On Mon, Mar 13, 2017 at 02:00:40PM -0700, Jacob Hoffman-Andrews wrote:

> > by CA/B forum as a "recommendation", which meant that the constraint
> > was meaningless. Rumour has it that CAA will soon be a requirement,
> > so I've now published CAA records. The CAA check is/was easy to
> > make and crippling it by not making it a requirement was IMNSHO a
> > mistake.
>
> I think by this you mean that the CA/Browser Forum should have mandated
> CAA support in its Baseline Requirements, back when it first adopted CAA
> as "recommended." Is that right?

Yes.

> I think the analogous goal here is that you'd like the CA/Browser Forum
> to mandate use of a DNSSEC-validating recursive resolver during
> DNS-based validation procedures.

No, dragging the CA/B forum into this discussion (by way of analogy) was
perhaps a mistake. What I am trying to say is that wiggle room to not do
DNSSEC in ACME serves no purpose. ACME should *require* DNSSEC resolvers
in *ACME-conformant* CAs.

> That's great! However, I don't think mandating use of a DNSSEC-validating
> resolver in the ACME spec will achieve that goal, since the CA/Browser
> Forum is not planning to mandate use of the ACME spec.

Convincing non-ACME CAs that issue DV certs to use DNSSEC for DNS
challenges is a separate issue (a windmill for my Quixotic battles) and
is out of scope for this group. So, one thing at a time: I urge the ACME
WG to require DNSSEC for DNS challenges, so that the security of
DNSSEC-signed domains is not downgraded by ACME CAs negligently running
security-oblivious resolvers.

--
Viktor.
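A CA-side check of the kind this position implies, as an added example that is not code from the thread, the ACME WG or any CA: it classifies a DNS-01 lookup reply by the DNSSEC status a validating resolver reports (RFC 4035 AD bit and SERVFAIL semantics) and refuses to compare a TXT answer the resolver did not vouch for. It assumes the CA sends its queries with DO=1 to a trusted local validating resolver, so the AD bit is meaningful; the `make_header` helper and all replies below are constructed test input.

```python
"""Gate ACME DNS-01 validation on the resolver's DNSSEC result.

Added example (not from the ACME thread). Assumes a trusted, local
validating resolver queried with DO=1; an AD bit relayed by an untrusted
resolver proves nothing and must not be used this way.
"""
import struct

FLAG_QR = 0x8000       # response bit
FLAG_AD = 0x0020       # Authenticated Data (RFC 4035)
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def make_header(ident: int, flags: int, ancount: int) -> bytes:
    """Build a 12-byte DNS header: constructed test input, no real traffic."""
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 0)


def dnssec_status(msg: bytes) -> str:
    """Return 'secure', 'insecure', 'bogus', 'nodata' or 'error'.

    A validating resolver answers a signed zone with AD=1, an unsigned
    zone with AD=0, and a zone whose signatures fail with SERVFAIL, so a
    forged record never reaches the CA as an ordinary answer.
    """
    if len(msg) < 12:
        return "error"                      # truncated, cannot judge
    _, flags, _, ancount, _, _ = struct.unpack("!6H", msg[:12])
    if not flags & FLAG_QR:
        return "error"                      # not a response at all
    rcode = flags & RCODE_MASK
    if rcode == RCODE_SERVFAIL:
        return "bogus"                      # validation failed upstream
    if rcode != RCODE_NOERROR or ancount == 0:
        return "nodata"                     # NXDOMAIN or empty answer
    return "secure" if flags & FLAG_AD else "insecure"


def resolver_is_validating(probe_reply: bytes) -> bool:
    """Start-up self-check: a reply for a name known to be DNSSEC-signed
    must carry AD=1, otherwise the configured resolver is not validating."""
    return dnssec_status(probe_reply) == "secure"


def may_use_dns01_answer(msg: bytes) -> bool:
    """Only a secure or provably-unsigned answer may be compared against
    the ACME key authorization; bogus and failed lookups are refused."""
    return dnssec_status(msg) in ("secure", "insecure")
```

Run `resolver_is_validating` against a reply for a known-signed name before any challenge is checked; a resolver that never sets AD is exactly the security-oblivious case the message argues ACME should not permit.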