Re: [lamps] Next steps on CAA

Phillip Hallam-Baker <> Sat, 07 October 2017 20:25 UTC

On Sat, Oct 7, 2017 at 4:13 PM, John R Levine <> wrote:

> On Sat, 7 Oct 2017, Phillip Hallam-Baker wrote:
>>> Right.  I think that solves everything but the DNAME problem, and I
>>> think the DNAME problem, if it actually exists, is insoluble.
>> I don't think there is a DNAME problem.
> Neither do I but for a completely different reason.
> The CNAME problem here is that you use a CNAME to point your web server at
> a third party host but you want to publish your own CAA, not the host's CAA.
> Hypothetically, you might want to do the same thing with DNAME, but every
> DNAME I've ever seen other than AS112 aliases two name trees where the
> corresponding names are (or at least are supposed to be) under the same
> control.

If DNAME appeared on the wire, that would be a good reason to make use of
it for that purpose. Unfortunately, the only time you can rely on it being
published is when DNSSEC is in use.

When CAA was originally written, CDNs were sufficiently rare that the main
use of CNAME was also name equality under the same control. That has