Re: [Spasm] CAA erratum 4515

Jacob Hoffman-Andrews <jsha@eff.org> Thu, 09 March 2017 21:57 UTC

To: Patrick Donahue <pat@cloudflare.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Date: Thu, 09 Mar 2017 13:57:02 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/HgGKmRas2fAPbGsNhp2JfzRw9go>
Cc: Gervase Markham <gerv@mozilla.org>, Phillip Hallam-Baker <philliph@comodo.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, Peter Bowen <pzb@amzn.com>, SPASM <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>
Subject: Re: [Spasm] CAA erratum 4515

On 03/09/2017 01:45 PM, Patrick Donahue wrote:
> www.staffie.dog.        CNAME staffie.terrier.dog.
> staffie.terrier.dog.    A 192.0.2.1
> terrier.dog.            CAA 0 issue "happy-hacker-fake-ca.net"
>
>
>     Should issuance for www.staffie.dog require a CAA query for
>     terrier.dog? Or should it only require CAA queries for
>     www.staffie.dog and staffie.terrier.dog?
>
>
> I'm a bit confused here as I would say "no" to the first question and
> I would say that staffie.terrier.dog is irrelevant in the second part
> of the question (but a CA may need to check staffie.dog if nothing set
> at www.staffie.dog).
Sorry, I was a little fuzzy in my language here. There are two
questions: What queries does the CA make to its recursive resolver, and
what queries does the recursive resolver make?

If the CA queries "CAA www.staffie.dog.", the recursive resolver will
query the authoritative resolver for "CAA www.staffie.dog." Failing to
find it, the recursive resolver will then query the authoritative
resolver for "CNAME www.staffie.dog." The recursive resolver will follow
a sequence of CNAMEs, querying CAA (but not tree-climbing) at each step.
In this case there's just one step, and the recursive resolver queries
the authoritative resolver for "CAA staffie.terrier.dog." The recursive
resolver includes the result in its response to the CA software. This is
defined in RFC 1034 about DNS in general:

https://tools.ietf.org/html/rfc1034#section-3.6.2
> CNAME RRs cause special action in DNS software.  When a name server
> fails to find a desired RR in the resource set associated with the
> domain name, it checks to see if the resource set consists of a CNAME
> record with a matching class.  If so, the name server includes the CNAME
> record in the response and restarts the query at the domain name
> specified in the data field of the CNAME record.  The one exception to
> this rule is that queries which match the CNAME type are not restarted.

In other words, one CAA query to a recursive resolver can trigger
multiple CAA queries from the recursive resolver to the authoritative
resolver.
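Added example, not from the original mail or from RFC 1034: a small Python model of the lookup sequence described above. The zone data is the constructed example from the thread, the function names are hypothetical, and the model follows the mail's description of separate CAA-then-CNAME queries to the authoritative side rather than exact wire behaviour.

```python
# Toy model of RFC 1034 section 3.6.2 CNAME handling for a CAA lookup.
# Constructed zone data mirrors the www.staffie.dog example from the thread.
from typing import Dict, List, Tuple

# name -> list of (rrtype, rdata); a constructed, not real, zone
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "www.staffie.dog.": [("CNAME", "staffie.terrier.dog.")],
    "staffie.terrier.dog.": [("A", "192.0.2.1")],
    "terrier.dog.": [("CAA", '0 issue "happy-hacker-fake-ca.net"')],
}

QueryLog = List[Tuple[str, str]]          # (rrtype, name) sent to authoritative
Answer = List[Tuple[str, str, str]]       # (name, rrtype, rdata) returned to CA


def authoritative_lookup(name: str, rtype: str, log: QueryLog) -> List[str]:
    """One query from the recursive resolver to the authoritative side."""
    log.append((rtype, name))
    return [rdata for t, rdata in ZONE.get(name, []) if t == rtype]


def recursive_query(name: str, rtype: str, log: QueryLog, max_chain: int = 8) -> Answer:
    """Recursive resolver: if the wanted RR is absent, check for a CNAME at the
    same name, include it in the answer and restart at the CNAME target.
    Queries of type CNAME are never restarted. The resolver never climbs to a
    parent name; CAA tree-climbing (terrier.dog. here) is the CA's own job."""
    answer: Answer = []
    for _ in range(max_chain):              # bound the chain to survive CNAME loops
        rrs = authoritative_lookup(name, rtype, log)
        if rrs or rtype == "CNAME":
            answer.extend((name, rtype, r) for r in rrs)
            return answer
        cname = authoritative_lookup(name, "CNAME", log)
        if not cname:
            return answer                   # dead end: no RR and no CNAME
        answer.append((name, "CNAME", cname[0]))
        name = cname[0]
    raise RuntimeError("CNAME chain too long")


def ca_caa_query(name: str) -> Tuple[Answer, QueryLog]:
    """The single 'CAA <name>' query the CA sends, plus what it fanned out to."""
    log: QueryLog = []
    return recursive_query(name, "CAA", log), log
```

Running `ca_caa_query("www.staffie.dog.")` shows one CA-side CAA query becoming two CAA queries to the authoritative side, neither of them for terrier.dog.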