RFC Errata

RFC 6844, "DNS Certification Authority Authorization (CAA) Resource Record", January 2013

Note: This RFC has been obsoleted by RFC 8659

Source of RFC: pkix (sec)

Errata ID: 5065
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Phillip Hallam-Baker
Date Reported: 2017-07-10
Held for Document Update by: EKR
Date Held: 2017-08-22

Section 4 says:

   Let CAA(X) be the record set returned in response to performing a CAA
   record query on the label X, P(X) be the DNS label immediately above
   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
   alias record specified at the label X.

   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise

   o  If A(X) is not null, and R(A(X)) is not empty, then R(X) =
      R(A(X)), otherwise

   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise

   o  R(X) is empty.

It should say:

   Let CAA(X) be the record set returned in response to performing a CAA
   record query on the label X, P(X) be the DNS label immediately above
   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
   alias record chain specified at the label X.
 
   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise
 
   o  If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
      CAA(A(X)), otherwise
 
   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise
 
   o  R(X) is empty.
 
  Thus, when a search at node X returns a CNAME record, the CA will
  follow the CNAME record chain to its target. If the target label
  contains a CAA record, it is returned. Otherwise, the CA continues
  the search at the parent of node X.
 
  Note that the search does not include the parent of a target of a
  CNAME record (except when the CNAME points back to its own path).
 
  To prevent resource exhaustion attacks, CAs SHOULD limit the length of
  CNAME chains that are accepted. However CAs MUST process CNAME
  chains that contain 8 or fewer CNAME records.

Notes:

This is the updated errata to replace the ones previously deleted. It has been reviewed by all the parties concerned. Since this is a breaking change, this will have to go to hold for document update. The LAMPS working group is currently considering a more radical re-working of the CAA discovery scheme as a work item for its new charter.

I will be in Prague to discuss...
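A worked model of the discovery algorithm, added here as an example; it is not part of RFC 6844, of this erratum, or of any CA's code. It runs over a constructed in-memory zone (not real DNS) and contrasts R(X) as published, where R(A(X)) recurses into the alias target's ancestors, with R(X) as corrected, where only CAA(A(X)) at the target itself is consulted before the search returns to the parent of X. It also enforces the 8-record CNAME chain bound from the erratum. Treating an over-long chain or a CNAME loop as a lookup failure, the zone contents, and all function and domain names are assumptions of the example.

```python
"""Model of RFC 6844 CAA discovery, published text vs. Errata ID 5065.

Added example, not code from RFC 6844, the erratum, or any CA. Zone data
is a constructed in-memory dictionary keyed by owner name (no trailing
dot); values hold a "CAA" record list and/or a "CNAME" target.
"""
from typing import Any, Dict, List, Optional

Zone = Dict[str, Dict[str, Any]]

# Erratum: CAs MUST process chains of 8 or fewer CNAME records.
MAX_CNAME_CHAIN = 8

# Constructed zone (assumption of this example, not real DNS data).
ZONE: Zone = {
    "example.com": {"CAA": ['0 issue "ca-a.example"']},
    "www.example.com": {"CNAME": "edge.host1.cdn-provider.net"},
    "edge.host1.cdn-provider.net": {"CNAME": "pop.host1.cdn-provider.net"},
    # The CDN operator's own policy, one level above the alias target.
    "cdn-provider.net": {"CAA": ['0 issue "ca-b.example"']},
    "loop.example.com": {"CNAME": "loop2.example.com"},
    "loop2.example.com": {"CNAME": "loop.example.com"},
}


def caa(zone: Zone, name: str) -> List[str]:
    """CAA(X): the CAA record set at label X (empty if none)."""
    return list(zone.get(name, {}).get("CAA", []))


def parent(name: str) -> Optional[str]:
    """P(X): the label immediately above X; None when X is a TLD."""
    return name.split(".", 1)[1] if "." in name else None


def alias_target(zone: Zone, name: str, limit: int = MAX_CNAME_CHAIN) -> Optional[str]:
    """A(X): follow the CNAME chain at X to its final target.

    Returns None when X has no CNAME. Raises ValueError when the chain
    exceeds `limit` records or loops (failure handling is an assumption).
    """
    seen = {name}
    cur, hops = name, 0
    while True:
        target = zone.get(cur, {}).get("CNAME")
        if target is None:
            return cur if hops else None
        hops += 1
        if hops > limit:
            raise ValueError(f"CNAME chain at {name} exceeds {limit} records")
        if target in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(target)
        cur = target


def relevant_caa(zone: Zone, name: str) -> List[str]:
    """R(X) as corrected by the erratum: CAA(A(X)), then R(P(X))."""
    records = caa(zone, name)
    if records:
        return records
    target = alias_target(zone, name)
    if target is not None:
        records = caa(zone, target)  # the target only, never its parents
        if records:
            return records
    up = parent(name)
    return relevant_caa(zone, up) if up is not None else []


def relevant_caa_rfc6844(zone: Zone, name: str) -> List[str]:
    """R(X) as published: R(A(X)) climbs the alias target's ancestors."""
    records = caa(zone, name)
    if records:
        return records
    target = alias_target(zone, name)
    if target is not None:
        records = relevant_caa_rfc6844(zone, target)
        if records:
            return records
    up = parent(name)
    return relevant_caa_rfc6844(zone, up) if up is not None else []


def make_chain_zone(hops: int) -> Zone:
    """Constructed zone with `hops` chained CNAMEs ending at a CAA holder."""
    names = ["start.test"] + [f"hop{i}.test" for i in range(1, hops)] + ["final.test"]
    zone: Zone = {src: {"CNAME": dst} for src, dst in zip(names, names[1:])}
    zone["final.test"] = {"CAA": ['0 issue "ca-c.example"']}
    return zone


def chain_accepted(zone: Zone, name: str) -> bool:
    """True if discovery completes, False if the CNAME chain is rejected."""
    try:
        relevant_caa(zone, name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("published :", relevant_caa_rfc6844(ZONE, "www.example.com"))
    print("erratum   :", relevant_caa(ZONE, "www.example.com"))
    print("8-hop chain accepted:", chain_accepted(make_chain_zone(8), "start.test"))
    print("9-hop chain accepted:", chain_accepted(make_chain_zone(9), "start.test"))
```

In the constructed zone the alias target's parent, cdn-provider.net, carries a CAA record that belongs to a third party. Under the published wording that record would govern issuance for www.example.com; under the corrected wording the search returns to example.com and its own policy applies, which is the point of the note that the search does not include the parent of a CNAME target.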
