[cabf_validation] CNAME ballot

Rick Andrews Rick_Andrews at symantec.com
Mon Mar 6 13:36:29 MST 2017


In general, I think my answer to "why not" questions is that adding options
might create unintended consequences, so we should be sure there's enough
need and value to balance out the (potential) added risk. 

 

In this specific case, I don't feel too strongly that there's a lot of added
risk.I understand the value that Robin and Jeremy described, so I'm content
with it and won't raise any more objections.

 

-Rick

 

From: Robin Alden [mailto:robin at comodo.com] 
Sent: Monday, March 06, 2017 10:25 AM
To: Rick Andrews <Rick_Andrews at symantec.com>; 'CA/Browser Forum Validation
WG List' <validation at cabforum.org>; 'Jeremy Rowley'
<jeremy.rowley at digicert.com>
Subject: RE: [cabf_validation] CNAME ballot

 

Hi Rik,

1)      I guess there's some inertia.  Our customers used a CNAME method for
a long time.

2)      Breadth of knowledge and support for TXT.  While I would agree that
the support for TXT records is now really high, we have customers using DNS
systems behind automation platforms or behind 'control panels' (a generic
term and not including cPanel in this case) which support CNAMEs but don't
support TXT.

3)      I just saw Jeremy's response, but I too would ask 'Why not?'

Regards
Robin

 

 

From: Rick Andrews [mailto:Rick_Andrews at symantec.com] 
Sent: 06 March 2017 18:12
To: CA/Browser Forum Validation WG List <validation at cabforum.org
<mailto:validation at cabforum.org> >; 'Jeremy Rowley'
<jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com> >
Cc: Robin Alden <robin at comodo.com <mailto:robin at comodo.com> >
Subject: RE: [cabf_validation] CNAME ballot

 

I guess I still don't understand why there's a need to do this with CNAME
records, when a TXT record will do. You're right that there's no requirement
that the CNAME resolve to anything, but there are semantics to CNAME
records, whereas TXT records just hold arbitrary data. Are there cases where
someone cannot use a TXT record?

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Robin
Alden via Validation
Sent: Monday, March 06, 2017 9:58 AM
To: 'Jeremy Rowley' <jeremy.rowley at digicert.com
<mailto:jeremy.rowley at digicert.com> >
Cc: Robin Alden <robin at comodo.com <mailto:robin at comodo.com> >; 'CA/Browser
Forum Validation WG List' <validation at cabforum.org
<mailto:validation at cabforum.org> >
Subject: Re: [cabf_validation] CNAME ballot

 

Jeremy,

                Sorry, I just realized you already said this was being added
to the updated 169 ballot.

Please just accept our latecomer support for your inclusion of CNAME in the
"DNS Change" method to that ballot.

 

Regards
Robin Alden

Comodo

 

From: Robin Alden [mailto:robin at comodo.com] 
Sent: 06 March 2017 17:32
To: 'Doug Beattie' <doug.beattie at globalsign.com
<mailto:doug.beattie at globalsign.com> >; 'Jeremy Rowley'
<jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com> >
Cc: 'CA/Browser Forum Validation WG List' <validation at cabforum.org
<mailto:validation at cabforum.org> >
Subject: RE: [cabf_validation] CNAME ballot

 

Hi Jeremy, Doug,

                I've been considering domain control validation using
CNAMEs, and I re-read this thread.

 

Jeremy, we'll endorse your one word insertion, if you're still game.

 

Doug said..

> What does confirming the presence of a random number in a CNAME record
mean?  There is no place to put a random number "in a CNAME record", it's
just an alias.

Yes, there is a place you can put the random value.  You put it in the right
hand side of the CNAME.

You're right that it's intended to be an alias, and that DNS name syntax
rules apply to the right hand side of the CNAME, but there is no requirement
that the name at the right hand side of the CNAME actually resolves.

 

Doug said..

> Assuming this means you can put a random value in the DNS entry for the
fqdn supplied in a CNAME record, Is this change intended to only be used for
DNS validation or can this be used for file based or email validation as
well? 

It is not intended to be used with file or email based validation.
3.2.2.4.7 provides a method of confirming applicant control.  It is not a
factor or a sub-method to be used within other methods of confirming
control.

In fact the use of CNAMEs in any other method is already achieved by the
definition of 'Authorization Domain Name' which reads:

"Authorization Domain Name: The Domain Name used to obtain authorization for
certificate issuance for a

given FQDN. The CA may use the FQDN returned from a DNS CNAME lookup as the
FQDN for the purposes of

domain validation."

 

Here's an example that would work with Jeremy's proposed 1 word change to
3.2.2.4.7.

 

<Example1>

Given: The domain name the applicant wants in a certificate is
'sub1.example.com'.

Given: The CA is WonderCA Corp.

 

The applicant sets up a DNS record of the form

<_CA-specific-prefix>.domain.com CNAME <rnd>.validation.com

Specifically, in this contrived example

_WonderCA.sub1.example.com CNAME
bm9lwphmmw4jkzym4zjwvnzdiyllr7t9apsdadpj4bjqz2z9al0eg3icoidblyo.wonderca.com

 

The random value (or request token) in this case is the first 63 character
long DNS label on the right hand side.  63 characters is the longest that a
single DNS label can be, but there would be nothing to stop you using
multiple labels to store a longer value if required - up to the 255
character limit on a DNS name.

 

So when the CA executes this command 

dig _WonderCA.sub1.example.com CNAME +short

this would be the response..

bm9lwphmmw4jkzym4zjwvnzdiyllr7t9apsdadpj4bjqz2z9al0eg3icoidblyo.wonderca.com
.

</Example1>

 

Regards
Robin

 

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Doug
Beattie via Validation
Sent: 15 December 2016 17:08
To: CA/Browser Forum Validation WG List <validation at cabforum.org
<mailto:validation at cabforum.org> >
Cc: Doug Beattie <doug.beattie at globalsign.com
<mailto:doug.beattie at globalsign.com> >
Subject: Re: [cabf_validation] CNAME ballot

 

Jeremy,

 

I think we need an example or two with supplemental info with this ballot to
describe how it could be used - not necessarily in the body of the change
for the ballot, but in the introduction/background.  I'm still not clear on
the various scenarios for how it could be used.

 

Doug

 

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Doug
Beattie via Validation
Sent: Thursday, December 8, 2016 10:50 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org
<mailto:validation at cabforum.org> >
Cc: Doug Beattie <doug.beattie at globalsign.com
<mailto:doug.beattie at globalsign.com> >
Subject: Re: [cabf_validation] CNAME ballot

 

Jeremy,

 

Sorry I missed the call last week.

 

What does confirming the presence of a random number in a CNAME record mean?
There is no place to put a random number "in a CNAME record", it's just an
alias.

 

Assuming this means you can put a random value in the DNS entry for the fqdn
supplied in a CNAME record, Is this change intended to only be used for DNS
validation or can this be used for file based or email validation as well?
In other words, if we have this:

 

NAME                        TYPE              VALUE

--------------------------------------------------

bar.example.com.        CNAME       foo.example.com.

 

Can send an email to admin at foo.example.com <mailto:admin at foo.example.com>
to validate the SAN bar.example.com?  

Can I put a random number in well-known on foo.example.com to approve the
SAN bar.example.com?

 

Assuming you want to use foo.example.com to validate bar.example.com, should
we embed this rule into the definition of Authorization Domain name?  I'm
having Deja-vu

 

Doug

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of
Jeremy Rowley via Validation
Sent: Thursday, December 1, 2016 10:47 AM
To: validation (validation at cabforum.org <mailto:validation at cabforum.org> )
<validation at cabforum.org <mailto:validation at cabforum.org> >
Cc: Jeremy Rowley <jeremy.rowley at digicert.com
<mailto:jeremy.rowley at digicert.com> >
Subject: [cabf_validation] CNAME ballot

 

This is the CNAME ballot discussed last week:

Confirming the Applicant's control over the requested FQDN by confirming the
presence of a Random Value or Request Token in a DNS TXT, CNAME, or CAA
record for an Authorization Domain Name or an Authorization Domain Name that
is prefixed with a label that begins with an underscore character. 

If a Random Value is used, the CA or Delegated Third Party SHALL provide a
Random Value unique to the certificate request and SHALL not use the Random
Value after (i) 30 days or (ii) if the Applicant submitted the certificate
request, the timeframe permitted for reuse of validated information relevant
to the certificate (such as in Section 3.3.1 of these Guidelines or Section
11.14.3 of the EV Guidelines). 

               

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20170306/d644b3d2/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5725 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20170306/d644b3d2/attachment-0001.bin>


More information about the Validation mailing list