Re: [Spasm] CAA erratum 4515

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 11 March 2017 20:19 UTC

Date: Sat, 11 Mar 2017 20:19:04 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: SPASM <spasm@ietf.org>
Message-ID: <20170311201904.GQ7733@mournblade.imrryr.org>
References: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org> <CAErg=HFtk0EKASTpWwNVhcT4zk2+ei-KPv=cMYDQej2oGJi=rw@mail.gmail.com> <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org> <CAErg=HGT7FyDKgm8cAUojhGDOzLUkn=bw1Xdghbqnxw-79zQiw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAErg=HGT7FyDKgm8cAUojhGDOzLUkn=bw1Xdghbqnxw-79zQiw@mail.gmail.com>
User-Agent: Mutt/1.7.2 (2016-11-26)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/iP3mXdzvdyDyLs0TJM2M1mQ66-g>
Subject: Re: [Spasm] CAA erratum 4515

On Fri, Mar 10, 2017 at 12:02:57PM -0500, Ryan Sleevi wrote:

> We end up with the following configurations:
> 
> - Self-Managed, Recursive, Trampoline'd
> www.example.com  CNAME staffie.example.net
> www.example.com  CAA 0 issue "good-ca.example.org"

This should not be possible; one surely can't have both CNAME and
CAA records for the same owner domain.

> OR (and more problematically)
> 
> www.example.com  CNAME staffie.example.net
> www.example.com  CAA 0 issue "evil-ca.example.org"

Ditto.

-- 
	Viktor.
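The objection in the message above is the DNS rule that a CNAME must be the only record at its owner name, so an owner cannot carry both a CNAME and a CAA record. The following is an added example, not code from the list thread or from the erratum, of a small zone sanity check that flags exactly that configuration. The record lines are the ones quoted in the mail; the second, "separated" zone is a constructed variant with the CAA record on a different owner name, included only to show what passes the check (which name a CA consults for CAA is a separate question the check does not answer).

```python
# Added example: check that no owner name mixes a CNAME with other data
# (RFC 1034 section 3.6.2), the rule Viktor cites against the quoted
# configurations. Not code from the SPASM list or the erratum.

from collections import defaultdict


def parse_records(text):
    """Parse 'owner TYPE rdata...' lines into (owner, rtype, rdata) tuples.

    Lines use the same layout as the records quoted in the mail; blank
    lines and ';' comments are ignored. Owner names are lower-cased and
    given a trailing dot so 'www.example.com' and 'www.example.com.'
    compare equal.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            raise ValueError("expected 'owner TYPE rdata': %r" % raw)
        owner, rtype, rdata = parts
        owner = owner.lower().rstrip(".") + "."
        records.append((owner, rtype.upper(), rdata))
    return records


def cname_conflicts(records):
    """Return {owner: [other types]} for owners holding a CNAME plus other data."""
    by_owner = defaultdict(set)
    for owner, rtype, _ in records:
        by_owner[owner].add(rtype)
    return {
        owner: sorted(types - {"CNAME"})
        for owner, types in by_owner.items()
        if "CNAME" in types and len(types) > 1
    }


# Constructed sample: the "Self-Managed, Recursive, Trampoline'd" records
# quoted in the mail. The owner www.example.com has both CNAME and CAA.
TRAMPOLINE_ZONE = """
www.example.com  CNAME staffie.example.net
www.example.com  CAA 0 issue "good-ca.example.org"
"""

# Constructed sample (assumption, not from the mail): the CAA record sits on
# a different owner name, so no owner mixes CNAME with other data.
SEPARATED_ZONE = """
www.example.com      CNAME staffie.example.net
staffie.example.net  CAA 0 issue "good-ca.example.org"
"""

if __name__ == "__main__":
    for name, zone in (("trampoline", TRAMPOLINE_ZONE), ("separated", SEPARATED_ZONE)):
        conflicts = cname_conflicts(parse_records(zone))
        print(name, "->", conflicts or "ok")
```

Running the block reports the quoted configuration as a conflict at `www.example.com.` (CNAME alongside CAA) and the separated variant as clean; the same check can be run over any zone dump in the three-column layout before it is loaded into an authoritative server.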