Re: [DNSOP] meaning of tag "match" for CAA RDATA
Mark Andrews <marka@isc.org> Wed, 07 February 2018 21:25 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DC1B127698 for <dnsop@ietfa.amsl.com>; Wed, 7 Feb 2018 13:25:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Ra_a5UpLcbr for <dnsop@ietfa.amsl.com>; Wed, 7 Feb 2018 13:25:42 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A99612711D for <dnsop@ietf.org>; Wed, 7 Feb 2018 13:25:42 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id D14283AB072; Wed, 7 Feb 2018 21:25:38 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id B1FEC16005C; Wed, 7 Feb 2018 21:25:38 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id A3B5F160080; Wed, 7 Feb 2018 21:25:38 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id JjVMA4PEcCAy; Wed, 7 Feb 2018 21:25:38 +0000 (UTC)
Received: from [172.30.42.91] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id B264C16005C; Wed, 7 Feb 2018 21:25:37 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAJE_bqfEvy6-YovKCrtXxm81ieGPTBxpLk2NDuq115eHk3xmEg@mail.gmail.com>
Date: Thu, 08 Feb 2018 08:25:35 +1100
Cc: dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <1965473E-CDB6-44F9-89E0-33B12DF8D34E@isc.org>
References: <CAJE_bqfEvy6-YovKCrtXxm81ieGPTBxpLk2NDuq115eHk3xmEg@mail.gmail.com>
To: 神明達哉 <jinmei@wide.ad.jp>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QmCMeE3r1H51n2KzozF4onbMFo0>
Subject: Re: [DNSOP] meaning of tag "match" for CAA RDATA
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2018 21:25:44 -0000
> On 8 Feb 2018, at 3:26 am, 神明達哉 <jinmei@wide.ad.jp> wrote: > > I happen to have this question while reading RFC6844: what does the > "matching" mean in the following description of Section 5.1? > > Tag: The property identifier, a sequence of US-ASCII characters. > > Tag values MAY contain US-ASCII characters 'a' through 'z', 'A' > through 'Z', and the numbers 0 through 9. Tag values SHOULD NOT > contain any other characters. Matching of tag values is case > insensitive. > > Although the boundary is not very clear, Section 5.1 generally seems > to talk about the DNS-level syntax (e.g. what should/should not appear > in wire as a DNS message or in a zone file), while Section 5.2 and > later mainly talk about the semantics at the application layer > (something that validates certificates). Since the above text is in > Section 5.1, I first thought "matching of tag values" was a DNS level > concept. But then it's not clear to me what it actually means. > > Does this mean, for example, we should perform case-insensitive > comparison of this field when we compare CAA RDATAs? (If so, at least > ISC BIND 9 isn't compliant to the spec; it doesn't care about the case > of the tag field when loading or serving or updating or signing a CAA > RR). Why should it care about the case? ABC is different to abc as far as DNSSEC and handling of unknown record types is concerned. A signer that is CAA aware could remove “duplicates” that differ in the case of this field but nothing else can. When you load from disk you can’t know if the signer was CAA aware or not. UPDATE has to behave as is the records are opaque as the UPDATE client has no idea whether the server is CAA aware or not. You need to send perfect matches to delete a individual record. > It may also be related to Section 5.1.1, which states: > > The canonical presentation format of the CAA record is: > > CAA <flags> <tag> <value> > [...] > Tag: Is a non-zero sequence of US-ASCII letters and numbers in lower > case. > > which might read, for example, as 'dig' should present the tag field > with lower-case letters. But 'dig' currently doesn't work that way. Dig presents data such that it can re-entered into a master file. Others can transform it if they wish. > Could someone more familiar with the background of CAA clarify these > points? The CA's can deduplicate if they need to after performing DNSSEC validation. > Thanks, > > -- > JINMEI, Tatuya > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org