Re: [lamps] CAA records on CNAMEs
Tim Wicinski <tjw.ietf@gmail.com> Sun, 17 March 2019 18:49 UTC
Return-Path: <tjw.ietf@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DAC0131197 for <spasm@ietfa.amsl.com>; Sun, 17 Mar 2019 11:49:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pySYBSpBEzQ9 for <spasm@ietfa.amsl.com>; Sun, 17 Mar 2019 11:49:39 -0700 (PDT)
Received: from mail-ot1-x32b.google.com (mail-ot1-x32b.google.com [IPv6:2607:f8b0:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26D9A131196 for <spasm@ietf.org>; Sun, 17 Mar 2019 11:49:39 -0700 (PDT)
Received: by mail-ot1-x32b.google.com with SMTP id r19so12615077otn.1 for <spasm@ietf.org>; Sun, 17 Mar 2019 11:49:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6jCSXYs/5gUdToAof73d+lD0ZkOuHDWIvAEC4RKfEWU=; b=jsAl+bwnY3PtnoBPurbJ6patyhDJOrmytghr5QilguzwjLTqEfDArAj5yB8UU/aUBC M1t6qnGQ7WMOltC342JICucwUuNmJE3uhT7uzRNxlOXuKC9eVYyBQ/Z2VBVZ0+p9ACNl 5dDgZVY35CzgRqa5RDW2/579FKGMO91wX0pJFN1teWbZt229mjHyfzeqp7nTjdUUnr4V 759QAa3DvmPxgMC91iqtIrSWJUngWz0M/uI8Jh5b2UVk6ASqhSFE8wrV+RchsrEuvxXT Qkk5P+sFbBHDgoRkd83fPx1bBw/Q8aWa8Kx1fX2URYkzWV5HqJTKA9yRn1v/rzsE2ubY zrhQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6jCSXYs/5gUdToAof73d+lD0ZkOuHDWIvAEC4RKfEWU=; b=K/il3KUwwmdyEekv9R/CQR4Z0al/zQso2zhHEuI03e+hoe3M5nBJOIQME0XscL/d9H VEPsGikb/IkpvhZvnD9PHTD48REc7C2JSkeFXxVs3p0owytk+htcrRAMaA830q4rOJvm XPiyfiMET4mtgNwXdFA3FSrz7LNfxofT98mBu1e5m9cXT7+VK3sRWIxswNQ1pQU+7sTF 2L/J+WEvBqJa6S4MFONLCusW/crZ7U8qBpOrBlyipaTmf5Dbyw4L4HUrcEpnTd8oOV1X VdsAQI5vDklrTgKVerPH34DIRETqX4LO0gow2nsuzY+9up85q/PSxBhst70GQ5ZEvCDp p4Xg==
X-Gm-Message-State: APjAAAWPXGv+6NnMOQu/T2qBqrO0Q5ARyynUpRGOMmB0Emip2cDP+BrT oakGqPtsU+ixAFtys5uhEaKUp3j/bJGpm35RyaA=
X-Google-Smtp-Source: APXvYqwcrZR2ywvDQzt0hk9IpGcC9YQtrCuMWuDvQcUnSGMygvuytfbLwfKrUwekNkIJiusDtWIwYahUrrDha1hE7X4=
X-Received: by 2002:a9d:63c9:: with SMTP id e9mr948226otl.76.1552848578264; Sun, 17 Mar 2019 11:49:38 -0700 (PDT)
MIME-Version: 1.0
References: <20190316223225.GC11586@netmeister.org> <20190317180256.GA4279@LK-Perkele-VII>
In-Reply-To: <20190317180256.GA4279@LK-Perkele-VII>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Sun, 17 Mar 2019 11:49:28 -0700
Message-ID: <CADyWQ+ERaPHyQbTadTAaLw19vbGcghHDhxTdD=KSO3e8nJmgNA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: SPASM <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e5c27805844ebbd6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/LAXTObt7qPO-qylOVIjGrIqaeOI>
Subject: Re: [lamps] CAA records on CNAMEs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Mar 2019 18:49:42 -0000
We did not like using something like _caa.example.com ? I mean we have an RFC and an IANA registry all set up to handle the underscore name (well almost https://tools.ietf.org/html/draft-ietf-dnsop-attrleaf-16) We've been burned on CAA records for specific FQDNs which are CNAMEs. Tim On Sun, Mar 17, 2019 at 11:03 AM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Sat, Mar 16, 2019 at 06:32:26PM -0400, Jan Schaumann wrote: > > > > The "easiest" solution would be to allow CAA records on CNAMEs. This > > (currently) violates RFC1912, Section 2.4. But per RFC2181, section > > 10.1, we already allow e.g. SIG, NXT, and KEY RRs on CNAMEs; would it > > make sense to allow CAA on CNAMEs as well? > > Unfortunately that would break DNS. There are few exceptions to > "nothing alongside CNAME" rule, but that is because the RRtypes > involved are magic DNSSEC ones. > > Trying to stick anything else alongside CNAME leads to horrible > failure rates. That is not some servers fail, but almost all servers > fail. E.g., see. CNAME@apex (SOA and NS). > > > An alternative solution was suggested in the slides noted above: change > > the CAA resolution algorithm to first attempt a _prefix on which I can > > set an override (i.e., '_prefix.someapp.example.com IN CAA issue > > "letsencrypt.org"'). This proposal was not reflected in > > https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc6844bis/, however, > > so I assume there was discussion that concluded this to be undesirable? > > That lookup happens just on the full name, right after lookup on the > name itself, right? I.e., not on any tree-climbed names. > > > A third possibility might be to add another 'override' tag to the CAA > > definition, e.g.: > > > > example.com CAA 0 issue "digicert.com" > > example.com CAA 0 override "someapp.example.com issue:letsencrypt.org" > > > > would mean that Digicert can issue certs for anything under example.com > > with the exception of 'someapp.example.com', for which only Let's > > Encrypt can issue a cert. > > One would presumably want to flag that as critical. > > And are overrides recursive or not? Based on description it looked that > they require exact match. > > And how is the name represented? DNS can present all sorts of really > wonky names, including ones containing spaces or dots. I do not think > public CAs are allowed to issue for such names tho. > > > I'm seeking input on whether the workgroup would consider any of these > > options or otherwise would revive the discussion around the need to find > > a way to set CAA records on a CNAME separate from the parent label. > > > -Ilari > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- [lamps] CAA records on CNAMEs Jan Schaumann
- Re: [lamps] CAA records on CNAMEs Tim Wicinski
- Re: [lamps] CAA records on CNAMEs Russ Housley
- Re: [lamps] CAA records on CNAMEs Ilari Liusvaara
- Re: [lamps] CAA records on CNAMEs Ilari Liusvaara
- Re: [lamps] CAA records on CNAMEs Tim Wicinski
- Re: [lamps] CAA records on CNAMEs Salz, Rich
- Re: [lamps] CAA records on CNAMEs Phillip Hallam-Baker
- Re: [lamps] CAA records on CNAMEs Jan Schaumann
- Re: [lamps] CAA records on CNAMEs Tim Hollebeek
- Re: [lamps] CAA records on CNAMEs Jan Schaumann
- Re: [lamps] CAA records on CNAMEs Tim Hollebeek
- Re: [lamps] CAA records on CNAMEs Phillip Hallam-Baker