Re: [lamps] Next steps on CAA

Phillip Hallam-Baker <phill@hallambaker.com> Sat, 07 October 2017 02:50 UTC

In-Reply-To: <alpine.OSX.2.21.1710061822300.33785@ary.qy>
References: <CACh0qC+jRjPMsf7YmDqoKZ0X1zWE2p=fUAo5uN3bZwwzBRG9Kg@mail.gmail.com> <alpine.OSX.2.21.1710061656080.33175@ary.qy> <7b98f765-4fea-5b71-e860-e46c11d6617e@eff.org> <alpine.OSX.2.21.1710061748500.33785@ary.qy> <61e71386-fb35-0c00-e473-03f2a100c32c@eff.org> <alpine.OSX.2.21.1710061822300.33785@ary.qy>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 06 Oct 2017 22:50:15 -0400
Message-ID: <CAMm+Lwj3NkBnXy8_ERS+ZnRE3OhFrJi2WwaDeThiNimqm5Domg@mail.gmail.com>
To: John R Levine <johnl@taugh.com>
Cc: Jacob Hoffman-Andrews <jsha@eff.org>, SPASM <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/xVrIm7xIo_dT2JUF0I6gGenQP6w>
Subject: Re: [lamps] Next steps on CAA
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>

On Fri, Oct 6, 2017 at 6:25 PM, John R Levine <johnl@taugh.com> wrote:

>>> mydom.example.  CAA issue "nope"   ; no web server here
>>> www.mydom.example. CNAME somehost.example. ; web server here
>>>
>>> Where does the CAA go?
>>>
>> Three options:
>>
>>  - Remove the record on mydom.example
>
> I don't want a web server at all at that name.  No dice.
>
>>  - Adjust the record for mydom.example to allow issuance by preferred CAs
>
> I still don't want a web server at that name.  No dice.
>
>>  - Ask the maintainer of somehost.example to install an appropriate CAA
>>    record
>
> If you'll review the message two or three back in this thread, you'll
> note that there are cases where somehost.example has 400,000 names CNAMEd
> to it.  No dice.
>
> Waving this problem away is not helpful.

Hence the proposal for

_prefix.www.mydom.example CAA ...
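To make the disagreement concrete, here is an added toy lookup over John's example zone; this is my own illustration, not code from the thread or from any RFC. It assumes a climbing rule of "CAA at the name, else CAA at its CNAME target, else the parent's relevant set", and treats `_prefix` as the placeholder label Phillip's message uses, checked before the CNAME target is consulted.

```python
"""Toy CAA relevant-record-set lookup over a constructed in-memory zone.

Assumptions (mine, not stated in the thread): climbing checks CAA at X,
then CAA at X's CNAME target, then recurses to X's parent; the proposed
prefix label is checked right after X itself.  "_prefix" is only the
placeholder from the mail; the real label is unspecified.
"""
from typing import Optional

# Constructed toy zone: owner name -> list of (rrtype, rdata).
# CAA rdata is (flags, tag, value); CNAME rdata is the target name.
ZONE = {
    "mydom.example.": [("CAA", (0, "issue", "nope"))],      # no web server here
    "www.mydom.example.": [("CNAME", "somehost.example.")],  # web server here
    "somehost.example.": [],                                 # shared host, no CAA
}

def rrset(name: str, rrtype: str, zone: dict) -> list:
    return [rd for (t, rd) in zone.get(name, []) if t == rrtype]

def parent(name: str) -> Optional[str]:
    """Strip the leftmost label; None once the root has been examined."""
    if name == ".":
        return None
    rest = name.split(".", 1)[1]
    return rest if rest else "."

def relevant_caa(name: str, zone: dict, prefix: Optional[str] = None) -> list:
    """Return the CAA rdata set that governs issuance for `name`."""
    caa = rrset(name, "CAA", zone)
    if caa:
        return caa
    if prefix:  # the proposal: a sibling label the zone owner controls
        caa = rrset(f"{prefix}.{name}", "CAA", zone)
        if caa:
            return caa
    for target in rrset(name, "CNAME", zone):  # CAA at the alias target only
        caa = rrset(target, "CAA", zone)
        if caa:
            return caa
    up = parent(name)  # otherwise climb from the queried name, not the target
    return relevant_caa(up, zone, prefix) if up else []

def may_issue(name: str, ca: str, zone: dict, prefix: Optional[str] = None) -> bool:
    """Empty set means unrestricted; otherwise `ca` needs a matching issue tag."""
    caa = relevant_caa(name, zone, prefix)
    if not caa:
        return True
    return any(tag == "issue" and value == ca for (_flags, tag, value) in caa)
```

Without the prefix label, `www.mydom.example` inherits the parent's `issue "nope"` and is blocked; with `_prefix.www.mydom.example CAA issue "goodca.example"` added to the constructed zone, issuance for `www` is permitted while `mydom.example` itself stays closed.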