RFC 6844 – DNS Certification Authority Authorization (CAA) Resource Record

RFC 6844, DNS Certification Authority Authorization (CAA) Resource Record; IETF; P. Hallam-Baker (Comodo), R. Stradling (Comodo); 2013-01.

Example

$ORIGIN example.com
.       CAA 0 issue "ca.example.net; account=230123"
.       CAA 0 iodef "mailto:security@example.com"
.       CAA 0 iodef "http://iodef.example.com/"

$ORIGIN example.com
.       CAA 0 issue "ca.example.net; policy=ev"
.       CAA 128 tbs "Unknown"

Note that the flags value 128 sets bit 0, the issuer-critical flag: RFC 1035 numbers bits from the most significant end, so bit 0 is the high-order bit of the octet (a flags value of 1 would set bit 7, which is not critical).

Flags

Issuer Critical
If set to '1', indicates that the corresponding property tag MUST be understood if the semantics of the CAA record are to be correctly interpreted by an issuer. Issuers MUST NOT issue certificates for a domain if the relevant CAA Resource Record set contains unknown property tags that have the Critical bit set.

Property Tags

issue Issuer Domain Name [; name=value ]*
The issue property entry authorizes the holder of the domain name <Issuer Domain Name> or a party acting under the explicit authority of the holder of that domain name to issue certificates for the domain in which the property is published.
issuewild Issuer Domain Name [; name=value ]*
The issuewild property entry authorizes the holder of the domain name Issuer Domain Name or a party acting under the explicit authority of the holder of that domain name to issue wildcard certificates for the domain in which the property is published.
iodef URL
Specifies a URL to which an issuer MAY report certificate issue requests that are inconsistent with the issuer’s Certification Practices or Certificate Policy, or that a Certificate Evaluator may use to report observation of a possible policy violation. The Incident Object Description Exchange Format (IODEF) format is used [RFC5070].

Notes

Note that according to the conventions set out in [RFC1035], bit 0 is the Most Significant Bit and bit 7 is the Least Significant Bit. Thus, the Flags value 1 means that bit 7 is set while a value of 128 means that bit 0 is set according to this convention.
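As an added example (not code from the RFC or from this page), the following Python models what an issuer has to do with the records above: find the relevant RRset by climbing to the closest ancestor that has CAA records, refuse outright if any unknown tag carries the issuer-critical flag (bit 0, so 128 rather than 1), let issuewild take precedence over issue for wildcard requests, and parse the "domain; name=value" syntax. The zone contents are the two example RRsets from the page; CNAME/DNAME following from RFC 6844 section 4 is omitted, and the function names are this example's own.

```python
from typing import Dict, List, Tuple

# A CAA record as it appears in the zone: (flags, tag, value).
CAA = Tuple[int, str, str]

# Bit 0 in RFC 1035 numbering is the most significant bit of the flags octet.
ISSUER_CRITICAL = 0x80  # == 128

# The two RRsets from the RFC example above, keyed by owner name.
EXAMPLE_ZONE: Dict[str, List[CAA]] = {
    "example.com": [
        (0, "issue", "ca.example.net; account=230123"),
        (0, "iodef", "mailto:security@example.com"),
        (0, "iodef", "http://iodef.example.com/"),
    ],
}
CRITICAL_ZONE: Dict[str, List[CAA]] = {
    "example.com": [
        (0, "issue", "ca.example.net; policy=ev"),
        (128, "tbs", "Unknown"),
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_rrset(name: str, zone: Dict[str, List[CAA]]) -> List[CAA]:
    """The RRset a CA must honour for `name`: the CAA records at the name itself or,
    failing that, at the closest ancestor that has any. A leading wildcard label is
    dropped first. (RFC 6844 section 4 also follows CNAME/DNAME; omitted here.)"""
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """'ca.example.net; account=230123' -> ('ca.example.net', {'account': '230123'}).
    An empty issuer domain (the value ";") authorises no CA at all."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return parts[0].lower(), params


def may_issue(ca_domain: str, name: str, zone: Dict[str, List[CAA]],
              wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether CA `ca_domain` may issue for `name` under the zone's CAA policy."""
    rrset = relevant_caa_rrset(name, zone)
    if not rrset:
        return True, "no CAA records found: issuance not restricted"
    # Critical flag: an unknown tag with bit 0 set forbids issuance outright.
    for flags, tag, _ in rrset:
        if flags & ISSUER_CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False, f"unknown property tag {tag!r} has the issuer-critical flag set"
    # issuewild, when present, takes precedence over issue for wildcard requests;
    # without it, wildcard requests fall back to the issue records.
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    allowed = [parse_issue_value(v)[0] for _, t, v in rrset if t.lower() == tag]
    if not allowed:
        return True, f"no {tag} records: issuance not restricted"
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is authorised by {tag}"
    return False, f"{ca_domain} is not among {allowed}"
```

The check worth noticing is the one on flags: a record published with flags 1 and an unknown tag is silently ignored, while the same record with flags 128 blocks issuance for the whole name, which is the point the note above about RFC 1035 bit numbering is making.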

Referenced

RFC5070
The Incident Object Description Exchange Format (IODEF)

Automatic Empty Zones (including RFC 1918 prefixes) transition between BIND v9.8 and BIND v9.9

References

Standards

  • RFC 1918, Address Allocation for Private Internets, 1996-02.
  • RFC 4193, Unique Local IPv6 Unicast Addresses, 2005-11.
  • RFC 5737, IPv4 Address Blocks Reserved for Documentation, 2010-01.
  • RFC 6598, IANA-Reserved IPv4 Prefix for Shared Address Space, 2012-04.

Interesting

The two zones for the IPv6 unspecified address (::) and the IPv6 loopback address (::1) are each considered individually and separately as a zone:

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA

To amplify: there is no containing zone that is expected to hold both of these names, i.e. no empty zone is produced at

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA

Exhibitions

As of BIND v9.9, the following empty zones may be produced:

10.IN-ADDR.ARPA
16.172.IN-ADDR.ARPA
17.172.IN-ADDR.ARPA
18.172.IN-ADDR.ARPA
19.172.IN-ADDR.ARPA
20.172.IN-ADDR.ARPA
21.172.IN-ADDR.ARPA
22.172.IN-ADDR.ARPA
23.172.IN-ADDR.ARPA
24.172.IN-ADDR.ARPA
25.172.IN-ADDR.ARPA
26.172.IN-ADDR.ARPA
27.172.IN-ADDR.ARPA
28.172.IN-ADDR.ARPA
29.172.IN-ADDR.ARPA
30.172.IN-ADDR.ARPA
31.172.IN-ADDR.ARPA
168.192.IN-ADDR.ARPA
100.51.198.IN-ADDR.ARPA
113.0.203.IN-ADDR.ARPA
8.B.D.0.1.0.0.2.IP6.ARPA

Earlier versions produced empty zones for the following:

0.IN-ADDR.ARPA
127.IN-ADDR.ARPA
254.169.IN-ADDR.ARPA
2.0.192.IN-ADDR.ARPA
100.51.198.IN-ADDR.ARPA
113.0.203.IN-ADDR.ARPA
255.255.255.255.IN-ADDR.ARPA
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
8.B.D.0.1.0.0.2.IP6.ARPA
D.F.IP6.ARPA
8.E.F.IP6.ARPA
9.E.F.IP6.ARPA
A.E.F.IP6.ARPA
B.E.F.IP6.ARPA

sendmail, still, intermittently, gives “host map: lookup ($domain): deferred”

Previously

sendmail gives “host map: lookup ($domain): deferred”, 2015-03-04.

Continuing

And yet it continues to happen intermittently:

  • Has something to do with IPv6 vs IPv4
  • Once sendmail is in that state, it never recovers, i.e.
    • the queue never clears
    • its growth is unbounded
  • the only remedies are manual intervention
    • sendmail -q (manually)
    • systemctl restart sendmail (manually)

Debug

$ sendmail -v -d8.32 -qIMessageID

Actualities

$ sudo sendmail -v -d8.32 -qIt85HF6hG025984
Running /var/spool/mqueue/t85HF6hG025984 (sequence 1 of 1)
dns_getcanonname(sender.example.com, trymx=1)
dns_getcanonname: trying sender.example.com. (AAAA)
	NO: errno=0, h_errno=4
dns_getcanonname: trying sender.example.com. (A)
	YES
dns_getcanonname: sender.example.com
dns_getcanonname(emerson.baker.org, trymx=1)
dns_getcanonname: trying emerson.baker.org. (AAAA)
	NO: errno=0, h_errno=4
dns_getcanonname: trying emerson.baker.org. (A)
	NO: errno=0, h_errno=4
dns_getcanonname: trying emerson.baker.org. (MX)
	YES
dns_getcanonname: emerson.baker.org
getmxrr(smart.mail.example.emerson.baker.org, droplocalhost=1)
getmxrr: res_search(smart.mail.example.emerson.baker.org) failed (errno=0, h_errno=4)
dns_getcanonname(smart.mail.example.emerson.baker.org, trymx=0)
dns_getcanonname: trying smart.mail.example.emerson.baker.org. (AAAA)
	NO: errno=0, h_errno=4
dns_getcanonname: trying smart.mail.example.emerson.baker.org. (A)
	YES
dns_getcanonname: smart.mail.example.emerson.baker.org
... Connecting to smart.mail.example.emerson.baker.org. via relay...
220 mta.emerson.baker.org ESMTP Sendmail 8.14.5/8.14.5; Thu, 10 Sep 2015 10:17:26 -0700
>>> EHLO sender.example.com
250-mta.emerson.baker.org Hello sender.example.emerson.baker.org [192.0.2.19], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
>>> STARTTLS
220 2.0.0 Ready to start TLS
>>> EHLO sender.example.com
250-mta.emerson.baker.org Hello sender.example.emerson.baker.org [192.0.2.19], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
>>> MAIL From: SIZE=845
250 2.1.0 ... Sender ok
>>> RCPT To:
>>> DATA
250 2.1.5 ... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 t8AHHQ0v004865 Message accepted for delivery
... Sent (t8AHHQ0v004865 Message accepted for delivery)
Closing connection to smart.mail.example.emerson.baker.org.
>>> QUIT
221 2.0.0 mta.emerson.baker.org closing connection

UNSOLVED: sendmail gives “host map: lookup ($domain): deferred”

tl;dr → ensure the AAAA, A and MX records are visible and are compatible with host connectivity.

i.e. don’t publish AAAA (only) for an IPv4-connected host.

Diagnostic

$ mailq
/var/spool/mqueue (1 request)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
t22GuSUb006467 72 Mon Mar 2 08:56
(host map: lookup (SOMEHOST.emerson.baker.org): deferred)

Total requests: 1
$ host -t aaaa SOMEHOST.emerson.baker.org
SOMEHOST.emerson.baker.org has IPv6 address 2001:db8::99:1
SOMEHOST.emerson.baker.org has IPv6 address 2001:db8::88:1

Debug

sendmail -v -d8.32 -qImessageID

Background

“Starting with Sendmail 8.12, Sendmail queries the following 3 DNS resource records in order:

  • AAAA
  • A
  • MX

Failures earlier in the series are treated as more serious than those later, as documented. In particular, it is unreasonable to have a host with only AAAA records published, but which is only connected via IPv4.”
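As an added example (not sendmail's code and not from the quoted note), the Python below models the lookup order the note describes and the failure mode the tl;dr above warns about: the AAAA, A, MX sequence of dns_getcanonname(), the fall-through to the MX targets, and a per-target check for a host that publishes only AAAA while the MTA can connect only over IPv4. The answer set is constructed for the example; a name that exists without the queried type stands in for the "NO: errno=0, h_errno=4" lines in the debug output (h_errno 4 is NO_DATA), and the address 192.0.2.25 and the function names are this example's own.

```python
from typing import Dict, List, Tuple

# Constructed DNS answer set (not captured from the post's hosts): name -> {rrtype: rdata}.
# A name that is present but lacks the queried type models sendmail's "NO: errno=0,
# h_errno=4" (NO_DATA) lines; a name absent altogether models NXDOMAIN.
ANSWERS: Dict[str, Dict[str, list]] = {
    "sender.example.com.": {"A": ["192.0.2.19"]},
    "somehost.emerson.baker.org.": {"AAAA": ["2001:db8::99:1", "2001:db8::88:1"]},
    "emerson.baker.org.": {"MX": [(10, "smart.mail.example.emerson.baker.org.")]},
    "smart.mail.example.emerson.baker.org.": {"A": ["192.0.2.25"]},  # constructed address
}

LOOKUP_ORDER = ("AAAA", "A", "MX")  # the order the quoted note gives for sendmail 8.12+


def fqdn(name: str) -> str:
    """Lower-case, absolute form used as the lookup key."""
    return name.lower() if name.endswith(".") else name.lower() + "."


def canonname(name: str, answers, trymx: bool = True):
    """Model of dns_getcanonname(): try AAAA, then A, then MX (only when trymx is set).
    Returns the record type that answered, or None when nothing did."""
    rrs = answers.get(fqdn(name), {})
    for rrtype in LOOKUP_ORDER:
        if rrtype == "MX" and not trymx:
            break
        if rrs.get(rrtype):
            return rrtype
    return None


def mail_targets(name: str, answers) -> List[str]:
    """Hosts the MTA would try: the MX targets in preference order when the name
    resolved via MX, otherwise the name itself (the getmxrr() fallback in the trace)."""
    if canonname(name, answers) == "MX":
        return [target for _, target in sorted(answers[fqdn(name)]["MX"])]
    return [fqdn(name)]


def delivery_check(name: str, answers, local_families=("A",)) -> List[Tuple[str, str, str]]:
    """Per target: (target, 'ok'|'deferred', reason). The deferred case this page is
    about is a target whose only address records belong to a family (AAAA) that the
    MTA has no connectivity for, so no connection can even be attempted."""
    report = []
    for target in mail_targets(name, answers):
        rrs = answers.get(target, {})
        published = [t for t in ("AAAA", "A") if rrs.get(t)]
        usable = [t for t in published if t in local_families]
        if not published:
            report.append((target, "deferred", "no AAAA or A records for target"))
        elif not usable:
            report.append((target, "deferred",
                           f"only {published} published but MTA connects via {list(local_families)}"))
        else:
            report.append((target, "ok", f"connect via {usable[0]}"))
    return report
```

Run delivery_check() against a real answer set with local_families set to what the sending host can actually route, and a target that comes back "deferred" with "only ['AAAA'] published" is the record set to fix (add the A record, or remove the AAAA) rather than something to keep restarting sendmail over.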

References

Via: backfill.

What does “RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA” mean? | ISC Knowledge Base

What does “RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA” mean?; ISC Knowledge Base; 2011-03-18, updated 2012-09-27; Top, Software Products, BIND9, FAQs

IPv4 per RFC 1918

  • 10.0.0.0/8
  • 169.254.0.0/16 (listed here alongside the RFC 1918 prefixes, but it is the IPv4 link-local range of RFC 3927, not an RFC 1918 allocation)
  • 172.16.0.0/12
  • 192.168.0.0/16

IPv6 per RFC 4193

  • fc00::/7
    • fc00::/8 (L=0; reserved, not yet defined)
    • fd00::/8 (L=1; locally assigned)
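The empty-zone lists in the BIND 9.8/9.9 post above and the private prefixes in this KB entry are two views of the same mapping, so one added example (not ISC's code, and not from either page) serves both: a function that turns a prefix into the reverse-DNS zone names that cover it, cut at octet boundaries for in-addr.arpa and nibble boundaries for ip6.arpa, plus a lookup that reports which locally served empty zone a query name falls under. The BIND 9.9 list is regenerated from its prefixes (2001:db8::/32 is the RFC 3849 documentation prefix), and the ::/127 case reproduces the point about ::/128 and ::1/128 having no containing zone. Function and constant names are this example's own.

```python
import ipaddress
from typing import List, Optional

# The prefixes behind BIND 9.9's automatic empty zones listed above
# (RFC 1918, RFC 5737 and the RFC 3849 IPv6 documentation prefix).
BIND_99_PREFIXES = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32",
]


def reverse_zones(prefix: str) -> List[str]:
    """Reverse-DNS zone names that exactly cover `prefix`.

    in-addr.arpa zones are cut at octet boundaries and ip6.arpa zones at nibble
    boundaries, so a prefix that does not end on such a boundary (172.16.0.0/12,
    ::/127) expands into several zones, one per boundary-aligned subnet."""
    net = ipaddress.ip_network(prefix, strict=False)
    step = 8 if net.version == 4 else 4
    zone_len = -(-net.prefixlen // step) * step  # round up to the next boundary
    suffix = "IN-ADDR.ARPA" if net.version == 4 else "IP6.ARPA"
    zones = []
    for sub in net.subnets(new_prefix=zone_len):
        if sub.version == 4:
            labels = str(sub.network_address).split(".")[: zone_len // 8]
        else:
            labels = list(sub.network_address.exploded.replace(":", ""))[: zone_len // 4]
        zones.append(".".join(labels[::-1] + [suffix]).upper())
    return zones


BIND_99_EMPTY_ZONES = [z for p in BIND_99_PREFIXES for z in reverse_zones(p)]


def covering_zone(qname: str, zones: List[str]) -> Optional[str]:
    """The longest zone in `zones` that contains `qname`, or None.

    A resolver that serves `zones` as empty zones answers such a query itself, so a
    matching qname that nevertheless drew an answer from the Internet is exactly the
    "RFC 1918 response from Internet" situation: the query leaked past the resolver."""
    q = qname.upper().rstrip(".")
    best = None
    for z in zones:
        z = z.upper().rstrip(".")
        if q == z or q.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best
```

Note that reverse_zones("::/127") yields two 32-nibble zones rather than one 31-nibble zone, which is why BIND carries ::/128 and ::1/128 as separate empty zones and why there is no zone at the 31-zero name quoted above.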

Mentioned

Create rDNS for fe80::/64 and ff02::/16 to make debug easier

Concept

Forward and reverse DNS for the link (link-local) addresses

  • Domain link. for unicast addresses within fe80::/64
  • Domain ndp.link. (NDP) for multicast addresses within ff02::/16

Do the best you can; the point here is to make tcpdump output readable and your life managing EUI-64 and SLAAC-derived addresses substantially easier.
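As an added example (not the post's own zone data or tooling), the Python below generates the forward and reverse records the concept calls for from a host inventory: the fe80::/64 address each host derives from its MAC under the modified EUI-64 rule, the ff02::1:ffXX:XXXX solicited-node group that neighbor solicitations for it are sent to, and the matching PTRs, which land in the 0.8.e.f.ip6.arpa and 2.0.f.f.ip6.arpa zones shown below. The MAC-to-hostname inventory is constructed for the example and the function names are its own; hosts using privacy or stable-privacy addresses (RFC 4941, RFC 7217) will not match the EUI-64 form and need their addresses entered by hand.

```python
import ipaddress
from typing import Dict, List

# Constructed inventory for the example (not the post's hosts): MAC -> short hostname.
HOSTS: Dict[str, str] = {
    "00:11:22:33:44:55": "wantowen",
    "00:11:22:33:44:56": "baggie",
}


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 address a host derives from its MAC under the modified EUI-64 rule
    (RFC 4291 appendix A): invert the universal/local bit of the first octet and
    splice ff:fe into the middle of the 48-bit MAC."""
    octets = [int(x, 16) for x in mac.split(":")]
    if len(octets) != 6 or not all(0 <= o <= 0xFF for o in octets):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    octets[0] ^= 0x02
    iid = bytes(octets[:3] + [0xFF, 0xFE] + octets[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def solicited_node(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, the multicast group for the low 24 bits of addr (RFC 4291
    section 2.7.1); neighbor solicitations for addr are sent to this group, which is
    why ndp.link names appear as destinations in the tcpdump output below."""
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + addr.packed[-3:])


def zone_records(hosts: Dict[str, str], link: str = "link.", ndp: str = "ndp.link.") -> List[str]:
    """Forward AAAA and reverse PTR records for each host, one record per line in
    zone-file syntax. PTRs for fe80:: addresses fall under 0.8.e.f.ip6.arpa and
    those for ff02:: groups under 2.0.f.f.ip6.arpa."""
    lines = []
    for mac, name in sorted(hosts.items(), key=lambda kv: kv[1]):
        ll = eui64_link_local(mac)
        sn = solicited_node(ll)
        lines.append(f"{name}.{link}\tAAAA\t{ll}")
        lines.append(f"{ll.reverse_pointer}.\tPTR\t{name}.{link}")
        lines.append(f"{name}.{ndp}\tAAAA\t{sn}")
        lines.append(f"{sn.reverse_pointer}.\tPTR\t{name}.{ndp}")
    return lines
```

Append the output of zone_records() to the link., ndp.link., 0.8.e.f.ip6.arpa and 2.0.f.f.ip6.arpa zones (the SOA and NS records, and static entries for ff02::1 and ff02::2 if you want all-nodes and all-routers named too, are yours to add), then point tcpdump's resolver at that server.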

Also Noted

tcpdump of ICMPv6 Router Advertisements; 2013-01-01.

Zones

$ host -t soa link.
link has SOA record ns0.emerson.dns.baker.org. hostmaster.emerson.baker.org. 19 28800 7200 604800 86400

$ host -t soa ndp.link.
ndp.link has SOA record ns0.emerson.dns.baker.org. hostmaster.emerson.baker.org. 4 28800 7200 604800 86400

$ host -t soa 2.0.f.f.ip6.arpa.
2.0.f.f.ip6.arpa has SOA record ns0.fd.ip6.arpa.emerson.dns.baker.org. hostmaster.baker.org. 68 3600 7200 604800 86400

$ host -t soa 0.8.e.f.ip6.arpa.
0.8.e.f.ip6.arpa has SOA record ns0.fd.ip6.arpa.emerson.dns.baker.org. hostmaster.baker.org. 68 3600 7200 604800 86400

Actualities

$ sudo tcpdump -i eth0 'ip6 && icmp6 && (ip6[40] == 135)' 
16:55:56.181501 IP6 lovelie.he.emerson.baker.org > rutabaga.ndp.link: ICMP6, neighbor solicitation, who has rutabaga.he.emerson.baker.org, length 32
16:55:57.418622 IP6 baggie.link > fishnet-effect.ndp.link: ICMP6, neighbor solicitation, who has fishnet-effect.he.emerson.baker.org, length 32
16:55:59.063757 IP6 wantowen.link > loosened.link: ICMP6, neighbor solicitation, who has loosened.link, length 32
16:55:59.911758 IP6 wantowen.link > baggie.link: ICMP6, neighbor solicitation, who has baggie.link, length 32
16:56:04.074817 IP6 loosened.link > wantowen.link: ICMP6, neighbor solicitation, who has wantowen.link, length 32
16:56:04.912787 IP6 baggie.link > wantowen.link: ICMP6, neighbor solicitation, who has wantowen.link, length 32
16:56:14.646033 IP6 waggie.link > wantowen.sanguine.emerson.baker.org: ICMP6, neighbor solicitation, who has wantowen.sanguine.emerson.baker.org, length 32
16:56:14.647737 IP6 dalliance.link > wantowen.sanguine.emerson.baker.org: ICMP6, neighbor solicitation, who has wantowen.sanguine.emerson.baker.org, length 32
16:56:14.648278 IP6 suffragette.link > wantowen.sanguine.emerson.baker.org: ICMP6, neighbor solicitation, who has wantowen.sanguine.emerson.baker.org, length 32
16:56:14.748757 IP6 frequented.link > wantowen.r1.t2.linode.emerson.baker.org: ICMP6, neighbor solicitation, who has wantowen.r1.t2.linode.emerson.baker.org, length 32
16:56:14.811537 IP6 baggie.link > loosened.ndp.link: ICMP6, neighbor solicitation, who has loosened.he.emerson.baker.org, length 32
16:56:19.590663 IP6 flying-pork.link > wantowen.sanguine.emerson.baker.org: ICMP6, neighbor solicitation, who has wantowen.sanguine.emerson.baker.org, length 32
16:56:19.655751 IP6 wantowen.link > dalliance.link: ICMP6, neighbor solicitation, who has dalliance.link, length 32
16:56:19.655771 IP6 wantowen.link > suffragette.link: ICMP6, neighbor solicitation, who has suffragette.link, length 32
16:56:21.645804 IP6 lovelie.link > wantowen.linode.emerson.baker.org: ICMP6, neighbor solicitation, who has wantowen.linode.emerson.baker.org, length 32
16:56:24.599803 IP6 wantowen.link > flying-pork.link: ICMP6, neighbor solicitation, who has flying-pork.link, length 32
16:56:24.663738 IP6 dalliance.link > wantowen.link: ICMP6, neighbor solicitation, who has wantowen.link, length 32
16:56:24.664269 IP6 suffragette.link > wantowen.link: ICMP6, neighbor solicitation, who has wantowen.link, length 32
16:56:26.396510 IP6 lovelie.he.emerson.baker.org > joubijou2.ndp.link: ICMP6, neighbor solicitation, who has joubijou2.he.emerson.baker.org, length 32
16:56:26.897687 IP6 lovelie.sonic.emerson.baker.org > joubijou2.ndp.link: ICMP6, neighbor solicitation, who has joubijou2.sonic.emerson.baker.org, length 32
16:56:29.606825 IP6 flying-pork.link > wantowen.link: ICMP6, neighbor solicitation, who has wantowen.link, length 32