Re: [lamps] CAA records on CNAMEs
Phillip Hallam-Baker <phill@hallambaker.com> Mon, 18 March 2019 15:46 UTC
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 18 Mar 2019 11:46:47 -0400
Message-ID: <CAMm+LwgMWg0TVw0rf_1PDTWQwVCU4FLcUUGun1TjG8yz-QHWXA@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Jan Schaumann <jschauma@netmeister.org>, "spasm@ietf.org" <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/MaCFnc0QnoSMXJLF96NSvm6C3TI>
This is exactly back where we started. There are three technical options. Each time I comment on this I understand that we have decided to go for the prefix records solution, and every time it turns out we didn't, and a few months later the same problem comes up.

The problem here is that CNAME delegation is used to implement two entirely different types of delegation and does not specify which one is intended. When 6844 was written, the Web was in a different place: CDNs were not so ubiquitous, so the needs then were different, and when we discussed it then we decided to make one particular choice. But it was a fully considered choice.

Also, at the time CAA was proposed, the DNS folk insisted that prefix records represent some sort of heresy and must be avoided at all costs. It has since been realized that they are necessary to fix the fact that the DNS architecture does not meet DNS use. And why would something designed 35 years ago to meet the needs of the Internet scaling from 100 hosts to 1000 anticipate everything that came since?

The two uses of delegation are:

1) Asserting name equality, i.e. *.example.net = *.example.com

2) Delegating isolated domains: www.example.com -> example.mycdn.com

On top of this there is the fact that DNAME isn't really a DNS RR, only it is because it has to be because of DNSSEC, only it doesn't have the semantics you would expect and certainly not the semantics that you want.

The long and the short of it is that if you want to do the right thing for both the use cases, you need to distinguish one of the cases using a prefix to the CAA record.

I am not going to be in Prague as I am still finishing the Mesh specs and getting my company registered as an LLC. Right now it is VentureCryptography.com

On Mon, Mar 18, 2019 at 11:29 AM Salz, Rich <rsalz@akamai.com> wrote:

> As noted in e.g.,
> https://datatracker.ietf.org/meeting/100/materials/slides-100-lamps-rfc-6844-bis-00.pdf ,
> there are cases where it's desirable for an organization to set a CAA
> record on a CNAME. For example:
>
> Start by changing RFC 1912, which does not allow any other data to
> appear with a CNAME. ;)
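The two delegation uses above give different answers depending on which CAA tree-climbing rule a CA applies. As an added illustration (not code from the message or from any IETF document), the Python below runs a constructed in-memory zone through the RFC 6844 Section 4 algorithm, which follows the alias target and then climbs that target's parents, and through the 6844-bis rule that became RFC 8659 Section 3, where the resolver chases the CNAME and only the queried name's own parents are climbed. The zone names (example.com, example.net, mycdn.com, the shop.* hosts) and the CA identifiers ca-a.example / ca-b.example are assumptions made for the demo.

```python
"""Compare two CAA lookup algorithms on the two CNAME uses the message describes.

Added illustration: this is not code from the message, RFC 6844 or RFC 8659.
The zone below is constructed; example.com, example.net, mycdn.com and the
CA identifiers ca-a.example / ca-b.example are assumptions for the demo.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone data: owner name -> (CAA RRset as strings, CNAME target).
# Per RFC 1912 a name with a CNAME carries no other data, so aliased names
# have an empty CAA list.
ZONE: Dict[str, Tuple[List[str], Optional[str]]] = {
    "example.com":       (['0 issue "ca-a.example"'], None),
    "shop.example.com":  ([], None),                 # plain host in example.com
    "shop.example.net":  ([], "shop.example.com"),   # use 1: name equality
    "www.example.com":   ([], "example.mycdn.com"),  # use 2: isolated delegation to a CDN
    "mycdn.com":         (['0 issue "ca-b.example"'], None),
    "example.mycdn.com": ([], None),
}


def caa_at(name: str) -> List[str]:
    """CAA RRset stored at exactly this owner name (no alias chasing)."""
    return ZONE.get(name, ([], None))[0]


def alias_of(name: str) -> Optional[str]:
    """CNAME target at this owner name, or None."""
    return ZONE.get(name, ([], None))[1]


def parent(name: str) -> Optional[str]:
    """Label immediately above name; None once a TLD is reached."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def relevant_caa_rfc6844(name: str, visited: Optional[Set[str]] = None) -> List[str]:
    """RFC 6844 Section 4: R(X) = CAA(X); else R(A(X)) if X is an alias;
    else R(P(X)).  Note that R(A(X)) climbs the parents of the alias *target*."""
    visited = set() if visited is None else visited
    if name in visited:                 # guard against CNAME loops in the data
        return []
    visited.add(name)
    rrs = caa_at(name)
    if rrs:
        return rrs
    target = alias_of(name)
    if target is not None:
        via_alias = relevant_caa_rfc6844(target, visited)
        if via_alias:
            return via_alias
    up = parent(name)
    return relevant_caa_rfc6844(up, visited) if up is not None else []


def resolver_caa(name: str) -> List[str]:
    """CAA(X) as a resolver answers it: chase CNAMEs per RFC 1034 4.3.2,
    then return whatever CAA sits at the end of the chain."""
    seen: Set[str] = set()
    while name not in seen:
        seen.add(name)
        target = alias_of(name)
        if target is None:
            return caa_at(name)
        name = target
    return []                           # CNAME loop: treat as no data


def relevant_caa_rfc8659(name: str) -> List[str]:
    """RFC 8659 Section 3 (the 6844-bis text): CAA(X) with aliases chased by
    the resolver, then the parents of the *queried* name only."""
    current: Optional[str] = name
    while current is not None:
        rrs = resolver_caa(current)
        if rrs:
            return rrs
        current = parent(current)
    return []


if __name__ == "__main__":
    for qname in ("www.example.com", "shop.example.net"):
        print(qname)
        print("  RFC 6844:", relevant_caa_rfc6844(qname) or "(no CAA: any CA may issue)")
        print("  RFC 8659:", relevant_caa_rfc8659(qname) or "(no CAA: any CA may issue)")
```

Running it, the CDN case (www.example.com) picks up the CDN's CAA under the 6844 rule but the site owner's under the 8659 rule, while the name-equality case (shop.example.net) gets the site owner's policy under 6844 and no CAA at all under 8659. Each rule serves one of the two uses and breaks the other, which is why a single CNAME semantics cannot settle the question without some extra signal such as a prefixed record.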