[cabfpub] [Ext] Fixup ballot for CAA
Phillip Hallam-Baker
philliph at comodo.com
Tue Jul 11 02:03:00 UTC 2017
I think that at this stage the only review relevant would be if what was submitted did not match what was agreed in the LAMPS thread.
I did make one very minor correction, which was to change should to SHOULD; that has no semantic change, it merely flags that there is a normative consideration.
> On Jul 10, 2017, at 9:57 PM, Jacob Hoffman-Andrews <jsha at eff.org> wrote:
>
> Phillip has posted the latest version of the CAA erratum, which has been
> looked at and generally appears good. The next step will be to get it
> into "Held for Document Update." Meanwhile, please take a look and speak
> up if you see any blocking problems, so we can ballot it shortly after
> the move to "Held for Document Update."
>
> https://www.rfc-editor.org/errata/eid5065
>
> Errata ID: 5065
>
> Status: Reported
> Type: Technical
>
> Reported By: Phillip Hallam-Baker
> Date Reported: 2017-07-10
> Section 4 says:
>
> Let CAA(X) be the record set returned in response to performing a CAA
> record query on the label X, P(X) be the DNS label immediately above
> X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
> alias record specified at the label X.
>
> o If CAA(X) is not empty, R(X) = CAA (X), otherwise
>
> o If A(X) is not null, and R(A(X)) is not empty, then R(X) =
> R(A(X)), otherwise
>
> o If X is not a top-level domain, then R(X) = R(P(X)), otherwise
>
> o R(X) is empty.
> It should say:
>
> Let CAA(X) be the record set returned in response to performing a CAA
> record query on the label X, P(X) be the DNS label immediately above
> X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
> alias record chain specified at the label X.
>
> o If CAA(X) is not empty, R(X) = CAA (X), otherwise
>
> o If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
> CAA(A(X)), otherwise
>
> o If X is not a top-level domain, then R(X) = R(P(X)), otherwise
>
> o R(X) is empty.
>
> Thus, when a search at node X returns a CNAME record, the CA will
> follow the CNAME record chain to its target. If the target label
> contains a CAA record, it is returned.
>
> Otherwise, the CA continues the search at
> the parent of node X.
>
> Note that the search does not include the parent of a target of a
> CNAME record (except when the CNAME points back to its own path).
>
> To prevent resource exhaustion attacks, CAs SHOULD limit the length of
> CNAME chains that are accepted. However CAs MUST process CNAME
> chains that contain 8 or fewer CNAME records.
> Notes:
>
> This is the updated errata to replace the ones previously deleted. It
> has been reviewed by all the parties concerned. Since this is a breaking
> change, this will have to go to hold for document update. The LAMPS
> working group is currently considering a more radical re-working of the
> CAA discovery scheme as a work item for its new charter.
>
> I will be in Prague to discuss...
>
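The corrected discovery rules from the quoted erratum, written out as an added Python example (not code from this thread, the RFC, or any CA): the zone data, the names under `.test`, and the helper names are constructed for illustration, and MAX_CHAIN takes the 8-record figure the erratum gives as the minimum a CA must process. It shows the two points the erratum makes: CAA(A(X)) is consulted but the target's parents are not, and an over-long (here looping) CNAME chain is rejected.

```python
from typing import Dict, List, Optional, Tuple

# Constructed mock zone (hypothetical names): label -> (CAA record set, CNAME target).
ZONE: Dict[str, Tuple[List[str], Optional[str]]] = {
    "example.test":            (['0 issue "ca-one.test"'], None),
    "www.example.test":        ([], "cdn.example-cdn.test"),     # 2-record CNAME chain
    "cdn.example-cdn.test":    ([], "edge.example-cdn.test"),
    "edge.example-cdn.test":   (['0 issue "ca-two.test"'], None),
    "www2.example.test":       ([], "orphan.example-cdn.test"),  # alias target without CAA
    "orphan.example-cdn.test": ([], None),
    "example-cdn.test":        (['0 issue "ca-three.test"'], None),  # parent of targets: never consulted
    "loop.example.test":       ([], "loop2.example.test"),       # CNAME loop
    "loop2.example.test":      ([], "loop.example.test"),
}
TLDS = {"test"}
MAX_CHAIN = 8  # erratum: chains of 8 or fewer CNAME records MUST be processed

def caa(label: str) -> List[str]:          # CAA(X): record set at X, [] if none
    return ZONE.get(label, ([], None))[0]

def cname(label: str) -> Optional[str]:    # CNAME target at X, None if X is not an alias
    return ZONE.get(label, ([], None))[1]

def parent(label: str) -> str:             # P(X): the DNS label immediately above X
    return label.split(".", 1)[1]

def alias_target(label: str, max_chain: int = MAX_CHAIN) -> Optional[str]:
    """A(X): final target of the CNAME chain at X, or None if X is not an alias.
    Chains longer than max_chain (loops included) are rejected, per the erratum's guard."""
    target = cname(label)
    hops = 0 if target is None else 1
    while target is not None and cname(target) is not None:
        target, hops = cname(target), hops + 1
        if hops > max_chain:
            raise ValueError(f"CNAME chain at {label} exceeds {max_chain} records")
    return target

def relevant_caa(x: str, max_chain: int = MAX_CHAIN) -> List[str]:
    """R(X) as defined by the corrected text of erratum 5065."""
    if caa(x):                               # CAA(X) not empty -> R(X) = CAA(X)
        return caa(x)
    target = alias_target(x, max_chain)
    if target is not None and caa(target):   # CAA(A(X)) not empty -> R(X) = CAA(A(X))
        return caa(target)                   # CAA(A(X)), not R(A(X)): the target's parents are skipped
    if x not in TLDS:                        # otherwise climb to P(X)
        return relevant_caa(parent(x), max_chain)
    return []                                # top-level domain reached: R(X) is empty
```

With this zone, `www2.example.test` resolves to the ca-one record at `example.test` rather than the ca-three record at `example-cdn.test`, which is exactly the behaviour the erratum's note about not searching the parent of a CNAME target describes.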