DNS Certification Authority Authorization (CAA) Resource Record
draft-ietf-lamps-rfc6844bis-07
Yes
Roman Danyliw
No Objection
Warren Kumari
(Alvaro Retana)
(Deborah Brungard)
(Ignas Bagdonas)
(Magnus Westerlund)
(Martin Vigoureux)
(Mirja Kühlewind)
(Suresh Krishnan)
Note: This ballot was opened for revision 06 and is now closed.
Roman Danyliw
Yes
Warren Kumari
No Objection
Éric Vyncke
No Objection
Comment
(2019-05-20 for -06)
Sent
Thank you all for the work put into this document. I appreciate the section 7 about the differences with RFC 6844. == COMMENTS == -- Section 2.2 -- "Domain Name: The label assigned to a node in the Domain Name System." AFAIK RFC 1034 defines it differently "The domain name of a node is the list of the labels on the path from the node to the root of the tree" Or are we talking about different "domain names" ? "Wildcard domain name": it would be interesting to define not only the syntax but also the semantic do those wildcard domain names. -- Section 3 -- While I am not a security expert, a TLD could add a CAA forcing all its FQDN to either use the CA defined in the TLD CAA RRset or add a per FQDN CAA (which may raise the bar for small not-so-managed domains which otherwise could have used a cheap and easy CA such as letsencrypt). Is it really good to climb the DNS tree up to the TLD? Just curious. == NITS == -- Section 3 -- I would have preferred a recursive definition rather than an interative algorithm but this is a matter of taste ;-)
Alissa Cooper Former IESG member
No Objection
No Objection
(2019-05-28 for -06)
Sent
Please respond to the Gen-ART review.
Alvaro Retana Former IESG member
No Objection
No Objection
(for -06)
Not sent
Barry Leiba Former IESG member
No Objection
No Objection
(2019-05-28 for -06)
Sent
— Section 4.1 — Tag Length: A single octet containing an unsigned integer specifying the tag length in octets. The tag length MUST be at least 1 and SHOULD be no more than 15. What happens if it’s more than 15? What’s the interoperability issue, and how would an implementor decide what to do with this requirement? Tags MAY contain US-ASCII characters 'a' through 'z', 'A' through 'Z', and the numbers 0 through 9. Tags SHOULD NOT contain any other characters. Matching of tags is case insensitive. Why “SHOULD NOT”, rather than “MUST NOT”? Why might my implementation need to use other characters, and what are the interoperability consequences of doing so? — Section 4.1.1 — Tag: Is a non-zero sequence of US-ASCII letters and numbers in lower case. Make it “non-zero-length”. -- Section 4.4 — The iodef Property Tag takes a URL as its Property Value. The URL scheme type determines the method used for reporting: I presume that *only* the specified schemes (mailto, http, https) are allowed; it would help to be explicit about that, lest someone get ideas to use sip or some such. — Section 5.6 — In practice, such an attack would be of minimal effect since any competent competitor that found itself unable to issue certificates due to lack of support for a Property marked critical SHOULD investigate the cause and report the reason to the customer. The customer will thus discover that they had been deceived. This doesn’t strike me as a BCP 14 “SHOULD”, but a normal English “should”.
Benjamin Kaduk Former IESG member
No Objection
No Objection
(2019-05-27 for -06)
Sent
[updating to note that some of the content from Section 5.7 of draft-ietf-acme-caa may be worth mentioning in the security considerations of this document] Thanks for this helpful update! Section 2.2 I'm not entirely sure why we're going "backwards" from referencing STD13 to referencing RFCs 1034 and 1035 individually (in the definition of "Domain Name System"). Section 3 RelevantCAASet(domain): for domain is not ".": if CAA(domain) is not Empty: return CAA(domain) domain = Parent(domain) return Empty It would be nice to get an explicit note about whether this is intended to be pseudocode, Python code, etc.. Specifically, the "for domain is not '.'" syntax seems like it might be a more natural fit for a "while" construct. Section 4.3 issuewild properties MUST be ignored when processing a request for a Domain Name (that is, not a Wildcard Domain Name). I don't wish to revisit well-trodden ground (as I suspect this is), but note that the provided defitinions in Section 2.2 don't seem to exclude Wildcard Domain Names from being Domain Names, so that "that is" in the quoted text is not accurate. (In particular, note that the Wildcard Domain Name definition says that it is "a Domain Name consisting of [...]".) Section 4.5 The critical flag is intended to permit future versions of CAA to introduce new semantics that MUST be understood for correct processing of the record, preventing conforming CAs that do not recognize the new semantics from issuing certificates for the indicated Domain Names. It's not clear to me that the normative "MUST" is best, here. (Is anyone's behavior being constrained by this statement?) Section 5.1 An Issuer MUST NOT issue certificates if doing so would conflict with the Relevant RRSet, irrespective of whether the corresponding DNS records are signed. I recognize that this is already the security considerations section, but this requirement introduces its own security considerations, namely that in cases where CAA responses received by the Issuer can be spoofed, there is an opportunity for denial of service. Section 5.4 does not seem to address this additional consideration relating to spoofing. Section 5.5 perhaps touches on it, but merely talks about "introduction" of a CAA RR, which may or may not imply the possibility of spoofing to an arbitrary reader. Use of DNSSEC allows an Issuer to acquire and archive a proof that they were authorized to issue certificates for the Domain Name. Verification of such archives MAY be an audit requirement to verify CAA record processing compliance. Publication of such archives MAY be a transparency requirement to verify CAA record processing compliance. Neither of these "MAY"s seem to be constraining the parties involved in this specification, which makes me wonder if they are more appropriate as ordinary "may"s. Section 5.4 Data cached by third parties MUST NOT be relied on but MAY be used to support additional anti-spoofing or anti-suppression controls. Is "relied on" meant to imply "relied on as the sole source of DNS CAA information"? Section 8 Should the registration of the 'CAA' RRtype also be updated to refer to [this document]?
Deborah Brungard Former IESG member
No Objection
No Objection
(for -06)
Not sent
Ignas Bagdonas Former IESG member
No Objection
No Objection
(for -06)
Not sent
Magnus Westerlund Former IESG member
No Objection
No Objection
(for -06)
Not sent
Martin Vigoureux Former IESG member
No Objection
No Objection
(for -06)
Not sent
Mirja Kühlewind Former IESG member
No Objection
No Objection
(for -06)
Not sent
Suresh Krishnan Former IESG member
No Objection
No Objection
(for -06)
Not sent