Re: CAA records on a CNAME

2019-03-18 Thread Hector Martin 'marcan' via dev-security-policy
On 18/03/2019 16:42, Corey Bonnell wrote: Perhaps not very elegant, but you can encode an “allow all issuers” CAA RRSet by specifying a single iodef CAA record without any issue/issuewild records in the RRSet, which will probably be treated as permission to issue for  CAs. I say “probably” beca

Re: CAA records on a CNAME

2019-03-18 Thread Corey Bonnell via dev-security-policy
be more restrictive and disallow issuance in this case). Thanks, Corey From: Corey Bonnell Sent: Monday, March 18, 2019 16:42 To: Hector Martin 'marcan'; Jan Schaumann Cc: dev-security-policy@lists.mozilla.org Subject: Re: CAA records on a CNAME Perhap

Re: CAA records on a CNAME

2019-03-17 Thread Hector Martin 'marcan' via dev-security-policy
On 16/03/2019 10:25, Jan Schaumann via dev-security-policy wrote: someapp.example.com, over which I have control is a CNAME, so I can't set a CAA record there. Let's say the CNAME points to ghs.googlehosted.com. Your suggestion is to contact Google and ask them to please add a CAA record to tha

Re: CAA records on a CNAME

2019-03-16 Thread Jan Schaumann via dev-security-policy
Corey Bonnell via dev-security-policy wrote: > If I recall correctly, there was some discussion in late 2017 in the > IETF LAMPS WG (the working group producing the successor to the > current CAA RFC 6844) Thanks for noting this. Sounds like that's the best group to continue the discussion in.

Re: CAA records on a CNAME

2019-03-15 Thread Corey Bonnell via dev-security-policy
On Friday, March 15, 2019 at 9:26:02 PM UTC-4, Jan Schaumann wrote: > Matt Palmer via dev-security-policy > wrote: > > > I've read through your posts on this topic several times, and I still don't > > understand the problem you're trying to solve. If you point a CNAME at > > someone else, then

Re: CAA records on a CNAME

2019-03-15 Thread Jan Schaumann via dev-security-policy
Matt Palmer via dev-security-policy wrote: > I've read through your posts on this topic several times, and I still don't > understand the problem you're trying to solve. If you point a CNAME at > someone else, then you're delegating to them control of that name. If they > set CAA records on t

Re: CAA records on a CNAME

2019-03-15 Thread Matt Palmer via dev-security-policy
On Fri, Mar 15, 2019 at 05:40:29PM -0400, Jan Schaumann via dev-security-policy wrote: > Ryan Sleevi wrote: > > That is, an issue/issuewild parameter tag with a CA-specific property > > defined by the CA/Browser Forum (or by IETF) that detailed specific > > provisions for certain CNAMEs children.

Re: CAA records on a CNAME

2019-03-15 Thread Jan Schaumann via dev-security-policy
Ryan Sleevi wrote: > That is, an issue/issuewild parameter tag with a CA-specific property > defined by the CA/Browser Forum (or by IETF) that detailed specific > provisions for certain CNAMEs children. Hmm, maybe something like example.com CAA 0 issue "digicert.com" example.com CAA 0 override

Re: CAA records on a CNAME

2019-03-15 Thread Ryan Sleevi via dev-security-policy
On Fri, Mar 15, 2019 at 4:40 PM Jan Schaumann via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Ryan Sleevi via dev-security-policy > wrote: > > > I don't think we here will really be able to do anything for this; as you > > note, this is really a question about fundamenta

Re: CAA records on a CNAME

2019-03-15 Thread Jan Schaumann via dev-security-policy
Ryan Sleevi via dev-security-policy wrote: > I don't think we here will really be able to do anything for this; as you > note, this is really a question about fundamental DNS specification, and > whether or not other records can live along-side a CNAME. That seems like > it'd be IETF's DNS grou

Re: CAA records on a CNAME

2019-03-15 Thread Ryan Sleevi via dev-security-policy
On Fri, Mar 15, 2019 at 12:31 PM Jan Schaumann via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I also think that's reasonable, since any number of services might host > their apps on the provider's platform, so they likely have a large > number of CNAME records pointing t

Re: CAA records on a CNAME

2019-03-15 Thread Jan Schaumann via dev-security-policy
Ryan Sleevi wrote: > I?m not sure I follow - when you go someapp.example.com to > someapp.thirdparty.example, and they point to somewhere.somecdn.example, > why is the assumption that somewhere.somecdn.example WOULDN?T place a CAA > record? It's been my observation that those systems do not set C

Re: CAA records on a CNAME

2019-03-15 Thread Ryan Sleevi via dev-security-policy
I’m not sure I follow - when you go someapp.example.com to someapp.thirdparty.example, and they point to somewhere.somecdn.example, why is the assumption that somewhere.somecdn.example WOULDN’T place a CAA record? Given that somewhere.somecdn.example has the business relationship with the CA to do

CAA records on a CNAME

2019-03-15 Thread Jan Schaumann via dev-security-policy
allow CAA RRs on CNAMEs, which (currently) violates RFC1912, Section 2.4. But per RFC2181, section 10.1, we already allow e.g. SIG, NXT, and KEY RRs on CNAMEs. Wouldn't it be prudent to also allow CAA records on a CNAME? -Jan ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy