[cabfpub] [Ext] Fixup ballot for CAA

Phillip Hallam-Baker philliph at comodo.com
Mon Jul 10 19:03:00 MST 2017


I think that at this stage the only review relevant would be if what was submitted did not match what was agreed in the LAMPS thread.

I did make one very minor correction, which was to change should to SHOULD. That has no semantic change; it merely flags that there is a normative consideration.

> On Jul 10, 2017, at 9:57 PM, Jacob Hoffman-Andrews <jsha at eff.org> wrote:
> 
> Phillip has posted the latest version of the CAA erratum, which has been
> looked at and generally appears good. The next step will be to get it
> into "Held for Document Update." Meanwhile, please take a look and speak
> up if you see any blocking problems, so we can ballot it shortly after
> the move to "Held for Document Update."
> 
> https://www.rfc-editor.org/errata/eid5065
> 
> Errata ID: 5065
> 
> Status: Reported
> Type: Technical
> 
> Reported By: Phillip Hallam-Baker
> Date Reported: 2017-07-10
> Section 4 says:
> 
>   Let CAA(X) be the record set returned in response to performing a CAA
>   record query on the label X, P(X) be the DNS label immediately above
>   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
>   alias record specified at the label X.
> 
>   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise
> 
>   o  If A(X) is not null, and R(A(X)) is not empty, then R(X) =
>      R(A(X)), otherwise
> 
>   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise
> 
>   o  R(X) is empty.
> It should say:
> 
>   Let CAA(X) be the record set returned in response to performing a CAA
>   record query on the label X, P(X) be the DNS label immediately above
>   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
>   alias record chain specified at the label X.
> 
>   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise
> 
>   o  If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
>      CAA(A(X)), otherwise
> 
>   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise
> 
>   o  R(X) is empty.
> 
>  Thus, when a search at node X returns a CNAME record, the CA will
>  follow the CNAME record chain to its target. If the target label
>  contains a CAA record, it is returned.
> 
>  Otherwise, the CA continues the search at
>  the parent of node X.
> 
>  Note that the search does not include the parent of a target of a
>  CNAME record (except when the CNAME points back to its own path).
> 
>  To prevent resource exhaustion attacks, CAs SHOULD limit the length of
>  CNAME chains that are accepted. However CAs MUST process CNAME
>  chains that contain 8 or fewer CNAME records.
> Notes:
> 
> This is the updated errata to replace the ones previously deleted. It
> has been reviewed by all the parties concerned. Since this is a breaking
> change, this will have to go to hold for document update. The LAMPS
> working group is currently considering a more radical re-working of the
> CAA discovery scheme as a work item for its new charter.
> 
> I will be in Prague to discuss...
> 
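The difference between the printed text of RFC 6844 section 4 and the erratum is easy to miss in prose: the original recurses into R(A(X)), so a CNAME pointing into another organisation's zone lets the CA climb that zone's parents and pick up the other organisation's CAA policy; the erratum consults only CAA(A(X)) at the end of the alias chain and then returns to the parent of X. The following Python is an added illustration, not code from the erratum, the LAMPS thread or any CA. It models the two discovery procedures over a constructed in-memory zone (all names, CA identifiers and the ten-hop alias chain are invented for the example) and enforces the 8-record CNAME chain bound from the erratum's resource-exhaustion paragraph.

```python
"""CAA record discovery (RFC 6844 section 4) before and after erratum 5065.

Added illustration, not code from the erratum or from any CA. The zone data,
names and CA identifiers below are constructed for the example.
"""

# Constructed zone: fully-qualified name -> records present at that name.
# "CAA" holds the CAA RRset as strings; "CNAME" holds the alias target.
ZONE = {
    "example.com.":         {"CAA": ['0 issue "ca-a.example"']},
    "www.example.com.":     {"CNAME": "hosting.example.net."},
    "hosting.example.net.": {},
    "example.net.":         {"CAA": ['0 issue "ca-b.example"']},
    "blog.example.com.":    {"CNAME": "cdn1.example.org."},
    "cdn1.example.org.":    {"CNAME": "cdn2.example.org."},
    "cdn2.example.org.":    {"CAA": ['0 issue "cdn-ca.example"']},
}
# A ten-hop alias chain, longer than the 8 records a CA must accept.
for i in range(10):
    ZONE[f"hop{i}.example.org."] = {"CNAME": f"hop{i + 1}.example.org."}
ZONE["hop10.example.org."] = {"CAA": ['0 issue "far-ca.example"']}

MAX_CNAME_CHAIN = 8  # erratum: CAs MUST process chains of 8 or fewer records


class CNAMEChainTooLong(Exception):
    """Raised when an alias chain exceeds the CA's configured limit."""


def caa(name):
    """CAA(X): the CAA RRset at exactly this name (empty list if none)."""
    return list(ZONE.get(name, {}).get("CAA", []))


def parent(name):
    """P(X): the label immediately above X (www.example.com. -> example.com.)."""
    return name.split(".", 1)[1]


def is_tld(name):
    """True for a top-level domain such as 'com.'."""
    return name.count(".") == 1


def alias_target(name, max_chain=MAX_CNAME_CHAIN):
    """A(X): the end of the CNAME chain starting at X, or None if X is no alias.

    Counts the CNAME records followed and refuses chains longer than
    max_chain, bounding the work an attacker-controlled zone can force.
    """
    hops = 0
    current = name
    while "CNAME" in ZONE.get(current, {}):
        hops += 1
        if hops > max_chain:
            raise CNAMEChainTooLong(f"{name}: more than {max_chain} CNAME records")
        current = ZONE[current]["CNAME"]
    return None if hops == 0 else current


def discover_original(name, max_chain=MAX_CNAME_CHAIN):
    """R(X) as printed in RFC 6844: recurse fully into the alias target.

    Because R(A(X)) climbs the target's parents, a CNAME pointing into another
    organisation's zone can pick up that organisation's CAA policy.
    """
    rrset = caa(name)
    if rrset:
        return rrset
    target = alias_target(name, max_chain)
    if target is not None:
        rrset = discover_original(target, max_chain)
        if rrset:
            return rrset
    if not is_tld(name):
        return discover_original(parent(name), max_chain)
    return []


def discover_erratum(name, max_chain=MAX_CNAME_CHAIN):
    """R(X) per erratum 5065: only CAA(A(X)) at the chain's end is consulted.

    If the alias target carries no CAA set, the search continues at the
    parent of X, never at the parent of the target.
    """
    rrset = caa(name)
    if rrset:
        return rrset
    target = alias_target(name, max_chain)
    if target is not None:
        rrset = caa(target)
        if rrset:
            return rrset
    if not is_tld(name):
        return discover_erratum(parent(name), max_chain)
    return []


if __name__ == "__main__":
    for label in ("www.example.com.", "blog.example.com."):
        print(label, "original:", discover_original(label),
              "erratum:", discover_erratum(label))
```

For www.example.com. the two procedures disagree: the printed text returns example.net.'s policy (reached through the parent of the CNAME target), while the erratum returns example.com.'s. hop2.example.org. sits exactly 8 CNAME records from its CAA set and is accepted; hop1.example.org. needs 9 and is rejected unless the CA raises its limit.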
