> On 25. Apr 2018, at 16:11, Matthew Hardeman via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> With the right combination of DNSSEC validation, CAA records as utilized
> today, […]
Hi all,

I have advertised making DNSSEC validation mandatory for CAA before, but have not been met with enthusiasm. Main concerns were that there would be too many validation errors, or that DNSSEC is broken in general (cf. the related Twitter "conversation" including Matthew and me [A]).

I agree that requiring DNSSEC validation for CAA would be an important first step to provide domain owners strong assurance of at least the CAA step. Later, CAA can be extended to control more details about the issuance process [I have laid out a couple in [B]].

Requiring DNSSEC validation for processing of CAA records *does not* mean that domains need to deploy DNSSEC. It means that those domains that deploy DNSSEC (through a DS record at the parent zone) must deploy it correctly to pass CAA processing and hence obtain a certificate. In other words, those domains deciding to deploy DNSSEC will be guaranteed its benefits.

Various facts indicate that the number of broken DNSSEC deployments is small:

[1] Let's Encrypt apparently validates DNSSEC for validation
[2] Major public resolvers return SERVFAIL on broken DNSSEC setups (I know of 8.8.8.8, and assume Quad9 and Quad1 as well)
[3] A corpus of recent scientific studies that reports validation errors far below 1% of signed domains [B,C,D]

[1] and [2] suggest that conducting DNSSEC validation does not cause harm at a large scale, hence the broken domains found by scientific studies [3] might actually not even be in use.

Kind regards
Quirin

[A] https://twitter.com/_quirins/status/988885865245085696?s=11
[B] https://caastudy.github.io
[C] https://www.usenix.org/node/203653
[D] https://www.semanticscholar.org/paper/Economic-Incentives-on-DNSSEC-Deployment%3A-Time-to-Le-Rijswijk-Deij/8a0cd805e9cafc4198da4120823686042a024420

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
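The rule proposed in the message above (a zone that has published a DS record must validate before its CAA records count; an unsigned zone is processed as it is today; a SERVFAIL blocks issuance) can be made concrete in code. The following is an added Python example written for this page, not code from the thread, from Let's Encrypt or from any CA. It decodes CAA RDATA in the RFC 8659 wire format and then applies the issuance decision to a constructed lookup result. The `CAALookup` type, its `zone_signed`/`validated`/`servfail` fields, the sample records and the domain `ca.example.net` are all assumptions made up for the example; the RFC 8659 tree-climbing search for the relevant CAA RRset is assumed to have been done already.

```python
"""Added example: CAA RDATA parsing plus a DNSSEC-gated issuance check.

Not code from the mailing-list thread or from any CA; all sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

CAA_FLAG_CRITICAL = 0x80  # RFC 8659 section 4.1: issuer-critical flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CAA_FLAG_CRITICAL)


def parse_caa_rdata(rdata: bytes) -> CAARecord:
    """Decode CAA RDATA: flags (1 octet), tag length (1 octet), tag, value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("CAA tag length out of range")
    tag = rdata[2:2 + tag_len].decode("ascii")
    if not tag.isalnum():
        raise ValueError("CAA tag must be alphanumeric")
    value = rdata[2 + tag_len:].decode("utf-8")
    # Tags are case-insensitive (RFC 8659 section 4.1); normalise once here.
    return CAARecord(flags, tag.lower(), value)


def encode_caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Inverse of parse_caa_rdata; used only to build the constructed samples."""
    tag_b = tag.encode("ascii")
    return bytes([flags & 0xFF, len(tag_b)]) + tag_b + value.encode("utf-8")


@dataclass
class CAALookup:
    """Assumed stand-in for the outcome of a CA's validating CAA lookup.

    records:      CAA RRs found by the RFC 8659 tree-climbing search (assumed done).
    zone_signed:  a DS record exists at the parent, i.e. the owner deployed DNSSEC.
    validated:    the resolver verified the DNSSEC chain (e.g. AD bit set).
    servfail:     the resolver refused to answer, as validating public resolvers do
                  for a broken signed zone.
    """
    records: List[CAARecord] = field(default_factory=list)
    zone_signed: bool = False
    validated: bool = False
    servfail: bool = False


def caa_permits_issuance(lookup: CAALookup, ca_domain: str,
                         wildcard: bool = False) -> Tuple[bool, str]:
    """Apply the proposed rule: a signed zone must validate, an unsigned zone is
    processed as today, and a failed lookup never permits issuance."""
    if lookup.servfail:
        return False, "CAA lookup failed (SERVFAIL); cannot issue"
    if lookup.zone_signed and not lookup.validated:
        return False, "zone is DNSSEC-signed but failed validation; cannot issue"

    known = {"issue", "issuewild", "iodef"}
    for rec in lookup.records:
        # RFC 8659 section 4.1: an unrecognised critical property forbids issuance.
        if rec.critical and rec.tag not in known:
            return False, f"unrecognised critical CAA tag {rec.tag!r}; cannot issue"

    issue = [r for r in lookup.records if r.tag == "issue"]
    issuewild = [r for r in lookup.records if r.tag == "issuewild"]
    # issuewild takes precedence for wildcard requests only when it is present.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, "no applicable CAA restriction"

    for rec in relevant:
        # The issuer domain precedes the first ';'; parameters after it are ignored here.
        issuer = rec.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True, f"authorised by CAA {rec.tag} {rec.value!r}"
    return False, "CAA present but does not authorise this CA"


# Constructed sample data (not real zone contents).
SAMPLE_RECORDS = [
    parse_caa_rdata(encode_caa_rdata(0, "issue", "ca.example.net")),
    parse_caa_rdata(encode_caa_rdata(0, "issuewild", ";")),  # forbid all wildcards
]
UNSIGNED_ZONE = CAALookup(records=SAMPLE_RECORDS)
SIGNED_VALID = CAALookup(records=SAMPLE_RECORDS, zone_signed=True, validated=True)
SIGNED_BROKEN = CAALookup(records=SAMPLE_RECORDS, zone_signed=True, validated=False)

if __name__ == "__main__":
    for name, lookup in [("unsigned", UNSIGNED_ZONE), ("signed+valid", SIGNED_VALID),
                         ("signed+broken", SIGNED_BROKEN)]:
        print(name, caa_permits_issuance(lookup, "ca.example.net"))
        print(name, "wildcard", caa_permits_issuance(lookup, "ca.example.net", wildcard=True))
```

The three sample lookups show the point of the proposal: the unsigned zone and the correctly signed zone both authorise `ca.example.net` exactly as CAA does today, while the signed-but-broken zone is refused even though its CAA records name the CA, because an unvalidated answer for a DNSSEC-deploying zone is exactly the case the owner's signing was meant to protect.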