IETF Logo Mail Archive

Re: [lamps] Next steps on CAA

Patrick Donahue <pat@cloudflare.com> Thu, 05 October 2017 22:07 UTC

Return-Path: <pat@cloudflare.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98E961330B1 for <spasm@ietfa.amsl.com>; Thu, 5 Oct 2017 15:07:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R_izzOeLoa85 for <spasm@ietfa.amsl.com>; Thu, 5 Oct 2017 15:07:38 -0700 (PDT)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E735126B7E for <spasm@ietf.org>; Thu, 5 Oct 2017 15:07:38 -0700 (PDT)
Received: by mail-qk0-x229.google.com with SMTP id k123so12724338qke.3 for <spasm@ietf.org>; Thu, 05 Oct 2017 15:07:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:from:date:message-id:subject:to:cc; bh=EefYpVl6C28UCeVysuhmMKXjwA+IFrAGZQjJyrgHw20=; b=eSkljYiM+uw3h/MQcI3IKQtOfd48mMGLZ0l8QKCMahB9b3ZMAtdL2MyEhcMFrU/Gg6 RHomU0NmZSUZOr3xvXBRieqHu/GS+CBO6PLKvNgJRlzphyo5zz5qQTEAQJVmaQzM6YqE dqnGDEiztss2M0weU+cIXzfSGxejFkQbOPS0Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=EefYpVl6C28UCeVysuhmMKXjwA+IFrAGZQjJyrgHw20=; b=NkmHlEGpvfMVIKxmBOoJ63rYTpET2ebTPVt32IpQ+g7j7E3MLjvDgeHj/eVaXqVnQ8 IpMR8UXO0yzATtNta47G7oBBh7A1GeuchgqruXoLHnwSKJYgRl25CnrWasRNin1QD0lT B2ZY/L7w5p/kVQe7si7GLdPTpQwyjpjILfz5b0qzxHd5nYwUA4aF6Q4rcbpD9VFslu34 MWt37VCl9jE4QiqQ1hJkpO6lC18X5a7jfPW0lKF6MlMUetDzaHlDZVq5k7iuJBGKGvUq uhihIKk4DUHVV6v23tpNqzw58YViu9nlIaL6HyKR7Z1BuARV4Yvkv2Qv/4uqdUYLnutB +Jxg==
X-Gm-Message-State: AMCzsaULC2gphHJeuME5aPzzcM3q5DDgTBL4Bpj6uHQtupDurc3wuDxi xtQxLpcdKrbNzurPJ7HJTJvfDbSWYL4zI44biayXOaBi
X-Google-Smtp-Source: AOwi7QDeAwr73vFu9qj2BzcNl7wRd1hEBJB5sW3oiNEEM8V9RqphsgfXV3lDSIkM7RL2WZ94imdjStrhwenG6IjvqNw=
X-Received: by 10.55.102.215 with SMTP id a206mr20742073qkc.269.1507241257489; Thu, 05 Oct 2017 15:07:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.82.111 with HTTP; Thu, 5 Oct 2017 15:07:36 -0700 (PDT)
From: Patrick Donahue <pat@cloudflare.com>
Date: Thu, 05 Oct 2017 15:07:36 -0700
Message-ID: <CACh0qC+jRjPMsf7YmDqoKZ0X1zWE2p=fUAo5uN3bZwwzBRG9Kg@mail.gmail.com>
To: johnl@taugh.com
Cc: SPASM <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c05986ebe6fb6055ad3f3d4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/25CDREso0MgtQ0_-3_ZZawGyMUI>
Subject: Re: [lamps] Next steps on CAA
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Oct 2017 22:07:40 -0000

I've provided a real-world counter example below that illustrates why
climbing the CNAME tree will cause significant real-world breakages for
companies like Cloudflare who provide free SSL certificate issuance and
termination.

While we believe that erratum 5065 fixes this, we are very much in support
of seeing straightforward RFC confirmed that will make it clear to CAs that
CNAME tree climbing is no longer required.

*Example:*
Cloudflare customers have, collectively, over 400,000 CNAMEs to
ghs.google.com. This CNAME value is what Google instructs[1] their Blogger
customers to use to serve their blog on their own custom domain.

Were a CA have to check for a CAA record at google.com (in addition to
ghs.google.com) they'd see this:

$ dig CAA +short ghs.google.com
$ dig CAA +short google.com
*0 issue "pki.goog"*

1 - https://support.google.com/blogger/answer/58317?hl=en

In article <4FDC1A25-9CC4-4E79-B46B-93BFD36E01DA@vigilsec.com>; you write:
> >> 1) The CNAME is there to make the names equivalent so the CAA record at
> example.net <http://example.net/> should aply
> >>
> >> 2) The CNAME is only there to make the CDN work and the CAA record at
> example.net <http://example.net/> should be ignored.
> >
> >If one looks in the DNS for www.ietf.org, one will see:
> >
> > www.ietf.org. 607 IN CNAME www.ietf.org.cdn.cloudflare.net.
> >
> >I'm not sure how you would expect to distinguish the two cases.
> If your CDN tries to lock you in with a rogue CAA record, that's a
> business issue, not a technical one.
> R's,
> John



-- 
Patrick R. Donahue
pat@cloudflare.com

PGP Fingerprint: 2E8D 5A38 682E EC00 C0F3  E7F2 D9BE 68D2 ABF3 6B24

v2.23.0 | Report a Bug | By Email