Re: [Spasm] CAA erratum 4515

Jacob Hoffman-Andrews <jsha@eff.org> Sun, 12 March 2017 18:06 UTC

To: "Salz, Rich" <rsalz@akamai.com>, "spasm@ietf.org" <spasm@ietf.org>, Patrick Donahue <pat@cloudflare.com>, Gervase Markham <gerv@mozilla.org>, Phillip Hallam-Baker <phill@hallambaker.com>, Peter Bowen <pzb@amzn.com>, Rob Stradling <rob.stradling@comodo.com>, Ryan Sleevi <ryan-ietf@sleevi.com>
References: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org> <CAErg=HFtk0EKASTpWwNVhcT4zk2+ei-KPv=cMYDQej2oGJi=rw@mail.gmail.com> <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org> <CAErg=HGT7FyDKgm8cAUojhGDOzLUkn=bw1Xdghbqnxw-79zQiw@mail.gmail.com> <20170311201904.GQ7733@mournblade.imrryr.org> <fede5d8f9f2c43518d8a3c502c60558a@usma1ex-dag1mb1.msg.corp.akamai.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <389a248f-37e4-9ff7-b330-b840e7c47931@eff.org>
Date: Sun, 12 Mar 2017 11:06:05 -0700
In-Reply-To: <fede5d8f9f2c43518d8a3c502c60558a@usma1ex-dag1mb1.msg.corp.akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/-TZecHK9R_wEoe3pbL6BIoVJzLQ>
Subject: Re: [Spasm] CAA erratum 4515

(Adding back the CC'ed participants who may not be subscribed to SPASM).

On 03/11/2017 12:19 PM, Viktor Dukhovni wrote:
> On Fri, Mar 10, 2017 at 12:02:57PM -0500, Ryan Sleevi wrote:
>
>> We end up with the following configurations:
>>
>> - Self-Managed, Recursive, Trampoline'd
>> www.example.com  CNAME staffie.example.net
>> www.example.com  CAA 0 issue "good-ca.example.org"
> This should not be possible, one surely can't have both CNAME and
> CAA records for the same owner domain.
>
>> OR (and more problematically)
>>
>> www.example.com  CNAME staffie.example.net
>> www.example.com  CAA 0 issue "evil-ca.example.org"
> Ditto.

Ah, good point.

https://tools.ietf.org/html/rfc1912#section-2.4
> A CNAME record is not allowed to coexist with any other data.

Looking at the types of policy I described earlier:

> 1. Policy set by user-facing domain owner for their own hostnames.
> 2. Blanket policy set by CDN for hostnames they operate on their
> customers' behalf.
> 3. Policy set by CDN for their own hostnames, which share the same
> base domain as the CNAME targets used in (2).

In the tree-climbing world, given the above restriction on CNAMEs
coexisting, it would be impossible for a CDN to express "(3) without
(2)". Worse, if some CDN did express (3), it would be impossible for
their customers to opt out by setting CAA records on their own domains.
This would effectively bar CDNs from expressing (3) in the tree-climbing
world.

I think this is sufficient to say that tree climbing is undesirable.
What do other folks think?
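As an added example (not part of this thread or anyone's code in it), a small Python model of the RFC 6844 Section 4 tree-climbing lookup over constructed zone data using the names above: the CDN sets policy (3) at example.net, the customer sets policy (1) at example.com and CNAMEs www.example.com into the CDN. The `climb_alias=False` variant is an illustrative alternative for comparison, not the erratum's wording.

```python
# Added example, not from the thread: toy model of the RFC 6844 Section 4 CAA
# lookup. All zone data is constructed; climb_alias=False is an illustrative variant.
from typing import Dict, List, Optional, Tuple

ZONE: Dict[str, Tuple[str, object]] = {}  # name -> ("CNAME", target) | ("CAA", [values])

def add_cname(name: str, target: str) -> None:
    if name in ZONE:  # RFC 1912 2.4: a CNAME may not coexist with other data
        raise ValueError(f"{name}: CNAME may not coexist with other data")
    ZONE[name] = ("CNAME", target)

def add_caa(name: str, values: List[str]) -> None:
    if ZONE.get(name, ("",))[0] == "CNAME":
        raise ValueError(f"{name}: CAA may not coexist with a CNAME")
    ZONE[name] = ("CAA", list(values))

def caa(x: str) -> List[str]:  # CAA(X): the CAA record set at X
    return list(ZONE[x][1]) if ZONE.get(x, ("",))[0] == "CAA" else []

def alias(x: str) -> Optional[str]:  # A(X): the CNAME target at X, if any
    return ZONE[x][1] if ZONE.get(x, ("",))[0] == "CNAME" else None

def parent(x: str) -> Optional[str]:  # P(X); a single label is treated as the TLD
    return x.split(".", 1)[1] if "." in x else None

def relevant(x: str, climb_alias: bool = True) -> List[str]:
    """R(X) per RFC 6844 s4: CAA(X); else R(A(X)) if non-empty; else R(P(X)).
    climb_alias=False is an illustrative variant that consults only CAA(A(X))."""
    if caa(x):
        return caa(x)
    a = alias(x)
    if a is not None:
        via_alias = relevant(a, climb_alias) if climb_alias else caa(a)
        if via_alias:  # with climb_alias, this includes the CNAME target's parents
            return via_alias
    p = parent(x)
    return relevant(p, climb_alias) if p is not None else []

def scenario() -> Tuple[List[str], List[str], str]:
    ZONE.clear()
    add_caa("example.net", ['0 issue "cdn-ca.example.org"'])   # (3) CDN's own base domain
    add_cname("www.example.com", "staffie.example.net")        # customer hostname on the CDN
    add_caa("example.com", ['0 issue "good-ca.example.org"'])  # (1) customer's own policy
    try:  # the customer cannot opt out at the CNAME'd name itself
        add_caa("www.example.com", ['0 issue "good-ca.example.org"'])
        opt_out = "allowed"
    except ValueError as err:
        opt_out = str(err)
    return relevant("www.example.com"), relevant("www.example.com", False), opt_out
```

Under tree climbing the CDN's example.net policy governs www.example.com despite the customer's CAA at example.com, and the opt-out attempt at www.example.com is rejected by the CNAME coexistence rule.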