> On Feb 24, 2017, at 5:49 PM, philliph--- via Public <[email protected]>
> wrote:
>
> On the CAA recursive part, I am trying to track down why there is an existing
> errata that makes a normative change with held for update status.
>
> The issue here is not in the PKIX part, it is what a CNAME/DNAME record
> means. Different people in the DNS community took different positions. We
> ended up concluding that the recursive interpretation was the appropriate
> one, i.e. least likely to cause mistakes.
>
>
> The reasoning behind this was that in most cases a CNAME from ‘example.net’
> to ‘example.com’ is typically used for internal redirects mapping one
> service name onto another. An outsourcing relationship would typically be
> realized using MX or SRV.

I'm still confused. Consider the following records (I'm leaving out
class and TTL for simplicity, along with the root and com delegations):

beta.shop.example.com.  A      198.51.100.54
shop.example.com.       CNAME  xmpl.cdn.bighost.com.
example.com.            A      198.51.100.4
example.com.            MX     10 mail1.mailhost.fast.
example.com.            NS     ns1.cheapdns.biz.
example.com.            NS     ns2.cheapdns.org.
cdn.bighost.com.        DNAME  cdnhost.xyz.
bighost.com.            NS     ns1.dnshost.com.
bighost.com.            NS     ns2.dnshost.com.
xmpl.cdnhost.xyz.       A      203.0.113.231
cdnhost.xyz.            NS     ns1.dnshost.com.
cdnhost.xyz.            NS     ns2.dnshost.com.

If a CA gets a certificate request that includes
dNSName:beta.shop.example.com, what DNS queries must it make to check
for CAA records?

Thanks,
Peter
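
The lookup asked about above, traced as an added example (not part of the original message, and not code from the RFC authors or any CA): it applies the R(X) rules of RFC 6844 section 4 as written to the alias records in the message and lists every name that receives a CAA query. The function names, the `subtree` switch and the sample CAA value are assumptions made for illustration; `subtree=True` additionally lets the DNAME at cdn.bighost.com rewrite names below it.

```python
# Alias records constructed from the zone data in the message above
# (trailing dots dropped); no other record type affects the CAA search.
CNAME = {"shop.example.com": "xmpl.cdn.bighost.com"}
DNAME = {"cdn.bighost.com": "cdnhost.xyz"}


def alias(name, subtree):
    """A(X): target of a CNAME or DNAME record whose owner is exactly X."""
    if name in CNAME:
        return CNAME[name]
    if name in DNAME:
        return DNAME[name]
    if subtree:
        # Assumption, not RFC text: a DNAME at an ancestor rewrites the name,
        # as the CNAME a resolver synthesises from it would.
        labels = name.split(".")
        for i in range(1, len(labels)):
            owner = ".".join(labels[i:])
            if owner in DNAME:
                return ".".join(labels[:i] + [DNAME[owner]])
    return None


def relevant_caa(name, caa, queries, subtree):
    """R(X) from RFC 6844 section 4; logs each CAA query in `queries`."""
    queries.append(name)                  # CAA(X)
    if caa.get(name):
        return caa[name]
    target = alias(name, subtree)         # A(X)
    if target:
        found = relevant_caa(target, caa, queries, subtree)
        if found:
            return found
    if "." in name:                       # X is not a TLD: continue at P(X)
        return relevant_caa(name.split(".", 1)[1], caa, queries, subtree)
    return []


def trace(name, caa=None, subtree=False):
    """Return (relevant CAA record set, ordered list of names queried)."""
    queries = []
    return relevant_caa(name, caa or {}, queries, subtree), queries


if __name__ == "__main__":
    for subtree in (False, True):
        print(subtree, trace("beta.shop.example.com", subtree=subtree))
    # Constructed CAA value at the CDN's zone: it ends the search early.
    print(trace("beta.shop.example.com", {"cdnhost.xyz": ['0 issue "ca.example"']}))
```

With no CAA records published, both readings query names under bighost.com and cdnhost.xyz before example.com is reached. A CAA record set found at the alias target is returned without example.com ever being queried.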