Re: [Spasm] CAA erratum 4515
Jacob Hoffman-Andrews <jsha@eff.org> Sun, 12 March 2017 18:06 UTC
To: "Salz, Rich" <rsalz@akamai.com>, "spasm@ietf.org" <spasm@ietf.org>, Patrick Donahue <pat@cloudflare.com>, Gervase Markham <gerv@mozilla.org>, Phillip Hallam-Baker <phill@hallambaker.com>, Peter Bowen <pzb@amzn.com>, Rob Stradling <rob.stradling@comodo.com>, Ryan Sleevi <ryan-ietf@sleevi.com>
References: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org> <CAErg=HFtk0EKASTpWwNVhcT4zk2+ei-KPv=cMYDQej2oGJi=rw@mail.gmail.com> <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org> <CAErg=HGT7FyDKgm8cAUojhGDOzLUkn=bw1Xdghbqnxw-79zQiw@mail.gmail.com> <20170311201904.GQ7733@mournblade.imrryr.org> <fede5d8f9f2c43518d8a3c502c60558a@usma1ex-dag1mb1.msg.corp.akamai.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <389a248f-37e4-9ff7-b330-b840e7c47931@eff.org>
Date: Sun, 12 Mar 2017 11:06:05 -0700
In-Reply-To: <fede5d8f9f2c43518d8a3c502c60558a@usma1ex-dag1mb1.msg.corp.akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/-TZecHK9R_wEoe3pbL6BIoVJzLQ>
Subject: Re: [Spasm] CAA erratum 4515
(Adding back the CC'ed participants who may not be subscribed to SPASM).

On 03/11/2017 12:19 PM, Viktor Dukhovni wrote:
> On Fri, Mar 10, 2017 at 12:02:57PM -0500, Ryan Sleevi wrote:
>
>> We end up with the following configurations:
>>
>> - Self-Managed, Recursive, Trampoline'd
>> www.example.com CNAME staffie.example.net
>> www.example.com CAA 0 issue "good-ca.example.org"
>
> This should not be possible, one surely can't have both CNAME and
> CAA records for the same owner domain.
>
>> OR (and more problematically)
>>
>> www.example.com CNAME staffie.example.net
>> www.example.com CAA 0 issue "evil-ca.example.org"
>
> Ditto.

Ah, good point. https://tools.ietf.org/html/rfc1912#section-2.4

> A CNAME record is not allowed to coexist with any other data.

Looking at the types of policy I described earlier:

> 1. Policy set by user-facing domain owner for their own hostnames.
> 2. Blanket policy set by CDN for hostnames they operate on their customers' behalf.
> 3. Policy set by CDN for their own hostnames, which share the same base domain as the CNAME targets used in (2).

In the tree-climbing world, given the above restriction on CNAMEs coexisting, it would be impossible for a CDN to express "(3) without (2)". Worse, if some CDN did express (3), it would be impossible for their customers to opt out by setting CAA records on their own domains. This would effectively bar CDNs from expressing (3) in the tree-climbing world.

I think this is sufficient to say that tree climbing is undesirable. What do other folks think?
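The following is an added example, not code from the message above or from any CA or CDN. It models the RFC 6844 section 4 lookup R(X) over an in-memory zone built from the names in the quoted configurations, and runs it two ways: once recursing into R(A(X)) for a CNAME target (the "tree climbing" the message argues against, which also consults the target's parents), and once consulting only CAA(A(X)) before climbing the queried name's own parents. The zone contents are constructed for illustration; the CDN policy name "cdn-ca.example.org" and the TLD set are assumptions, and the second lookup variant is one possible alternative, not a statement of what the erratum text says.

```python
# Added example, not part of the original message. Toy model of the
# RFC 6844 section 4 CAA lookup over an in-memory zone, showing why a
# CNAME owner cannot carry an opt-out CAA record and what climbing the
# CNAME target's tree does to a CDN customer.

ZONE = {
    # Customer's zone (constructed): www is a CNAME to the CDN, so per
    # RFC 1912 section 2.4 it cannot also hold a CAA record; the
    # customer's policy lives at the apex instead.
    "www.example.com": {"CNAME": "staffie.example.net"},
    "example.com": {"CAA": ['0 issue "good-ca.example.org"']},
    # CDN's zone (constructed): a policy for the CDN's own hostnames
    # (type 3 in the message), sharing the base domain of the customer
    # CNAME targets. "cdn-ca.example.org" is an assumed name.
    "example.net": {"CAA": ['0 issue "cdn-ca.example.org"']},
}
TLDS = {"com", "net", "org"}  # assumed: the TLDs present in this toy zone


def coexistence_violations(zone):
    """Names holding a CNAME alongside other data (forbidden by RFC 1912)."""
    return sorted(n for n, rrs in zone.items()
                  if "CNAME" in rrs and len(rrs) > 1)


def caa(zone, name):
    """CAA(X): the CAA record set directly at X."""
    return list(zone.get(name, {}).get("CAA", []))


def alias(zone, name):
    """A(X): the CNAME target at X, or None."""
    return zone.get(name, {}).get("CNAME")


def parent(name):
    """P(X): the DNS parent of X, or None at a single label."""
    return name.split(".", 1)[1] if "." in name else None


def relevant_caa(zone, name, climb_alias_tree, _hops=0):
    """R(X) from RFC 6844 section 4.

    climb_alias_tree=True recurses into R(A(X)) for a CNAME target, so
    the target's parents are consulted too (the message's "tree
    climbing"). With False only CAA(A(X)) is consulted, after which the
    lookup climbs X's own parents.
    """
    if _hops > 8:
        raise RuntimeError(f"CNAME chain too long at {name}")
    rrset = caa(zone, name)
    if rrset:
        return rrset
    target = alias(zone, name)
    if target is not None:
        via_alias = (relevant_caa(zone, target, climb_alias_tree, _hops + 1)
                     if climb_alias_tree else caa(zone, target))
        if via_alias:
            return via_alias
    up = parent(name)
    if name not in TLDS and up is not None:
        return relevant_caa(zone, up, climb_alias_tree, _hops)
    return []


def compare(zone, name):
    """Both lookup variants side by side for one queried name."""
    return {"tree_climbing": relevant_caa(zone, name, True),
            "no_alias_climb": relevant_caa(zone, name, False)}


if __name__ == "__main__":
    for mode, rrset in compare(ZONE, "www.example.com").items():
        print(f"{mode:15s} -> {rrset}")
    # The customer's attempted opt-out is not even valid zone data:
    attempt = {**ZONE, "www.example.com": {
        "CNAME": "staffie.example.net",
        "CAA": ['0 issue "good-ca.example.org"']}}
    print("violations:", coexistence_violations(attempt))
```

With tree climbing, the lookup for www.example.com never reaches the customer's own policy at example.com: the CNAME target has no CAA set, so its parent example.net is consulted and the CDN's policy wins. Without climbing at the alias, the empty CAA(A(X)) falls through to the customer's apex. The `coexistence_violations` check is what makes the opt-out impossible in the first place, since the only name the customer could decorate is the CNAME owner itself.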