[Servercert-wg] CAA RFC8659 update

Tomas Gustavsson tomas.gustavsson at primekey.com
Thu Nov 21 01:40:48 MST 2019

I have one question on the difference between Appendix A and RFC8659.

- Question 1:
Appendix A specifies:
"To prevent resource exhaustion attacks, CAs SHOULD limit the length of
CNAME chains that are accepted"

I don't see anything about this in RFC8659 (or RFC1034). Just that the
resolver is recursive. Will the suggested limit (8) remain in BRs?


On 2019-11-20 17:10, Tomas Gustavsson via Servercert-wg wrote:
> On 2019-11-20 16:21, Ryan Sleevi wrote:
>> On Wed, Nov 20, 2019 at 5:19 AM Tomas Gustavsson via Servercert-wg
>> <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org>> wrote:
>>     Hi,
>>     I just saw that CAA has a new RFC, RFC8659, with updates in particular
>>     to the tree climbing. The CNAME and DNAME processing was if I remember
>>     correctly some of the biggest challenges when implementing RFC6844, and
>>     this is basically gone in RFC8659 (delegated to the CAs resolver to
>>     follow CNAMES etc).
>>     Current BRs specify RFC6844 with specifics around CNAMEs.
>>     I could not find any previous discussion on RFC6844 so wondered if there
>>     has been a discussion on adopting RFC8659?
>>     Adopting this would likely mean implementation changes (while, if CAB
>>     Forum is not adopting the new RFC I see little point in the RFC update
>>     at all).
>> Hi Tomas,
>> Currently, the BRs referenced RFC6844 along with Errata 5065 (see
>> Appendix A). Functionally, this is what became RFC 8659. RFC 8659 just
>> got published this morning ( https://tools.ietf.org/html/rfc8659 )
>> I'm not sure why you didn't find the discussion. This was CA/B Forum
>> Ballot 214 that adopted the Errata, and then went through the IETF
>> process to update and standardize it.
>> So we're good to update to reference RFC 8659, and there should be no
>> functional change for existing CAs complying with the BRs. Of course,
>> they are welcome and encouraged to review and highlight any concerns, if
>> there is to be a phase-in transition, but that should not be necessary
>> and it should just be administrivia. 
> Sorry, I did read Appendix A before posting. I tripped over the
> differences in language of the algorithm description. Good to know the
> intent is the same. I'll analyze it a bit more and get back if I have
> concerns.
> Regards,
> Tomas
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg
