) = R(A(X)), otherwise

3. If X is not a Base Domain Name, then R(X) = R(P(X)) and perform check again starting at step 1, otherwise

4. R(X) is empty.

In step 2 if A(X) is null (not a defined state in the above), what happens?

I'm surprised to hear you don't think it's a defined state. I'm not sure how you're reading that.

Does it proceed with 3 (implied by the definition above), or does it do a CAA check on A(X) – basically start at step 1 with CAA(A(X)) and if empty, then return to step 3 and finish up with A(X) processing?

2. If (Cond 1), and (Cond 2), then X, otherwise
3. If (Cond 3), then Y, otherwise
4. Z

"if A(X) is null" is a failure of Cond 1, so yes, it proceeds to 3.
"If A(X) is not null", but R(A(X)) is, it's a failure of Cond 2, so yes, it proceeds to 3.

If A(X) is null, you proceed to step 3.
If R(A(X)) is null, you proceed to step 3.
If A(X) is not null and R(A(X)) is not null, you use that value.

R(A(X)) is defined recursively - meaning for foo.example.com and bar.example.com, where foo.example.com is a CNAME to bar.example.net, and the CAA record is set on ".net", you'd do

CAA(foo.example.com) - nothing
CNAME(foo.example.com) - bar.example.net

More precisely, when you’re requesting the CAA record set (or any other record type) for foo.example.org, you get the CNAME record (bar.example.net) if it’s present. That is, send 1 query, get these 2 answers (presence/absence of a CAA, and presence/absence of a CNAME).
That’s true for DNAME also, with a minor exception, but it’s sufficient to require an explicit query.

CAA(bar.example.net) - nothing
CNAME(bar.example.net) - nothing

Again, this is one query only, and the result is that there’s no CAA and no CNAME.

CAA(example.net) - nothing
CNAME(example.net) - nothing

Again.

CAA(net) - value

And return CAA(net)

If the CAA record was on com, and example.net was CNAMEd to example.org, you'd do
CAA(foo.example.com) - nothing
CNAME(foo.example.com) - bar.example.net
CAA(bar.example.net) - nothing
CNAME(bar.example.net) - nothing
CAA(example.net) - nothing
CNAME(example.net) - example.org
CAA(example.org) - nothing
CNAME(example.org) - nothing
CAA(org) - nothing
CNAME(org) - nothing
CAA(net) - nothing
CNAME(net) - nothing
CAA(example.com) - nothing
CNAME(example.com) - nothing
CAA(com) - value



Extending the examples with a DNAME. A CAA record on « net. », « example.com » is a DNAME to « example.net », requesting the relevant CAA record for « foo.example.com »:

CAA(foo.example.com) -> foo.example.com CNAME foo.example.net, and example.com DNAME example.net (that is, you get both the DNAME and CNAME answers, but the DNAME can be ignored)
  CAA(foo.example.net) -> nothing
  DNAME(foo.example.net) -> nothing
  CAA(example.net) -> nothing
  DNAME(example.net) -> nothing
  CAA(net) -> value


There’s a degenerate case with DNAME, but since it’s rarely used I don’t think it’s something to take care of. Let’s imagine there’s no CAA record at all, « example.com » is a DNAME to « example.net », and you’re requesting the relevant CAA record for « foo.bar.example.com » (with some indentation for the recursive part):

CAA(foo.bar.example.com) -> foo.bar.example.com CNAME foo.bar.example.net, example.com DNAME example.net
  CAA(foo.bar.example.net) -> nothing
  DNAME(foo.bar.example.net) -> nothing
  CAA(bar.example.net) -> nothing
  DNAME(bar.example.net) -> nothing
  CAA(example.net) -> nothing
  DNAME(example.net) -> nothing
  CAA(net) -> nothing
CAA(bar.example.com) -> bar.example.com CNAME bar.example.net, example.com DNAME example.net
  CAA(bar.example.net) -> nothing
  DNAME(bar.example.net) -> nothing
  CAA(example.net) -> nothing
  DNAME(example.net) -> nothing
  CAA(net) -> nothing
CAA(example.com) -> nothing [*]
DNAME(example.com) -> example.com DNAME example.net
  CAA(example.net) -> nothing
  DNAME(example.net) -> nothing
  CAA(net) -> nothing
CAA(com) -> nothing


[*] On some resolvers, this query returns the CNAME+DNAME tuple. I’m not a DNS master, but I suspect the good answer to be the empty answer, justifying the explicit query for DNAMEs.
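The four-step lookup quoted in this thread, run over the CNAME and DNAME scenarios traced in both messages, as an added worked example (not code from the thread, the ballot draft, or any CA). It applies the draft's R(X) recursion to an in-memory zone that stands in for the DNS. The zone contents, the record value, the helper names, and the choice to treat a single-label name (the TLD) as the Base Domain Name, so that CAA(net) and CAA(com) are still queried as in the traces, are assumptions made for the example. Each scenario function returns R(X) together with the ordered list of names whose CAA set was queried, which can be compared line by line against the traces in the messages.

```python
# Added example: the draft's R(X) lookup (steps 1-4 quoted above) run over an
# in-memory zone.  Hypothetical code, not from the ballot draft or any CA.
from dataclasses import dataclass, field


@dataclass
class Zone:
    """Constructed stand-in for the DNS: record sets keyed by owner name."""
    caa: dict = field(default_factory=dict)    # owner -> list of CAA rdata
    cname: dict = field(default_factory=dict)  # owner -> CNAME target
    dname: dict = field(default_factory=dict)  # owner -> DNAME target

    def caa_set(self, name):
        """CAA(X): the CAA record set at X, empty if none."""
        return list(self.caa.get(name, []))

    def alias(self, name):
        """A(X): CNAME or DNAME target of X, or None.  A DNAME at an ancestor
        is applied the way a resolver synthesises a CNAME (RFC 6672): the
        matching suffix of X is rewritten to the DNAME target."""
        if name in self.cname:
            return self.cname[name]
        if name in self.dname:
            return self.dname[name]
        labels = name.split(".")
        for i in range(1, len(labels)):
            ancestor = ".".join(labels[i:])
            if ancestor in self.dname:
                return ".".join(labels[:i] + [self.dname[ancestor]])
        return None


def parent(name):
    """P(X): X with its leftmost label removed."""
    return name.split(".", 1)[1]


def is_base_domain(name):
    # Assumption for this example: a single-label name (the TLD) is the Base
    # Domain Name, so CAA(net) / CAA(com) is still queried, as in the traces.
    return "." not in name


def relevant_caa(zone, name, trace=None, depth=0):
    """R(X).  Returns (record set, names whose CAA set was queried, in order)."""
    if trace is None:
        trace = []
    if depth > 32:  # guard against CNAME loops and runaway alias chains
        raise RuntimeError("alias/parent chain too long at " + name)
    trace.append(name)
    # 1. If CAA(X) is not empty, R(X) = CAA(X)
    records = zone.caa_set(name)
    if records:
        return records, trace
    # 2. If A(X) is not null and R(A(X)) is not empty, R(X) = R(A(X))
    target = zone.alias(name)
    if target is not None:
        records, _ = relevant_caa(zone, target, trace, depth + 1)
        if records:
            return records, trace
    # 3. If X is not a Base Domain Name, R(X) = R(P(X)), starting again at step 1
    if not is_base_domain(name):
        return relevant_caa(zone, parent(name), trace, depth + 1)
    # 4. R(X) is empty
    return [], trace


CAA_VALUE = ['0 issue "ca.example"']  # constructed record value


def example_cname_to_net():
    """CAA on net; foo.example.com CNAME bar.example.net."""
    zone = Zone(caa={"net": CAA_VALUE}, cname={"foo.example.com": "bar.example.net"})
    return relevant_caa(zone, "foo.example.com")


def example_chained_cname_to_com():
    """CAA on com; foo.example.com CNAME bar.example.net; example.net CNAME example.org."""
    zone = Zone(caa={"com": CAA_VALUE},
                cname={"foo.example.com": "bar.example.net", "example.net": "example.org"})
    return relevant_caa(zone, "foo.example.com")


def example_dname_to_net():
    """CAA on net; example.com DNAME example.net; query foo.example.com."""
    zone = Zone(caa={"net": CAA_VALUE}, dname={"example.com": "example.net"})
    return relevant_caa(zone, "foo.example.com")


def example_dname_no_caa():
    """Degenerate case: no CAA anywhere; example.com DNAME example.net;
    query foo.bar.example.com.  Every branch is walked before R(X) is empty."""
    zone = Zone(dname={"example.com": "example.net"})
    return relevant_caa(zone, "foo.bar.example.com")


if __name__ == "__main__":
    for fn in (example_cname_to_net, example_chained_cname_to_com,
               example_dname_to_net, example_dname_no_caa):
        records, trace = fn()
        print(fn.__name__, records, "queries:", len(trace))
        print("  " + " -> ".join(trace))
```

Two things worth noticing when running it. The degenerate DNAME case costs 13 CAA queries for a name that has no CAA record anywhere, and a CNAME loop (a.example CNAME b.example, b.example CNAME a.example) never reaches step 3 at all, which is why the depth guard raises instead of recursing forever; a real implementation needs a query budget for the same reason. The mock issues a separate alias lookup per name, whereas, as noted above, a real resolver returns the CNAME (and, with the caveat given, the DNAME) in the same answer as the CAA query, so the on-the-wire count is lower than the trace length.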

