draft-ietf-lamps-rfc6844bis-00.txt | draft-ietf-lamps-rfc6844bis-01.txt | |||
---|---|---|---|---|
Network Working Group P. Hallam-Baker | Network Working Group P. Hallam-Baker | |||
Internet-Draft R. Stradling | Internet-Draft R. Stradling | |||
Obsoletes: RFC 6844 (if approved) Comodo Group, Inc | Obsoletes: RFC 6844 (if approved) Comodo Group, Inc | |||
Intended status: Standards Track J. Hoffman-Andrews | Intended status: Standards Track J. Hoffman-Andrews | |||
Expires: December 1, 2018 Let's Encrypt | Expires: April 13, 2019 Let's Encrypt | |||
May 30, 2018 | October 10, 2018 | |||
DNS Certification Authority Authorization (CAA) Resource Record | DNS Certification Authority Authorization (CAA) Resource Record | |||
draft-ietf-lamps-rfc6844bis-00 | draft-ietf-lamps-rfc6844bis-01 | |||
Abstract | Abstract | |||
The Certification Authority Authorization (CAA) DNS Resource Record | The Certification Authority Authorization (CAA) DNS Resource Record | |||
allows a DNS domain name holder to specify one or more Certification | allows a DNS domain name holder to specify one or more Certification | |||
Authorities (CAs) authorized to issue certificates for that domain. | Authorities (CAs) authorized to issue certificates for that domain. | |||
CAA Resource Records allow a public Certification Authority to | CAA Resource Records allow a public Certification Authority to | |||
implement additional controls to reduce the risk of unintended | implement additional controls to reduce the risk of unintended | |||
certificate mis-issue. This document defines the syntax of the CAA | certificate mis-issue. This document defines the syntax of the CAA | |||
record and rules for processing CAA records by certificate issuers. | record and rules for processing CAA records by certificate issuers. | |||
skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on December 1, 2018. | This Internet-Draft will expire on April 13, 2019. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 27 ¶ | skipping to change at page 2, line 27 ¶ | |||
4.1. Use of DNS Security . . . . . . . . . . . . . . . . . . . 8 | 4.1. Use of DNS Security . . . . . . . . . . . . . . . . . . . 8 | |||
5. Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 5. Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
5.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 5.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
5.1.1. Canonical Presentation Format . . . . . . . . . . . . 10 | 5.1.1. Canonical Presentation Format . . . . . . . . . . . . 10 | |||
5.2. CAA issue Property . . . . . . . . . . . . . . . . . . . 10 | 5.2. CAA issue Property . . . . . . . . . . . . . . . . . . . 10 | |||
5.3. CAA issuewild Property . . . . . . . . . . . . . . . . . 12 | 5.3. CAA issuewild Property . . . . . . . . . . . . . . . . . 12 | |||
5.4. CAA iodef Property . . . . . . . . . . . . . . . . . . . 12 | 5.4. CAA iodef Property . . . . . . . . . . . . . . . . . . . 12 | |||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | |||
6.1. Non-Compliance by Certification Authority . . . . . . . . 13 | 6.1. Non-Compliance by Certification Authority . . . . . . . . 13 | |||
6.2. Mis-Issue by Authorized Certification Authority . . . . . 13 | 6.2. Mis-Issue by Authorized Certification Authority . . . . . 13 | |||
6.3. Suppression or Spoofing of CAA Records . . . . . . . . . 13 | 6.3. Suppression or Spoofing of CAA Records . . . . . . . . . 14 | |||
6.4. Denial of Service . . . . . . . . . . . . . . . . . . . . 14 | 6.4. Denial of Service . . . . . . . . . . . . . . . . . . . . 14 | |||
6.5. Abuse of the Critical Flag . . . . . . . . . . . . . . . 14 | 6.5. Abuse of the Critical Flag . . . . . . . . . . . . . . . 14 | |||
7. Deployment Considerations . . . . . . . . . . . . . . . . . . 14 | 7. Deployment Considerations . . . . . . . . . . . . . . . . . . 14 | |||
7.1. Blocked Queries or Responses . . . . . . . . . . . . . . 14 | 7.1. Blocked Queries or Responses . . . . . . . . . . . . . . 15 | |||
7.2. Rejected Queries and Malformed Responses . . . . . . . . 15 | 7.2. Rejected Queries and Malformed Responses . . . . . . . . 15 | |||
7.3. Delegation to Private Nameservers . . . . . . . . . . . . 15 | 7.3. Delegation to Private Nameservers . . . . . . . . . . . . 15 | |||
7.4. Bogus DNSSEC Responses . . . . . . . . . . . . . . . . . 15 | 7.4. Bogus DNSSEC Responses . . . . . . . . . . . . . . . . . 15 | |||
8. Differences versus RFC6844 . . . . . . . . . . . . . . . . . 15 | 8. Differences versus RFC6844 . . . . . . . . . . . . . . . . . 16 | |||
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 | |||
9.1. Certification Authority Restriction Flags . . . . . . . . 16 | 9.1. Certification Authority Restriction Flags . . . . . . . . 16 | |||
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 16 | 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17 | |||
11. Normative References . . . . . . . . . . . . . . . . . . . . 17 | 11. Normative References . . . . . . . . . . . . . . . . . . . . 17 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
1. Introduction | 1. Introduction | |||
The Certification Authority Authorization (CAA) DNS Resource Record | The Certification Authority Authorization (CAA) DNS Resource Record | |||
allows a DNS domain name holder to specify the Certification | allows a DNS domain name holder to specify the Certification | |||
Authorities (CAs) authorized to issue certificates for that domain. | Authorities (CAs) authorized to issue certificates for that domain. | |||
Publication of CAA Resource Records allows a public Certification | Publication of CAA Resource Records allows a public Certification | |||
Authority to implement additional controls to reduce the risk of | Authority to implement additional controls to reduce the risk of | |||
skipping to change at page 11, line 8 ¶ | skipping to change at page 11, line 8 ¶ | |||
5.2. CAA issue Property | 5.2. CAA issue Property | |||
The issue property tag is used to request that certificate issuers | The issue property tag is used to request that certificate issuers | |||
perform CAA issue restriction processing for the domain and to grant | perform CAA issue restriction processing for the domain and to grant | |||
authorization to specific certificate issuers. | authorization to specific certificate issuers. | |||
The CAA issue property value has the following sub-syntax (specified | The CAA issue property value has the following sub-syntax (specified | |||
in ABNF as per [RFC5234]). | in ABNF as per [RFC5234]). | |||
issuevalue = *WSP [domain] *WSP [";" *WSP [parameters] *WSP] | issuevalue = *WSP [domain *WSP] [";" *WSP [parameters *WSP]] | |||
domain = label *("." label) label = (ALPHA / DIGIT) *( *("-") (ALPHA | domain = label *("." label) | |||
/ DIGIT)) | label = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT)) | |||
parameters = (parameter *WSP ";" *WSP parameters) / parameter | parameters = (parameter *WSP ";" *WSP parameters) / parameter | |||
parameter = tag *WSP "=" *WSP value tag = (ALPHA / DIGIT) *( *("-") | parameter = tag *WSP "=" *WSP value | |||
(ALPHA / DIGIT)) value = *(%x21-3A / %x3C-7E) | tag = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT)) | |||
value = *(%x21-3A / %x3C-7E) | ||||
For consistency with other aspects of DNS administration, domain name | For consistency with other aspects of DNS administration, domain name | |||
values are specified in letter-digit-hyphen Label (LDH-Label) form. | values are specified in letter-digit-hyphen Label (LDH-Label) form. | |||
A CAA record with an issue parameter tag that does not specify a | A CAA record with an issue parameter tag that does not specify a | |||
domain name is a request that certificate issuers perform CAA issue | domain name is a request that certificate issuers perform CAA issue | |||
restriction processing for the corresponding domain without granting | restriction processing for the corresponding domain without granting | |||
authorization to any certificate issuer. | authorization to any certificate issuer. | |||
This form of issue restriction would be appropriate to specify that | This form of issue restriction would be appropriate to specify that | |||
no certificates are to be issued for the domain in question. | no certificates are to be issued for the domain in question. | |||
For example, the following CAA record set requests that no | For example, the following CAA resource record set requests that no | |||
certificates be issued for the domain 'nocerts.example.com' by any | certificates be issued for the domain 'nocerts.example.com' by any | |||
certificate issuer. | certificate issuer. | |||
nocerts.example.com CAA 0 issue ";" | nocerts.example.com CAA 0 issue ";" | |||
A CAA record with an issue parameter tag that specifies a domain name | A CAA record with an issue parameter tag that specifies a domain name | |||
is a request that certificate issuers perform CAA issue restriction | is a request that certificate issuers perform CAA issue restriction | |||
processing for the corresponding domain and grants authorization to | processing for the corresponding domain and grants authorization to | |||
the certificate issuer specified by the domain name. | the certificate issuer specified by the domain name. | |||
For example, the following CAA record set requests that no | For example, the following CAA record set requests that no | |||
certificates be issued for the domain 'certs.example.com' by any | certificates be issued for the domain 'certs.example.com' by any | |||
certificate issuer other than the example.net certificate issuer. | certificate issuer other than the example.net certificate issuer. | |||
certs.example.com CAA 0 issue "example.net" | certs.example.com CAA 0 issue "example.net" | |||
CAA authorizations are additive; thus, the result of specifying both | CAA authorizations are additive; thus, the result of specifying both | |||
the empty issuer and a specified issuer is the same as specifying | the empty issuer and a specified issuer is the same as specifying | |||
just the specified issuer alone. | just the specified issuer alone. | |||
An issue property tag where the issuevalue does not match the ABNF | ||||
grammar MUST be treated the same as one specifying the empty issuer. | ||||
For example, the following malformed CAA resource record set forbids | ||||
issuance: | ||||
malformed.example.com CAA 0 issue "%%%%%" | ||||
A non-empty CAA record set that contains no issue property tags is | A non-empty CAA record set that contains no issue property tags is | |||
authorization to any certificate issuer to issue for the | authorization to any certificate issuer to issue for the | |||
corresponding domain, provided that it is a non-wildcard domain, and | corresponding domain, provided that it is a non-wildcard domain, and | |||
no records in the CAA record set otherwise prohibit issuance. | no records in the CAA record set otherwise prohibit issuance. | |||
An issuer MAY choose to specify issuer-parameters that further | An issuer MAY choose to specify issuer-parameters that further | |||
constrain the issue of certificates by that issuer, for example, | constrain the issue of certificates by that issuer, for example, | |||
specifying that certificates are to be subject to specific validation | specifying that certificates are to be subject to specific validation | |||
polices, billed to certain accounts, or issued under specific trust | polices, billed to certain accounts, or issued under specific trust | |||
anchors. | anchors. | |||
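Review bot: the new rule "An issue property tag where the issuevalue does not match the ABNF grammar MUST be treated the same as one specifying the empty issuer" makes the revised grammar fail closed, so its strictness should be spelled out next to the 'malformed.example.com CAA 0 issue "%%%%%"' example: with 'issuevalue = *WSP [domain *WSP] [";" *WSP [parameters *WSP]]' and 'parameters = (parameter *WSP ";" *WSP parameters) / parameter', a trailing ";" after the last parameter (for instance a hypothetical 'example.net; foo=bar;') is not in the grammar and therefore forbids issuance, as does a label that begins or ends with a hyphen; either state that consequence explicitly or tolerate a trailing separator in the grammar. Moving *WSP inside the optional '[domain *WSP]' group is a good change, since the old '*WSP [domain] *WSP' had two adjacent *WSP that could match the same whitespace, and section 8 could mention it. Minor, in the unchanged text: "validation polices" should read "validation policies".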
skipping to change at page 16, line 19 ¶ | skipping to change at page 16, line 31 ¶ | |||
customers' domains. This document specifies a simplified processing | customers' domains. This document specifies a simplified processing | |||
algorithm that only performs tree climbing on the domain being | algorithm that only performs tree climbing on the domain being | |||
processed, and leaves processing of CNAMEs and DNAMEs up to the CA's | processed, and leaves processing of CNAMEs and DNAMEs up to the CA's | |||
recursive resolver. | recursive resolver. | |||
This document also includes a "Deployment Considerations" section | This document also includes a "Deployment Considerations" section | |||
detailing experience gained with practical deployment of CAA | detailing experience gained with practical deployment of CAA | |||
enforcement amount CAs in the WebPKI. | enforcement amount CAs in the WebPKI. | |||
This document clarifies the ABNF grammar for issue and issuewild tags | This document clarifies the ABNF grammar for issue and issuewild tags | |||
and resolves some inconsistencies with the document text. It also | and resolves some inconsistencies with the document text. In | |||
allows hyphens in property names. | particular, it specifies that parameters are separated with hyphens. | |||
It also allows hyphens in property names. | ||||
This document also clarifies processing of a CAA RRset that is not | This document also clarifies processing of a CAA RRset that is not | |||
empty, but contains no issue or issuewild tags. | empty, but contains no issue or issuewild tags. | |||
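Review bot: the added sentence "In particular, it specifies that parameters are separated with hyphens." contradicts the grammar in section 5.2, where 'parameters = (parameter *WSP ";" *WSP parameters) / parameter' separates parameters with ";" and hyphens occur only inside 'tag' and 'label'; suggest "In particular, it specifies that parameters are separated with semicolons." (the following sentence already covers hyphens in property names). Also in this block, the unchanged "enforcement amount CAs" should read "enforcement among CAs".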
9. IANA Considerations | 9. IANA Considerations | |||
This document has no IANA actions. | This document has no IANA actions. | |||
9.1. Certification Authority Restriction Flags | 9.1. Certification Authority Restriction Flags | |||
End of changes. 13 change blocks. | ||||
16 lines changed or deleted | 26 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |