Re: [lamps] CAA Simplification draft
Phillip Hallam-Baker <phill@hallambaker.com> Tue, 19 September 2017 12:04 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B796B132939 for <spasm@ietfa.amsl.com>; Tue, 19 Sep 2017 05:04:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.398
X-Spam-Level:
X-Spam-Status: No, score=-2.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c2YWPcjXufJJ for <spasm@ietfa.amsl.com>; Tue, 19 Sep 2017 05:04:57 -0700 (PDT)
Received: from mail-io0-x236.google.com (mail-io0-x236.google.com [IPv6:2607:f8b0:4001:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E1E4134212 for <spasm@ietf.org>; Tue, 19 Sep 2017 05:04:55 -0700 (PDT)
Received: by mail-io0-x236.google.com with SMTP id l15so9377861iol.8 for <spasm@ietf.org>; Tue, 19 Sep 2017 05:04:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=jSW74RluwQo6yHtufXxoGkclifzu2PiIAl3aNC3Xjm0=; b=IyP7uKDJzDUH2onXuCE4J2vmr5APkiA3tPVM/9VFLMH4Y82yFqWX2QedETU+KTtiBd FPwWE2cJHqECFH5JwjUOhtCxyAbhmekKXp5P6ZC56lCrcEE1HN9KToWDTNtD6KjRjIgF fxs9FYpJNNjpzW2mxeIvX8fGuFE/pFVwmuMWnrTrFndAMYJRj7fztPEy3kfzZTUfypWr DxoaGg4HS+BWAXX3kK4v7nEpGXX09hwZRwf0Gxmll1o904+qY1ZewIgCk9RAcJkMiE5V C8I4yYQwR+01mMyUH9++3WQj1JCrRchQ2r2R4cmNr6I24M5nwYPYS5RheGMrFcvnd7Kg b3aA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=jSW74RluwQo6yHtufXxoGkclifzu2PiIAl3aNC3Xjm0=; b=XMVfX4ID2H/8cM9PW7Z2Ep1NdL8RhDKfrd3kAvI1PYM8rKlDHWVOBWMZ0ReVvex8kz L58rJu1EhO06q5MYU5fDp1gbydgFsXiZejWuCij5NH/AiBLkHcshh7SqUgjedHc5+71x 66JMi/hcCponfZ6+03RC4WSFFTt642MYfZV/qHcSVDxzZ3ab4QnHgbYI4pASYnisLQAg 6zDjsFN1WyZH+J5X+vPT026UONzoxR8xmjk/qXXZ/nIldz7YQhExkp3EMpC8dX8YIXs8 HOU53Vw0mjT3k0YrF7ORK6UtoFJDNBEBmOHv0tuHLF868V6AAyUCRRTjdm5iKECfdJJB gKcQ==
X-Gm-Message-State: AHPjjUicL4As15Pzz0xYUX6PBr4NTVYsSIkLwQS81sPQ3qy5V5t4J4O3 IET566eitI/7Fo2GVi3yXK00g6i6S1ugCEvLXzA=
X-Google-Smtp-Source: AOwi7QD6uOJ55pQQ+tETzXLW7VpAoX2p+xN7PfVmT5WUO6Joj/SpBm5rE9+G4mAHlTwGSwHNGN2LWUKiyleBk2xvxoo=
X-Received: by 10.202.44.80 with SMTP id s77mr1176363ois.262.1505822694336; Tue, 19 Sep 2017 05:04:54 -0700 (PDT)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 10.157.46.177 with HTTP; Tue, 19 Sep 2017 05:04:53 -0700 (PDT)
In-Reply-To: <20170919.192008.787143344501911357.fujiwara@jprs.co.jp>
References: <02d4e149-b777-5b5c-1cd0-a2c2aae49311@eff.org> <20170919.192008.787143344501911357.fujiwara@jprs.co.jp>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 19 Sep 2017 08:04:53 -0400
X-Google-Sender-Auth: BLKKqLd0gyYIwNzGVVPyVa3goJ8
Message-ID: <CAMm+LwiZ6dybRvj7Aaj_ftZ0DQASAnD+m0k4p-R-DcgKFHn+TQ@mail.gmail.com>
To: fujiwara@jprs.co.jp
Cc: Jacob Hoffman-Andrews <jsha@eff.org>, SPASM <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="001a1137d83eca6e0e055989aaed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/6quyCTBzA0YigGW8Gga-8UBGFb8>
Subject: Re: [lamps] CAA Simplification draft
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Sep 2017 12:04:59 -0000
Administrative boundaries are not visible in the DNS. Attempting to attach semantics to the zone cut creates more problems than it solves. Given the length of the document and the need to cite it in other documents, I don't think an update is appropriate. Obsoleting the old text and replacing is the way to go. The reason the tree climbing is necessary is that MANY DNS host and service names are not visible on the public DNS. So most of the time, a CA has no way to validate the records for secrethost.example.com, the CAA record has to be at example.com. The reason aliases are necessary is two fold. One is to support delegation of the domain to a different administration as is typical in a CDN, the other is to simplify management of large portfolios of domains. The DNS only provides one alias record (DNAME is not an alias, see below) so it is not clear what the purpose of the alias is. When RFC6844 was written, CDNs were the exception, now they are much more common. Further, the DNS spec is broken in that it requires that a CNAME be the only entry at a node if present. On the DNAME issue, it is not really an alias as a DNAME is a wildcard record that would have never appeared on the wire until DNSSEC made it necessary. An application does not process a DNAME directly, it uses the DNAME record to either validate a CNAME or infer that one should have been presented but was not. On Tue, Sep 19, 2017 at 6:20 AM, <fujiwara@jprs.co.jp> wrote: > I did not know about RFC 6844 and was surprised about "tree climing" > and "CNAME". > > > From: Jacob Hoffman-Andrews <jsha@eff.org> > > https://www.ietf.org/id/draft-hoffman-andrews-caa-simplification-00.txt > > I checked differences between RFC 6844 and the draft. > https://tools.ietf.org/rfcdiff?url1=https://tools. > ietf.org/rfc/rfc6844.txt&url2=https://www.ietf.org/id/draft- > hoffman-andrews-caa-simplification-01.txt > > I have some comments. > > - Current draft has some formatting mistakes. > > current text: $ORIGIN example.com . CAA 0 issue "ca.example.net" > > should be (from RFC 6844) > > rfc6844: $ORIGIN example.com > rfc6844: . CAA 0 issue "ca.example.net" > > However, I would like to suggest to remove "$ORIGIN" and add tailing > dot in domain names. > > proposed: example.com. CAA 0 issue "ca.example.net" > > - Current document still contain "tree climing" and checks CAA RR in TLDs. > > The tree climing should stop at administrative domain boundaries. > > "example.com." domain name owner does not want to be checked "com. CAA". > > See (concluded) dbound WG and Public Suffix list discussions. > https://tools.ietf.org/wg/dbound/ > https://publicsuffix.org/ > > - I like prefixed record solution proposed at IETF 99 lamps WG. > https://datatracker.ietf.org/meeting/99/materials/slides- > 99-lamps-caabis/ > > However, it is not compatible with RFC 6844. > > Regards, > > -- > Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp> > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- [lamps] CAA Simplification draft Jacob Hoffman-Andrews
- Re: [lamps] CAA Simplification draft Roland Bracewell Shoemaker
- Re: [lamps] CAA Simplification draft Jacob Hoffman-Andrews
- Re: [lamps] CAA Simplification draft Roland Bracewell Shoemaker
- Re: [lamps] CAA Simplification draft fujiwara
- Re: [lamps] CAA Simplification draft Phillip Hallam-Baker
- Re: [lamps] CAA Simplification draft Jacob Hoffman-Andrews