> On 25. Apr 2018, at 16:11, Matthew Hardeman via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> With the right combination of DNSSEC validation, CAA records as utilized 
> today,  […]

Hi all,

I have advertised making DNSSEC validation mandatory for CAA before, but have 
not been met with enthusiasm. 
Main concerns were that there would be too many validation errors, or that 
DNSSEC is broken in general. (cf. related twitter “conversation” including 
Matthew and me [A]).

I agree that requiring DNSSEC validation for CAA would be an important first 
step to provide domain owners strong assurance of at least the CAA step. 
Later, CAA can be extended to control more details about the issuance process 
(I have laid out a couple in [B]). 

Requiring DNSSEC validation for processing of CAA records *does not* mean that 
domains need to deploy DNSSEC. 
It means that those domains that deploy DNSSEC (through a DS record at the 
parent zone) must deploy it correctly to pass CAA processing and hence obtain a 
certificate. 
In other words, those domains deciding to deploy DNSSEC will be guaranteed its 
benefits.

Various facts indicate that the number of broken DNSSEC deployments is small:
        [1] Let’s Encrypt apparently validates DNSSEC for validation
        [2] Major public resolvers return SERVFAIL on broken DNSSEC setups (I 
know of 8.8.8.8, and assume quad9, quad1 as well)
        [3] A corpus of recent scientific studies that reports validation 
errors far below 1% of signed domains [B,C,D]

[1] and [2] suggest that conducting DNSSEC validation does not cause harm at a 
large scale, hence the broken domains found by scientific studies [3] might 
actually not even be in use. 

Kind regards
Quirin

[A] https://twitter.com/_quirins/status/988885865245085696?s=11
[B] https://caastudy.github.io
[C] https://www.usenix.org/node/203653
[D] https://www.semanticscholar.org/paper/Economic-Incentives-on-DNSSEC-Deployment%3A-Time-to-Le-Rijswijk-Deij/8a0cd805e9cafc4198da4120823686042a024420
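The policy described in the message above, as an added example that is not part of the original thread: a CAA tree climb (RFC 6844 style) run against a constructed, in-memory resolver model. Domains without DNSSEC are processed as today; a domain that is signed but whose chain does not validate produces SERVFAIL at a validating resolver, and that is treated as a refusal to issue rather than as "no CAA record". All domain names, CA identifiers and the `Answer`/`ZONES`/`caa_permits` names are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Answer:
    rcode: str = "NOERROR"     # NOERROR, NXDOMAIN or SERVFAIL
    ad: bool = False           # AD bit: resolver validated the DNSSEC chain
    bogus: bool = False        # DS at parent, but signatures do not verify
    caa: list = field(default_factory=list)   # (flags, tag, value) tuples

# Constructed authoritative data for the example; not real domains.
ZONES = {
    "signed.example":       Answer(ad=True, caa=[(0, "issue", "ca-one.example")]),
    "www.signed.example":   Answer(ad=True),
    "broken.example":       Answer(bogus=True, caa=[(0, "issue", "ca-one.example")]),
    "www.broken.example":   Answer(bogus=True),
    "unsigned.example":     Answer(caa=[(0, "issue", "ca-two.example")]),
    "app.unsigned.example": Answer(),
}

def lookup(name, validating):
    """Model of a stub query: a validating resolver turns a bogus chain into
    SERVFAIL (as the public resolvers named in the thread do); a
    non-validating resolver hands back the data regardless."""
    ans = ZONES.get(name, Answer(rcode="NXDOMAIN"))
    if validating and ans.bogus:
        return Answer(rcode="SERVFAIL")
    return ans

def caa_permits(fqdn, ca_id, validating=True):
    """RFC 6844 tree climb: the closest CAA record set decides; no set on
    any ancestor means issuance is permitted. With a validating resolver a
    SERVFAIL anywhere on the climb refuses issuance, because it signals a
    DNSSEC validation failure rather than the absence of CAA."""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        ans = lookup(name, validating)
        if ans.rcode == "SERVFAIL":
            return False, f"refuse: DNSSEC validation failed at {name}"
        if ans.caa:
            allowed = {v for _, tag, v in ans.caa if tag == "issue"}
            verdict = "permit" if ca_id in allowed else "deny"
            return ca_id in allowed, f"CAA at {name} (AD={ans.ad}): {verdict}"
    return True, "no CAA record set found: issuance permitted"
```

Running `caa_permits("www.broken.example", "ca-one.example", validating=False)` shows the contrast: without validation the broken zone's CAA record is read as if it were authentic and issuance is permitted.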
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy