[cabfpub] CAA final errata proposed text

Phillip philliph at comodo.com
Wed Jun 14 10:52:06 MST 2017


The RFC Editor has deleted all three of the existing errata at my request. I
would like for the next errata to be the very last.

 

Could people read, review and state if this works for them?

 

 

 

Original Text

-------------

   Let CAA(X) be the record set returned in response to performing a CAA

   record query on the label X, P(X) be the DNS label immediately above

   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME

   alias record specified at the label X.

 

   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise

 

   o  If A(X) is not null, and R(A(X)) is not empty, then R(X) =

      R(A(X)), otherwise

 

   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise

 

   o  R(X) is empty.

 

 

Corrected Text

--------------

   Let CAA(X) be the record set returned in response to performing a CAA

   record query on the label X, P(X) be the DNS label immediately above

   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME

   alias record chain specified at the label X.

 

   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise

 

   o  If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =

      CAA(A(X)), otherwise

 

   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise

 

   o  R(X) is empty.

 

  Thus, when a search at node X returns a CNAME record, the CA will

  follow the CNAME record to its target. If the target label contains a

  CAA record, it is returned. otherwise, the CA continues the search at

  the parent of node X.

 

  Note that the search does not include the parent of a target of a

  CNAME record (except when the CNAME points back to its own path).

 

 To prevent resource exhaustion attacks, CAs should limit the length of 

  CNAME chains that are accepted. However CAs MUST process CNAME 

  chains that contain ten or fewer CNAME records.

 

  Processing for DNAME is exactly the same as for CNAME. Note that since

  DNAME records are implemented by creating the corresponding CNAME

  records on the fly, it is only necessary for DNAME records to appear

  on the wire for purposes of DNSSEC.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170614/a8a059b0/attachment-0001.html>


More information about the Public mailing list