DNS Certification Authority Authorization (CAA) Resource Record
draft-ietf-lamps-rfc6844bis-07

Note: This ballot was opened for revision 06 and is now closed.

Roman Danyliw Yes

Ignas Bagdonas No Objection

Deborah Brungard No Objection

Alissa Cooper No Objection

Comment (2019-05-28 for -06)
Please respond to the Gen-ART review.

Benjamin Kaduk No Objection

Comment (2019-05-27 for -06)
[updating to note that some of the content from Section 5.7 of
draft-ietf-acme-caa may be worth mentioning in the security considerations
of this  document]

Thanks for this helpful update!

Section 2.2

I'm not entirely sure why we're going "backwards" from referencing STD13
to referencing RFCs 1034 and 1035 individually (in the definition of
"Domain Name System").

Section 3

   RelevantCAASet(domain):
     for domain is not ".":
       if CAA(domain) is not Empty:
         return CAA(domain)
       domain = Parent(domain)
     return Empty

It would be nice to get an explicit note about whether this is intended
to be pseudocode, Python code, etc..  Specifically, the "for domain is
not '.'" syntax seems like it might be a more natural fit for a "while"
construct.

Section 4.3

   issuewild properties MUST be ignored when processing a request for a
   Domain Name (that is, not a Wildcard Domain Name).

I don't wish to revisit well-trodden ground (as I suspect this is), but
note that the provided defitinions in Section 2.2 don't seem to exclude
Wildcard Domain Names from being Domain Names, so that "that is" in the
quoted text is not accurate.  (In particular, note that the Wildcard
Domain Name definition says that it is "a Domain Name consisting of
[...]".)

Section 4.5

   The critical flag is intended to permit future versions of CAA to
   introduce new semantics that MUST be understood for correct
   processing of the record, preventing conforming CAs that do not
   recognize the new semantics from issuing certificates for the
   indicated Domain Names.

It's not clear to me that the normative "MUST" is best, here.  (Is
anyone's behavior being constrained by this statement?)

Section 5.1

              An Issuer MUST NOT issue certificates if doing so would
   conflict with the Relevant RRSet, irrespective of whether the
   corresponding DNS records are signed.

I recognize that this is already the security considerations section,
but this requirement introduces its own security considerations, namely
that in cases where CAA responses received by the Issuer can be spoofed,
there is an opportunity for denial of service.  Section 5.4 does not
seem to address this additional consideration relating to spoofing.
Section 5.5 perhaps touches on it, but merely talks about "introduction"
of a CAA RR, which may or may not imply the possibility of spoofing to
an arbitrary reader.

   Use of DNSSEC allows an Issuer to acquire and archive a proof that
   they were authorized to issue certificates for the Domain Name.
   Verification of such archives MAY be an audit requirement to verify
   CAA record processing compliance.  Publication of such archives MAY
   be a transparency requirement to verify CAA record processing
   compliance.

Neither of these "MAY"s seem to be constraining the parties involved in
this specification, which makes me wonder if they are more appropriate
as ordinary "may"s.

Section 5.4

            Data cached by third parties MUST NOT be relied on but MAY
   be used to support additional anti-spoofing or anti-suppression
   controls.

Is "relied on" meant to imply "relied on as the sole source of DNS CAA
information"?

Section 8

Should the registration of the 'CAA' RRtype also be updated to refer to
[this document]?

Suresh Krishnan No Objection

Warren Kumari No Objection

Mirja Kühlewind No Objection

Barry Leiba No Objection

Comment (2019-05-28 for -06)
— Section 4.1 —

   Tag Length: A single octet containing an unsigned integer specifying
   the tag length in octets.  The tag length MUST be at least 1 and
   SHOULD be no more than 15.

What happens if it’s more than 15?  What’s the interoperability issue, and how would an implementor decide what to do with this requirement?

   Tags MAY contain US-ASCII characters 'a' through 'z', 'A' through
   'Z', and the numbers 0 through 9.  Tags SHOULD NOT contain any other
   characters.  Matching of tags is case insensitive.

Why “SHOULD NOT”, rather than “MUST NOT”?  Why might my implementation need to use other characters, and what are the interoperability consequences of doing so?

— Section 4.1.1 —

   Tag: Is a non-zero sequence of US-ASCII letters and numbers in lower
   case.

Make it “non-zero-length”.

-- Section 4.4 —

   The iodef Property Tag takes a URL as its Property Value.  The URL
   scheme type determines the method used for reporting:

I presume that *only* the specified schemes (mailto, http, https) are allowed; it would help to be explicit about that, lest someone get ideas to use sip or some such.

— Section 5.6 —

   In practice, such an attack would be of minimal effect since any
   competent competitor that found itself unable to issue certificates
   due to lack of support for a Property marked critical SHOULD
   investigate the cause and report the reason to the customer.  The
   customer will thus discover that they had been deceived.

This doesn’t strike me as a BCP 14 “SHOULD”, but a normal English “should”.

Alvaro Retana No Objection

Martin Vigoureux No Objection

Éric Vyncke No Objection

Comment (2019-05-20 for -06)
Thank you all for the work put into this document. I appreciate the section 7 about the differences with RFC 6844.

== COMMENTS ==

-- Section 2.2 --

"Domain Name: The label assigned to a node in the Domain Name System." AFAIK RFC 1034 defines it differently "The domain name of a node is the list of the labels on the path from the node to the root of the tree" Or are we talking about different "domain names" ?

"Wildcard domain name": it would be interesting to define not only the syntax but also the semantic do those wildcard domain names.

-- Section 3 --

While I am not a security expert, a TLD could add a CAA forcing all its FQDN to either use the CA defined in the TLD CAA RRset or add a per FQDN CAA (which may raise the bar for small not-so-managed domains which otherwise could have used a cheap and easy CA such as letsencrypt). Is it really good to climb the DNS tree up to the TLD? Just curious.

== NITS ==

-- Section 3 --

I would have preferred a recursive definition rather than an interative algorithm but this is a matter of taste ;-)

Magnus Westerlund No Objection