On 25/04/2018 17:06, Quirin Scheitle wrote:
On 25. Apr 2018, at 16:11, Matthew Hardeman via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: With the right combination of DNSSEC validation, CAA records as utilized today, […]Hi all, I have advertised making DNSSEC validation mandatory for CAA before, bot have not been met by enthusiasm. Main concerns were that there would be too many validation errors, or that DNSSEC is broken in general. (cf. related twitter “conversation” including Matthew and me [A]). I agree that requiring DNSSEC validation for CAA would be an important first step to provide domain owners strong assurance of at least the CAA step. Later, CAA can be extended to control more details about the issuance process [I have laid out couple in [B]]. Requiring DNSSEC validation for processing of CAA records *does not* mean that domains need to deploy DNSSEC. It means that those domains that deploy DNSSEC (through a DS record at the parent zone) must deploy it correctly to pass CAA processing and hence obtain a certificate. In other words, those domains deciding to deploy DNSSEC will be guaranteed its benefits. Various facts indicate that the number of broken DNSSEC deployments is small: [1] Let’sEncrypt apparently validates DNSSEC for validation [2] Major public resolvers return SERVFAIL on broken DNSSEC setups (I know of 8.8.8.8, and assume quad9, quad1 as well) [3] A corpus of recent scientific studies that reports validation errors far below 1% of signed domains [B,C,D] [1] and [2] suggest that conducting DNSSEC validation does not cause harm at a large scale, hence the broken domains found by scientific studies [3] might actually not even be in use.
As someone who has actually /removed/ DNSSEC from some domains after it caused serious ripling failures, the brokenness of DNSSEC does not come from how often DNSSEC fails to validate valid requests but from how easily DNSSEC can crash a domain, making it too risky to deploy. Specifically: 1. DNSSEC treats expired signatures as mandatory failure even if no non-expired signatures exist. Thus if the domain holder forgets to renew signatures, the entire domain crashes. Such forgetfulness is more likely to occur in non-active periods, where the domain holder isn't (for example) ordering new certificates. 2. There is no system in place (e.g. at registrars) to notify domain holders that their DNSSEC signatures are about to expire. Thus the first they might learn of it is when something breaks badly. This is in contrast to e.g. expiring paid certificates, where CAs are often happy to send out reminders to renew. 3. If the DNSSEC private keys are stored in a secure offline system, each renewal of signatures by those keys require at least one manual intervention (transporting the signature from the off-line system to something online). This increases the risk of situation 1 happening. 4. Therefore, for any domain holder that values uptime, use of DNSSEC is often a non-option, just like some other "recent" security standards that are similarly unforgiving. 5. Denying CAA protection to those who cannot (in practice) deploy DNSSEC only makes security worse, not better. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
