> On Feb 24, 2017, at 9:17 PM, Peter Bowen <[email protected]> wrote:
>
> On Fri, Feb 24, 2017 at 5:49 PM, philliph--- via Public <[email protected]> wrote:
>> On the CAA recursive part, I am trying to track down why there is an existing errata that makes a normative change with held for update status.
>>
>> The issue here is not in the PKIX part, it is what a CNAME/DNAME record means. Different people in the DNS community took different positions. We ended up concluding that the recursive interpretation was the appropriate one, i.e. least likely to cause mistakes.
>
> I'm still confused. Consider the following records (I'm leaving out class and TTL for simplicity):
>
> beta.shop.example.com. A 198.51.100.54
> shop.example.com. CNAME xmpl.cdn.bighost.com.
> example.com. A 198.51.100.4
> example.com. MX 10 mail1.mailhost.fast.
> example.com. NS ns1.cheapdns.biz.
> example.com. NS ns2.cheapdns.org.
>
> cdn.bighost.com. DNAME cdnhost.xyz.
> bighost.com. NS ns1.dnshost.com.
> bighost.com. NS ns2.dnshost.com.
>
> xmpl.cdnhost.xyz. A 203.0.113.231
> cdnhost.xyz. NS ns1.dnshost.com.
> cdnhost.xyz. NS ns2.dnshost.com.
>
> If a CA gets a certificate request that includes dNSName:beta.shop.example.com, what DNS queries must it make to check for CAA records?
>
> Thanks,
> Peter
The sequence is:

beta.shop.example.com
shop.example.com
xmpl.cdn.bighost.com
cdn.bighost.com
* xmpl.cdnhost.xyz
* cdnhost.xyz
* xyz
* shop.example.com
example.com
com

Now if people were to say they think the lookups with the asterisks are a problem then we can propose an update to the RFC.

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
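The following is an added worked example, not part of the original thread and not code from any CA or from the RFC authors. It implements the relevant-record-set function R(X) from RFC 6844 Section 4 under the recursive reading discussed above (A(X) taken as the end of the CNAME/DNAME alias chain, and R() applied to that target, parents included), runs it over an in-memory transcription of the records in Peter's message, and records which names receive CAA queries. Record data, the CAA values, the alias-hop limit and the function names are all constructed for the example; the query sequence it produces is what this reading of the RFC text yields and is not claimed to match the list in the reply above. For comparison it also implements the simpler rule later adopted by RFC 8659 (which obsoletes RFC 6844): the resolver still follows aliases inside each CAA query, but the CA walks only the parents of the requested name, never the parents of an alias target.

```python
"""Added example (not from the original thread): RFC 6844 Section 4 CAA lookup
with alias-target recursion, over constructed zone data, plus the RFC 8659
parent-walk-only rule for comparison."""
from __future__ import annotations

MAX_ALIAS_HOPS = 8  # constructed guard against CNAME/DNAME loops

# Constructed zone data transcribed from the message above (class/TTL omitted).
BASE_RECORDS: dict[str, list[tuple[str, str]]] = {
    "beta.shop.example.com.": [("A", "198.51.100.54")],
    "shop.example.com.": [("CNAME", "xmpl.cdn.bighost.com.")],
    "example.com.": [("A", "198.51.100.4"), ("MX", "10 mail1.mailhost.fast."),
                     ("NS", "ns1.cheapdns.biz."), ("NS", "ns2.cheapdns.org.")],
    "cdn.bighost.com.": [("DNAME", "cdnhost.xyz.")],
    "bighost.com.": [("NS", "ns1.dnshost.com."), ("NS", "ns2.dnshost.com.")],
    "xmpl.cdnhost.xyz.": [("A", "203.0.113.231")],
    "cdnhost.xyz.": [("NS", "ns1.dnshost.com."), ("NS", "ns2.dnshost.com.")],
}

# Constructed variant: the CDN's zone and the customer's apex both carry CAA.
CAA_SCENARIO = {k: list(v) for k, v in BASE_RECORDS.items()}
CAA_SCENARIO["cdnhost.xyz."].append(("CAA", '0 issue "cdn-ca.example"'))
CAA_SCENARIO["example.com."].append(("CAA", '0 issue "letsencrypt.org"'))


def parent(name: str) -> str:
    """P(X): the label immediately above X; 'com.' -> '.' (root)."""
    _, _, rest = name.partition(".")
    return rest or "."


def is_tld(name: str) -> bool:
    return parent(name) == "."


def alias_hop(name: str, zone: dict) -> str | None:
    """One CNAME/DNAME hop from name, or None if name is not aliased.
    A DNAME at a proper ancestor rewrites the suffix (RFC 6672); a DNAME
    owned by the name itself does not alias the owner name."""
    for rtype, rdata in zone.get(name, []):
        if rtype == "CNAME":
            return rdata
    anc = parent(name)
    while anc != ".":
        for rtype, rdata in zone.get(anc, []):
            if rtype == "DNAME":
                return name[:-len(anc)] + rdata
        anc = parent(anc)
    return None


def alias_target(name: str, zone: dict) -> str | None:
    """A(X): the end of the alias chain starting at X, or None if no alias."""
    cur, hops = name, 0
    while (nxt := alias_hop(cur, zone)) is not None:
        hops += 1
        if hops > MAX_ALIAS_HOPS:
            raise RuntimeError(f"alias chain too long starting at {name}")
        cur = nxt
    return None if cur == name else cur


def caa_query(name: str, zone: dict, log: list[str]) -> list[str]:
    """CAA(X) as a recursive resolver answers it: the resolver follows the
    alias chain and returns the CAA rdata at the final name. Logs the name
    the CA actually asked for."""
    log.append(name)
    final = alias_target(name, zone) or name
    return [rdata for rtype, rdata in zone.get(final, []) if rtype == "CAA"]


def relevant_caa(name: str, zone: dict, log: list[str] | None = None) -> list[str]:
    """R(X) per RFC 6844 Section 4 under the recursive reading of A(X):
    CAA(X), else R(A(X)) if non-empty, else R(P(X)), else empty."""
    log = [] if log is None else log
    name = name if name.endswith(".") else name + "."
    caa = caa_query(name, zone, log)
    if caa:
        return caa
    target = alias_target(name, zone)
    if target is not None:
        from_target = relevant_caa(target, zone, log)
        if from_target:
            return from_target
    return [] if is_tld(name) else relevant_caa(parent(name), zone, log)


def relevant_caa_rfc8659(name: str, zone: dict, log: list[str] | None = None) -> list[str]:
    """R(X) per RFC 8659 Section 3: CAA(X), else R(P(X)). No alias-target walk."""
    log = [] if log is None else log
    name = name if name.endswith(".") else name + "."
    caa = caa_query(name, zone, log)
    if caa:
        return caa
    return [] if is_tld(name) else relevant_caa_rfc8659(parent(name), zone, log)


def caa_lookup_sequence(name: str, zone: dict) -> tuple[list[str], list[str]]:
    """Return (relevant CAA set, names queried in order) under the RFC 6844 reading."""
    log: list[str] = []
    return relevant_caa(name, zone, log), log


if __name__ == "__main__":
    for label, zone in (("no CAA anywhere", BASE_RECORDS), ("CDN and apex CAA", CAA_SCENARIO)):
        result, queried = caa_lookup_sequence("beta.shop.example.com", zone)
        print(f"[{label}] RFC 6844 queries: {queried}\n  relevant set: {result}")
        print(f"  RFC 8659 relevant set: {relevant_caa_rfc8659('beta.shop.example.com', zone)}")
```

The second scenario is the point of the thread: under the recursive reading, a CAA record that the CDN operator places at cdnhost.xyz governs issuance for beta.shop.example.com and is consulted before example.com's own CAA record, whereas under the RFC 8659 rule the customer's apex record is the one that applies. A CA that follows one rule and a domain owner who expects the other will disagree about which issuers are authorized.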
