For a little more context, the idea is that we can speed up the CAA check for all customers while working with those who have DNSSEC to make sure they aren't killing performance. If there's a way to group them easily into buckets (timeout + quick does DNSSEC exist check), working on improving the experience for that particular set of customers is easier. That bucket can then be improved later.
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org] On Behalf Of Jeremy Rowley via dev-security-policy
Sent: Monday, September 11, 2017 2:56 PM
To: Nick Lamb <tialara...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: CAA Certificate Problem Report

I think that's the opposite of what I'm saying. CAs don't need to do DNSSEC provided 1) they don't want to issue certs where DNSSEC is implemented, 2) the CAA record check times out, and 3) there is a way to check if DNSSEC is present without doing the entire chain validation. #3 is what I'm not sure of.

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org] On Behalf Of Nick Lamb via dev-security-policy
Sent: Monday, September 11, 2017 2:52 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: CAA Certificate Problem Report

On Monday, 11 September 2017 18:33:24 UTC+1, Jeremy Rowley wrote:
> That's the entire corpus of information related to DNSSEC in the BRs. Under 4
> and 5, we successfully returned a DNS record. The lookup didn't fail so the
> sentence "the domain's zone does not have a DNSSEC validation chain to the
> ICANN root" doesn't apply. There is no need to check the DNSSEC validation
> chain in this case.

Mmm. So your belief is that you're not actually required to do DNSSEC here at all?

If Honest Achmed is asked to issue for example.com, he can do a plain (non-DNSSEC) lookup, receive a spoofed "0 answers" for CAA on example.com, and issue on that basis, never needing to investigate whether example.com has DNSSEC enabled (it does), let alone whether the CAA response was properly signed?

I guess if that's the common interpretation of this document at least it'd be good to understand which CAs are vulnerable in this way. Of course, even if you know this it's pointless to exclude them using CAA, they'll accept a spoofed answer...

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
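The scenario the thread argues about, as an added worked example (this is not code from the thread, from DigiCert or from any CA's CAA checker). It models the RFC 6844 tree-climbing CAA lookup against a constructed in-memory resolver, so the two cases can be run offline: a plain lookup that receives a forged "0 answers" for a DNSSEC-signed name, and a lookup that times out. The names (example.com, www.unsigned.test, honest-achmed.example), the CAA data and the attacker behaviour are constructed; the "quick does DNSSEC exist" test (option #3 above) is assumed here to mean "is there a DS record for some ancestor zone", which is only one possible reading of it.

```python
# Added example, not code from the thread or from any CA. It models the CAA
# check being discussed against a constructed in-memory resolver so the
# "spoofed 0 answers" case and the timeout rule can be exercised offline.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# DNSSEC status a validating resolver attaches to a response.
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass
class Answer:
    issuers: List[str]      # domains named in CAA "issue" records; [] = no records
    status: str             # SECURE / INSECURE / BOGUS
    timed_out: bool = False


class FakeResolver:
    """Stand-in for DNS. `caa` maps a name to the issuer domains its CAA
    "issue" records allow; `signed` holds zone apexes that have a DS record
    in their parent (a DNSSEC chain to the root); `timeouts` are names whose
    lookup never returns; `spoof_empty` are names for which an on-path
    attacker injects an empty answer. All data is constructed."""

    def __init__(self, caa: Dict[str, List[str]], signed: Set[str],
                 timeouts: Set[str] = frozenset(),
                 spoof_empty: Set[str] = frozenset()) -> None:
        self.caa, self.signed = caa, signed
        self.timeouts, self.spoof_empty = timeouts, spoof_empty

    def has_dnssec(self, name: str) -> bool:
        """Cheap presence check: does any ancestor zone have a DS record?
        Assumed reading of the thread's 'quick does DNSSEC exist' test; it
        validates nothing, it only says whether a chain should exist."""
        labels = name.split(".")
        return any(".".join(labels[i:]) in self.signed for i in range(len(labels)))

    def query_caa(self, name: str, validate: bool) -> Answer:
        if name in self.timeouts:
            return Answer([], INSECURE, timed_out=True)
        in_signed_zone = self.has_dnssec(name)
        if name in self.spoof_empty:
            # A forged empty response carries no valid RRSIG/NSEC. A validating
            # resolver marks it BOGUS for a signed zone; a plain resolver just
            # sees "0 answers", exactly like a genuine NODATA.
            return Answer([], BOGUS if (validate and in_signed_zone) else INSECURE)
        return Answer(list(self.caa.get(name, [])),
                      SECURE if (validate and in_signed_zone) else INSECURE)


def caa_permits_issuance(resolver: FakeResolver, fqdn: str, ca_domain: str,
                         validate: bool) -> Optional[bool]:
    """RFC 6844 tree climb: query CAA at fqdn, then at each parent, stopping
    at the first name that has CAA records. Returns True (may issue), False
    (CAA forbids this CA) or None (lookup failed and the failure may not be
    treated as permission)."""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        ans = resolver.query_caa(name, validate)
        if ans.timed_out:
            # The rule quoted in the thread: a failed lookup may be treated as
            # permission only when the zone has no DNSSEC chain to the root.
            return None if resolver.has_dnssec(name) else True
        if ans.status == BOGUS:
            return None             # validation failed: do not trust the answer
        if ans.issuers:
            return ca_domain in ans.issuers
    return True                     # no CAA records anywhere: unrestricted


# Constructed data: example.com is DNSSEC-signed and allows a single issuer.
AUTH_CAA = {"example.com": ["letsencrypt.org"]}
SIGNED = {"example.com"}


def demo() -> dict:
    honest = FakeResolver(AUTH_CAA, SIGNED)
    # On-path attacker answers "0 records" for the name and its parent.
    spoofed = FakeResolver(AUTH_CAA, SIGNED,
                           spoof_empty={"www.example.com", "example.com"})
    name, other_ca = "www.example.com", "honest-achmed.example"  # constructed
    return {
        "honest_allowed_ca": caa_permits_issuance(honest, name, "letsencrypt.org", False),
        "honest_other_ca": caa_permits_issuance(honest, name, other_ca, False),
        # Plain lookup + forged empty answer: the excluded CA believes it may issue.
        "spoofed_no_validation": caa_permits_issuance(spoofed, name, other_ca, False),
        # Validating lookup: the forged answer is bogus and issuance is blocked.
        "spoofed_with_validation": caa_permits_issuance(spoofed, name, other_ca, True),
        # Timeouts: may be treated as permission only for a zone with no DS chain.
        "timeout_unsigned": caa_permits_issuance(
            FakeResolver({}, set(), timeouts={"unsigned.test"}),
            "www.unsigned.test", other_ca, False),
        "timeout_signed": caa_permits_issuance(
            FakeResolver(AUTH_CAA, SIGNED, timeouts={"example.com"}),
            name, "letsencrypt.org", False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The `spoofed_no_validation` case is the one Nick describes: with `validate=False` the climb passes straight through two forged empty answers and reaches the TLD with no CAA record seen, so the CA concludes it is unrestricted. The same forged answers come back as `BOGUS` once the response is validated. The two timeout cases show the cheaper DS-presence check deciding whether the quoted "no DNSSEC validation chain" exception may be applied at all, without validating any signature.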