Re: [dbound] [dmarc-ietf] Fwd: New Version Notification for draft-dcrocker-dns-perimeter-00.txt

"John R. Levine" <> Thu, 04 April 2019 01:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 86956120357 for <>; Wed, 3 Apr 2019 18:00:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1536-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mvf32TpLIhhE for <>; Wed, 3 Apr 2019 18:00:49 -0700 (PDT)
Received: from ( [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2F4E612034F for <>; Wed, 3 Apr 2019 18:00:49 -0700 (PDT)
Received: (qmail 1539 invoked from network); 4 Apr 2019 01:00:47 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple;; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=5ff.5ca5573f.k1904; bh=gG0TH3j1rv64bO/9jkcDMnh3vkoJo5XJSgAfChW5ng8=; b=iPH39DOotyN11SZq91tybzAxfTdbQNSIR7XaWaXxITULHU0SK3UMDqwnGDdDcNw1X8IvIR8IhyBUmENkCo/4iTKVmy27UJOrzuN0SCTHaEpbhqL0EGr1BdinLi+i/CYxAJOXdE2W0y23jWi9vzfosmbPb/JGHptAqZ6/EE/W7lA4BJtaj0BztsZ7sM+D8Ki1Pjw0rD/hf3ExMyNbTyD8IsyeNcHlrt2A34Hj1H7PF7SQ1edWQ3scYC+GhP470ig+
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 04 Apr 2019 01:00:47 -0000
Date: 3 Apr 2019 21:00:46 -0400
Message-ID: <alpine.OSX.2.21.1904032056230.22661@ary.qy>
From: "John R. Levine" <>
Cc: "tjw ietf" <>,
In-Reply-To: <>
References: <20190403175820.8391420115F376@ary.qy> <> <alpine.OSX.2.21.1904031430270.21189@ary.qy> <> <alpine.OSX.2.21.1904031459480.21189@ary.qy> <> <>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1256902744-1554339647=:22661"
Archived-At: <>
Subject: Re: [dbound] [dmarc-ietf] Fwd: New Version Notification for draft-dcrocker-dns-perimeter-00.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS tree bounds <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 04 Apr 2019 01:00:52 -0000

On Wed, 3 Apr 2019, Dave Crocker wrote:
> On 4/3/2019 12:19 PM, tjw ietf wrote:
>>  I was going to say CAA but that’s 6 years old.
> 5 was a random number.  I was merely meaning 'recent'.
> But suggesting CAA in response to my query means that you think RFC 6844 has 
> received widespread -- ie, at scale -- end to end adoption and use.

Every CA is supposed to check CAA records before issuing a cert to see if 
they're allowed to issue it.  I know Let's Encrypt does and I suppose I 
can ask them how many CAA records they see.

> Please forgive my skepticism.

Well, OK, here's a question for you: when's the last time an RFC added a 
feature to the DNS that puts records in the additional section triggered 
by a specific label in the query?  I'm reasonably sure the answer is 
"never" but you might ask dnsop to be sure.

John Levine, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail.
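The CAA check John describes above ("every CA is supposed to check CAA records before issuing a cert") is a small, well-defined algorithm, and a domain owner can run the same logic to verify that their published records actually restrict issuance the way they intend. The following is an added example, not code from this thread or from any CA: it implements the RFC 6844 tree-climbing lookup (as revised by RFC 8659) over a constructed in-memory zone table in place of real DNS queries, so the `ZONE` dictionary, the record values in it, and the `ca_domain` names passed to `caa_permits` are all assumptions made for illustration.

```python
"""CAA issuance check (RFC 6844 / RFC 8659) over a constructed zone table.

Added example: the ZONE data below is invented for illustration and stands in
for the DNS; a real checker would fetch the CAA RRset for each name instead.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple

CRITICAL = 128                     # "issuer critical" flag bit in a CAA record
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


class CAA(NamedTuple):
    flags: int
    tag: str
    value: str


def parse_caa(text: str) -> CAA:
    """Parse presentation format: '<flags> <tag> "<value>"'."""
    flags, tag, value = text.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone: name -> CAA records in presentation format (assumed data).
ZONE: Dict[str, List[str]] = {
    "example.com": [
        '0 issue "letsencrypt.org"',          # only this CA may issue
        '0 issuewild ";"',                    # no CA may issue wildcards
        '0 iodef "mailto:security@example.com"',
    ],
    "nocaa.example": [],                      # name exists, no CAA published
    "locked.example": ['0 issue ";"'],        # no CA may issue at all
    "odd.example": ['128 futuretag "x"'],     # critical, unknown tag
}


def relevant_caa_rrset(zone: Dict[str, List[str]], fqdn: str
                       ) -> Tuple[Optional[str], List[CAA]]:
    """Climb from fqdn toward the root and return the first non-empty CAA RRset.

    This is the 'relevant RRset' of RFC 8659 section 3: the closest ancestor
    (including the name itself) that publishes CAA records governs issuance.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, [parse_caa(r) for r in zone[name]]
    return None, []


def caa_permits(zone: Dict[str, List[str]], fqdn: str, ca_domain: str) -> bool:
    """Return True if CAA allows ca_domain to issue for fqdn.

    A leading '*.' marks a wildcard request; the lookup then starts at the
    parent name, since the '*' label itself normally carries no CAA records.
    """
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn
    _, rrset = relevant_caa_rrset(zone, base)

    # No CAA anywhere up the tree: issuance is not restricted by CAA.
    if not rrset:
        return True

    # A critical record with a tag the CA does not understand forbids issuance.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False

    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    relevant = [r for r in rrset if r.tag == tag]

    # CAA present but without any issue/issuewild property: not restricted.
    if not relevant:
        return True

    # Each value is '<issuer-domain>[; params]'; an empty issuer (';') allows
    # nobody, so it never matches a real CA domain.
    for r in relevant:
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "other-ca.example"),
                     ("*.example.com", "letsencrypt.org"),
                     ("host.nocaa.example", "anyca.example"),
                     ("locked.example", "letsencrypt.org"),
                     ("odd.example", "letsencrypt.org")]:
        print(f"{ca:>18} -> {name:<20} {'ALLOW' if caa_permits(ZONE, name, ca) else 'DENY'}")
```

The climb stops at the first name that publishes any CAA record, so a `www` host without its own records inherits the parent's `issue`, while a wildcard request for the same zone is refused by `issuewild ";"`. The `locked.example` and `odd.example` entries show the two other ways a zone owner can shut issuance off entirely: an empty issuer, or a critical record the CA does not recognize.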