On 18/03/2019 16:42, Corey Bonnell wrote:
Perhaps not very elegant, but you can encode an “allow all issuers” CAA RRSet by specifying a single iodef CAA record without any issue/issuewild records in the RRSet, which will probably be treated as permission to issue for CAs. I say “probably” because the RFC wasn’t clear on the proper handling of RRSets with no issue/issuewild property tags, but this was clarified in the CAB Forum in Ballot 219 (https://cabforum.org/2018/04/10/ballot-219-clarify-handling-of-caa-record-sets-with-no-issue-issuewild-property-tag/) to explicitly allow the above behavior (although of course some CAs may be more restrictive and disallow issuance in this case).

Huh, I hadn't considered that interpretation. Indeed, a strict reading of the RFC suggests that would work. It seems an arbitrary non-defined non-critical CAA tag record should work too (if using an actual iodef is undesirable for some reason). Maybe such a tag should be defined for this purpose?

Though this won't help Amazon/Google/etc, as having a higher-level CAA record would require tree-climbing on CNAME targets, which was removed by erratum 5065. Sorry for the noise.

--
Hector Martin "marcan"
Public key: https://mrcn.st/pub
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
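The two rules discussed in the thread, as an added worked example that is not part of the original message: a small CAA policy evaluator over a constructed in-memory zone. It follows a CNAME at the queried name but does not climb the alias target's parents (the RFC 6844 erratum 5065 behaviour, later carried into RFC 8659), and it treats a relevant RRSet with no issue/issuewild property (for example iodef only) as permission for any CA, the Ballot 219 reading. The zone contents and the CA names `ca-one.example` and `ca-two.example` are assumptions for the example.

```python
from collections import namedtuple

CRITICAL = 128  # issuer-critical flag bit
CAA = namedtuple("CAA", "flags tag value")  # one CAA resource record

# Constructed zone: name -> CAA RRset. CNAMEs are kept separately so the lookup
# can follow an alias at the queried name without climbing the target's parents.
ZONE = {
    "example.com.": [CAA(0, "iodef", "mailto:security@example.com")],  # no issue tag: allow all
    "strict.example.com.": [CAA(0, "issue", "ca-one.example")],
    "wild.example.com.": [CAA(0, "issue", "ca-one.example"), CAA(0, "issuewild", "ca-two.example")],
    "locked.example.com.": [CAA(0, "issue", ";")],  # explicit "no CA may issue"
    "odd.example.com.": [CAA(CRITICAL, "future-tag", "x")],  # unknown critical property
    "cdn.example.": [CAA(0, "issue", ";")],  # provider-level record, never reached via the alias
}
CNAMES = {"www.example.com.": "host1.cdn.example."}  # host1.cdn.example. has no CAA RRset

def caa_lookup(name, zone=ZONE, cnames=CNAMES):
    """CAA(name): follow a CNAME chain at this exact name and return its RRset."""
    seen = set()
    while name in cnames and name not in seen:
        seen.add(name)
        name = cnames[name]
    return zone.get(name, [])

def relevant_caa_rrset(fqdn, zone=ZONE, cnames=CNAMES):
    """Climb from fqdn towards the root; the first non-empty RRset is the relevant one."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = caa_lookup(".".join(labels[i:]) + ".", zone, cnames)
        if rrset:
            return rrset
    return []  # no CAA anywhere in the chain: no restriction

def issuance_permitted(rrset, ca_domain, wildcard=False):
    """Issue/issuewild matching plus the Ballot 219 reading for RRsets with no issue tag."""
    if any(r.flags & CRITICAL and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False  # critical property the CA does not understand: must not issue
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True  # only iodef (or nothing relevant): any CA may issue
    return any(r.value.split(";", 1)[0].strip().lower() == ca_domain.lower() for r in relevant)

def check(fqdn, ca_domain):
    """Would ca_domain be permitted to issue for fqdn ("*.x" for a wildcard request)?"""
    wildcard = fqdn.startswith("*.")
    return issuance_permitted(relevant_caa_rrset(fqdn[2:] if wildcard else fqdn), ca_domain, wildcard)
```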
