Re: [lamps] CAA records on CNAMEs

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 18 March 2019 15:46 UTC


This is exactly back where we started.

There are three technical options. Each time I comment on this I understand
that we have decided to go for the prefix records solution and every time
it turns out we didn't and a few months later the same problem comes up.

The problem here is that CNAME delegation is used to implement two entirely
different types of delegation and does not specify which one is intended.
When 6844 was written, the Web was in a different place, CDNs were not so
ubiquitous and so the needs then were different and when we discussed it
then we decided to make one particular choice. But it was a fully
considered choice.

Also at the time CAA was proposed, the DNS folk insisted that prefix
records represent some sort of heresy and must be avoided at all costs. It
has since been realized that they are necessary to fix the fact that the
DNS architecture does not meet DNS use. And why would something designed 35
years ago to meet the needs of the Internet scaling from 100 hosts to 1000
anticipate everything that came since?


The two uses of delegation are:

1) Asserting name equality. i.e. *.example.net = *.example.com

2) Delegating isolated domains www.example.com -> example.mycdn.com

On top of this there is the fact that DNAME isn't really a DNS RR only it
is because it has to be because of DNSSEC only it doesn't have the
semantics you would expect and certainly not the semantics that you want.

The long and the short of it is that if you want to do the right thing for both
the use cases, you need to distinguish one of the cases using a prefix to
the CAA record.


I am not going to be in Prague as I am still finishing the Mesh specs and
getting my company registered as an LLC. Right now it is
VentureCryptography.com


On Mon, Mar 18, 2019 at 11:29 AM Salz, Rich <rsalz@akamai.com> wrote:

> > As noted in e.g.,
> > https://datatracker.ietf.org/meeting/100/materials/slides-100-lamps-rfc-6844-bis-00.pdf,
> > there are cases where it's desirable for an organization to set a CAA
> > record on a CNAME.  For example:
>
> Start by changing RFC 1912, which does not allow any other data to
> appear with a CNAME. ;)
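As an added illustration that is not part of this thread or of either RFC's text: a toy Python model of the two CAA "relevant record set" algorithms, RFC 6844 section 4 (where the tree climb restarts at the CNAME target) versus the 6844bis rule later published as RFC 8659 section 3 (where the resolver follows the alias for the CAA query but any further climb stays in the querying name's own tree), run over a constructed zone that contains both of the delegation cases described above. All zone names and CA identifiers are constructed, and the zone honours the RFC 1034/1912 rule that a CNAME node carries no other data.

```python
# Constructed toy zone (not real DNS): name -> RRs at that node.  A node
# that is a CNAME holds nothing else, as RFC 1034/1912 require, so
# www.example.com cannot carry a CAA record of its own.
ZONE = {
    "example.com.":      {"CAA": ['0 issue "corp-ca.example"']},
    "www.example.com.":  {"CNAME": "example.mycdn.com."},  # case 2: CDN delegation
    "mycdn.com.":        {"CAA": ['0 issue "cdn-ca.example"']},
    "shop.example.net.": {"CNAME": "shop.example.com."},   # case 1: name equality
}

def caa(x):
    return ZONE.get(x, {}).get("CAA", [])

def alias(x):
    return ZONE.get(x, {}).get("CNAME")

def parent(x):
    labels = x.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None

def relevant_rfc6844(x, depth=0):
    """RFC 6844 section 4: if X is an alias, R(X) = R(A(X)); the whole tree
    climb restarts at the alias target, so the target's ancestors govern X."""
    if depth > 8:                       # guard against CNAME loops / deep chains
        return []
    if caa(x):
        return caa(x)
    a = alias(x)
    if a is not None:
        r = relevant_rfc6844(a, depth + 1)
        if r:
            return r
    p = parent(x)
    return relevant_rfc6844(p, depth + 1) if p else []

def relevant_rfc8659(x, depth=0):
    """RFC 8659 (6844bis) section 3: the resolver follows the alias chain as
    part of the CAA(X) query, but when nothing is found the climb continues
    from X's own parent, never from the target's ancestors."""
    if depth > 8:
        return []
    target, hops = x, 0
    while alias(target) is not None and hops < 8:
        target, hops = alias(target), hops + 1
    if caa(target):
        return caa(target)
    p = parent(x)
    return relevant_rfc8659(p, depth + 1) if p else []
```

For the CDN case the old rule hands control of www.example.com to mycdn.com's CAA while the new rule keeps it with example.com; for the name-equality case the old rule gives the intended example.com policy and the new rule finds nothing at all, which is the tension the message above describes.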