Re: CAA records on a CNAME

2019-03-16 Thread Jan Schaumann via dev-security-policy
Corey Bonnell via dev-security-policy wrote: > If I recall correctly, there was some discussion in late 2017 in the > IETF LAMPS WG (the working group producing the successor to the > current CAA RFC 6844) Thanks for noting this. Sounds like that's the best group to continue the discussion in.

Re: CAA records on a CNAME

2019-03-15 Thread Jan Schaumann via dev-security-policy
Matt Palmer via dev-security-policy wrote: > I've read through your posts on this topic several times, and I still don't > understand the problem you're trying to solve. If you point a CNAME at > someone else, then you're delegating to them control of that name. If they > set CAA records on t

Re: CAA records on a CNAME

2019-03-15 Thread Jan Schaumann via dev-security-policy
Ryan Sleevi wrote: > That is, an issue/issuewild parameter tag with a CA-specific property > defined by the CA/Browser Forum (or by IETF) that detailed specific > provisions for certain CNAMEs children. Hmm, maybe something like example.com CAA 0 issue "digicert.com" example.com CAA 0 override

Re: CAA records on a CNAME

2019-03-15 Thread Jan Schaumann via dev-security-policy
Ryan Sleevi via dev-security-policy wrote: > I don't think we here will really be able to do anything for this; as you > note, this is really a question about fundamental DNS specification, and > whether or not other records can live along-side a CNAME. That seems like > it'd be IETF's DNS grou

Re: CAA records on a CNAME

2019-03-15 Thread Jan Schaumann via dev-security-policy
Ryan Sleevi wrote: > I'm not sure I follow - when you go someapp.example.com to > someapp.thirdparty.example, and they point to somewhere.somecdn.example, > why is the assumption that somewhere.somecdn.example WOULDN'T place a CAA > record? It's been my observation that those systems do not set C

CAA records on a CNAME

2019-03-15 Thread Jan Schaumann via dev-security-policy
Hello, While this is at its core a DNS question, since it's about CAA records and cert issuance, I thought to post it here as well. If this is viewed as off-topic, my apologies. It seems to me that the behavior in combination with CNAMEs is suboptimal at best. I believe we need to allow CAAs to
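The CNAME case the thread argues about is easiest to see by running the RFC 6844 section 4 lookup over a small zone. The following is an added example, not code from the thread or from any CA; it reuses the three names Ryan Sleevi's reply mentions (someapp.example.com, someapp.thirdparty.example, somewhere.somecdn.example) and assumes constructed records and CA identifiers ("digicert.com", "letsencrypt.org") purely for illustration. It also implements, for contrast, the relevant-record-set rule from RFC 8659, the LAMPS successor to RFC 6844, which follows the CNAME at each queried name but no longer climbs the parents of the alias target.

```python
"""Worked CAA lookup (RFC 6844 sec. 4 vs. RFC 8659 sec. 3) over a constructed zone.

Added example, not code from the thread. Every record below is an assumption
made for illustration; none of these names carry these records in real DNS.
"""

# Constructed records: name -> list of (rtype, rdata). CAA rdata is (flags, tag, value).
ZONE = {
    "example.com": [("CAA", (0, "issue", "digicert.com"))],
    "someapp.example.com": [("CNAME", "someapp.thirdparty.example")],
    "thirdparty.example": [("CAA", (0, "issue", "letsencrypt.org"))],
    "someapp.thirdparty.example": [("CNAME", "somewhere.somecdn.example")],
    "somecdn.example": [],
    "somewhere.somecdn.example": [("A", "192.0.2.10")],  # CDN sets no CAA
}


def caa(name):
    """CAA(X): the CAA records present directly at X, without alias following."""
    return [rd for rt, rd in ZONE.get(name, []) if rt == "CAA"]


def alias(name):
    """A(X): the CNAME target at X, or None if X is not an alias."""
    for rt, rd in ZONE.get(name, []):
        if rt == "CNAME":
            return rd
    return None


def parent(name):
    """P(X). Treats any single-label name as a TLD and stops there;
    real implementations use the public suffix list instead."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else None


def follow_aliases(name, limit=8):
    """Resolve the CNAME chain at name as a resolver would, with a loop guard."""
    seen = set()
    while alias(name) is not None and name not in seen and len(seen) < limit:
        seen.add(name)
        name = alias(name)
    return name


def relevant_rrset_6844(name, _seen=frozenset()):
    """R(X) per RFC 6844 section 4. The recursion into R(A(X)) means the
    alias target's parents are searched before the queried name's parents."""
    if name in _seen:  # CNAME loop guard: treat a cycle as having no records
        return []
    _seen = _seen | {name}
    if caa(name):
        return caa(name)
    target = alias(name)
    if target is not None:
        r = relevant_rrset_6844(target, _seen)
        if r:
            return r
    p = parent(name)
    return relevant_rrset_6844(p, _seen) if p else []


def relevant_rrset_8659(name):
    """R(X) per RFC 8659 section 3: the CNAME at each queried name is followed,
    but the tree climb continues from the parents of the queried name only."""
    direct = caa(follow_aliases(name))
    if direct:
        return direct
    p = parent(name)
    return relevant_rrset_8659(p) if p else []


def permits(rrset, ca_id):
    """Issuance decision for a non-wildcard name: an empty relevant set
    permits any CA; otherwise some 'issue' tag must name ca_id."""
    if not rrset:
        return True
    return any(tag == "issue" and val == ca_id for _, tag, val in rrset)


if __name__ == "__main__":
    for fn in (relevant_rrset_6844, relevant_rrset_8659):
        r = fn("someapp.example.com")
        print(fn.__name__, r, "digicert:", permits(r, "digicert.com"))
```

Under the RFC 6844 rule, the CAA set at thirdparty.example (a parent of the CNAME target) governs someapp.example.com, so example.com's own "issue digicert.com" record never takes effect for that name; under the RFC 8659 rule the CDN name has no CAA, the climb restarts at example.com, and the owner's record wins. That difference is the behaviour the original post calls suboptimal.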

CAA records checked against immediate issuer or root?

2017-12-15 Thread Jan Schaumann via dev-security-policy
Hello, I'm seeking clarification on the meaning of the CAA records: RFC6844 notes that the 'issue' property entry "authorizes the holder of the domain name *or a party acting under the explicit authority of the holder of that domain name* to issue certificates for the domain in which the propert