On Fri, Mar 15, 2019 at 4:40 PM Jan Schaumann via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org>
> wrote:
>
> > I don't think we here will really be able to do anything for this; as you
> > note, this is really a question about fundamental DNS specification, and
> > whether or not other records can live along-side a CNAME. That seems like
> > it'd be IETF's DNS group?
>
> Fair. I was just wondering if this group had any concerns or opinions
> on the matter.

Yeah, apologies if that seemed dismissive; it was more that I don't think we
could accomplish the specific proposal. It does highlight opportunities to
understand the problem though and look at ways to address it.

One could imagine an alternative solution (as opposed to changing the CAA
spec) would be a way to delegate authority for certain CNAME'd subdomains.
That is, an issue/issuewild parameter tag with a CA-specific property defined
by the CA/Browser Forum (or by IETF) that detailed specific provisions for
certain CNAME children.

Elegant? No. But perhaps easier than updating DNS RFCs :)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
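The exchange above turns on how CAA lookup interacts with CNAMEs: a name that is a CNAME cannot hold its own CAA record, so the CAA query for it is answered from the alias target, and only if that is empty does the lookup climb to the parents of the queried name. The following is an added example, not code from the thread or from Mozilla, that simulates the RFC 8659 "relevant RRset" climb over a constructed in-memory zone and then sketches the delegation idea Ryan floats. The zone contents, the CA names and the `cname-children` parameter are all constructed; `cname-children` is a hypothetical parameter invented here to illustrate the proposal and is not a registered CAA issue parameter.

```python
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value) as in RFC 8659

# Constructed in-memory zone (not real DNS): owner name -> record types.
ZONE: Dict[str, dict] = {
    "example.com": {"CAA": [
        (0, "issue", "ca-a.example"),
        # Hypothetical delegation parameter in the spirit of the thread's
        # proposal; "cname-children" is NOT a standard CAA parameter.
        (0, "issue", "ca-b.example; cname-children=www"),
    ]},
    "www.example.com": {"CNAME": "cdn.provider.example"},   # cannot also hold CAA
    "cdn.provider.example": {"CAA": [(0, "issue", "ca-c.example")]},
    "app.example.com": {"CNAME": "apps.other.example"},
    "apps.other.example": {},                                # target has no CAA
}


def resolve_caa(name: str) -> List[CAARecord]:
    """Answer a CAA query the way a resolver does: follow any CNAME chain,
    then return the CAA RRset at the final target (empty list if none)."""
    seen = set()
    while "CNAME" in ZONE.get(name, {}):
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.add(name)
        name = ZONE[name]["CNAME"]
    return list(ZONE.get(name, {}).get("CAA", []))


def relevant_caa(fqdn: str) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 relevant RRset: the first non-empty CAA set found at the name
    itself or, climbing one label at a time, at one of its parents. The climb
    follows the parents of the *queried* name, not of the CNAME target."""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrs = resolve_caa(candidate)
        if rrs:
            return candidate, rrs
    return None, []


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split an issue/issuewild value into the issuer domain and its
    ';'-separated parameters ('issuer; key=value; ...', RFC 8659 section 4.2)."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip()] = val.strip()
    return parts[0], params


def may_issue(ca: str, fqdn: str) -> Tuple[bool, str]:
    """Standard CAA decision for a non-wildcard name, considering only the
    issue property (issuewild and critical flags are out of scope here)."""
    found_at, rrs = relevant_caa(fqdn)
    issuers = [parse_issue_value(r[2])[0] for r in rrs if r[1] == "issue"]
    if not issuers:
        return True, "no issue property in the relevant RRset"
    if ca in issuers:
        return True, "authorized by CAA at %s" % found_at
    return False, "CAA at %s authorizes only %s" % (found_at, ", ".join(issuers))


def may_issue_with_delegation(ca: str, fqdn: str) -> Tuple[bool, str]:
    """Hypothetical extension, not standard behaviour: when fqdn is a CNAME,
    additionally accept an issue record at its parent whose 'cname-children'
    parameter lists fqdn's leftmost label."""
    allowed, reason = may_issue(ca, fqdn)
    if allowed or "CNAME" not in ZONE.get(fqdn, {}):
        return allowed, reason
    child, _, parent = fqdn.partition(".")
    for r in resolve_caa(parent):
        if r[1] != "issue":
            continue
        issuer, params = parse_issue_value(r[2])
        children = [c.strip() for c in params.get("cname-children", "").split(",")]
        if issuer == ca and child in children:
            return True, "hypothetical cname-children delegation at %s" % parent
    return allowed, reason


if __name__ == "__main__":
    for ca, name in [("ca-a.example", "www.example.com"),
                     ("ca-a.example", "app.example.com"),
                     ("ca-b.example", "www.example.com")]:
        print(ca, name, may_issue(ca, name), may_issue_with_delegation(ca, name))
```

Running it shows the asymmetry the thread is about: `www.example.com` is answered from the CNAME target, so the target operator's CAA (ca-c) governs it and the zone owner's record at `example.com` is never consulted, whereas `app.example.com`, whose target has no CAA, falls back to the parent. Only the hypothetical delegation path lets the parent's record speak for the CNAME'd child. Earlier RFC 6844 also climbed the CNAME target's parents; RFC 8659 dropped that, which is why the climb here stays on the queried name.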