I think that at this stage the only review relevant would be if what was submitted did not match what was agreed in the LAMPS thread.
I did make one very minor correction, which was to change should to SHOULD, and that has no semantic change; it merely flags that there is a normative consideration.

> On Jul 10, 2017, at 9:57 PM, Jacob Hoffman-Andrews <[email protected]> wrote:
>
> Phillip has posted the latest version of the CAA erratum, which has been
> looked at and generally appears good. The next step will be to get it
> into "Held for Document Update." Meanwhile, please take a look and speak
> up if you see any blocking problems, so we can ballot it shortly after
> the move to "Held for Document Update."
>
> https://www.rfc-editor.org/errata/eid5065
>
> Errata ID: 5065
>
> Status: Reported
> Type: Technical
>
> Reported By: Phillip Hallam-Baker
> Date Reported: 2017-07-10
>
> Section 4 says:
>
> Let CAA(X) be the record set returned in response to performing a CAA
> record query on the label X, P(X) be the DNS label immediately above
> X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
> alias record specified at the label X.
>
> o If CAA(X) is not empty, R(X) = CAA (X), otherwise
>
> o If A(X) is not null, and R(A(X)) is not empty, then R(X) =
> R(A(X)), otherwise
>
> o If X is not a top-level domain, then R(X) = R(P(X)), otherwise
>
> o R(X) is empty.
>
> It should say:
>
> Let CAA(X) be the record set returned in response to performing a CAA
> record query on the label X, P(X) be the DNS label immediately above
> X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
> alias record chain specified at the label X.
>
> o If CAA(X) is not empty, R(X) = CAA (X), otherwise
>
> o If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
> CAA(A(X)), otherwise
>
> o If X is not a top-level domain, then R(X) = R(P(X)), otherwise
>
> o R(X) is empty.
>
> Thus, when a search at node X returns a CNAME record, the CA will
> follow the CNAME record chain to its target. If the target label
> contains a CAA record, it is returned. Otherwise, the CA continues
> the search at the parent of node X.
>
> Note that the search does not include the parent of a target of a
> CNAME record (except when the CNAME points back to its own path).
>
> To prevent resource exhaustion attacks, CAs SHOULD limit the length of
> CNAME chains that are accepted. However, CAs MUST process CNAME
> chains that contain 8 or fewer CNAME records.
>
> Notes:
>
> This is the updated errata to replace the ones previously deleted. It
> has been reviewed by all the parties concerned. Since this is a breaking
> change, this will have to go to hold for document update. The LAMPS
> working group is currently considering a more radical re-working of the
> CAA discovery scheme as a work item for its new charter.
>
> I will be in Prague to discuss...
>
> _______________________________________________
> Public mailing list
> [email protected]
> https://cabforum.org/mailman/listinfo/public
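The two definitions of R(X) quoted in the erratum differ only in the second bullet, but the difference decides whose CAA policy governs a CNAME-aliased name. The following is an added example, not code from the mailing-list thread or from RFC 6844: it implements both the published Section 4 algorithm and the erratum 5065 version over a constructed in-memory zone (no real DNS is queried; the `ZONE` table, the `CaaLookupError` class and the simplified record strings are assumptions of this example), so that the consequence of recursing into R(A(X)) rather than consulting only CAA(A(X)) can be observed directly.

```python
"""CAA discovery: RFC 6844 Section 4 as published versus erratum 5065.

Added example (not from the thread or from RFC 6844). Both R(X) definitions
quoted in the erratum are run against a constructed, in-memory zone so the
behavioural difference at a CNAME target is visible. No real DNS is queried
and CAA record syntax is simplified to plain strings.
"""

# Erratum 5065: CAs MUST process chains of 8 or fewer CNAME records and
# SHOULD cap longer ones. This example refuses anything longer.
MAX_CNAME_CHAIN = 8

# Constructed zone data (assumption: one CNAME per name, CAA as strings).
ZONE = {
    "example.com.":        {"CAA": ['0 issue "ca-a.example"']},
    "www.example.com.":    {"CNAME": "web.cdn.example."},
    # The CNAME target exists in the CDN's zone but carries no CAA ...
    "web.cdn.example.":    {"A": "192.0.2.10"},
    # ... while the CDN's apex does.
    "cdn.example.":        {"CAA": ['0 issue "cdn-ca.example"']},
    "alias.example.com.":  {"CNAME": "hop1.example.net."},
    "hop1.example.net.":   {"CNAME": "hop2.example.net."},
    "hop2.example.net.":   {"CAA": ['0 issue "ca-c.example"']},
    "loop-a.example.org.": {"CNAME": "loop-b.example.org."},
    "loop-b.example.org.": {"CNAME": "loop-a.example.org."},
}


class CaaLookupError(Exception):
    """Raised when a CNAME chain exceeds the accepted length (or loops)."""


def caa(x):
    """CAA(X): the CAA record set at label X (empty list if none)."""
    return list(ZONE.get(x, {}).get("CAA", []))


def cname(x):
    """Single-hop CNAME target at X, or None when X is not an alias."""
    return ZONE.get(x, {}).get("CNAME")


def is_tld(x):
    """True when X has a single label, e.g. 'com.'."""
    return len(x.rstrip(".").split(".")) == 1


def parent(x):
    """P(X): the label immediately above X (caller checks is_tld first)."""
    return x.split(".", 1)[1]


def chain_target(x, limit=MAX_CNAME_CHAIN):
    """A(X) per the erratum: the end of the CNAME chain starting at X.

    Returns None when X has no CNAME. Raises CaaLookupError once more than
    `limit` CNAME records have been followed, which also catches loops.
    """
    target = cname(x)
    if target is None:
        return None
    hops = 1
    while cname(target) is not None:
        hops += 1
        if hops > limit:
            raise CaaLookupError(f"CNAME chain from {x} exceeds {limit} records")
        target = cname(target)
    return target


def rfc6844_rx(x, depth=0):
    """R(X) as published in RFC 6844 Section 4.

    The second bullet recurses with R(A(X)), so a CNAME target with no CAA
    of its own contributes its *parents'* CAA records. The depth guard is
    added here only so a looping chain terminates; RFC 6844 has none.
    """
    if depth > MAX_CNAME_CHAIN:
        raise CaaLookupError(f"CNAME chain from {x} exceeds {MAX_CNAME_CHAIN} records")
    if caa(x):
        return caa(x)
    a = cname(x)
    if a is not None:
        r = rfc6844_rx(a, depth + 1)
        if r:
            return r
    if not is_tld(x):
        return rfc6844_rx(parent(x), depth)
    return []


def erratum_rx(x):
    """R(X) as corrected by erratum 5065.

    Only CAA(A(X)) at the end of the CNAME chain is consulted; if the target
    has no CAA records the search resumes at P(X), not at the target's parent.
    """
    if caa(x):
        return caa(x)
    a = chain_target(x)
    if a is not None and caa(a):
        return caa(a)
    if not is_tld(x):
        return erratum_rx(parent(x))
    return []


def compare(x):
    """Both results for a label; 'error' where the CNAME chain is refused."""
    out = {}
    for name, fn in (("rfc6844", rfc6844_rx), ("erratum5065", erratum_rx)):
        try:
            out[name] = fn(x)
        except CaaLookupError:
            out[name] = "error"
    return out


if __name__ == "__main__":
    for label in ("www.example.com.", "alias.example.com.", "loop-a.example.org."):
        print(label, compare(label))
```

For `www.example.com.` the published algorithm ends up at the CDN apex's CAA record, because R(web.cdn.example.) walks up to `cdn.example.`; the erratum instead falls back to `example.com.`, so the domain owner's policy governs. Where the chain's final target does carry CAA (the `alias.example.com.` case) both versions agree, and a chain longer than 8 records is refused by both implementations here.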
