Re: [Spasm] CAA erratum 4515
Jacob Hoffman-Andrews <jsha@eff.org> Thu, 09 March 2017 21:57 UTC
To: Patrick Donahue <pat@cloudflare.com>
Cc: Gervase Markham <gerv@mozilla.org>, Phillip Hallam-Baker <philliph@comodo.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, Peter Bowen <pzb@amzn.com>, SPASM <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>
Date: Thu, 09 Mar 2017 13:57:02 -0800
Message-ID: <1a31c80e-cabb-91ee-5768-683f98aa942d@eff.org>
In-Reply-To: <CACh0qCKPXvbmxJE=26xoRmc-h=YV8B3_dU5Y2jdLcznz4dA4hQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/HgGKmRas2fAPbGsNhp2JfzRw9go>
On 03/09/2017 01:45 PM, Patrick Donahue wrote:
> www.staffie.dog. CNAME staffie.terrier.dog.
> staffie.terrier.dog. A 192.0.2.1
> terrier.dog. CAA 0 issue "happy-hacker-fake-ca.net"
>
> Should issuance for www.staffie.dog require a CAA query for
> terrier.dog? Or should it only require CAA queries for
> www.staffie.dog and staffie.terrier.dog?
>
> I'm a bit confused here as I would say "no" to the first question and
> I would say that staffie.terrier.dog is irrelevant in the second part
> of the question (but a CA may need to check staffie.dog if nothing set
> at www.staffie.dog).

Sorry, I was a little fuzzy in my language here. There are two questions: What queries does the CA make to its recursive resolver, and what queries does the recursive resolver make?

If the CA queries "CAA www.staffie.dog.", the recursive resolver will query the authoritative resolver for "CAA www.staffie.dog." Failing to find it, the recursive resolver will then query the authoritative resolver for "CNAME www.staffie.dog." The recursive resolver will follow a sequence of CNAMEs, querying CAA (but not tree-climbing) at each step. In this case there's just one step, and the recursive resolver queries the authoritative resolver for "CAA staffie.terrier.dog." The recursive resolver includes the result in its response to the CA software.

This is defined in RFC 1034 about DNS in general: https://tools.ietf.org/html/rfc1034#section-3.6.2

> CNAME RRs cause special action in DNS software. When a name server
> fails to find a desired RR in the resource set associated with the
> domain name, it checks to see if the resource set consists of a CNAME
> record with a matching class. If so, the name server includes the CNAME
> record in the response and restarts the query at the domain name
> specified in the data field of the CNAME record. The one exception to
> this rule is that queries which match the CNAME type are not restarted.
In other words, one CAA query to a recursive resolver can trigger multiple CAA queries from the recursive resolver to the authoritative resolver.
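The following is an added example, not code from the thread or from any participant's CA or resolver software. It simulates the RFC 1034 section 3.6.2 CNAME restart described above against a constructed copy of the zone from the thread, logging every query the recursive resolver sends to the authoritative server, so a CA operator can see that a single "CAA www.staffie.dog." query fans out into CAA queries at each step of the CNAME chain, that the resolver does not tree-climb, and that a CNAME-type query is not restarted. Modelling assumptions: the authoritative server answers a query for a missing type with the CNAME at that name (the behaviour the RFC text describes), the `loop-a.example.`/`loop-b.example.` records are constructed only to exercise the loop guard, and the `ZONE` dictionary stands in for real authoritative data.

```python
"""Simulate RFC 1034 3.6.2 CNAME handling for CAA queries (added example).

The zone below is constructed from the example in the thread plus two
records that form a CNAME loop, used only to exercise the loop guard.
"""

# Constructed authoritative data: (owner, type) -> list of rdata strings.
ZONE = {
    ("www.staffie.dog.", "CNAME"): ["staffie.terrier.dog."],
    ("staffie.terrier.dog.", "A"): ["192.0.2.1"],
    ("terrier.dog.", "CAA"): ['0 issue "happy-hacker-fake-ca.net"'],
    # constructed loop, not part of the thread's example
    ("loop-a.example.", "CNAME"): ["loop-b.example."],
    ("loop-b.example.", "CNAME"): ["loop-a.example."],
}


def authoritative_answer(name, rtype, log):
    """One query to the authoritative server.

    Appends (name, rtype) to `log`. If no RR of the requested type exists,
    the CNAME at that owner (if any) is returned instead, as RFC 1034
    3.6.2 describes; a query for CNAME itself never triggers this.
    """
    log.append((name, rtype))
    rrs = ZONE.get((name, rtype))
    if rrs:
        return [(name, rtype, r) for r in rrs]
    if rtype != "CNAME":
        cname = ZONE.get((name, "CNAME"))
        if cname:
            return [(name, "CNAME", cname[0])]
    return []


def recursive_query(name, rtype, log):
    """What the recursive resolver does for one query from the CA.

    Restarts the query at each CNAME target until the desired type is found
    or the chain ends. No tree-climbing happens here: that is the CA's job.
    Returns the answer section as a list of (owner, type, rdata).
    """
    answer = []
    seen = set()
    while True:
        if name in seen:
            raise RuntimeError("CNAME loop detected at %s" % name)
        seen.add(name)
        rrs = authoritative_answer(name, rtype, log)
        answer.extend(rrs)
        only_cname = bool(rrs) and all(r[1] == "CNAME" for r in rrs)
        if rtype != "CNAME" and only_cname:
            name = rrs[0][2]  # restart at the CNAME target
            continue
        return answer


def caa_rdata(answer):
    """Pull just the CAA records out of an answer section."""
    return [r[2] for r in answer if r[1] == "CAA"]


if __name__ == "__main__":
    log = []
    ans = recursive_query("www.staffie.dog.", "CAA", log)
    print("authoritative queries:", log)
    print("answer section:", ans)
    print("CAA records:", caa_rdata(ans))
```

Running the module shows two authoritative CAA queries (`www.staffie.dog.` then `staffie.terrier.dog.`) for the CA's single query, an answer section containing only the CNAME, and an empty CAA set; whether the CA then climbs from `www.staffie.dog` or from the CNAME target is exactly the question the thread is debating, and the simulation leaves that step to the caller.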