DNS CAA record type for dns_get_record implementation and tests #2272
Conversation
I'm stuck progressing this - the subscriptions page is broken, so I can't subscribe to internals@ in order to move this on. Do you know who can fix that?
(sidenote: you should be able to subscribe by sending a mail to php-internals-subscribe@lists....)
Looks like subscriptions are working now, thanks for the tips.
I spoke too soon - though the subscriptions page doesn't give an error any more, it doesn't send me a confirmation message. Sending to
Tried the subscribe page again, it looks up to me now?
The page is up, and says it is ok if you submit a request, but nothing is actually sent. listserv addresses don't respond either.
@Synchro our systems seem to be working (re internals), have you had any luck yet?
It's giving the same error I posted above again now. Tried both my normal and gmail addresses.
@Synchro the spam filters are temporarily disabled, it may be worth having another go?
Had another go - still giving that error. It would be odd for this to be affected by spam filters - it's an outbound, system-generated message, not normally the kind of thing you'd filter.
Still down 😢
While the ML issue still needs to be fixed ... I don't think this change requires an RFC or even internals discussion. This is just adding support for a standardized DNS record type we did not previously handle. Someone just needs to review and test this and it should be good to go.
Well that's good to hear, @nikic! While it works for me, and the tests run OK, it could definitely use a review as I know very little about PHP internals. It would also be better to get it to run the tests against a PHP domain rather than google, but that obviously requires that the domain have a reliable CAA record, though it could just be made up of course. I can write docs to go with it too.
I'm not entirely convinced it is a standard record at all, I don't see a way to create one in google domains. In addition this says it is ignored by some CAs, including very popular ones. Since we obviously don't know why it's not widely used, I think a discussion is in order: If this is destined to be ignored, or superseded by something else, we might be wasting time adding support for it. Opinions are incoming ... I seem to be wrong ;)
Summarising a discussion from elsewhere:
Very happy to be wrong about that ... I wanted a discussion and got one, of sorts ... so 👍 from me ... Can someone do some testing, possibly design a test, possibly poke someone at systems to add a record to a machine we control ... would feel better about merging if it has a test in our suite, but someone saying they have tested it on their own network will suffice.
(thanks @DaveRandom - I was busy writing this when you posted, but I'll post anyway...) It's been around for 3 years and it's definitely a standard - RFC6844. It's one of those things that you can't start using until your tools support it, and given the number of control-panel type apps written in PHP, it would be useful in PHP. It's designed specifically to avoid certificate mis-issuance problems like this and this. It provides a partial alternative to HPKP, which is difficult, risky, and limited to HTTP - CAA also applies to email and many other protocols that can use TLS. Support for it is growing - it was just added to Qualys' SSL Labs test suite, letsencrypt added it, most major DNS servers have added support. Major CAs have announced support for it (they were part of the standards body that defined it) including Actalis, ANF, Buypass, Chunghwa Telecom, Comodo, DigiCert, Disig, Entrust, GlobalSign, GoDaddy, Google, Logius PKIoverheid, Microsoft, Mozilla, Opentrust, Opera, SECOM Trust Systems, SSC, Symantec, Thawte, Trend Micro, Trustis, TWCA, WoSign, etc.
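To make concrete what the record type discussed in this thread actually carries and how a CA is supposed to act on it, here is an added example (written for this page, not code from the PR, from php-src or from any of the commenters) that decodes CAA RDATA as laid out in RFC 6844 section 5.1 (flags octet, tag-length octet, tag, value) and applies the issuance rule from RFC 6844 section 4, with the RFC 8659 clarification that an unknown tag carrying the critical bit forbids issuance. The zone, host names and CA names below are constructed so the code runs offline; nothing is looked up in DNS.

```python
"""CAA record (RFC 6844) parsing and issuance policy check.

Example added to this thread; not code from the PR or from php-src.
Wire layout per RFC 6844 section 5.1: flags octet, tag-length octet,
tag, then the value to the end of the RDATA. Policy per RFC 6844
section 4, plus the RFC 8659 rule that an unknown tag with the
critical bit set forbids issuance. All zone data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

CRITICAL = 0x80  # "issuer critical" flag: high bit of the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str    # lower-cased; tags are case-insensitive
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL)


def parse_caa_rdata(rdata: bytes) -> CAA:
    """Decode one CAA RDATA blob; raises ValueError on malformed input."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA shorter than flags + tag length")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("CAA tag length out of range")
    tag = rdata[2:2 + tag_len]
    if not tag.isalnum():  # RFC 6844: US-ASCII letters and digits only
        raise ValueError("CAA tag is not alphanumeric ASCII")
    value = rdata[2 + tag_len:]
    return CAA(flags, tag.decode("ascii").lower(), value.decode("utf-8", "replace"))


def encode_caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Inverse of parse_caa_rdata; used to build the constructed zone."""
    tag_bytes = tag.encode("ascii")
    return bytes([flags & 0xFF, len(tag_bytes)]) + tag_bytes + value.encode("utf-8")


def relevant_rrset(zone: Dict[str, List[CAA]], name: str) -> List[CAA]:
    """Climb from the name towards the root and return the first non-empty
    CAA RRset (RFC 6844 section 4). A leading '*' label is dropped first."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_of(value: str) -> str:
    """'ca.example; account=42' -> 'ca.example'. An empty issuer (';')
    means no CA is authorised."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: Dict[str, List[CAA]], name: str, ca: str) -> bool:
    """Decide whether CA `ca` may issue a certificate for `name`."""
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance unrestricted
    if any(r.critical and r.tag not in KNOWN_TAGS for r in rrset):
        return False  # unknown critical property: MUST NOT issue
    wildcard = name.startswith("*.")
    # issuewild takes precedence for wildcard names; otherwise issue applies
    for tag in (["issuewild", "issue"] if wildcard else ["issue"]):
        matches = [r for r in rrset if r.tag == tag]
        if matches:
            return ca.lower() in {issuer_of(r.value) for r in matches}
    return True  # only iodef (or nothing relevant): no restriction


# Constructed sample zone, stored as decoded records.
SAMPLE_ZONE = {
    "example.com": [
        parse_caa_rdata(encode_caa_rdata(0, "issue", "letsencrypt.org")),
        parse_caa_rdata(encode_caa_rdata(0, "issuewild", ";")),
        parse_caa_rdata(encode_caa_rdata(0, "iodef", "mailto:security@example.com")),
    ],
    "locked.example.com": [
        parse_caa_rdata(encode_caa_rdata(CRITICAL, "futuretag", "opaque")),
    ],
}

if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("locked.example.com", "letsencrypt.org"),
                     ("unrelated.test", "letsencrypt.org")]:
        print(f"{ca:16} for {host:20} -> {may_issue(SAMPLE_ZONE, host, ca)}")
```

The two checks worth noticing are the ones a naive implementation gets wrong: an `issuewild` record with an empty issuer (`;`) blocks wildcard issuance even though `issue` names a CA, and a record with the critical bit and a tag the checker does not understand blocks issuance outright. The PHP function this PR adds returns each CAA record's flags, tag and value as separate array elements (per the PHP manual, not shown in this thread), so a control panel written in PHP can feed that output into a check of this shape instead of parsing the wire format itself.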
While working on this, I found that PEAR's Net_DNS2 package had support for CAA, though I was apparently the first to ever use it, since it was broken!
Since there is a test, although using external servers, and since I've tested, and since CI passed, and since you've been waiting two weeks for action that could have taken a day, I've merged. Thanks, sorry about the wait ;)
Thank you! My first php-src contrib! I'll see about docs to go with it now. |
If you do the docs change on edit.php.net and ping me on this thread, I'll merge that for you |
@Synchro found it, merged, thanks ;) |
@Synchro Please also add an entry to the changelog lower on the page. |
It looks like my earlier edit was accepted, thanks. I've added a changelog entry - I don't know what version this will go into, so I took a guess at 7.2.0 - or would it be rolled into 7.1.x? |
It will be in 7.0.16+ |
OK, that's done. Thanks everyone for helping out on this. |
Committed changelog, thanks :) |
For https://bugs.php.net/bug.php?id=73850
RFC to follow!