Re: [lamps] CAA records on CNAMEs
Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 17 March 2019 18:03 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7DCD1277CC for <spasm@ietfa.amsl.com>; Sun, 17 Mar 2019 11:03:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GlkNeiPZJA35 for <spasm@ietfa.amsl.com>; Sun, 17 Mar 2019 11:03:02 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8138126DFA for <spasm@ietf.org>; Sun, 17 Mar 2019 11:03:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id A988445BFD for <spasm@ietf.org>; Sun, 17 Mar 2019 20:02:58 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id i-feYsDgbbQy for <spasm@ietf.org>; Sun, 17 Mar 2019 20:02:58 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id E96F77A for <spasm@ietf.org>; Sun, 17 Mar 2019 20:02:56 +0200 (EET)
Date: Sun, 17 Mar 2019 20:02:56 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: spasm@ietf.org
Message-ID: <20190317180256.GA4279@LK-Perkele-VII>
References: <20190316223225.GC11586@netmeister.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <20190316223225.GC11586@netmeister.org>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Xc57Tmf5joK5JTHLZ1xr72NjQuk>
Subject: Re: [lamps] CAA records on CNAMEs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Mar 2019 18:03:05 -0000
On Sat, Mar 16, 2019 at 06:32:26PM -0400, Jan Schaumann wrote: > > The "easiest" solution would be to allow CAA records on CNAMEs. This > (currently) violates RFC1912, Section 2.4. But per RFC2181, section > 10.1, we already allow e.g. SIG, NXT, and KEY RRs on CNAMEs; would it > make sense to allow CAA on CNAMEs as well? Unfortunately that would break DNS. There are few exceptions to "nothing alongside CNAME" rule, but that is because the RRtypes involved are magic DNSSEC ones. Trying to stick anything else alongside CNAME leads to horrible failure rates. That is not some servers fail, but almost all servers fail. E.g., see. CNAME@apex (SOA and NS). > An alternative solution was suggested in the slides noted above: change > the CAA resolution algorithm to first attempt a _prefix on which I can > set an override (i.e., '_prefix.someapp.example.com IN CAA issue > "letsencrypt.org"'). This proposal was not reflected in > https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc6844bis/, however, > so I assume there was discussion that concluded this to be undesirable? That lookup happens just on the full name, right after lookup on the name itself, right? I.e., not on any tree-climbed names. > A third possibility might be to add another 'override' tag to the CAA > definition, e.g.: > > example.com CAA 0 issue "digicert.com" > example.com CAA 0 override "someapp.example.com issue:letsencrypt.org" > > would mean that Digicert can issue certs for anything under example.com > with the exception of 'someapp.example.com', for which only Let's > Encrypt can issue a cert. One would presumably want to flag that as critical. And are overrides recursive or not? Based on description it looked that they require exact match. And how is the name represented? DNS can present all sorts of really wonky names, including ones containing spaces or dots. I do not think public CAs are allowed to issue for such names tho. > I'm seeking input on whether the workgroup would consider any of these > options or otherwise would revive the discussion around the need to find > a way to set CAA records on a CNAME separate from the parent label. -Ilari
- [lamps] CAA records on CNAMEs Jan Schaumann
- Re: [lamps] CAA records on CNAMEs Tim Wicinski
- Re: [lamps] CAA records on CNAMEs Russ Housley
- Re: [lamps] CAA records on CNAMEs Ilari Liusvaara
- Re: [lamps] CAA records on CNAMEs Ilari Liusvaara
- Re: [lamps] CAA records on CNAMEs Tim Wicinski
- Re: [lamps] CAA records on CNAMEs Salz, Rich
- Re: [lamps] CAA records on CNAMEs Phillip Hallam-Baker
- Re: [lamps] CAA records on CNAMEs Jan Schaumann
- Re: [lamps] CAA records on CNAMEs Tim Hollebeek
- Re: [lamps] CAA records on CNAMEs Jan Schaumann
- Re: [lamps] CAA records on CNAMEs Tim Hollebeek
- Re: [lamps] CAA records on CNAMEs Phillip Hallam-Baker