--- 1/draft-ietf-lamps-rfc6844bis-00.txt 2018-10-10 16:13:19.377981800 -0700 +++ 2/draft-ietf-lamps-rfc6844bis-01.txt 2018-10-10 16:13:19.417982776 -0700 @@ -1,20 +1,20 @@ Network Working Group P. Hallam-Baker Internet-Draft R. Stradling Obsoletes: RFC 6844 (if approved) Comodo Group, Inc Intended status: Standards Track J. Hoffman-Andrews -Expires: December 1, 2018 Let's Encrypt - May 30, 2018 +Expires: April 13, 2019 Let's Encrypt + October 10, 2018 DNS Certification Authority Authorization (CAA) Resource Record - draft-ietf-lamps-rfc6844bis-00 + draft-ietf-lamps-rfc6844bis-01 Abstract The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain. CAA Resource Records allow a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue. This document defines the syntax of the CAA record and rules for processing CAA records by certificate issuers. 
@@ -27,21 +27,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on December 1, 2018. + This Internet-Draft will expire on April 13, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -62,32 +62,32 @@ 4.1. Use of DNS Security . . . . . . . . . . . . . . . . . . . 8 5. Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . 9 5.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 9 5.1.1. Canonical Presentation Format . . . . . . . . . . . . 10 5.2. CAA issue Property . . . . . . . . . . . . . . . . . . . 10 5.3. CAA issuewild Property . . . . . . . . . . . . . . . . . 12 5.4. CAA iodef Property . . . . . . . . . . . . . . . . . . . 12 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 6.1. Non-Compliance by Certification Authority . . . . . . . . 13 6.2. Mis-Issue by Authorized Certification Authority . . . . . 13 - 6.3. Suppression or Spoofing of CAA Records . . . . . . . . . 13 + 6.3. Suppression or Spoofing of CAA Records . . . . . . . . . 14 6.4. Denial of Service . . . . . . . . . . . . . . . . . . . . 14 6.5. Abuse of the Critical Flag . . . . . . . . . . . . . . . 14 7. Deployment Considerations . . . . . . . . . . . . . . . . . . 14 - 7.1. Blocked Queries or Responses . . . . . . . . . . . . . . 14 + 7.1. Blocked Queries or Responses . . . . . . . . . . . . . . 15 7.2. Rejected Queries and Malformed Responses . . . . . . . . 15 7.3. Delegation to Private Nameservers . . . . . . . . . . . . 15 7.4. Bogus DNSSEC Responses . . . . . . . . . . . . . . . . . 15 - 8. Differences versus RFC6844 . . . . . . . . . . . . . . . . . 15 + 8. Differences versus RFC6844 . . . . . . . . . . . . . . . . . 16 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 9.1. Certification Authority Restriction Flags . . . . . . . . 16 - 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 16 + 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17 11. Normative References . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 1. 
Introduction The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify the Certification Authorities (CAs) authorized to issue certificates for that domain. Publication of CAA Resource Records allows a public Certification Authority to implement additional controls to reduce the risk of 
@@ -462,61 +462,70 @@ 5.2. CAA issue Property The issue property tag is used to request that certificate issuers perform CAA issue restriction processing for the domain and to grant authorization to specific certificate issuers. The CAA issue property value has the following sub-syntax (specified in ABNF as per [RFC5234]). - issuevalue = *WSP [domain] *WSP [";" *WSP [parameters] *WSP] + issuevalue = *WSP [domain *WSP] [";" *WSP [parameters *WSP]] - domain = label *("." label) label = (ALPHA / DIGIT) *( *("-") (ALPHA - / DIGIT)) + domain = label *("." label) + label = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT)) parameters = (parameter *WSP ";" *WSP parameters) / parameter - parameter = tag *WSP "=" *WSP value tag = (ALPHA / DIGIT) *( *("-") - (ALPHA / DIGIT)) value = *(%x21-3A / %x3C-7E) + parameter = tag *WSP "=" *WSP value + tag = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT)) + value = *(%x21-3A / %x3C-7E) For consistency with other aspects of DNS administration, domain name values are specified in letter-digit-hyphen Label (LDH-Label) form. A CAA record with an issue parameter tag that does not specify a domain name is a request that certificate issuers perform CAA issue restriction processing for the corresponding domain without granting authorization to any certificate issuer. This form of issue restriction would be appropriate to specify that no certificates are to be issued for the domain in question. - For example, the following CAA record set requests that no + For example, the following CAA resource record set requests that no certificates be issued for the domain 'nocerts.example.com' by any certificate issuer. nocerts.example.com CAA 0 issue ";" A CAA record with an issue parameter tag that specifies a domain name is a request that certificate issuers perform CAA issue restriction processing for the corresponding domain and grants authorization to the certificate issuer specified by the domain name. 
For example, the following CAA record set requests that no certificates be issued for the domain 'certs.example.com' by any certificate issuer other than the example.net certificate issuer. certs.example.com CAA 0 issue "example.net" CAA authorizations are additive; thus, the result of specifying both the empty issuer and a specified issuer is the same as specifying just the specified issuer alone. + An issue property tag where the issuevalue does not match the ABNF + grammar MUST be treated the same as one specifying the empty issuer. + + For example, the following malformed CAA resource record set forbids + issuance: + + malformed.example.com CAA 0 issue "%%%%%" + A non-empty CAA record set that contains no issue property tags is authorization to any certificate issuer to issue for the corresponding domain, provided that it is a non-wildcard domain, and no records in the CAA record set otherwise prohibit issuance. An issuer MAY choose to specify issuer-parameters that further constrain the issue of certificates by that issuer, for example, specifying that certificates are to be subject to specific validation polices, billed to certain accounts, or issued under specific trust anchors. 
@@ -714,22 +722,23 @@ customers' domains. This document specifies a simplified processing algorithm that only performs tree climbing on the domain being processed, and leaves processing of CNAMEs and DNAMEs up to the CA's recursive resolver. This document also includes a "Deployment Considerations" section detailing experience gained with practical deployment of CAA enforcement amount CAs in the WebPKI. This document clarifies the ABNF grammar for issue and issuewild tags - and resolves some inconsistencies with the document text. It also - allows hyphens in property names. + and resolves some inconsistencies with the document text. In + particular, it specifies that parameters are separated with hyphens. + It also allows hyphens in property names. This document also clarifies processing of a CAA RRset that is not empty, but contains no issue or issuewild tags. 9. IANA Considerations This document has no IANA actions. 9.1. Certification Authority Restriction Flags
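Review bot: In the `@@ -462,61 +462,70 @@` hunk, the added rule "An issue property tag where the issuevalue does not match the ABNF grammar MUST be treated the same as one specifying the empty issuer" combines with the unchanged sentence "CAA authorizations are additive" to mean that a malformed issue record only forbids issuance when no other issue record in the RRset grants authorization; it does not override a valid `issue "example.net"` record beside it. The example `malformed.example.com CAA 0 issue "%%%%%"` is correct as written, but its lead-in "the following malformed CAA resource record set forbids issuance" would be clearer as "forbids issuance, because the record set contains no other issue property granting authorization", so implementers do not read the malformed record as a veto. Minor style point in the same hunk: the reworded example now says "CAA resource record set" while the later certs.example.com example still says "CAA record set"; use one term.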
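Review bot: In the `@@ -714,22 +722,23 @@` hunk, the added sentence "In particular, it specifies that parameters are separated with hyphens." contradicts the ABNF introduced earlier in this same patch, where `parameters = (parameter *WSP ";" *WSP parameters) / parameter` separates parameters with semicolons and hyphens appear only inside `tag` and `label`. Suggest "In particular, it specifies that parameters are separated with semicolons." so that the following sentence "It also allows hyphens in property names." remains the only statement about hyphens. The unchanged context line "CAA enforcement amount CAs in the WebPKI" also carries a typo for "among CAs" and is worth fixing while this paragraph is being edited.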