Re: [lamps] New draft: rfc6844bis

Corey Bonnell <CBonnell@trustwave.com> Tue, 10 July 2018 13:58 UTC

Return-Path: <CBonnell@trustwave.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29311130FB1 for <spasm@ietfa.amsl.com>; Tue, 10 Jul 2018 06:58:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=trustwave.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vQMwnVIs00Gm for <spasm@ietfa.amsl.com>; Tue, 10 Jul 2018 06:58:37 -0700 (PDT)
Received: from seg-node-elk-02.trustwave.com (seg-node-elk-02.trustwave.com [204.13.202.188]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B923130ED8 for <spasm@ietf.org>; Tue, 10 Jul 2018 06:58:36 -0700 (PDT)
Received: from NAM05-CO1-obe.outbound.protection.outlook.com (Not Verified[216.32.181.85]) by seg-node-elk-02.trustwave.com with Trustwave SEG (v8, 0, 6, 10791) (using TLS: TLSv1.2, AES256-SHA256) id <B5b44bb8a0001>; Tue, 10 Jul 2018 08:58:34 -0500
Received: from SN6PR07MB4575.namprd07.prod.outlook.com (52.135.95.19) by SN6PR07MB4941.namprd07.prod.outlook.com (52.135.119.94) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.930.20; Tue, 10 Jul 2018 13:58:32 +0000
Received: from SN6PR07MB4575.namprd07.prod.outlook.com ([fe80::d0e2:e12:541d:c131]) by SN6PR07MB4575.namprd07.prod.outlook.com ([fe80::d0e2:e12:541d:c131%2]) with mapi id 15.20.0930.022; Tue, 10 Jul 2018 13:58:32 +0000
From: Corey Bonnell <CBonnell@trustwave.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>, SPASM <spasm@ietf.org>
Thread-Topic: [lamps] New draft: rfc6844bis
Thread-Index: AQHT+Q/DosfAyanL40+VifZ4n+PYpqSIdv2A
Date: Tue, 10 Jul 2018 13:58:32 +0000
Message-ID: <0EA657BD-8E44-4173-8059-8A312998DAA4@trustwave.com>
References: <d25080b7-d21c-219e-8d99-7c19afb5b30f@eff.org>
In-Reply-To: <d25080b7-d21c-219e-8d99-7c19afb5b30f@eff.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=CBonnell@trustwave.com;
x-originating-ip: [204.13.202.248]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN6PR07MB4941; 7:MORnrk5sbe6XP5XussqNvqiIs8iPk3oqjre4R/DXSKJBkJJYj0FiUpkO7lHdndvGVlw7a55hRqHAkzaH2TodetOjc7Ozki00jfmIL5aPs8xTV1UsjdOkGX5bY1AjaMgIiha+dvgTNM0nAVixsz4MwIVLS/AgbGG5cLEHNW9l2wj4z8xni/RKteUStSupgMYKRI0rNKMcM57ogvhkGAFvssb1mtunWzwq9i7ozfiPILPFQw/mrVkVEx2K2r684bcr
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: aa70415b-c53e-4cc3-657c-08d5e66d38e8
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(5600053)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(2017052603328)(7153060)(7193020); SRVR:SN6PR07MB4941;
x-ms-traffictypediagnostic: SN6PR07MB4941:
x-microsoft-antispam-prvs: <SN6PR07MB4941444E316485F7AD56E51CCF5B0@SN6PR07MB4941.namprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(232896897485771)(158342451672863)(192374486261705)(171964332516350);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(93006095)(93001095)(3002001)(3231311)(944501410)(52105095)(10201501046)(149027)(150027)(6041310)(20161123562045)(20161123558120)(20161123564045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011)(7699016); SRVR:SN6PR07MB4941; BCL:0; PCL:0; RULEID:; SRVR:SN6PR07MB4941;
x-forefront-prvs: 0729050452
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(346002)(39860400002)(376002)(136003)(366004)(51914003)(199004)(189003)(53754006)(36756003)(53936002)(6506007)(81156014)(82746002)(81166006)(66066001)(8936002)(8676002)(478600001)(72206003)(83716003)(25786009)(68736007)(446003)(11346002)(256004)(105586002)(14444005)(305945005)(80792005)(3846002)(316002)(76176011)(7736002)(110136005)(102836004)(186003)(6116002)(26005)(86362001)(2616005)(476003)(966005)(6486002)(6512007)(6306002)(97736004)(5250100002)(486006)(14454004)(2906002)(6246003)(561944003)(33656002)(106356001)(99286004)(6436002)(15974865002)(229853002)(5660300001)(2900100001)(19400905002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR07MB4941; H:SN6PR07MB4575.namprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: trustwave.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: KGNNjEO41VpOCvPihHg2MCujwZnacb1M8LG1JA/53jsEZ3aFU9K9FiGTZRpD5h1trv7B7UrNNtYY9/hYU+WnwuFDkDd6+rLhm3R4aLK1kYRHgr/ejbJnekhE4gk+WQIfRB4VAAhsJRLKtRNt3rFmJ5jFrlS2ea63F06e8PQ15VB6WXeOq0xDqQHHZCgNm7RrwmSTvWpZ9aB/WPZhndYGCmovRvx2DGODwtPr7TX9Tj1Iz0wykL0/UgO7/vQPFNgfDcky0Kkl6Y7qtd2iNmzy+jS6xhv2WAGBel8FBLgltJrppYMjB7VmsdRVtsBlP7JFOeq42qwPfLBgL30722F6eQMvZYAhxe/Pv9eLE9oWPcE=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <A407580615738E41A4B9DB11B30B020C@namprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: trustwave.com
X-MS-Exchange-CrossTenant-Network-Message-Id: aa70415b-c53e-4cc3-657c-08d5e66d38e8
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jul 2018 13:58:32.2277 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cb1dab68-a067-4b6b-ae7e-c012e8c33f6a
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR07MB4941
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=trustwave.com; s=080318_segcloud; t=1531231115; bh=FJ0CCl7NX+2pWUEyKYmQ2Is670iXHdwC3UMnmm9VV4Y=; h=From:To:Subject:Thread-Topic:Thread-Index:Date:Message-ID: References:In-Reply-To:Accept-Language:Content-Language: X-MS-Has-Attach:X-MS-TNEF-Correlator:authentication-results: x-originating-ip:x-ms-publictraffictype: x-microsoft-exchange-diagnostics: x-ms-exchange-antispam-srfa-diagnostics: x-ms-office365-filtering-correlation-id:x-microsoft-antispam: x-ms-traffictypediagnostic:x-microsoft-antispam-prvs: x-exchange-antispam-report-test:x-ms-exchange-senderadcheck: x-exchange-antispam-report-cfa-test:x-forefront-prvs: x-forefront-antispam-report:received-spf: x-microsoft-antispam-message-info:spamdiagnosticoutput: spamdiagnosticmetadata:Content-Type:Content-ID: Content-Transfer-Encoding:MIME-Version:X-OriginatorOrg: X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id: X-MS-Exchange-Transport-CrossTenantHeadersStamped; b=j+W7CFIc6BUuwBTMNdyJVapTlZhRQjGDksAvD2q9nm4X4wLXkQjL1QTfFOQL9nB06 TjmkRBvBHmmvJYYkJjCtuRXzVvmIiMt8HAIXcnfAxIwdbXpFprEKIW5qgx+X0qr/yo uClta4Zhf3RzO5Gjz7niQ/mCS9Bnl05u+qgn5li7LFhqJaX1NcNjlBeFzMD0omHHjd mju+amXs9umfil9JVAtckH/GeqVww6KQSOo+htefC1YsHEFYVVudHoxz6M2liiPpqT CQaDUPOLIIh/F69ympQ0zv5xkvuYCdL24LYt51AuC512WUV2olFLk29wcVpORfnM+z n9BnPfe9YWBYQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/VGDZ07ezZz3BLUvpmv-ZCVFvpyA>
Subject: Re: [lamps] New draft: rfc6844bis
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 13:58:40 -0000

Hi Jacob,
Thanks for getting the 6844-bis draft together. Your phrasing on the proper handling of non-empty CAA record sets that don't contain issue/issuewild tags is clear and should make this particular scenario unambiguous.

It looks like the updated ABNF grammar for the issue property tag is missing some line breaks, as several of the production rules are now on the same line.

There is one more issue that we might want to tackle as part of the 6844-bis effort: changing the "SHOULD" for making CAA queries against authoritative nameservers to a "MUST" (section 6.3: For example, all portions of the DNS lookup process SHOULD be performed against the authoritative name server). This was originally mentioned in https://blog.cloudflare.com/caa-of-the-wild/, but I don't think this has been brought up on this mailing list before and thought we should at least discuss it. My opinion is that it should remain a "SHOULD" in the RFC, otherwise the RFC is dictating policy. The preferable route is to define required lookup properties in policy explicitly (eg, the Baseline Requirements would dictate that all lookups MUST be performed against an authoritative nameserver).

Thanks,
Corey Bonnell
Senior Software Engineer

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

On 5/31/18, 2:47 PM, "Spasm on behalf of Jacob Hoffman-Andrews" <spasm-bounces@ietf.org on behalf of jsha@eff.org> wrote:

    Hi all,
    
    I've uploaded rfc6844bis 
    (https://scanmail.trustwave.com/?c=4062&d=o8OQ2yujgVEeFlV5bl_Op4ySAduGL3C5TmGWzUjgqQ&s=5&u=https%3a%2f%2ftools%2eietf%2eorg%2fhtml%2fdraft-ietf-lamps-rfc6844bis-00%29 which is 
    the WG version of 
    https://scanmail.trustwave.com/?c=4062&d=o8OQ2yujgVEeFlV5bl_Op4ySAduGL3C5TmPEnEi3pA&s=5&u=https%3a%2f%2ftools%2eietf%2eorg%2fhtml%2fdraft-hoffman-andrews-caa-simplification-03 
    Differences versus the last draft:
    
    - Adopted Corey's improved ABNF grammar, which also allows hyphens in 
    property names, and spaces around the equal signs in properties.
    - Clarified how to handle CAA RRsets that have no issue or issuewild 
    tags, but do have other CAA tags. Thanks for the proposal on this, Corey!
    - Added a "Differences vs RFC 6844" section.
    - Emptied the IANA Considerations section, which was copied from RFC6844 
    but irrelevant because the values in it had already been registered with 
    IANA.
    - Added a section to "Deployment Considerations" regarding private 
    nameservers.
    - Improved the wording of "Bogus DNSSEC Responses" section (under 
    "Deployment Considerations").
    
    If you would like to read the individual commits, they are available at 
    https://scanmail.trustwave.com/?c=4062&d=o8OQ2yujgVEeFlV5bl_Op4ySAduGL3C5TjKZyk29rg&s=5&u=https%3a%2f%2fgithub%2ecom%2fjsha%2fcaa-simplification%2fcommits%2fmaster
    
    Thanks,
    Jacob
    
    _______________________________________________
    Spasm mailing list
    Spasm@ietf.org
    https://scanmail.trustwave.com/?c=4062&d=o8OQ2yujgVEeFlV5bl_Op4ySAduGL3C5Tj6Snknk_A&s=5&u=https%3a%2f%2fwww%2eietf%2eorg%2fmailman%2flistinfo%2fspasm