Skip to main content

DNS Certification Authority Authorization (CAA) Resource Record
draft-ietf-lamps-rfc6844bis-07

Revision differences

Document history

Date Rev. By Action
2019-09-20
07 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2019-08-12
07 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2019-08-06
07 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2019-07-18
07 Amanda Baber IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK
2019-07-08
07 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2019-07-05
07 (System) IANA Action state changed to Waiting on RFC Editor from In Progress
2019-07-05
07 (System) IANA Action state changed to In Progress from Waiting on Authors
2019-06-14
07 (System) RFC Editor state changed to EDIT
2019-06-14
07 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2019-06-14
07 (System) Announcement was received by RFC Editor
2019-06-14
07 (System) IANA Action state changed to Waiting on Authors from In Progress
2019-06-13
07 (System) IANA Action state changed to In Progress
2019-06-13
07 Cindy Morgan IESG state changed to Approved-announcement sent from Approved-announcement to be sent
2019-06-13
07 Cindy Morgan IESG has approved the document
2019-06-13
07 Cindy Morgan Closed "Approve" ballot
2019-06-13
07 Cindy Morgan Ballot approval text was generated
2019-06-13
07 Roman Danyliw Comments have been addressed per -07
2019-06-13
07 Roman Danyliw IESG state changed to Approved-announcement to be sent from Approved-announcement to be sent::AD Followup
2019-05-30
07 (System) Sub state has been changed to AD Followup from Revised ID Needed
2019-05-30
07 Jacob Hoffman-Andrews New version available: draft-ietf-lamps-rfc6844bis-07.txt
2019-05-30
07 (System) New version approved
2019-05-30
07 (System) Request for posting confirmation emailed to previous authors: Phillip Hallam-Baker , Jacob Hoffman-Andrews , Rob Stradling
2019-05-30
07 Jacob Hoffman-Andrews Uploaded new revision
2019-05-30
06 Cindy Morgan IESG state changed to Approved-announcement to be sent::Revised I-D Needed from IESG Evaluation
2019-05-30
06 Cindy Morgan [Ballot Position Update] New position, No Objection, has been recorded for Warren "Ace" Kumari by Cindy Morgan
2019-05-29
06 Stefan Santesson Request for Last Call review by SECDIR Completed: Ready. Reviewer: Stefan Santesson. Sent review to list.
2019-05-29
06 Suresh Krishnan [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan
2019-05-29
06 Deborah Brungard [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard
2019-05-28
06 Alissa Cooper [Ballot comment]
Please respond to the Gen-ART review.
2019-05-28
06 Alissa Cooper [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper
2019-05-28
06 Barry Leiba
[Ballot comment]
— Section 4.1 —

  Tag Length: A single octet containing an unsigned integer specifying
  the tag length in octets.  The tag …
[Ballot comment]
— Section 4.1 —

  Tag Length: A single octet containing an unsigned integer specifying
  the tag length in octets.  The tag length MUST be at least 1 and
  SHOULD be no more than 15.

What happens if it’s more than 15?  What’s the interoperability issue, and how would an implementor decide what to do with this requirement?

  Tags MAY contain US-ASCII characters 'a' through 'z', 'A' through
  'Z', and the numbers 0 through 9.  Tags SHOULD NOT contain any other
  characters.  Matching of tags is case insensitive.

Why “SHOULD NOT”, rather than “MUST NOT”?  Why might my implementation need to use other characters, and what are the interoperability consequences of doing so?

— Section 4.1.1 —

  Tag: Is a non-zero sequence of US-ASCII letters and numbers in lower
  case.

Make it “non-zero-length”.

-- Section 4.4 —

  The iodef Property Tag takes a URL as its Property Value.  The URL
  scheme type determines the method used for reporting:

I presume that *only* the specified schemes (mailto, http, https) are allowed; it would help to be explicit about that, lest someone get ideas to use sip or some such.

— Section 5.6 —

  In practice, such an attack would be of minimal effect since any
  competent competitor that found itself unable to issue certificates
  due to lack of support for a Property marked critical SHOULD
  investigate the cause and report the reason to the customer.  The
  customer will thus discover that they had been deceived.

This doesn’t strike me as a BCP 14 “SHOULD”, but a normal English “should”.
2019-05-28
06 Barry Leiba [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba
2019-05-27
06 Benjamin Kaduk
[Ballot comment]
[updating to note that some of the content from Section 5.7 of
draft-ietf-acme-caa may be worth mentioning in the security considerations
of this  …
[Ballot comment]
[updating to note that some of the content from Section 5.7 of
draft-ietf-acme-caa may be worth mentioning in the security considerations
of this  document]

Thanks for this helpful update!

Section 2.2

I'm not entirely sure why we're going "backwards" from referencing STD13
to referencing RFCs 1034 and 1035 individually (in the definition of
"Domain Name System").

Section 3

  RelevantCAASet(domain):
    for domain is not ".":
      if CAA(domain) is not Empty:
        return CAA(domain)
      domain = Parent(domain)
    return Empty

It would be nice to get an explicit note about whether this is intended
to be pseudocode, Python code, etc..  Specifically, the "for domain is
not '.'" syntax seems like it might be a more natural fit for a "while"
construct.

Section 4.3

  issuewild properties MUST be ignored when processing a request for a
  Domain Name (that is, not a Wildcard Domain Name).

I don't wish to revisit well-trodden ground (as I suspect this is), but
note that the provided defitinions in Section 2.2 don't seem to exclude
Wildcard Domain Names from being Domain Names, so that "that is" in the
quoted text is not accurate.  (In particular, note that the Wildcard
Domain Name definition says that it is "a Domain Name consisting of
[...]".)

Section 4.5

  The critical flag is intended to permit future versions of CAA to
  introduce new semantics that MUST be understood for correct
  processing of the record, preventing conforming CAs that do not
  recognize the new semantics from issuing certificates for the
  indicated Domain Names.

It's not clear to me that the normative "MUST" is best, here.  (Is
anyone's behavior being constrained by this statement?)

Section 5.1

              An Issuer MUST NOT issue certificates if doing so would
  conflict with the Relevant RRSet, irrespective of whether the
  corresponding DNS records are signed.

I recognize that this is already the security considerations section,
but this requirement introduces its own security considerations, namely
that in cases where CAA responses received by the Issuer can be spoofed,
there is an opportunity for denial of service.  Section 5.4 does not
seem to address this additional consideration relating to spoofing.
Section 5.5 perhaps touches on it, but merely talks about "introduction"
of a CAA RR, which may or may not imply the possibility of spoofing to
an arbitrary reader.

  Use of DNSSEC allows an Issuer to acquire and archive a proof that
  they were authorized to issue certificates for the Domain Name.
  Verification of such archives MAY be an audit requirement to verify
  CAA record processing compliance.  Publication of such archives MAY
  be a transparency requirement to verify CAA record processing
  compliance.

Neither of these "MAY"s seem to be constraining the parties involved in
this specification, which makes me wonder if they are more appropriate
as ordinary "may"s.

Section 5.4

            Data cached by third parties MUST NOT be relied on but MAY
  be used to support additional anti-spoofing or anti-suppression
  controls.

Is "relied on" meant to imply "relied on as the sole source of DNS CAA
information"?

Section 8

Should the registration of the 'CAA' RRtype also be updated to refer to
[this document]?
2019-05-27
06 Benjamin Kaduk Ballot comment text updated for Benjamin Kaduk
2019-05-27
06 Ignas Bagdonas [Ballot Position Update] New position, No Objection, has been recorded for Ignas Bagdonas
2019-05-27
06 Benjamin Kaduk
[Ballot comment]
Thanks for this helpful update!

Section 2.2

I'm not entirely sure why we're going "backwards" from referencing STD13
to referencing RFCs 1034 and …
[Ballot comment]
Thanks for this helpful update!

Section 2.2

I'm not entirely sure why we're going "backwards" from referencing STD13
to referencing RFCs 1034 and 1035 individually (in the definition of
"Domain Name System").

Section 3

  RelevantCAASet(domain):
    for domain is not ".":
      if CAA(domain) is not Empty:
        return CAA(domain)
      domain = Parent(domain)
    return Empty

It would be nice to get an explicit note about whether this is intended
to be pseudocode, Python code, etc..  Specifically, the "for domain is
not '.'" syntax seems like it might be a more natural fit for a "while"
construct.

Section 4.3

  issuewild properties MUST be ignored when processing a request for a
  Domain Name (that is, not a Wildcard Domain Name).

I don't wish to revisit well-trodden ground (as I suspect this is), but
note that the provided defitinions in Section 2.2 don't seem to exclude
Wildcard Domain Names from being Domain Names, so that "that is" in the
quoted text is not accurate.  (In particular, note that the Wildcard
Domain Name definition says that it is "a Domain Name consisting of
[...]".)

Section 4.5

  The critical flag is intended to permit future versions of CAA to
  introduce new semantics that MUST be understood for correct
  processing of the record, preventing conforming CAs that do not
  recognize the new semantics from issuing certificates for the
  indicated Domain Names.

It's not clear to me that the normative "MUST" is best, here.  (Is
anyone's behavior being constrained by this statement?)

Section 5.1

              An Issuer MUST NOT issue certificates if doing so would
  conflict with the Relevant RRSet, irrespective of whether the
  corresponding DNS records are signed.

I recognize that this is already the security considerations section,
but this requirement introduces its own security considerations, namely
that in cases where CAA responses received by the Issuer can be spoofed,
there is an opportunity for denial of service.  Section 5.4 does not
seem to address this additional consideration relating to spoofing.
Section 5.5 perhaps touches on it, but merely talks about "introduction"
of a CAA RR, which may or may not imply the possibility of spoofing to
an arbitrary reader.

  Use of DNSSEC allows an Issuer to acquire and archive a proof that
  they were authorized to issue certificates for the Domain Name.
  Verification of such archives MAY be an audit requirement to verify
  CAA record processing compliance.  Publication of such archives MAY
  be a transparency requirement to verify CAA record processing
  compliance.

Neither of these "MAY"s seem to be constraining the parties involved in
this specification, which makes me wonder if they are more appropriate
as ordinary "may"s.

Section 5.4

            Data cached by third parties MUST NOT be relied on but MAY
  be used to support additional anti-spoofing or anti-suppression
  controls.

Is "relied on" meant to imply "relied on as the sole source of DNS CAA
information"?

Section 8

Should the registration of the 'CAA' RRtype also be updated to refer to
[this document]?
2019-05-27
06 Benjamin Kaduk [Ballot Position Update] New position, No Objection, has been recorded for Benjamin Kaduk
2019-05-27
06 Martin Vigoureux [Ballot Position Update] New position, No Objection, has been recorded for Martin Vigoureux
2019-05-27
06 Mirja Kühlewind [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind
2019-05-24
06 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2019-05-22
06 Qin Wu Request for Telechat review by OPSDIR Completed: Ready. Reviewer: Qin Wu. Sent review to list.
2019-05-21
06 Roman Danyliw IESG state changed to IESG Evaluation from Waiting for Writeup
2019-05-21
06 Magnus Westerlund [Ballot Position Update] New position, No Objection, has been recorded for Magnus Westerlund
2019-05-20
06 Éric Vyncke
[Ballot comment]
Thank you all for the work put into this document. I appreciate the section 7 about the differences with RFC 6844.

== …
[Ballot comment]
Thank you all for the work put into this document. I appreciate the section 7 about the differences with RFC 6844.

== COMMENTS ==

-- Section 2.2 --

"Domain Name: The label assigned to a node in the Domain Name System." AFAIK RFC 1034 defines it differently "The domain name of a node is the list of the labels on the path from the node to the root of the tree" Or are we talking about different "domain names" ?

"Wildcard domain name": it would be interesting to define not only the syntax but also the semantic do those wildcard domain names.

-- Section 3 --

While I am not a security expert, a TLD could add a CAA forcing all its FQDN to either use the CA defined in the TLD CAA RRset or add a per FQDN CAA (which may raise the bar for small not-so-managed domains which otherwise could have used a cheap and easy CA such as letsencrypt). Is it really good to climb the DNS tree up to the TLD? Just curious.

== NITS ==

-- Section 3 --

I would have preferred a recursive definition rather than an interative algorithm but this is a matter of taste ;-)
2019-05-20
06 Éric Vyncke [Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke
2019-05-20
06 (System) IANA Review state changed to IANA - Not OK from Version Changed - Review Needed
2019-05-20
06 Gunter Van de Velde Request for Telechat review by OPSDIR is assigned to Qin Wu
2019-05-20
06 Gunter Van de Velde Request for Telechat review by OPSDIR is assigned to Qin Wu
2019-05-17
06 Amy Vezza Placed on agenda for telechat - 2019-05-30
2019-05-17
06 Roman Danyliw Ballot has been issued
2019-05-17
06 Roman Danyliw [Ballot Position Update] New position, Yes, has been recorded for Roman Danyliw
2019-05-17
06 Roman Danyliw Created "Approve" ballot
2019-05-17
06 Roman Danyliw Ballot writeup was changed
2019-05-15
06 Peter Yee Request for Last Call review by GENART Completed: Ready with Issues. Reviewer: Peter Yee. Sent review to list.
2019-05-09
06 (System) IANA Review state changed to Version Changed - Review Needed from IANA - Not OK
2019-05-09
06 Jacob Hoffman-Andrews New version available: draft-ietf-lamps-rfc6844bis-06.txt
2019-05-09
06 (System) New version approved
2019-05-09
06 (System) Request for posting confirmation emailed to previous authors: Phillip Hallam-Baker , Jacob Hoffman-Andrews , Rob Stradling
2019-05-09
06 Jacob Hoffman-Andrews Uploaded new revision
2019-05-08
05 (System) IESG state changed to Waiting for Writeup from In Last Call
2019-05-06
05 (System) IANA Review state changed to IANA - Not OK from IANA - Review Needed
2019-05-06
05 Michelle Cotton
(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has completed its review of draft-ietf-lamps-rfc6844bis-05. If any part of this review is inaccurate, please let …
(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has completed its review of draft-ietf-lamps-rfc6844bis-05. If any part of this review is inaccurate, please let us know.

The IANA Functions Operator has a question about one of the actions requested in the IANA Considerations section of this document.

The IANA Functions Operator understands that, upon approval of this document, there is a single action which we must complete.

In the Certification Authority Restrictions Flags registry

and the Certification Authority Restriction Properties

both located at:

https://www.iana.org/assignments/pkix-parameters/

[ RFC-to-be ] will be added as the reference for the registries.

IANA Question --> Should the other references to RFC 6844 at

https://www.iana.org/assignments/dns-parameters and

https://www.iana.org/assignments/pkix-parameters

also be changed to [ RFC-to-be ]?

The IANA Functions Operator understands that this is the only action required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

Thank you,

Michelle Cotton
IANA Services
2019-04-25
05 Tero Kivinen Request for Last Call review by SECDIR is assigned to Stefan Santesson
2019-04-25
05 Tero Kivinen Request for Last Call review by SECDIR is assigned to Stefan Santesson
2019-04-24
05 Jean Mahoney Request for Last Call review by GENART is assigned to Peter Yee
2019-04-24
05 Jean Mahoney Request for Last Call review by GENART is assigned to Peter Yee
2019-04-24
05 Cindy Morgan IANA Review state changed to IANA - Review Needed
2019-04-24
05 Cindy Morgan
The following Last Call announcement was sent out (ends 2019-05-08):

From: The IESG
To: IETF-Announce
CC: rdd@cert.org, lamps-chairs@ietf.org, Russ Housley , housley@vigilsec.com, …
The following Last Call announcement was sent out (ends 2019-05-08):

From: The IESG
To: IETF-Announce
CC: rdd@cert.org, lamps-chairs@ietf.org, Russ Housley , housley@vigilsec.com, spasm@ietf.org, draft-ietf-lamps-rfc6844bis@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (DNS Certification Authority Authorization (CAA) Resource Record) to Proposed Standard


The IESG has received a request from the Limited Additional Mechanisms for
PKIX and SMIME WG (lamps) to consider the following document: - 'DNS
Certification Authority Authorization (CAA) Resource Record'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2019-05-08. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.

Abstract


  The Certification Authority Authorization (CAA) DNS Resource Record
  allows a DNS domain name holder to specify one or more Certification
  Authorities (CAs) authorized to issue certificates for that domain
  name.  CAA Resource Records allow a public Certification Authority to
  implement additional controls to reduce the risk of unintended
  certificate mis-issue.  This document defines the syntax of the CAA
  record and rules for processing CAA records by certificate issuers.

  This document obsoletes RFC 6844.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc6844bis/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc6844bis/ballot/


No IPR declarations have been submitted directly on this I-D.




2019-04-24
05 Cindy Morgan IESG state changed to In Last Call from Last Call Requested
2019-04-24
05 Roman Danyliw Last call was requested
2019-04-24
05 Roman Danyliw Last call announcement was generated
2019-04-24
05 Roman Danyliw Ballot approval text was generated
2019-04-24
05 Roman Danyliw Ballot writeup was generated
2019-04-24
05 Roman Danyliw IESG state changed to Last Call Requested from AD Evaluation::AD Followup
2019-03-27
05 Cindy Morgan Shepherding AD changed to Roman Danyliw
2019-03-24
05 Russ Housley Added to session: IETF-104: lamps  Tue-1120
2019-02-04
05 (System) Sub state has been changed to AD Followup from Revised ID Needed
2019-02-04
05 Jacob Hoffman-Andrews New version available: draft-ietf-lamps-rfc6844bis-05.txt
2019-02-04
05 (System) New version approved
2019-02-04
05 (System) Request for posting confirmation emailed to previous authors: lamps-chairs@ietf.org, Jacob Hoffman-Andrews , Phillip Hallam-Baker , Rob Stradling
2019-02-04
05 Jacob Hoffman-Andrews Uploaded new revision
2018-12-24
04 Eric Rescorla https://mozphab-ietf.devsvcdev.mozaws.net/D5745
2018-12-24
04 Eric Rescorla IESG state changed to AD Evaluation::Revised I-D Needed from Publication Requested
2018-12-03
04 Jacob Hoffman-Andrews New version available: draft-ietf-lamps-rfc6844bis-04.txt
2018-12-03
04 (System) New version approved
2018-12-03
04 (System) Request for posting confirmation emailed to previous authors: Jacob Hoffman-Andrews , Phillip Hallam-Baker , Rob Stradling
2018-12-03
04 Jacob Hoffman-Andrews Uploaded new revision
2018-11-06
03 Jacob Hoffman-Andrews New version available: draft-ietf-lamps-rfc6844bis-03.txt
2018-11-06
03 (System) New version approved
2018-11-06
03 (System) Request for posting confirmation emailed to previous authors: lamps-chairs@ietf.org, Jacob Hoffman-Andrews , Phillip Hallam-Baker , Rob Stradling
2018-11-06
03 Jacob Hoffman-Andrews Uploaded new revision
2018-11-04
02 Russ Housley
Shepherd Write-up for draft-ietf-lamps-rfc6844bis-02


(1) What type of RFC is being requested (BCP, Proposed Standard, Internet
Standard, Informational, Experimental, or Historic)?  Why is this the …
Shepherd Write-up for draft-ietf-lamps-rfc6844bis-02


(1) What type of RFC is being requested (BCP, Proposed Standard, Internet
Standard, Informational, Experimental, or Historic)?  Why is this the
proper type of RFC?  Is this type of RFC indicated in the title page
header?

  Proposed Standard.  Yes, the header call for Standards Track.
 
  This new RFC will obsolete RFC 6844, which is a Proposed Standard.
 

(2) The IESG approval announcement includes a Document Announcement
Write-Up.  Please provide such a Document Announcement Write-Up.  Recent
examples can be found in the "Action" announcements for approved
documents.  The approval announcement contains the following sections:

  Technical Summary:

  The Certification Authority Authorization (CAA) DNS Resource Record
  allows a DNS domain name holder to specify one or more Certification
  Authorities (CAs) authorized to issue certificates for that domain.
  CAA Resource Records allow a public Certification Authority to
  implement additional controls to reduce the risk of unintended
  certificate mis-issue.  This document defines the syntax of the CAA
  record and rules for processing CAA records by certificate issuers.

  Working Group Summary:

    There is consensus for this document in the LAMPS WG.

  Document Quality:

    S/MIME has wide support, and several implementers have said that
    they will implement this specification.  The CA/Browser Forum
    has been very vocal that they are planning to require CAs to
    implement it, so that community has reviewed it carefully.

  Personnel:

    Russ Housley is the document shepherd.
    Eric Rescorla is the responsible area director.


(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready for
publication, please explain why the document is being forwarded to the
IESG.

  The document shepherd did a thorough review of the document during
  WG Last Call.  All issues raised have been resolved.


(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

  No concerns.


(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization?  If so, describe the review that took
place.

  No special review needed.


(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the IESG
should be aware of?  For example, perhaps he or she is uncomfortable with
certain parts of the document, or has concerns whether there really is a
need for it.  In any event, if the WG has discussed those issues and has
indicated that it still wishes to advance the document, detail those
concerns here.

  No concerns.


(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed.  If not, explain why?

  The authors have explicitly stated that they are unaware of any
  IPR related to this document.


(8) Has an IPR disclosure been filed that references this document?  If
so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

  No IPR disclosures have been submitted against RFC 6844 or this
  Internet-Draft.


(9) How solid is the WG consensus behind this document?  Does it
represent the strong concurrence of a few individuals, with others being
silent, or does the WG as a whole understand and agree with it?

  There is consensus for this document in the LAMPS WG.


(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent?  If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director.  (It should be in a
separate email because this questionnaire is publicly available.)

  No one has threatened an appeal.


(11) Identify any ID nits the Document Shepherd has found in this
document.  (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist).  Boilerplate checks are not enough; this check needs to be
thorough.

  This document, once it is approved, will obsolete RFC 6844.


(12) Describe how the document meets any required formal review criteria,
such as the MIB Doctor, media type, and URI type reviews.

  None needed.


(13) Have all references within this document been identified as either
normative or informative?

  Yes, the references are divided into normative and informative.


(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state?  If such normative
references exist, what is the plan for their completion?

  All normative references are already published.


(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in the
Last Call procedure.

  There are no downward references.


(16) Will publication of this document change the status of any existing
RFCs?  Are those RFCs listed on the title page header, listed in the
abstract, and discussed in the introduction?  If the RFCs are not listed
in the Abstract and Introduction, explain why, and point to the part of
the document where the relationship of this document to the other RFCs is
discussed.  If this information is not in the document, explain why the
WG considers it unnecessary.

  This new RFC will obsolete RFC 6844.


(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document.  Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly identified.
Confirm that newly created IANA registries include a detailed
specification of the initial contents for the registry, that allocations
procedures for future registrations are defined, and a reasonable name
for the new registry has been suggested (see RFC 5226).

  No IANA updates or additions are needed.


(18) List any new IANA registries that require Expert Review for future
allocations.  Provide any public guidance that the IESG would find useful
in selecting the IANA Experts for these new registries.

  No new IANA registries are needed.


(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

  ABNF is used.  It was checked with Bill's ABNF Parser (BAP).
2018-11-04
02 Russ Housley Responsible AD changed to Eric Rescorla
2018-11-04
02 Russ Housley IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up
2018-11-04
02 Russ Housley IESG state changed to Publication Requested
2018-11-04
02 Russ Housley IESG process started in state Publication Requested
2018-11-04
02 Russ Housley Intended Status changed to Proposed Standard from None
2018-11-04
02 Russ Housley Changed document writeup
2018-11-04
02 Russ Housley IETF WG state changed to WG Consensus: Waiting for Write-Up from WG Document
2018-11-04
02 Russ Housley Changed consensus to Yes from Unknown
2018-11-04
02 Russ Housley Notification list changed to Russ Housley <housley@vigilsec.com>
2018-11-04
02 Russ Housley Document shepherd changed to Russ Housley
2018-11-04
02 Jacob Hoffman-Andrews New version available: draft-ietf-lamps-rfc6844bis-02.txt
2018-11-04
02 (System) New version approved
2018-11-04
02 (System) Request for posting confirmation emailed to previous authors: Jacob Hoffman-Andrews , Phillip Hallam-Baker , Rob Stradling
2018-11-04
02 Jacob Hoffman-Andrews Uploaded new revision
2018-10-10
01 Jacob Hoffman-Andrews New version available: draft-ietf-lamps-rfc6844bis-01.txt
2018-10-10
01 (System) New version approved
2018-10-10
01 (System) Request for posting confirmation emailed to previous authors: Jacob Hoffman-Andrews , Phillip Hallam-Baker , Rob Stradling
2018-10-10
01 Jacob Hoffman-Andrews Uploaded new revision
2018-08-20
00 Cindy Morgan This document now replaces draft-hoffman-andrews-caa-simplification instead of None
2018-07-15
00 Russ Housley Added to session: IETF-102: lamps  Thu-1550
2018-05-31
00 Jacob Hoffman-Andrews New version available: draft-ietf-lamps-rfc6844bis-00.txt
2018-05-31
00 (System) WG -00 approved
2018-05-30
00 Jacob Hoffman-Andrews Set submitter to "Jacob Hoffman-Andrews ", replaces to (none) and sent approval email to group chairs: lamps-chairs@ietf.org
2018-05-30
00 Jacob Hoffman-Andrews Uploaded new revision