draft-ietf-lamps-rfc6844bis-00.txt   draft-ietf-lamps-rfc6844bis-01.txt 
Network Working Group P. Hallam-Baker Network Working Group P. Hallam-Baker
Internet-Draft R. Stradling Internet-Draft R. Stradling
Obsoletes: RFC 6844 (if approved) Comodo Group, Inc Obsoletes: RFC 6844 (if approved) Comodo Group, Inc
Intended status: Standards Track J. Hoffman-Andrews Intended status: Standards Track J. Hoffman-Andrews
Expires: December 1, 2018 Let's Encrypt Expires: April 13, 2019 Let's Encrypt
May 30, 2018 October 10, 2018
DNS Certification Authority Authorization (CAA) Resource Record DNS Certification Authority Authorization (CAA) Resource Record
draft-ietf-lamps-rfc6844bis-00 draft-ietf-lamps-rfc6844bis-01
Abstract Abstract
The Certification Authority Authorization (CAA) DNS Resource Record The Certification Authority Authorization (CAA) DNS Resource Record
allows a DNS domain name holder to specify one or more Certification allows a DNS domain name holder to specify one or more Certification
Authorities (CAs) authorized to issue certificates for that domain. Authorities (CAs) authorized to issue certificates for that domain.
CAA Resource Records allow a public Certification Authority to CAA Resource Records allow a public Certification Authority to
implement additional controls to reduce the risk of unintended implement additional controls to reduce the risk of unintended
certificate mis-issue. This document defines the syntax of the CAA certificate mis-issue. This document defines the syntax of the CAA
record and rules for processing CAA records by certificate issuers. record and rules for processing CAA records by certificate issuers.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 1, 2018. This Internet-Draft will expire on April 13, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 27 skipping to change at page 2, line 27
4.1. Use of DNS Security . . . . . . . . . . . . . . . . . . . 8 4.1. Use of DNS Security . . . . . . . . . . . . . . . . . . . 8
5. Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . 9 5. Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . 9
5.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 9 5.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 9
5.1.1. Canonical Presentation Format . . . . . . . . . . . . 10 5.1.1. Canonical Presentation Format . . . . . . . . . . . . 10
5.2. CAA issue Property . . . . . . . . . . . . . . . . . . . 10 5.2. CAA issue Property . . . . . . . . . . . . . . . . . . . 10
5.3. CAA issuewild Property . . . . . . . . . . . . . . . . . 12 5.3. CAA issuewild Property . . . . . . . . . . . . . . . . . 12
5.4. CAA iodef Property . . . . . . . . . . . . . . . . . . . 12 5.4. CAA iodef Property . . . . . . . . . . . . . . . . . . . 12
6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13
6.1. Non-Compliance by Certification Authority . . . . . . . . 13 6.1. Non-Compliance by Certification Authority . . . . . . . . 13
6.2. Mis-Issue by Authorized Certification Authority . . . . . 13 6.2. Mis-Issue by Authorized Certification Authority . . . . . 13
6.3. Suppression or Spoofing of CAA Records . . . . . . . . . 13 6.3. Suppression or Spoofing of CAA Records . . . . . . . . . 14
6.4. Denial of Service . . . . . . . . . . . . . . . . . . . . 14 6.4. Denial of Service . . . . . . . . . . . . . . . . . . . . 14
6.5. Abuse of the Critical Flag . . . . . . . . . . . . . . . 14 6.5. Abuse of the Critical Flag . . . . . . . . . . . . . . . 14
7. Deployment Considerations . . . . . . . . . . . . . . . . . . 14 7. Deployment Considerations . . . . . . . . . . . . . . . . . . 14
7.1. Blocked Queries or Responses . . . . . . . . . . . . . . 14 7.1. Blocked Queries or Responses . . . . . . . . . . . . . . 15
7.2. Rejected Queries and Malformed Responses . . . . . . . . 15 7.2. Rejected Queries and Malformed Responses . . . . . . . . 15
7.3. Delegation to Private Nameservers . . . . . . . . . . . . 15 7.3. Delegation to Private Nameservers . . . . . . . . . . . . 15
7.4. Bogus DNSSEC Responses . . . . . . . . . . . . . . . . . 15 7.4. Bogus DNSSEC Responses . . . . . . . . . . . . . . . . . 15
8. Differences versus RFC6844 . . . . . . . . . . . . . . . . . 15 8. Differences versus RFC6844 . . . . . . . . . . . . . . . . . 16
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
9.1. Certification Authority Restriction Flags . . . . . . . . 16 9.1. Certification Authority Restriction Flags . . . . . . . . 16
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 16 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17
11. Normative References . . . . . . . . . . . . . . . . . . . . 17 11. Normative References . . . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction 1. Introduction
The Certification Authority Authorization (CAA) DNS Resource Record The Certification Authority Authorization (CAA) DNS Resource Record
allows a DNS domain name holder to specify the Certification allows a DNS domain name holder to specify the Certification
Authorities (CAs) authorized to issue certificates for that domain. Authorities (CAs) authorized to issue certificates for that domain.
Publication of CAA Resource Records allows a public Certification Publication of CAA Resource Records allows a public Certification
Authority to implement additional controls to reduce the risk of Authority to implement additional controls to reduce the risk of
skipping to change at page 11, line 8 skipping to change at page 11, line 8
5.2. CAA issue Property 5.2. CAA issue Property
The issue property tag is used to request that certificate issuers The issue property tag is used to request that certificate issuers
perform CAA issue restriction processing for the domain and to grant perform CAA issue restriction processing for the domain and to grant
authorization to specific certificate issuers. authorization to specific certificate issuers.
The CAA issue property value has the following sub-syntax (specified The CAA issue property value has the following sub-syntax (specified
in ABNF as per [RFC5234]). in ABNF as per [RFC5234]).
issuevalue = *WSP [domain] *WSP [";" *WSP [parameters] *WSP] issuevalue = *WSP [domain *WSP] [";" *WSP [parameters *WSP]]
domain = label *("." label) label = (ALPHA / DIGIT) *( *("-") (ALPHA domain = label *("." label)
/ DIGIT)) label = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))
parameters = (parameter *WSP ";" *WSP parameters) / parameter parameters = (parameter *WSP ";" *WSP parameters) / parameter
parameter = tag *WSP "=" *WSP value tag = (ALPHA / DIGIT) *( *("-") parameter = tag *WSP "=" *WSP value
(ALPHA / DIGIT)) value = *(%x21-3A / %x3C-7E) tag = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))
value = *(%x21-3A / %x3C-7E)
For consistency with other aspects of DNS administration, domain name For consistency with other aspects of DNS administration, domain name
values are specified in letter-digit-hyphen Label (LDH-Label) form. values are specified in letter-digit-hyphen Label (LDH-Label) form.
A CAA record with an issue parameter tag that does not specify a A CAA record with an issue parameter tag that does not specify a
domain name is a request that certificate issuers perform CAA issue domain name is a request that certificate issuers perform CAA issue
restriction processing for the corresponding domain without granting restriction processing for the corresponding domain without granting
authorization to any certificate issuer. authorization to any certificate issuer.
This form of issue restriction would be appropriate to specify that This form of issue restriction would be appropriate to specify that
no certificates are to be issued for the domain in question. no certificates are to be issued for the domain in question.
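Review bot: With every element of issuevalue optional in the revised rule (`issuevalue = *WSP [domain *WSP] [";" *WSP [parameters *WSP]]`), an empty or whitespace-only value matches the grammar just as `";"` does, yet the prose above speaks only of a record that "does not specify a domain name" and the example below uses `issue ";"`. Suggest stating explicitly that `issue ""` is the same request as `issue ";"` (neither specifies a domain, so neither grants authorization to any issuer), so implementations do not treat the empty form as malformed while accepting the semicolon form. Moving the `*WSP` repetitions inside the optional groups (`[domain *WSP]`, `[parameters *WSP]`) is a welcome cleanup of the old rule's adjacent `*WSP` ambiguity and does not change the accepted language.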
For example, the following CAA record set requests that no For example, the following CAA resource record set requests that no
certificates be issued for the domain 'nocerts.example.com' by any certificates be issued for the domain 'nocerts.example.com' by any
certificate issuer. certificate issuer.
nocerts.example.com CAA 0 issue ";" nocerts.example.com CAA 0 issue ";"
A CAA record with an issue parameter tag that specifies a domain name A CAA record with an issue parameter tag that specifies a domain name
is a request that certificate issuers perform CAA issue restriction is a request that certificate issuers perform CAA issue restriction
processing for the corresponding domain and grants authorization to processing for the corresponding domain and grants authorization to
the certificate issuer specified by the domain name. the certificate issuer specified by the domain name.
For example, the following CAA record set requests that no For example, the following CAA record set requests that no
certificates be issued for the domain 'certs.example.com' by any certificates be issued for the domain 'certs.example.com' by any
certificate issuer other than the example.net certificate issuer. certificate issuer other than the example.net certificate issuer.
certs.example.com CAA 0 issue "example.net" certs.example.com CAA 0 issue "example.net"
CAA authorizations are additive; thus, the result of specifying both CAA authorizations are additive; thus, the result of specifying both
the empty issuer and a specified issuer is the same as specifying the empty issuer and a specified issuer is the same as specifying
just the specified issuer alone. just the specified issuer alone.
An issue property tag where the issuevalue does not match the ABNF
grammar MUST be treated the same as one specifying the empty issuer.
For example, the following malformed CAA resource record set forbids
issuance:
malformed.example.com CAA 0 issue "%%%%%"
A non-empty CAA record set that contains no issue property tags is A non-empty CAA record set that contains no issue property tags is
authorization to any certificate issuer to issue for the authorization to any certificate issuer to issue for the
corresponding domain, provided that it is a non-wildcard domain, and corresponding domain, provided that it is a non-wildcard domain, and
no records in the CAA record set otherwise prohibit issuance. no records in the CAA record set otherwise prohibit issuance.
An issuer MAY choose to specify issuer-parameters that further An issuer MAY choose to specify issuer-parameters that further
constrain the issue of certificates by that issuer, for example, constrain the issue of certificates by that issuer, for example,
specifying that certificates are to be subject to specific validation specifying that certificates are to be subject to specific validation
polices, billed to certain accounts, or issued under specific trust polices, billed to certain accounts, or issued under specific trust
anchors. anchors.
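Review bot: The new MUST for an issuevalue that does not match the grammar (`malformed.example.com CAA 0 issue "%%%%%"`) should say how it combines with the additive rule stated two paragraphs earlier. Because a malformed record is treated as the empty issuer, a record set containing both the malformed record and `issue "example.net"` still authorizes example.net, so the example's "forbids issuance" holds only when the malformed record is the sole issue record in the set. One sentence such as "as with the empty issuer, a malformed issue record does not remove authorization granted by other issue records in the set" would close that gap. It would also help to state whether the same rule applies to issuewild, since Section 8 says the grammar was clarified for both tags.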
skipping to change at page 16, line 19 skipping to change at page 16, line 31
customers' domains. This document specifies a simplified processing customers' domains. This document specifies a simplified processing
algorithm that only performs tree climbing on the domain being algorithm that only performs tree climbing on the domain being
processed, and leaves processing of CNAMEs and DNAMEs up to the CA's processed, and leaves processing of CNAMEs and DNAMEs up to the CA's
recursive resolver. recursive resolver.
This document also includes a "Deployment Considerations" section This document also includes a "Deployment Considerations" section
detailing experience gained with practical deployment of CAA detailing experience gained with practical deployment of CAA
enforcement amount CAs in the WebPKI. enforcement amount CAs in the WebPKI.
This document clarifies the ABNF grammar for issue and issuewild tags This document clarifies the ABNF grammar for issue and issuewild tags
and resolves some inconsistencies with the document text. It also and resolves some inconsistencies with the document text. In
allows hyphens in property names. particular, it specifies that parameters are separated with hyphens.
It also allows hyphens in property names.
This document also clarifies processing of a CAA RRset that is not This document also clarifies processing of a CAA RRset that is not
empty, but contains no issue or issuewild tags. empty, but contains no issue or issuewild tags.
9. IANA Considerations 9. IANA Considerations
This document has no IANA actions. This document has no IANA actions.
9.1. Certification Authority Restriction Flags 9.1. Certification Authority Restriction Flags
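Review bot: The sentence added to Section 8, "it specifies that parameters are separated with hyphens", contradicts the grammar in Section 5.2, where `parameters = (parameter *WSP ";" *WSP parameters) / parameter` separates parameters with semicolons and hyphens appear only inside `tag` and `label`. Suggest "separated with semicolons"; as written, an implementer reading the change summary alone would split parameters on the wrong character. Also in this region, "enforcement amount CAs" should read "enforcement among CAs".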
 End of changes. 13 change blocks. 
16 lines changed or deleted 26 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/