Paul, Improving CAA by moving it to a protocol other than DNS is certainly worth considering, going forward.
With respect to people using proper DNS libraries and not inventing their own CNAME / DNAME handling, the problem was that RFC 6844 accidentally specified semantics for CNAME / DNAME that were not the standard semantics! Even the erratum discussed extensively last spring still isn't fully compliant with the relevant RFCs. About half of the CAA problems encountered could have been avoided if RFC 6844 had simply said "When doing CAA lookups, CNAME MUST be handled as specified in RFC 2181, and DNAME MUST be handled as specified in RFC 6672", without trying to explicitly include them in the lookup algorithm.

-Tim
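An added example, not part of Tim's message or any CA's code, showing the lookup shape he argues for: the CAA tree-climb only asks the resolver for CAA at each ancestor, and CNAME (RFC 2181) and DNAME (RFC 6672) are applied inside the resolver rather than in the CAA algorithm. The zone table and all domain names are constructed for illustration.

```python
# Added example: CAA lookup that delegates CNAME/DNAME handling to the resolver.
# ZONE is a constructed in-memory table; every name in it is hypothetical.
ZONE = {
    # owner name -> list of (rrtype, rdata)
    "example.com.":            [("CAA", '0 issue "ca-a.example"')],
    "www.example.com.":        [("CNAME", "web.hosting.example.")],
    "web.hosting.example.":    [("CAA", '0 issue "ca-b.example"')],
    "legacy.example.com.":     [("DNAME", "old.example.net.")],
    "host.old.example.net.":   [("CAA", '0 issue "ca-c.example"')],
}

def resolve(name, rrtype, depth=0):
    """Return the rdata list for rrtype at name, applying standard CNAME
    (RFC 2181 s.10.1) and DNAME (RFC 6672 s.2) semantics. Empty list if none."""
    if depth > 8:
        raise RuntimeError("CNAME/DNAME chain too long")
    rrs = ZONE.get(name, [])
    # CNAME: the owner holds no other data, so restart the query at the target.
    for t, rdata in rrs:
        if t == "CNAME" and rrtype != "CNAME":
            return resolve(rdata, rrtype, depth + 1)
    # DNAME: redirects names *below* its owner (closest ancestor first),
    # never the owner itself, by substituting the owner suffix with the target.
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        ancestor = ".".join(labels[i:])
        for t, rdata in ZONE.get(ancestor, []):
            if t == "DNAME":
                synthesized = ".".join(labels[:i]) + "." + rdata
                return resolve(synthesized, rrtype, depth + 1)
    return [rdata for t, rdata in rrs if t == rrtype]

def caa_lookup(fqdn):
    """Climb from fqdn towards the root; the first non-empty CAA RRset wins.
    Aliases are never followed here: that is the resolver's job."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = resolve(".".join(labels[i:]) + ".", "CAA")
        if rrset:
            return rrset
    return []

if __name__ == "__main__":
    for q in ("www.example.com.", "host.legacy.example.com.",
              "nothing.example.com.", "example.org."):
        print(q, caa_lookup(q))
```

Note that the DNAME at legacy.example.com. redirects only names beneath it, so a CAA query for legacy.example.com. itself falls through to example.com.'s record, exactly the case a hand-rolled alias handler tends to get wrong.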
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy