On 13/09/17 23:57, Matthew Hardeman wrote: > This is especially the case for CAA records, which have an explicit security > function: controlling, at a minimum, who may issue publicly trusted > certificates for a given FQDN.
I'd be interested in your engagement on my brief threat modelling; it seems to me that DNSSEC only adds value in the scenario where an attacker has some control of CA Foo's issuance process, but not enough to override the CAA check internally, but it also has enough control of the network (either at the target, or at the CA) to spoof DNS responses to defeat CAA. That seems on the surface like a rare scenario. Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy