[cabfpub] FW: [Technical Errata Reported] RFC6844 (5029)

Phillip philliph at comodo.com
Tue Jun 6 07:35:38 MST 2017


This is the update for the CAA errata as approved by Jacob. Please review in case there is another cut n' paste screw up and we can go to a ballot.

Do I have a seconder?

-----Original Message-----
From: RFC Errata System [mailto:rfc-editor at rfc-editor.org] 
Sent: Tuesday, June 6, 2017 10:03 AM
To: philliph at comodo.com; rob.stradling at comodo.com; Kathleen.Moriarty.ietf at gmail.com; ekr at rtfm.com; kent at bbn.com; stefan at aaa-sec.com
Cc: philliph at comodo.com; pkix at ietf.org; rfc-editor at rfc-editor.org
Subject: [Technical Errata Reported] RFC6844 (5029)

The following errata report has been submitted for RFC6844, "DNS Certification Authority Authorization (CAA) Resource Record".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5029

--------------------------------------
Type: Technical
Reported by: Phillip Hallam-Baker <philliph at comodo.com>

Section: 4

Original Text
-------------
   Let CAA(X) be the record set returned in response to performing a CAA
   record query on the label X, P(X) be the DNS label immediately above
   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
   alias record specified at the label X.

   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise

   o  If A(X) is not null, and R(A(X)) is not empty, then R(X) =
      R(A(X)), otherwise

   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise

   o  R(X) is empty.

Corrected Text
--------------
   Let CAA(X) be the record set returned in response to performing a CAA
   record query on the label X, P(X) be the DNS label immediately above
   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
   alias record chain specified at the label X.

   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise

   o  If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
      CAA(A(X)), otherwise

   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise

   o  R(X) is empty.

  Thus, when a search at node X returns a CNAME record, the CA will
  follow the CNAME record to its target. If the target label contains a
  CAA record, it is returned. otherwise, the CA continues the search at
  the parent of node X.

  Note that the search does not include the parent of a target of a
  CNAME record (except when the CNAME points back to its own path).

  If the target of a CNAME record is itself a CNAME record, the CA MAY
  follow it or MAY ignore it. In either case, the search continues at
  the parent of the label containing the initial CNAME.

  Processing for DNAME is exactly the same as for CNAME. Note that since
  DNAME records are implemented by creating the corresponding CNAME
  records on the fly, it is only necessary for DNAME records to appear
  on the wire for purposes of DNSSEC.

Notes
-----
This is a correction of errata 4988 and 4992. It is a breaking change albeit one that is consistent with the text of the following example rather than the algorithm specification. The algorithm described in this errata is the algorithm currently implemented in running code.

A separate proposal is being made to change the discovery process. It is thus expected that a new RFC will be issued in due course but not necessarily describing the algorithm shown here.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC6844 (draft-ietf-pkix-caa-15)
--------------------------------------
Title               : DNS Certification Authority Authorization (CAA) Resource Record
Publication Date    : January 2013
Author(s)           : P. Hallam-Baker, R. Stradling
Category            : PROPOSED STANDARD
Source              : Public-Key Infrastructure (X.509)
Area                : Security
Stream              : IETF
Verifying Party     : IESG



More information about the Public mailing list