[lamps] CAA DNAME behavior is surprising

Andrew Ayer <agwa@andrewayer.name> Thu, 24 August 2017 22:15 UTC

Date: Thu, 24 Aug 2017 15:15:03 -0700
From: Andrew Ayer <agwa@andrewayer.name>
To: spasm@ietf.org
Message-Id: <20170824151503.172306cafdc978621d14d526@andrewayer.name>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/qB4PVvh6dyAV8RUsEwbXKMLN6qA>
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>

Roughly speaking, the CAA lookup algorithm in RFC 6844 section 4 says
that if X does not have a CAA record, but is an alias, then the CA
should look for a CAA record at the target of X.

Specifically, it defines "alias" to be either a CNAME or a DNAME:

"Let ... A(X) be the target of a CNAME or DNAME alias record specified
at the label X."

A straightforward interpretation of this language is that if you have
the following records:

sub1.example.com.  IN  DNAME  sub2.example.com.
sub2.example.com.  IN  CAA    0 issue "example.net"
example.com.       IN  CAA    0 issue "example.org"

then the only CA that is allowed to issue for sub1.example.com is
example.net.  This is the case even with erratum 5065.

However, this does not match the typical behavior of DNAME.  Per section 2.3
of RFC 6672:

"Unlike a CNAME RR, a DNAME RR redirects DNS names subordinate to its
owner name; the owner name of a DNAME is not redirected itself."

It's therefore rather surprising that CAA says you should follow the
DNAME target of X and use the CAA record there.  Given the above
records, I would expect example.org, not example.net, to be the only CA
that can issue for sub1.example.com.

Is this behavior intentional?  If so, what was its motivation?

Regards,
Andrew
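The two readings of the RFC 6844 section 4 lookup that the message contrasts, worked through in code. This is an added example, not part of Andrew's message and not code from RFC 6844 or any CA; it uses a constructed in-memory zone modelled on the three records quoted above (plus a hypothetical name foo.sub1.example.com to show where the two readings agree), makes no DNS queries, and implements the section 4 wording as quoted in the message (the alias step narrowed by erratum 5065 does not change this case, since the CAA record sits directly at the DNAME target). The function names are the example's own.

```python
"""Two readings of the RFC 6844 section 4 CAA lookup when the alias at X is a DNAME.

Reading 1 ("literal"): A(X) is the target of a CNAME *or DNAME* owned by X,
exactly as section 4 defines it, so a DNAME redirects its own owner name.

Reading 2 ("DNAME-aware"): per RFC 6672 a DNAME only redirects names
subordinate to its owner, so A(X) is a CNAME owned by X or the CNAME a
resolver synthesizes for X from a DNAME at a proper ancestor of X.
"""
from typing import Callable, Dict, List, Optional

# Constructed zone data (not real DNS) modelled on the records in the message.
# name -> {"DNAME": target} | {"CNAME": target} | {"CAA": [issuer names]}
ZONE: Dict[str, Dict[str, object]] = {
    "sub1.example.com.": {"DNAME": "sub2.example.com."},
    "sub2.example.com.": {"CAA": ["example.net"]},
    "example.com.": {"CAA": ["example.org"]},
}

MAX_ALIAS_DEPTH = 8  # guard against CNAME/DNAME loops in hostile zones


def caa(x: str) -> List[str]:
    """CAA(X): issuer names from the CAA 'issue' records owned by X."""
    return list(ZONE.get(x, {}).get("CAA", []))  # type: ignore[arg-type]


def parent(x: str) -> str:
    """P(X): X with its leftmost label removed ("com." -> "")."""
    return x.split(".", 1)[1]


def is_tld(x: str) -> bool:
    return x.count(".") == 1


def dname_rewrite(x: str) -> Optional[str]:
    """RFC 6672 substitution: if a *proper* ancestor of X owns a DNAME, return X
    with that ancestor's suffix replaced by the DNAME target. X's own DNAME does
    not redirect X, so the walk starts at P(X)."""
    anc = x
    while anc:
        anc = parent(anc)
        if not anc:
            break
        target = ZONE.get(anc, {}).get("DNAME")
        if target:
            return x[: len(x) - len(anc)] + str(target)
    return None


def alias_literal(x: str) -> Optional[str]:
    """A(X) as section 4 literally defines it: CNAME or DNAME owned by X."""
    rr = ZONE.get(x, {})
    return rr.get("CNAME") or rr.get("DNAME")  # type: ignore[return-value]


def alias_dname_aware(x: str) -> Optional[str]:
    """A(X) as a resolver would present it: a CNAME owned by X, or the CNAME
    synthesized from an ancestor's DNAME (RFC 6672 section 3.1)."""
    rr = ZONE.get(x, {})
    return rr.get("CNAME") or dname_rewrite(x)  # type: ignore[return-value]


def relevant(x: str, alias: Callable[[str], Optional[str]], depth: int = 0) -> List[str]:
    """R(X) per RFC 6844 section 4 wording: CAA(X); else R(A(X)) if non-empty;
    else R(P(X)) unless X is a top-level domain; else empty."""
    if depth > MAX_ALIAS_DEPTH:
        return []
    if caa(x):
        return caa(x)
    target = alias(x)
    if target is not None:
        via_alias = relevant(target, alias, depth + 1)
        if via_alias:
            return via_alias
    if not is_tld(x):
        return relevant(parent(x), alias, depth + 1)
    return []


def lookup_literal(x: str) -> List[str]:
    return relevant(x, alias_literal)


def lookup_dname_aware(x: str) -> List[str]:
    return relevant(x, alias_dname_aware)


if __name__ == "__main__":
    for name in ("sub1.example.com.", "foo.sub1.example.com."):
        print(name, "literal:", lookup_literal(name),
              "DNAME-aware:", lookup_dname_aware(name))
```

The two readings diverge only at the DNAME owner itself: for sub1.example.com the literal algorithm follows the DNAME and finds example.net, while the DNAME-aware one ignores the owner's own DNAME and walks to the parent, finding example.org. For a name beneath the DNAME (foo.sub1.example.com) both readings end at example.net, because the resolver's synthesized CNAME lands under sub2.example.com and the parent walk picks up the CAA there.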