Ryan Sleevi <r...@sleevi.com> wrote:
> I'm not sure I follow - when you go someapp.example.com to
> someapp.thirdparty.example, and they point to somewhere.somecdn.example,
> why is the assumption that somewhere.somecdn.example WOULDN'T place a CAA
> record?
It's been my observation that those systems do not set CAA records. For example, a domain hosted via:

  $ host someapp.example.com
  someapp.example.com is an alias for ghs.googlehosted.com.
  ghs.googlehosted.com has address 172.217.7.179
  ghs.googlehosted.com has IPv6 address 2607:f8b0:4004:800::2013
  $ host -t caa ghs.googlehosted.com
  ghs.googlehosted.com has no CAA record
  $

or

  $ host someapp.example.com
  someapp.example.com is an alias for someapp.example.com.cdn.jiveon.com.
  someapp.example.com.cdn.jiveon.com is an alias for vanity20.jiveon.com.edgekey.net.
  vanity20.jiveon.com.edgekey.net is an alias for e13068.dscb.akamaiedge.net.
  e13068.dscb.akamaiedge.net has address 104.108.119.92
  e13068.dscb.akamaiedge.net has IPv6 address 2600:1400:d:68a::330c
  e13068.dscb.akamaiedge.net has IPv6 address 2600:1400:d:697::330c
  $ host -t caa e13068.dscb.akamaiedge.net
  e13068.dscb.akamaiedge.net has no CAA record
  $

or

  $ host someapp.example.com
  someapp.example.com is an alias for someapp.example.com.cdn.cloudflare.net.
  someapp.example.com.cdn.cloudflare.net has address 104.16.125.51
  someapp.example.com.cdn.cloudflare.net has address 104.16.126.51
  $ host -t caa someapp.example.com.cdn.cloudflare.net
  someapp.example.com.cdn.cloudflare.net has no CAA record

I also think that's reasonable, since any number of services might host their apps on the provider's platform, so they likely have a large number of CNAME records pointing to them. For each one, the service in question might use a different CA, and ghs.googlehosted.com (in this example) would need to add those CAs to its CAA records.

-Jan

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
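The mechanics behind the exchange above, as an added example that is not part of the original thread: a CAA lookup implemented over an in-memory zone, following the algorithm in RFC 8659 (query CAA at the name while following CNAMEs; if the resulting RRset is empty, climb to the parent of the queried name, not of the alias target). The zone contents are constructed to mirror the host(1) output in the post; the CAA records on example.com, the locked.example.com and wild.example.com names, and the issuer domains are assumptions made for the demo. The last function shows what happens if a shared CNAME target such as ghs.googlehosted.com were to publish a CAA record: every customer aliased to it inherits that record, which is the point Jan makes about the provider having to list every customer's CA.

```python
"""RFC 8659-style CAA lookup over a constructed in-memory zone (added example)."""
from __future__ import annotations

MAX_CNAME_HOPS = 8  # loop guard for alias chains

# Constructed zone data modelled on the host(1) output in the post. The CAA
# records and the extra names under example.com are assumptions for this demo.
# CAA records are (flags, tag, value) tuples; flag 0x80 is the "critical" bit.
ZONE: dict[str, dict[str, list]] = {
    "example.com.": {"CAA": [(0, "issue", "letsencrypt.org")]},
    "someapp.example.com.": {"CNAME": ["ghs.googlehosted.com."]},
    "ghs.googlehosted.com.": {"A": ["172.217.7.179"]},
    "blog.example.com.": {"CNAME": ["blog.example.com.cdn.jiveon.com."]},
    "blog.example.com.cdn.jiveon.com.": {"CNAME": ["vanity20.jiveon.com.edgekey.net."]},
    "vanity20.jiveon.com.edgekey.net.": {"CNAME": ["e13068.dscb.akamaiedge.net."]},
    "e13068.dscb.akamaiedge.net.": {"A": ["104.108.119.92"]},
    "locked.example.com.": {"CAA": [(128, "issue", ";")]},  # explicit "no CA may issue"
    "wild.example.com.": {"CAA": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")]},
}


def fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def parent(name: str) -> str | None:
    """Parent of an FQDN, or None once the TLD is reached (root has no CAA here)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def caa_rrset(name: str, zone: dict) -> list:
    """CAA(X) per RFC 8659: the CAA RRset at X after following CNAMEs."""
    for _ in range(MAX_CNAME_HOPS):
        rrs = zone.get(name, {})
        if "CNAME" in rrs:  # an alias owns no other records; query the target
            name = rrs["CNAME"][0]
            continue
        return list(rrs.get("CAA", []))
    raise ValueError(f"CNAME chain too long at {name}")


def relevant_caa(name: str, zone: dict) -> tuple[str | None, list]:
    """Relevant RRset per RFC 8659 section 3: climb from X itself toward the root.

    Returns (name where the RRset was found, records); (None, []) if none exist.
    """
    x = fqdn(name)
    while x is not None:
        rrs = caa_rrset(x, zone)
        if rrs:
            return x, rrs
        x = parent(x)
    return None, []


def _issuer_domain(value: str) -> str:
    # "letsencrypt.org; accounturi=..." -> "letsencrypt.org"; ";" -> "" (no CA)
    return value.split(";", 1)[0].strip().lower()


def may_issue(name: str, ca: str, zone: dict, wildcard: bool = False) -> bool:
    """Decide whether CA `ca` may issue for `name` under the relevant CAA RRset."""
    _, rrs = relevant_caa(name, zone)
    if not rrs:
        return True  # no CAA anywhere up the tree: no restriction
    # An unrecognised property with the critical flag set forbids issuance.
    if any(flags & 0x80 and tag not in ("issue", "issuewild") for flags, tag, _ in rrs):
        return False
    issue = [v for _, t, v in rrs if t == "issue"]
    issuewild = [v for _, t, v in rrs if t == "issuewild"]
    # For wildcards, issuewild records (if any) replace issue records entirely.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # only iodef or similar present: issuance is not restricted
    return ca.lower() in {_issuer_domain(v) for v in applicable}


def with_provider_caa(zone: dict, target: str, ca: str) -> dict:
    """Copy of `zone` where the shared CNAME target publishes `issue <ca>`."""
    z = {k: dict(v) for k, v in zone.items()}
    z[target] = dict(z.get(target, {}))
    z[target]["CAA"] = [(0, "issue", ca)]
    return z


if __name__ == "__main__":
    print(relevant_caa("someapp.example.com", ZONE))
    print(may_issue("someapp.example.com", "letsencrypt.org", ZONE))
    hosted = with_provider_caa(ZONE, "ghs.googlehosted.com.", "pki.goog")
    print(may_issue("someapp.example.com", "letsencrypt.org", hosted))
```

With the zone as constructed, someapp.example.com and blog.example.com both end up governed by the CAA record on example.com, because none of the CDN names in their alias chains carry CAA and the climb starts from the customer's own parent. The moment ghs.googlehosted.com publishes `issue "pki.goog"`, CAA(someapp.example.com) resolves to that record through the CNAME and Let's Encrypt is refused for the customer, even though example.com permits it.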