I don't like erratum 5097. It just deletes the mention of DNAME, which can easily be misinterpreted as not permitting DNAME following for CAA (or even worse, allows DNAME to be handled however you want). Erratum 5097 also has not been approved by IETF (and shouldn't be, for this reason).
The "natural" interpretation of DNAME, which has been discussed on various CA/Browser forum calls and at the Taiwan face to face meeting, is that DNAME must be handled in compliance with RFC 6672, which explains how synthesized CNAMEs work. My own personal preferred fix for RFC 6844 is to replace "CNAME or DNAME alias record specified at the label X" with "CNAME alias record specified at the label X, or a DNAME alias record *in effect at* the label X (see RFC 6672)". But anyway, I think everyone agrees what we want: DNAMEs work the way they do everywhere else. There's nothing special about them for CAA.

-Tim

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+thollebeek=trustwave....@lists.mozilla.org] On Behalf Of Andrew Ayer via dev-security-policy
Sent: Wednesday, October 25, 2017 5:05 PM
To: Kathleen Wilson <kwil...@mozilla.com>
Cc: Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DRAFT November 2017 CA Communication

Hi Kathleen,

I suggest being explicit about which CAA errata Mozilla allows. For CNAME, it's erratum 5065. For DNAME, it's erratum 5097.

Link to errata: https://scanmail.trustwave.com/?c=4062&d=rPzw2czQrwDIggzGnHPfXELR5_onUMc5So6YlzbIiQ&s=5&u=https%3a%2f%2fwww%2erfc-editor%2eorg%2ferrata%5fsearch%2ephp%3frfc%3d6844

We don't want CAs to think they can follow any errata they like, or to come up with their own interpretation of what "natural" means :-)

Regards,
Andrew

On Wed, 25 Oct 2017 12:46:40 -0700 (PDT)
Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> All,
>
> I will greatly appreciate your thoughtful and constructive feedback on
> the DRAFT of Mozilla's next CA Communication, which I am hoping to
> send in early November.
>
> https://scanmail.trustwave.com/?c=4062&d=rPzw2czQrwDIggzGnHPfXELR5_onU
> Mc5St_PkWKbjQ&s=5&u=https%3a%2f%2fwiki%2emozilla%2eorg%2fCA%2fCommunic
> ations%23November%5f2017%5fCA%5fCommunication
>
> Direct link to the survey:
> https://scanmail.trustwave.com/?c=4062&d=rPzw2czQrwDIggzGnHPfXELR5_onU
> Mc5SomUljKdiw&s=5&u=https%3a%2f%2fccadb-public%2esecure%2eforce%2ecom%
> 2fmozillacommunications%2fCACommunicationSurveySample%3fCACommunicatio
> nId%3da051J00003mogw7
>
> Thanks,
> Kathleen
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://scanmail.trustwave.com/?c=4062&d=rPzw2czQrwDIggzGnHPfXELR5_onU
> Mc5StnPlmSVhg&s=5&u=https%3a%2f%2flists%2emozilla%2eorg%2flistinfo%2fd
> ev-security-policy
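As an added example, not from this thread or from any CA's code: a small Python model of the RFC 6672 substitution Tim describes, applied to the RFC 6844 section 4 lookup (with the erratum 5065 ordering Andrew mentions) over constructed zone data. It shows that a DNAME at example.com rewrites names below it but not example.com itself, which is the "in effect at" distinction.

```python
from typing import Any, Dict, List, Optional

# Constructed zone data (not a real deployment): owner name -> records.
ZONE: Dict[str, Dict[str, Any]] = {
    "example.com.":           {"DNAME": "alias.example.net."},
    "example.net.":           {"CAA": ['0 issue "ca-a.example"']},
    "www.alias.example.net.": {"CAA": ['0 issue "ca-b.example"']},
    "web.example.net.":       {"CNAME": "www.example.com."},
}

def labels(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")

def join(ls: List[str]) -> str:
    return ".".join(ls) + "."

def synthesized_cname(qname: str) -> Optional[str]:
    """RFC 6672 section 2.2: a DNAME owner -> target is in effect at qname
    only when owner is a proper ancestor of qname; the owner suffix is then
    replaced by target. A DNAME at qname itself does not rewrite qname."""
    q = labels(qname)
    for cut in range(1, len(q)):                   # proper ancestors, closest first
        target = ZONE.get(join(q[cut:]), {}).get("DNAME")
        if target:
            return join(q[:cut] + labels(target))
    return None

def alias_target(name: str) -> Optional[str]:
    """A(X): a CNAME at X, or a DNAME in effect at X (the thread's wording)."""
    cname = ZONE.get(name, {}).get("CNAME")
    return str(cname) if cname else synthesized_cname(name)

def relevant_caa(x: str, depth: int = 0) -> List[str]:
    """R(X) from RFC 6844 section 4 in the erratum 5065 ordering as I read it:
    CAA(X); else R(A(X)) if non-empty; else R(P(X)); empty at the root."""
    x = join(labels(x))                            # normalise to lowercase FQDN
    if depth > 8 or x == ".":                      # bound alias loops; stop at root
        return []
    caa = ZONE.get(x, {}).get("CAA")
    if caa:
        return list(caa)
    a = alias_target(x)
    if a:
        via_alias = relevant_caa(a, depth + 1)
        if via_alias:
            return via_alias
    parent = join(labels(x)[1:]) if len(labels(x)) > 1 else "."
    return relevant_caa(parent, depth + 1)
```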