[cabfpub] Ballot 187 - Make CAA Checking Mandatory

philliph at comodo.com
Sat Feb 25 16:16:32 UTC 2017

> On Feb 24, 2017, at 9:17 PM, Peter Bowen <pzbowen at gmail.com> wrote:
> On Fri, Feb 24, 2017 at 5:49 PM, philliph--- via Public
> <public at cabforum.org> wrote:
>> On the CAA recursive part, I am trying to track down why there is an
>> existing errata that makes a normative change with held for update status.
>> The issue here is not in the PKIX part, it is what a CNAME/DNAME record
>> means. Different people in the DNS community took different positions. We
>> ended up concluding that the recursive interpretation was the appropriate
>> one, i.e. least likely to cause mistakes.
> I'm still confused.  Consider the following records (I'm leaving out
> class and TTL for simplicity):
> beta.shop.example.com. A
> shop.example.com. CNAME xmpl.cdn.bighost.com.
> example.com. A
> example.com. MX 10 mail1.mailhost.fast.
> example.com. NS ns1.cheapdns.biz.
> example.com. NS ns2.cheapdns.org.
> cdn.bighost.com. DNAME cdnhost.xyz.
> bighost.com. NS ns1.dnshost.com.
> bighost.com. NS ns2.dnshost.com.
> xmpl.cdnhost.xyz. A
> cdnhost.xyz. NS ns1.dnshost.com.
> cdnhost.xyz. NS ns2.dnshost.com.
> If a CA gets a certificate request that includes
> dNSName:beta.shop.example.com, what DNS queries must it make to check
> for CAA records?
> Thanks,
> Peter

The sequence is:

cdn.bighost.com  *
xmpl.cdnhost.xyz  *
cdnhost.xyz  *
xyz  *

Now if people were to say they think the lookups with the asterisks are a problem then we can propose an update to the RFC.
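As an added example (not from the thread or from any CA's code), the Python below models the RFC 6844 section 4 tree-climbing lookup with CNAME/DNAME following, run over the records in Peter's question through a hypothetical in-memory resolver that logs every query, so the full list of names queried for CAA on behalf of beta.shop.example.com can be inspected. The resolver, zone contents and the alias-hop bound are assumptions made for the example.

```python
from typing import List, Optional, Tuple

# Constructed zone data mirroring the records in Peter's question: no CAA
# records anywhere, so every lookup has to climb. Addresses are placeholders.
ZONE = {
    ("beta.shop.example.com", "A"): ["192.0.2.1"],
    ("shop.example.com", "CNAME"): ["xmpl.cdn.bighost.com"],
    ("example.com", "A"): ["192.0.2.2"],
    ("cdn.bighost.com", "DNAME"): ["cdnhost.xyz"],
    ("xmpl.cdnhost.xyz", "A"): ["192.0.2.3"],
}

class FakeResolver:
    """Hypothetical offline resolver: answers from a zone dict, logs every query."""
    def __init__(self, zone: dict) -> None:
        self.zone, self.queries = zone, []  # queries: list of (name, rtype)
    def query(self, name: str, rtype: str) -> List[str]:
        self.queries.append((name, rtype))
        return list(self.zone.get((name, rtype), []))
    def alias_target(self, name: str) -> Optional[str]:
        """A(X): a CNAME at X, or a DNAME at an ancestor rewriting X's suffix."""
        cname = self.query(name, "CNAME")
        if cname:
            return cname[0]
        labels = name.split(".")
        for i in range(1, len(labels)):  # DNAME covers subdomains, not its owner
            dname = self.query(".".join(labels[i:]), "DNAME")
            if dname:
                return ".".join(labels[:i] + [dname[0]])
        return None

def relevant_caa(r: FakeResolver, name: str, hops: int = 0) -> List[str]:
    """R(X): CAA(X), else R(A(X)), else R(parent(X)); [] at a TLD. hops bounds alias loops."""
    if hops > 8:
        return []
    caa = r.query(name, "CAA")
    if caa:
        return caa
    target = r.alias_target(name)
    found = relevant_caa(r, target, hops + 1) if target else []
    if found or "." not in name:  # found via alias chain, or reached a TLD
        return found
    return relevant_caa(r, name.split(".", 1)[1], hops)

def lookup(name: str, zone: dict = ZONE) -> Tuple[List[str], List[str]]:
    """Return (relevant CAA records, names queried for CAA in order, de-duplicated)."""
    r = FakeResolver(zone)
    result = relevant_caa(r, name)
    names = [q for q, t in r.queries if t == "CAA"]
    return result, list(dict.fromkeys(names))
```

Adding a CAA record at cdnhost.xyz to the zone stops the climb there, which shows why the asterisked names matter: records at an alias target's ancestors decide the answer for the original name.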
