IETF Logo Mail Archive

Re: [Spasm] CAA erratum 4515

Jacob Hoffman-Andrews <jsha@eff.org> Sun, 12 March 2017 23:53 UTC

Return-Path: <jsha@eff.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6D4A12940C for <spasm@ietfa.amsl.com>; Sun, 12 Mar 2017 16:53:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.003
X-Spam-Level:
X-Spam-Status: No, score=-7.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id En_jq6lxjZgZ for <spasm@ietfa.amsl.com>; Sun, 12 Mar 2017 16:53:57 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D3C9129401 for <spasm@ietf.org>; Sun, 12 Mar 2017 16:53:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:Cc:References:To:Subject; bh=RmFlKJA7qaOZroCGCrNPvHLifm1l+TzGdrnJWUP6KWw=; b=3sY/yiFL7L5uRD8UUWuMJk+6F9IcY+/rg3KBUhnwZbAz6ep1C3JuYOwGofRu0LsAQ3SlUaRprXvh6y9hvTKvdf5hRTIlJm+/UV9/6uO857PLUadY/MrSvL1zgFGeaczh9gHSz+XaMMns1NyMQDvFqaXsjN0XsvvMydKVqM5xtyo=;
Received: ; Sun, 12 Mar 2017 16:53:56 -0700
To: Ryan Sleevi <ryan-ietf@sleevi.com>
References: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org> <CAErg=HFtk0EKASTpWwNVhcT4zk2+ei-KPv=cMYDQej2oGJi=rw@mail.gmail.com> <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org> <CAErg=HGT7FyDKgm8cAUojhGDOzLUkn=bw1Xdghbqnxw-79zQiw@mail.gmail.com> <20170311201904.GQ7733@mournblade.imrryr.org> <fede5d8f9f2c43518d8a3c502c60558a@usma1ex-dag1mb1.msg.corp.akamai.com> <389a248f-37e4-9ff7-b330-b840e7c47931@eff.org> <CAErg=HEC=YL-wWEygqtmivN0axZ_cddkM-WDc8RA+jVTJYmVgQ@mail.gmail.com> <0d7afa83-a9d7-f977-ca36-533fc13b720e@eff.org> <CAErg=HF2WnSYtxs6r_svx-zCmt8ApkVsg6R7cezaYO=3WoVKQA@mail.gmail.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <7129a939-35f1-f55b-703b-9f39f6110520@eff.org>
Date: Sun, 12 Mar 2017 16:53:53 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <CAErg=HF2WnSYtxs6r_svx-zCmt8ApkVsg6R7cezaYO=3WoVKQA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------9B5D47D07268D7AF1A72187B"
Received-SPF: skipped for local relay
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/sIrUJzB1nrM9H_VSt6wcwSUhZQU>
Cc: Patrick Donahue <pat@cloudflare.com>, Gervase Markham <gerv@mozilla.org>, "Salz, Rich" <rsalz@akamai.com>, Peter Bowen <pzb@amzn.com>, "spasm@ietf.org" <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>, Phillip Hallam-Baker <phill@hallambaker.com>
Subject: Re: [Spasm] CAA erratum 4515
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Mar 2017 23:53:58 -0000

> 1. Policy set by user-facing domain owner for their own hostnames.
> 2. Blanket policy set by CDN for hostnames they operate on their
customers' behalf.
> 3. Policy set by CDN for their own hostnames, which share the same
base domain as the CNAME targets used in (2).

So, back to the subjective evaluation: Now it's clear that the CDN in
our scenario is the only one who can add CAA records. If a customer
wants (1) they need cooperation from their CDN, and the CDN needs to
implement a trampoline no matter what.

*In the non-tree-climbing world*

If a CDN wants to implement (3), they put in place a single CAA record
and it doesn't impact (1) or (2). If the CDN wants to implement (1) or
(2), they put in a CAA record at each of their CNAME targets. Neither
policy affects the other in any way, assuming that CNAME targets are
never base domains.

*In the tree-climbing world*

If a CDN wants to implement (3), they have to carefully understand CAA
and be sure to add a separate "any" record to each of their CNAME
targets. They also have to make sure to copy that CAA record to any new
CNAME targets they create.

I argue that this is less intuitive and more difficult than in the
tree-climbing world. More difficult, because it requires deploying extra
CAA records to express a straightforward policy. Less intuitive, because
most DNS-using applications don't care about the hostnames that are part
of a CNAME chain, only the "final value" received from a recursive
resolver. For instance, when looking up an A record, Chrome doesn't care
about the CNAME aliases in between, only the final A record.

Also, as a concrete example of the non-intuitiveness, Rob (one of the
CAA authors) mentioned on the CA/Browser Forum list that he has had to
double-check the lookup algorithm with Phill, his co-author. I've also
been confused by the CAA lookup algorithm, as have my coworkers. I can't
speak for Rob, but for me a big part of the confusion has been the fact
that tree-climbing seems like an anomaly in the DNS world.

v2.23.0 | Report a Bug | By Email