[cabfpub] [UNVERIFIED SENDER]Re: no CAA authorizations -- RFC 6844

y-iida at secom.co.jp y-iida at secom.co.jp
Tue Jun 27 04:40:38 UTC 2017



Hello, public.  Thank you for pointing that out.

>Empty RRSet: issuance allowed
>Empty issuer domain within a non-empty RRSet: no issuance allowed

Now I have noticed that I was mixing up an empty RRSet and
an empty issuer domain within a non-empty RRSet.

I have also noticed that "issue" and "issuewild" are not mutually
exclusive.
* On non-wildcard domains, because issuewild has almost no effect,
I will
   1. look for "issue" and respect them if any,
   2. if no "issue" CAA, look for other CAA (including issuewild),
   3. if some CAA found, then I cannot issue, otherwise I can issue.
* On wildcard domains, I will
   1. look for issuewild and respect them if any,
   2. if no "issuewild" CAA, then look for "issue" CAA and
   respect them if any,
   3. if neither "issue" nor "issuewild" found, look for other CAA,
   4. if some CAA found, then I cannot issue, otherwise I can issue.

>   $ORIGIN example.com
>   .       CAA 0 issue "alice.com"

As it is not the root zone, I take the above as follows:
    $ORIGIN example.com.
    @       CAA 0 issue "alice.com"

Please let me know if there are still any misunderstandings.
--
  iida
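
The decision steps described in the message above, written out as code. This is an added example, not part of the original message and not the sender's implementation; the function names and the (flags, tag, value) record tuples are assumptions, and the logic follows the steps as the message states them rather than being a complete RFC 6844 implementation.

```python
# Added example. Records are (flags, tag, value) tuples, constructed for
# illustration; "alice.com" is the issuer domain used in the message.

def issuer_domain(value):
    """Issuer domain of an issue/issuewild value; "" when it is empty (";")."""
    return value.split(";", 1)[0].strip().lower()

def authorizes(rrset, tag, ca_domain):
    """True if any record carrying this tag names ca_domain as issuer."""
    return any(issuer_domain(v) == ca_domain.lower()
               for _, t, v in rrset if t.lower() == tag)

def may_issue(rrset, ca_domain, wildcard):
    """Apply the message's steps to the relevant CAA RRSet for one request."""
    if not rrset:
        return True                      # empty RRSet: issuance allowed
    tags = {t.lower() for _, t, _ in rrset}
    # Wildcard requests consult issuewild first and fall back to issue;
    # non-wildcard requests consult issue only.
    order = ("issuewild", "issue") if wildcard else ("issue",)
    for tag in order:
        if tag in tags:
            # An empty issuer domain matches no CA, so nobody is authorized.
            return authorizes(rrset, tag, ca_domain)
    # Non-empty RRSet with no applicable issue/issuewild property:
    # the message treats any other CAA record as blocking issuance.
    return False

# Constructed sample RRSets.
ONLY_ALICE = [(0, "issue", "alice.com")]
NOBODY = [(0, "issue", ";")]
WILD_DENIED = [(0, "issue", "alice.com"), (0, "issuewild", ";")]

if __name__ == "__main__":
    for name, rrset, wild in [("only alice", ONLY_ALICE, False),
                              ("nobody", NOBODY, False),
                              ("wildcard denied", WILD_DENIED, True)]:
        print(name, "->", may_issue(rrset, "alice.com", wild))
```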


