[pkix] [Technical Errata Reported] RFC6844 (5065)

RFC Errata System <rfc-editor@rfc-editor.org> Mon, 10 July 2017 15:03 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0253E1201F8 for <pkix@ietfa.amsl.com>; Mon, 10 Jul 2017 08:03:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.203
X-Spam-Level:
X-Spam-Status: No, score=-4.203 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I3oGCBoo1ykg for <pkix@ietfa.amsl.com>; Mon, 10 Jul 2017 08:03:31 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA9E4124D85 for <pkix@ietf.org>; Mon, 10 Jul 2017 08:03:31 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 6FFC0B80DD1; Mon, 10 Jul 2017 08:03:30 -0700 (PDT)
To: philliph@comodo.com, rob.stradling@comodo.com, Kathleen.Moriarty.ietf@gmail.com, ekr@rtfm.com, kent@bbn.com, stefan@aaa-sec.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: philliph@comodo.com, pkix@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset=UTF-8
Message-Id: <20170710150330.6FFC0B80DD1@rfc-editor.org>
Date: Mon, 10 Jul 2017 08:03:30 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/lqXkpf1oFCnh0lmxFWVf03Yn0QM>
Subject: [pkix] [Technical Errata Reported] RFC6844 (5065)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jul 2017 15:03:33 -0000

The following errata report has been submitted for RFC6844,
"DNS Certification Authority Authorization (CAA) Resource Record".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5065

--------------------------------------
Type: Technical
Reported by: Phillip Hallam-Baker <philliph@comodo.com>

Section: 4

Original Text
-------------
   Let CAA(X) be the record set returned in response to performing a CAA
   record query on the label X, P(X) be the DNS label immediately above
   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
   alias record specified at the label X.

   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise

   o  If A(X) is not null, and R(A(X)) is not empty, then R(X) =
      R(A(X)), otherwise

   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise

   o  R(X) is empty.

Corrected Text
--------------
   Let CAA(X) be the record set returned in response to performing a CAA
   record query on the label X, P(X) be the DNS label immediately above
   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
   alias record chain specified at the label X.
 
   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise
 
   o  If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
      CAA(A(X)), otherwise
 
   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise
 
   o  R(X) is empty.
 
  Thus, when a search at node X returns a CNAME record, the CA will
  follow the CNAME record chain to its target. If the target label 
  contains a CAA record, it is returned.

  ​O​therwise, the CA continues the search at
  the parent of node X.
 
  Note that the search does not include the parent of a target of a
  CNAME record (except when the CNAME points back to its own path).
 
  To prevent resource exhaustion attacks, CAs SHOULD limit the length of
  CNAME chains that are accepted. However CAs MUST process CNAME
  chains that contain 8 or fewer CNAME records.

Notes
-----
This is the updated errata to replace the ones previously deleted. It has been reviewed by all the parties concerned. Since this is a breaking change, this will have to go to hold for document update. The LAMPS working group is currently considering a more radical re-working of the CAA discovery scheme as a work item for its new charter.

I will be in Prague to discuss...

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC6844 (draft-ietf-pkix-caa-15)
--------------------------------------
Title               : DNS Certification Authority Authorization (CAA) Resource Record
Publication Date    : January 2013
Author(s)           : P. Hallam-Baker, R. Stradling
Category            : PROPOSED STANDARD
Source              : Public-Key Infrastructure (X.509)
Area                : Security
Stream              : IETF
Verifying Party     : IESG