[cabfpub] CAA final errata proposed text

Jacob Hoffman-Andrews jsha at letsencrypt.org
Sat Jun 24 00:29:13 UTC 2017


I posted separately on the IETF LAMPS / SPASM mailing list saying I think
this version is good:
https://mailarchive.ietf.org/arch/msg/spasm/SzxQoAOVluz5B_QfJ34U16epq_A.

I'd encourage folks here who are interested in CAA and agree that this is a
good revision to join that mailing list and post in approval:
https://www.ietf.org/mailman/listinfo/spasm

On Wed, Jun 14, 2017 at 1:29 PM, Rob Stradling via Public <
public at cabforum.org> wrote:

> LGTM.
>
> Minor nit: "otherwise" needs a capital O.
>
>
> On 14/06/17 18:52, Phillip via Public wrote:
>
>> The RFC Editor has deleted all three of the existing errata at my
>> request. I would like for the next errata to be the very last.
>>
>> Could people read, review and state if this works for them?
>>
>> Original Text
>> -------------
>>
>>     Let CAA(X) be the record set returned in response to performing a CAA
>>     record query on the label X, P(X) be the DNS label immediately above
>>     X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
>>     alias record specified at the label X.
>>
>>     o  If CAA(X) is not empty, R(X) = CAA (X), otherwise
>>
>>     o  If A(X) is not null, and R(A(X)) is not empty, then R(X) =
>>        R(A(X)), otherwise
>>
>>     o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise
>>
>>     o  R(X) is empty.
>>
>> Corrected Text
>> --------------
>>
>>     Let CAA(X) be the record set returned in response to performing a CAA
>>     record query on the label X, P(X) be the DNS label immediately above
>>     X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
>>     alias record chain specified at the label X.
>>
>>     o  If CAA(X) is not empty, R(X) = CAA (X), otherwise
>>
>>     o  If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
>>        CAA(A(X)), otherwise
>>
>>     o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise
>>
>>     o  R(X) is empty.
>>
>>     Thus, when a search at node X returns a CNAME record, the CA will
>>     follow the CNAME record to its target. If the target label contains a
>>     CAA record, it is returned. otherwise, the CA continues the search at
>>     the parent of node X.
>>
>>     Note that the search does not include the parent of a target of a
>>     CNAME record (except when the CNAME points back to its own path).
>>
>>     To prevent resource exhaustion attacks, CAs should limit the length of
>>     CNAME chains that are accepted. However CAs MUST process CNAME
>>     chains that contain ten or fewer CNAME records.
>>
>>     Processing for DNAME is exactly the same as for CNAME. Note that since
>>     DNAME records are implemented by creating the corresponding CNAME
>>     records on the fly, it is only necessary for DNAME records to appear
>>     on the wire for purposes of DNSSEC.
>>
>>
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>>
>>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> Office Tel: +44.(0)1274.730505
> Office Fax: +44.(0)1274.730909
> www.comodo.com
>
> COMODO CA Limited, Registered in England No. 04058690
> Registered Office:
>   3rd Floor, 26 Office Village, Exchange Quay,
>   Trafford Road, Salford, Manchester M5 3EQ
>
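
The difference between the original and corrected R(X) quoted above, as an added Python example that is not part of this thread or of the RFC text. The zone data, the function names and the choice to raise an error on an over-long chain are assumptions of this example.

```python
# Constructed zone data for illustration, not real DNS answers.
CAA = {
    "example.com": ['0 issue "ca-one.example"'],
    "example.net": ['0 issue "ca-two.example"'],
    "store.example.org": ['0 issue "ca-three.example"'],
}
CNAME = {
    "www.example.com": "edge.cdn.example.net",
    "shop.example.com": "store.example.org",
}
MAX_CNAMES = 10  # chains of ten or fewer CNAME records must be processed

def parent(name):
    """P(X): the name immediately above X, or None when X is a top-level domain."""
    return name.partition(".")[2] or None

def alias_target(name, cname, limit=MAX_CNAMES):
    """A(X): end of the alias chain starting at X, or None when X is not an alias."""
    hops = 0
    while name in cname:
        hops += 1
        if hops > limit:  # also stops CNAME loops; raising is this example's choice
            raise ValueError("CNAME chain longer than %d records" % limit)
        name = cname[name]
    return name if hops else None

def r_corrected(x, caa, cname):
    """Corrected text: consult CAA(A(X)) only, then continue at P(X)."""
    while x is not None:
        if caa.get(x):
            return caa[x]
        target = alias_target(x, cname)
        if target is not None and caa.get(target):
            return caa[target]
        x = parent(x)
    return []

def r_original(x, caa, cname):
    """Original text: R(A(X)) recurses, so it also climbs the target's parents."""
    # No loop guard here; the sample data contains no CNAME cycle.
    if x is None:
        return []
    if caa.get(x):
        return caa[x]
    if x in cname:
        via_alias = r_original(cname[x], caa, cname)
        if via_alias:
            return via_alias
    return r_original(parent(x), caa, cname)
```

For `www.example.com` the corrected search returns the `example.com` record set, while the original wording returns the one at `example.net`, the parent of the CNAME target.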