Re: [lamps] Next steps on CAA

"John R Levine" <johnl@taugh.com> Sat, 07 October 2017 20:39 UTC

Date: Sat, 07 Oct 2017 16:39:55 -0400
Message-ID: <alpine.OSX.2.21.1710071635120.37332@ary.qy>
From: John R Levine <johnl@taugh.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: SPASM <spasm@ietf.org>
In-Reply-To: <CAMm+LwiqmzMUKno5osvfvgoP4q0qucuA0HPGCXHaK2bzFYFHgg@mail.gmail.com>
References: <CAMm+Lwj3NkBnXy8_ERS+ZnRE3OhFrJi2WwaDeThiNimqm5Domg@mail.gmail.com> <20171007185103.13239.qmail@ary.lan> <CAMm+Lwiy1U_CrJ+1HxqBEbpRr99vGC0o6ztX-yCMF1YpvEZe7Q@mail.gmail.com> <alpine.OSX.2.21.1710071606190.37220@ary.qy> <CAMm+LwiqmzMUKno5osvfvgoP4q0qucuA0HPGCXHaK2bzFYFHgg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/WBJTnOpauPvOLxpwqqTF6dwuUiA>
Subject: Re: [lamps] Next steps on CAA

On Sat, 7 Oct 2017, Phillip Hallam-Baker wrote:
>>> Right.  I think that solves everything but the DNAME problem, and I
>>> think the DNAME problem, if it actually exists, is insoluble.
>>>
>> I don't think there is a DNAME problem.

> If DNAME appeared on the wire, t...

> When CAA was originally written, CDNs were sufficiently rare that the main
> use of CNAME was also name equality under the same control. That has
> changed.

Right about CNAMEs.

The DNAME problem (if it exists) has nothing to do with whether the DNAME 
shows up in the DNS answer.  It's whether it's important to be able to 
publish a CAA record that describes a policy for a DNAME'd web server, 
with the CAA not DNAME'd, just like the CNAME problem that prefixed names 
address.

As I've said several times, although it's hypothetically possible, I doubt 
it's an issue in practice because other than the exotic AS112 I've never 
seen anyone use DNAME to point names at a third party.  That's fortunate 
since the prefix hack doesn't help for DNAMEs.

R's,
John
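An added example, not code from this thread, that models the distinction John draws between CNAME and DNAME: a toy resolver over constructed zone data, in which a CAA record published at a prefixed owner name stays reachable beside a CNAME but is occluded and rewritten under a DNAME. The `_caa.<host>` form of the prefix hack and all zone names are assumptions of this example; the message itself does not specify the prefix.

```python
"""Toy resolver: why a prefixed-name CAA lookup survives a CNAME but not a DNAME."""

# Constructed zone data (assumed names): owner -> (rrtype, rdata), one record per owner.
ZONE = {
    # CNAME case: www is outsourced to a CDN, but the prefixed name is a
    # distinct owner in example.com, so the domain holder can still publish CAA there.
    "www.example.com.":           ("CNAME", "host.cdn.example.net."),
    "_caa.www.example.com.":      ("CAA",   '0 issue "trusted-ca.example"'),
    "host.cdn.example.net.":      ("A",     "192.0.2.1"),
    # DNAME case: the whole subtree under app.example.com is rewritten into the
    # CDN's zone.  Anything the holder publishes below the DNAME owner is occluded.
    "app.example.com.":           ("DNAME", "app.cdn.example.net."),
    "_caa.www.app.example.com.":  ("CAA",   '0 issue "trusted-ca.example"'),  # unreachable
    "www.app.cdn.example.net.":   ("A",     "192.0.2.2"),
}


def resolve(name, rrtype, zone=ZONE, depth=0):
    """Return (final_owner, rdata); rdata is None for NXDOMAIN/NODATA."""
    if depth > 8:
        raise RuntimeError("too many CNAME/DNAME redirections")
    # DNAME rewrites every name strictly below its owner (RFC 6672), so it is
    # checked before any record at the queried name: the subtree is occluded.
    for owner, (rt, target) in zone.items():
        if rt == "DNAME" and name != owner and name.endswith("." + owner):
            rewritten = name[: -len(owner)] + target
            return resolve(rewritten, rrtype, zone, depth + 1)
    rec = zone.get(name)
    if rec is None:
        return name, None
    rt, rdata = rec
    if rt == rrtype:
        return name, rdata
    # CNAME applies only to the exact owner name, never to names beneath it.
    if rt == "CNAME":
        return resolve(rdata, rrtype, zone, depth + 1)
    return name, None


def caa_with_prefix(host, prefix="_caa"):
    """Prefix hack in its assumed form: look up CAA at <prefix>.<host>."""
    return resolve(f"{prefix}.{host}", "CAA")


if __name__ == "__main__":
    print(caa_with_prefix("www.example.com."))      # CAA found beside the CNAME
    print(caa_with_prefix("www.app.example.com."))  # rewritten into the CDN's zone, no CAA
```

The second lookup ends at `_caa.www.app.cdn.example.net.`, a name the domain holder does not control, which is the sense in which the prefix hack does nothing for a DNAME'd subtree.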