IETF Logo Mail Archive

Re: [lamps] CAA records on CNAMEs

Jan Schaumann <jschauma@netmeister.org> Mon, 18 March 2019 16:02 UTC

Return-Path: <jschauma@netmeister.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83BB1129AA0 for <spasm@ietfa.amsl.com>; Mon, 18 Mar 2019 09:02:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ulTh91Qjjysj for <spasm@ietfa.amsl.com>; Mon, 18 Mar 2019 09:02:41 -0700 (PDT)
Received: from panix.netmeister.org (panix.netmeister.org [IPv6:2001:470:30:84:e276:63ff:fe72:3900]) by ietfa.amsl.com (Postfix) with ESMTP id B8B70128B36 for <spasm@ietf.org>; Mon, 18 Mar 2019 09:02:11 -0700 (PDT)
Received: by panix.netmeister.org (Postfix, from userid 1000) id 2E56365341; Mon, 18 Mar 2019 12:02:11 -0400 (EDT)
Date: Mon, 18 Mar 2019 12:02:11 -0400
From: Jan Schaumann <jschauma@netmeister.org>
To: spasm@ietf.org
Message-ID: <20190318160211.GC22311@netmeister.org>
Mail-Followup-To: spasm@ietf.org
References: <20190316223225.GC11586@netmeister.org> <20190317180256.GA4279@LK-Perkele-VII>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20190317180256.GA4279@LK-Perkele-VII>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/SSUqch7mK6wc94En48ZXXUey4WA>
Subject: Re: [lamps] CAA records on CNAMEs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 16:02:46 -0000

Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> On Sat, Mar 16, 2019 at 06:32:26PM -0400, Jan Schaumann wrote:
 
> > An alternative solution was suggested in the slides noted above: change
> > the CAA resolution algorithm to first attempt a _prefix on which I can
> > set an override (i.e., '_prefix.someapp.example.com IN CAA issue
> > "letsencrypt.org"').  This proposal was not reflected in
> > https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc6844bis/, however,
> > so I assume there was discussion that concluded this to be undesirable?
> 
> That lookup happens just on the full name, right after lookup on the
> name itself, right? I.e., not on any tree-climbed names.

I'm not the author of the original proposal, but I'd think the lookup
could work in one of two ways:

1) only perform the lookup on the full name iff it is a CNAME
2) perform the lookup on any tree-climbed name

(1) has the advantage of simplicity, at the cost of (some)
inconsistency; (2) has the advantage of consistency at the cost of
complexity and performance.  Worse is Better suggests (1).


As for how to handle combinations with DNAMEs, I suppose under (1), the
situation is largely unchanged:

With 'example.com DNAME example.net' a lookup for a CAA record for
someapp.example.com would yield:

- per the DNAME requirement, there must not be any record for
  someapp.example.com, so we only look at someapp.example.net:
- if someapp.example.net has a CAA record, return that; else
- if someapp.example.net is a CNAME to someapp.example.org:
  - if _caa.someapp.example.net has a CAA record, return that; else
  - if someapp.example.org has a CAA record, return that; else
- try example.com, which falls under the DNAME, so check example.net; if
  that has a CAA record, return; else
- try .com


> > A third possibility might be to add another 'override' tag to the CAA
> > definition, e.g.:
> >
> > example.com CAA 0 issue "digicert.com"
> > example.com CAA 0 override "someapp.example.com issue:letsencrypt.org"
 
> And are overrides recursive or not? Based on description it looked that
> they require exact match.

For simplicity, I think it might make sense to require that an
'override' can only be given for specific labels above in the tree.
That is, no wildcards and no further recursion.

In order to simplify matching of records and names, we could swap the
order, to the symtax might be:

override "<issue|issuewild|iodef>:<value> <name>"

In example, this might look like so:

example.com CAA 0 iodef "mailto:security@example.com"
example.com CAA 0 issue "digicert.com"
example.com CAA 0 override "issue:letsencrypt.org foo.example.com"
example.com CAA 0 override "issuewild:globalsign.com bar.example.com"
example.com CAA 0 override "iodef:mailto:bofh@example.net bofh.example.com"


I'll also note that in a parallel thread on mozilla.dev.security.policy,
it was noted that there may be a need for an explicit way to allow any
CA to issue (in contrast to not having a CAA record, and thus requiring
a tree-climb ending only possibly in an implicit approval of any CA):
https://groups.google.com/d/msg/mozilla.dev.security.policy/DVa-xn1VsOA/DhQk9RZmDAAJ

-Jan

v2.23.0 | Report a Bug | By Email