[cabfpub] Ballot 187 - Make CAA Checking Mandatory

Ryan Sleevi sleevi at google.com
Fri Feb 24 20:36:54 UTC 2017


I just received a question from an auditor who was seeking clarification of
this ballot, which may be the opportunity to improve some of the language.

The question is as follows:

"CAA checking is optional if the domain's DNS is operated by the CA or an
Affiliate of the CA."

This could be due to my lack of fully understanding DNS terminologies, but
by the above, do you interpret it to mean (a) a CA that also controls the
DNS record of a domain, or (b) a CA that also operates the DNS server used
by the domain?

Here is a scenario if it helps explain my question better:

I buy a domain from say Example CA, and manage my DNS records through
Example CA’s DNS service. Will Example CA have to check the CAA record
before issuing a certificate to my domain or is CAA optional for them since
they also operate the DNS server?
I interpret “operate DNS” as below (https://tools.ietf.org/html/rfc7719)

  DNS operator:  An entity responsible for running DNS servers.  For a
      zone's authoritative servers, the registrant may act as their own
      DNS operator, or their registrar may do it on their behalf, or
      they may use a third-party operator.  For some zones, the registry
      function is performed by the DNS operator plus other entities who
      decide about the allowed contents of the zone

I believe this question is highlighting whether "operate" represents being
the authoritative name servers versus practical demonstration of control.
Alternatively, we might pose the question as "Does demonstration of control
of _a_ record equivocate to demonstration of control of the CAA record", if
I understand the question correctly.

My belief and support is that the intent of "operated by the CA or an
Affiliate of the CA" was to match the terminology from RFC 7719, which
would specifically mean the interpretation (b), and the answer to the
hypothetical question is "No, demonstration of control of a record is not
sufficient; demonstration of operation of the authoritative name servers is."

Is that consistent with the intent Gerv? If so, does that look like
something you see as easy to correct? I'm wondering whether introducing RFC
7719 as the normative dependency might provide better clarity to this
question.

On Thu, Feb 23, 2017 at 10:17 AM, Gervase Markham via Public <
public at cabforum.org> wrote:

> On 23/02/17 10:15, Dimitris Zacharopoulos wrote:
> > So, all three conditions MUST apply at the same time. Perhaps you might
> > want to make this more explicit by either adding "and" at the end of the
> > first bullet or by changing the sentence before the three bullets, to
> > state that all three conditions must apply.
>
> AIUI, the usual convention in English is to put a single "and" (or "or")
> at the end of the last-but-one bullet in a list, as I have in this case.
>
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
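The thread separates two questions that are easy to conflate: whether the CAA record set for a name permits a given CA to issue (the RFC 6844 lookup), and whether the CA actually operates the zone's authoritative name servers in the RFC 7719 sense (interpretation (b)), as opposed to merely controlling one record in the zone (interpretation (a)). The following is an added illustration, not code from the thread, the ballot or any CA: it models both decisions over a constructed in-memory stand-in for DNS. The zone contents, the issuer domain `example-ca.com`, the name-server names and the helper names (`relevant_caa_set`, `caa_permits`, `ca_operates_dns`, `decide`) are all assumptions for the example; the "operates the domain's DNS" exemption is modelled as "every authoritative NS for the nearest enclosing zone cut belongs to the CA", which is one reading of (b), not normative text.

```python
"""Constructed CAA decision model (added example, not from the thread).

Models two distinct questions raised in the discussion:
  1. Does the CAA record set permit this CA to issue?  (RFC 6844 section 4:
     walk from the FQDN toward the root, first non-empty CAA set applies.)
  2. Does the CA *operate* the zone's authoritative name servers (RFC 7719
     "DNS operator", interpretation (b)), rather than merely controlling one
     record in the zone (interpretation (a))?
ZONE below is constructed sample data standing in for real DNS.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) = issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "example-ca.com; account=123"


# Constructed sample DNS data: owner name -> record type -> records
ZONE = {
    "example.com.": {
        "NS": ["ns1.example-ca.com.", "ns2.example-ca.com."],   # CA runs these
        "CAA": [CAA(0, "issue", "example-ca.com"),
                CAA(0, "iodef", "mailto:security@example.com")],
    },
    "www.example.com.": {},                              # no CAA: inherits parent's
    "other.example.com.": {"CAA": [CAA(0, "issue", "some-other-ca.net")]},
    "customer.example.org.": {"CAA": [CAA(128, "unknownprop", "x")]},
    "example.org.": {"NS": ["ns1.other-dns.net."]},      # third-party operator
}


def parents(fqdn):
    """Yield fqdn and each ancestor in turn, ending with the root '.'."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def relevant_caa_set(zone, fqdn):
    """RFC 6844 s4 lookup: first non-empty CAA set walking toward the root.
    Returns (owner_name, records); (None, []) when no CAA exists anywhere."""
    for name in parents(fqdn):
        recs = zone.get(name, {}).get("CAA", [])
        if recs:
            return name, list(recs)
    return None, []


def issuer_domain_of(value):
    """'ca.example; account=123' -> 'ca.example'; an empty value names nobody."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(records, ca_issuer_domain, wildcard=False):
    """Apply issue/issuewild semantics to the relevant record set."""
    if not records:
        return True                        # no CAA at all: issuance unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag.lower() not in known for r in records):
        return False                       # critical property we do not understand
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"                  # issuewild overrides issue for wildcards
    relevant = [r for r in records if r.tag.lower() == tag]
    if not relevant:
        return True                        # CAA present but silent on this case
    return any(issuer_domain_of(r.value) == ca_issuer_domain.lower()
               for r in relevant)


def authoritative_ns(zone, fqdn):
    """Nearest enclosing NS set (a simplification of a real delegation walk)."""
    for name in parents(fqdn):
        ns = zone.get(name, {}).get("NS")
        if ns:
            return name, set(ns)
    return None, set()


def ca_operates_dns(zone, fqdn, ca_nameservers):
    """Interpretation (b): the CA runs every authoritative server for the zone."""
    _, ns = authoritative_ns(zone, fqdn)
    return bool(ns) and ns <= set(ca_nameservers)


def caa_check_required(zone, fqdn, ca_nameservers):
    """Exemption as quoted in the thread: checking is optional only when the CA
    (or an Affiliate) operates the domain's DNS, modelled as running all NS."""
    return not ca_operates_dns(zone, fqdn, ca_nameservers)


def decide(zone, fqdn, ca_issuer_domain, ca_nameservers, wildcard=False):
    """Combine both questions for one issuance request."""
    _, recs = relevant_caa_set(zone, fqdn)
    return {
        "check_required": caa_check_required(zone, fqdn, ca_nameservers),
        "permitted": caa_permits(recs, ca_issuer_domain, wildcard),
    }


if __name__ == "__main__":
    ca_ns = ["ns1.example-ca.com.", "ns2.example-ca.com."]
    for name in ("www.example.com.", "other.example.com.", "customer.example.org."):
        print(name, decide(ZONE, name, "example-ca.com", ca_ns))
```

Note that `other.example.com.` yields `check_required: False` but `permitted: False`: the CA operates the zone's servers, so under the quoted exemption it need not check, yet the record the customer placed there names a different issuer. That is exactly the gap the thread is probing, and it is why the distinction between controlling a record and operating the servers matters when deciding whether an exemption should apply at all.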