IETF Logo Mail Archive

Re: [lamps] CAA records on CNAMEs

Tim Hollebeek <tim.hollebeek@digicert.com> Mon, 18 March 2019 16:53 UTC

Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FDF7131215 for <spasm@ietfa.amsl.com>; Mon, 18 Mar 2019 09:53:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level:
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com header.b=LeOcL0al; dkim=pass (1024-bit key) header.d=digicert.com header.b=IWBAPl3N
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KA4kCaZqTMSI for <spasm@ietfa.amsl.com>; Mon, 18 Mar 2019 09:53:33 -0700 (PDT)
Received: from us-smtp-delivery-173.mimecast.com (us-smtp-delivery-173.mimecast.com [63.128.21.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F10EF131231 for <spasm@ietf.org>; Mon, 18 Mar 2019 09:53:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=mimecast20190124; t=1552928011; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=aEL245B9Ead7emtKwT/TqM2zvIuK1NxrYNWpbJ4IdTU=; b=LeOcL0al5Hmt8KUGwKoA4XZC31vw2OfZPW2iUzCLp0GrbiwdFFeKn/Le1/rNZeYqIa+e1jg4fyu/cbRlfrlMs/Lg95N7JdKN4KJ5ZdK4zGcjA8IHvhi547F6DbdAr5xiBnNQcKn7WkCebusKCD/7JdB+d1LMyxuamRAX+gz5r7U=
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (mail-by2nam05lp2057.outbound.protection.outlook.com [104.47.50.57]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-128-p4OXLgC4MbGiMhD6UZqtZA-1; Mon, 18 Mar 2019 12:53:28 -0400
X-MC-Unique: p4OXLgC4MbGiMhD6UZqtZA-1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=aEL245B9Ead7emtKwT/TqM2zvIuK1NxrYNWpbJ4IdTU=; b=IWBAPl3N2nxjo9PMJxNn3NCM5HPjM/zGM/+kWJ9/AMwS2FksFxhtlv9yOtgqPJIffZaw5U4qMM3RR32gUXQqXXWgaPhijODKhOhXz4c+ruP56XvjBa32iSwn4ejv59nFI97/QZeO2Vk1afin+9Zhq3jVjzJ97GgBnzi6CVMGDqU=
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1284.namprd14.prod.outlook.com (10.173.162.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1709.14; Mon, 18 Mar 2019 16:53:25 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::e49b:fa9c:9718:9941]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::e49b:fa9c:9718:9941%4]) with mapi id 15.20.1709.015; Mon, 18 Mar 2019 16:53:25 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Jan Schaumann <jschauma@netmeister.org>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] CAA records on CNAMEs
Thread-Index: AQHU3EgqDykQXQcrQ0mC8Zclj0PKi6YQHrsAgAFwmICAAAyfkA==
Date: Mon, 18 Mar 2019 16:53:25 +0000
Message-ID: <BN6PR14MB1106E81499036021704CA32683470@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <20190316223225.GC11586@netmeister.org> <20190317180256.GA4279@LK-Perkele-VII> <20190318160211.GC22311@netmeister.org>
In-Reply-To: <20190318160211.GC22311@netmeister.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tim.hollebeek@digicert.com;
x-originating-ip: [98.111.253.32]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 76aa3bcd-c065-4c52-aae6-08d6abc23d18
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN6PR14MB1284;
x-ms-traffictypediagnostic: BN6PR14MB1284:
x-microsoft-antispam-prvs: <BN6PR14MB128422EA2A62DF72772E318483470@BN6PR14MB1284.namprd14.prod.outlook.com>
x-forefront-prvs: 098076C36C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(39860400002)(136003)(366004)(346002)(376002)(13464003)(189003)(199004)(186003)(53546011)(2906002)(6436002)(99936001)(102836004)(53936002)(76176011)(26005)(99286004)(33656002)(8936002)(66066001)(229853002)(561944003)(14444005)(9686003)(2501003)(256004)(8676002)(6306002)(97736004)(74316002)(55016002)(19627235002)(106356001)(105586002)(14454004)(6506007)(81156014)(86362001)(81166006)(7696005)(6246003)(11346002)(71200400001)(5660300002)(7736002)(52536014)(6116002)(966005)(44832011)(3846002)(478600001)(476003)(110136005)(305945005)(446003)(68736007)(71190400001)(486006)(25786009)(316002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR14MB1284; H:BN6PR14MB1106.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 9Xlleabhn72OBPFm0kwE3rBqhFN5tJfu8z8HxLYcIXgze8b504kIw2AdTXTg4CNPEgTc+CzYJGbDwaZ3cYhWEHQtWBD6EN7shXaILTfgLlOjRE9LED609/cPGLoFULhIWa0IX8WQhynai3UTG+koA1sKuUpPfkDPvzeqNpk+qtrHxgQxhAyqY3P/bCuG6zoEl027prtiK4HpVcOTziQlaS+FZ2eKfoOf4Zd+kDnmviFj7R/qOkUNy/zyGaQZuqFiHKVTzpGhPDAsF2lhYdAt1vFtcqrH7KvT4FkVGcWHoO/mrsYhHwY6/cqtFWHnbaEwP3EZx+QB+O8thyES4kpzjWujszM4glsywsPhtYnDnlro8pYI0rItahAVOjIGJO6WzgXSMXrRdG4uAzlbhtXRgLJ7EztoEl7oVnpwsNhbHJ0=
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_04F6_01D4DD89.9058BE20"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 76aa3bcd-c065-4c52-aae6-08d6abc23d18
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Mar 2019 16:53:25.5084 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1284
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/YJ8O5AisYZioQv7s2Gf9ufCEK28>
Subject: Re: [lamps] CAA records on CNAMEs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 16:53:38 -0000

The problem is the "override" proposal adds another huge level of complexity
on top of the semantics of the issue tag and every other tag involved in the
issuance of certificates in the future (there will be more).

As such, I think the proposal is strictly inferior to much simpler solutions
e.g. the ones involving prefix tags.  You can even do clever things like
saying the prefix tag is only relevant for CNAME records (this avoids having
to do an additional DNS lookup for every node just to check if the prefix
tag exists at that node).

The prefix tag issue resurfaces every six to twelve months or so; interested
persons should probably just concentrate on pushing that across the goal
line.  Though I think it probably isn't necessary to hold up RFC6844bis for
it.  We already said "no" to one other request to extend CAA that
potentially could have held up RFC6844bis.  It can be its own RFC.

-Tim

> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Jan Schaumann
> Sent: Monday, March 18, 2019 12:02 PM
> To: spasm@ietf.org
> Subject: Re: [lamps] CAA records on CNAMEs
> 
> Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> > On Sat, Mar 16, 2019 at 06:32:26PM -0400, Jan Schaumann wrote:
> 
> > > An alternative solution was suggested in the slides noted above:
> > > change the CAA resolution algorithm to first attempt a _prefix on
> > > which I can set an override (i.e., '_prefix.someapp.example.com IN
> > > CAA issue "letsencrypt.org"').  This proposal was not reflected in
> > > https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc6844bis/,
> > > however, so I assume there was discussion that concluded this to be
> undesirable?
> >
> > That lookup happens just on the full name, right after lookup on the
> > name itself, right? I.e., not on any tree-climbed names.
> 
> I'm not the author of the original proposal, but I'd think the lookup
could work
> in one of two ways:
> 
> 1) only perform the lookup on the full name iff it is a CNAME
> 2) perform the lookup on any tree-climbed name
> 
> (1) has the advantage of simplicity, at the cost of (some) inconsistency;
(2) has
> the advantage of consistency at the cost of complexity and performance.
> Worse is Better suggests (1).
> 
> 
> As for how to handle combinations with DNAMEs, I suppose under (1), the
> situation is largely unchanged:
> 
> With 'example.com DNAME example.net' a lookup for a CAA record for
> someapp.example.com would yield:
> 
> - per the DNAME requirement, there must not be any record for
>   someapp.example.com, so we only look at someapp.example.net:
> - if someapp.example.net has a CAA record, return that; else
> - if someapp.example.net is a CNAME to someapp.example.org:
>   - if _caa.someapp.example.net has a CAA record, return that; else
>   - if someapp.example.org has a CAA record, return that; else
> - try example.com, which falls under the DNAME, so check example.net; if
>   that has a CAA record, return; else
> - try .com
> 
> 
> > > A third possibility might be to add another 'override' tag to the
> > > CAA definition, e.g.:
> > >
> > > example.com CAA 0 issue "digicert.com"
> > > example.com CAA 0 override "someapp.example.com
> issue:letsencrypt.org"
> 
> > And are overrides recursive or not? Based on description it looked
> > that they require exact match.
> 
> For simplicity, I think it might make sense to require that an 'override'
can only
> be given for specific labels above in the tree.
> That is, no wildcards and no further recursion.
> 
> In order to simplify matching of records and names, we could swap the
order,
> to the symtax might be:
> 
> override "<issue|issuewild|iodef>:<value> <name>"
> 
> In example, this might look like so:
> 
> example.com CAA 0 iodef "mailto:security@example.com"
> example.com CAA 0 issue "digicert.com"
> example.com CAA 0 override "issue:letsencrypt.org foo.example.com"
> example.com CAA 0 override "issuewild:globalsign.com bar.example.com"
> example.com CAA 0 override "iodef:mailto:bofh@example.net
> bofh.example.com"
> 
> 
> I'll also note that in a parallel thread on mozilla.dev.security.policy,
it was
> noted that there may be a need for an explicit way to allow any CA to
issue (in
> contrast to not having a CAA record, and thus requiring a tree-climb
ending
> only possibly in an implicit approval of any CA):
> https://groups.google.com/d/msg/mozilla.dev.security.policy/DVa-
> xn1VsOA/DhQk9RZmDAAJ
> 
> -Jan
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email