> On Feb 25, 2017, at 8:16 AM, philliph--- via Public <[email protected]> wrote:
>
>> On Feb 24, 2017, at 9:17 PM, Peter Bowen <[email protected]> wrote:
>>
>> On Fri, Feb 24, 2017 at 5:49 PM, philliph--- via Public
>> <[email protected]> wrote:
>>> On the CAA recursive part, I am trying to track down why there is an
>>> existing errata that makes a normative change with held for update status.
>>>
>>> The issue here is not in the PKIX part, it is what a CNAME/DNAME record
>>> means. Different people in the DNS community took different positions. We
>>> ended up concluding that the recursive interpretation was the appropriate
>>> one, i.e. least likely to cause mistakes.
>>
>> I'm still confused. Consider the following records (I'm leaving out
>> class and TTL for simplicity):
>>
>> beta.shop.example.com. A 198.51.100.54
>> shop.example.com. CNAME xmpl.cdn.bighost.com.
>> example.com. A 198.51.100.4
>> example.com. MX 10 mail1.mailhost.fast.
>> example.com. NS ns1.cheapdns.biz.
>> example.com. NS ns2.cheapdns.org.
>>
>> cdn.bighost.com. DNAME cdnhost.xyz.
>> bighost.com. NS ns1.dnshost.com.
>> bighost.com. NS ns2.dnshost.com.
>>
>> xmpl.cdnhost.xyz. A 203.0.113.231
>> cdnhost.xyz. NS ns1.dnshost.com.
>> cdnhost.xyz. NS ns2.dnshost.com.
>>
>> If a CA gets a certificate request that includes
>> dNSName:beta.shop.example.com, what DNS queries must it make to check
>> for CAA records?
>>
>> Thanks,
>> Peter
>
> The sequence is:
> beta.shop.example.com
> shop.example.com
> xmpl.cdn.bighost.com
> cdn.bighost.com *
> xmpl.cdnhost.xyz *
> cdnhost.xyz *
> xyz *
> shop.example.com
> example.com
> com
I’m a little confused how you got this list. Assume Q(name, type) = type, data means a lookup for name with a given type.

Q(beta.shop.example.com, CAA) = <no answers>
Q(beta.shop.example.com, DNAME) = <no answers>
Q(shop.example.com, CAA) = CNAME, xmpl.cdn.bighost.com.
Q(xmpl.cdn.bighost.com, CAA) = CNAME, xmpl.cdnhost.xyz.
Q(xmpl.cdnhost.xyz, CAA) = <no answers>
Q(xmpl.cdnhost.xyz, DNAME) = <no answers>
Q(cdnhost.xyz, CAA) = <no answers>
Q(cdnhost.xyz, DNAME) = <no answers>
Q(xyz, CAA) = <no answers>
Q(xyz, DNAME) = <no answers>
Q(cdn.bighost.com, CAA) = <no answers>
Q(cdn.bighost.com, DNAME) = DNAME, cdnhost.xyz
# Not doing Q(cdnhost.xyz, CAA) to Q(xyz, DNAME) as we already did it
Q(bighost.com, CAA) = <no answers>
Q(bighost.com, DNAME) = <no answers>
Q(com, CAA) = <no answers>
Q(com, DNAME) = <no answers>
Q(example.com, CAA) = <no answers>
Q(example.com, DNAME) = <no answers>
# Not doing Q(com, CAA) and Q(com, DNAME) as we already did it; if it was example.net, we would do Q(net, …) here

Result: no CAA record found

If any of the requests for Q(…, CAA) had returned a CAA answer, then this process would have stopped immediately and that data would be returned.

Does this match your expectation?

Thanks,
Peter

P.S. Here is a real world DNAME example, for those who have never run across one before:

Nameserver: ns2.brookes.ac.uk.
;; QUESTION SECTION:
;; foobar.oxfordbrookes.ac.uk. IN CAA
;; ANSWER SECTION:
oxfordbrookes.ac.uk. 28800 IN DNAME brookes.ac.uk.
foobar.oxfordbrookes.ac.uk. 28800 IN CNAME foobar.brookes.ac.uk.
;; AUTHORITY SECTION:
brookes.ac.uk. 900 IN SOA ns1.brookes.ac.uk. dns-contact.brookes.ac.uk. 44762 10800 3600 2592000 900

Nameserver: ns2.brookes.ac.uk.
;; QUESTION SECTION:
;; oxfordbrookes.ac.uk. IN CAA
;; ANSWER SECTION:
;; AUTHORITY SECTION:
oxfordbrookes.ac.uk. 900 IN SOA ns1.brookes.ac.uk. dns-contact.brookes.ac.uk. 43 10800 3600 2592000 900

Nameserver: ns2.brookes.ac.uk.
;; QUESTION SECTION:
;; oxfordbrookes.ac.uk. IN DNAME
;; ANSWER SECTION:
oxfordbrookes.ac.uk. 28800 IN DNAME brookes.ac.uk.
;; AUTHORITY SECTION:

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
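The Q(name, type) walk Peter lays out above, written here as an added example (not code from the thread or from any CA's validation stack): it models a resolver over an in-memory copy of the CNAME and DNAME records from his message, stops at the TLD as his list does, sends no real DNS traffic, and records every query so the sequence can be compared against his.

```python
# Constructed from the records in Peter's earlier message; only the CNAME and
# DNAME owners matter for the CAA walk, so the A/NS/MX data is left out.
ZONE = {
    ("shop.example.com.", "CNAME"): "xmpl.cdn.bighost.com.",
    ("cdn.bighost.com.", "DNAME"): "cdnhost.xyz.",
}

def parent(name):
    """Parent domain (trailing dot kept), or None at a TLD, where the walk stops."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None

def query(zone, name, rtype):
    """Model what a resolver returns for Q(name, rtype): a CNAME owned by the
    name, a CNAME synthesised from an ancestor's DNAME, the requested data,
    or None for <no answers>. (Assumption: an in-memory zone, no real DNS.)"""
    if rtype != "CNAME" and (name, "CNAME") in zone:
        return ("CNAME", zone[(name, "CNAME")])
    anc = parent(name)
    while anc:
        if (anc, "DNAME") in zone:  # name lies below a DNAME owner
            return ("CNAME", name[: -len(anc)] + zone[(anc, "DNAME")])
        anc = parent(anc)
    return (rtype, zone[(name, rtype)]) if (name, rtype) in zone else None

def caa_lookup(zone, name, trace=None, seen=None):
    """Recursive CAA search as in the thread: ask for CAA at the name; if the
    answer is a CNAME, or the name owns a DNAME, search the target the same
    way; then repeat at the parent. A name is never searched twice."""
    trace = [] if trace is None else trace
    seen = set() if seen is None else seen
    if name in seen:
        return None
    seen.add(name)
    ans = query(zone, name, "CAA")
    trace.append((name, "CAA", ans))
    if ans and ans[0] == "CAA":
        return ans[1]  # first CAA found ends the search
    if ans and ans[0] == "CNAME":
        found = caa_lookup(zone, ans[1], trace, seen)
    else:  # no CNAME at this name, so it may own a DNAME for names below it
        dn = query(zone, name, "DNAME")
        trace.append((name, "DNAME", dn))
        found = caa_lookup(zone, dn[1], trace, seen) if dn and dn[0] == "DNAME" else None
    if found:
        return found
    p = parent(name)
    return caa_lookup(zone, p, trace, seen) if p else None
```

Running caa_lookup(dict(ZONE), "beta.shop.example.com.", trace) reproduces Peter's 18 queries in his order; adding a CAA record at cdnhost.xyz. ends the walk after the seventh query, which is the case a CA that skipped CNAME/DNAME targets would miss.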
