On 25/04/2018 17:06, Quirin Scheitle wrote:
On 25. Apr 2018, at 16:11, Matthew Hardeman via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
With the right combination of DNSSEC validation, CAA records as utilized today,
[…]
Hi all,
I have advertised making DNSSEC validation mandatory for CAA before, bot have
not been met by enthusiasm.
Main concerns were that there would be too many validation errors, or that
DNSSEC is broken in general. (cf. related twitter “conversation” including
Matthew and me [A]).
I agree that requiring DNSSEC validation for CAA would be an important first
step to provide domain owners strong assurance of at least the CAA step.
Later, CAA can be extended to control more details about the issuance process
[I have laid out couple in [B]].
Requiring DNSSEC validation for processing of CAA records *does not* mean that
domains need to deploy DNSSEC.
It means that those domains that deploy DNSSEC (through a DS record at the
parent zone) must deploy it correctly to pass CAA processing and hence obtain a
certificate.
In other words, those domains deciding to deploy DNSSEC will be guaranteed its
benefits.
Various facts indicate that the number of broken DNSSEC deployments is small:
[1] Let’sEncrypt apparently validates DNSSEC for validation
[2] Major public resolvers return SERVFAIL on broken DNSSEC setups (I
know of 8.8.8.8, and assume quad9, quad1 as well)
[3] A corpus of recent scientific studies that reports validation
errors far below 1% of signed domains [B,C,D]
[1] and [2] suggest that conducting DNSSEC validation does not cause harm at a
large scale, hence the broken domains found by scientific studies [3] might
actually not even be in use.
As someone who has actually /removed/ DNSSEC from some domains after it
caused serious ripling failures, the brokenness of DNSSEC does not come
from how often DNSSEC fails to validate valid requests but from how
easily DNSSEC can crash a domain, making it too risky to deploy.
Specifically:
1. DNSSEC treats expired signatures as mandatory failure even if no
non-expired signatures exist. Thus if the domain holder forgets to
renew signatures, the entire domain crashes. Such forgetfulness is
more likely to occur in non-active periods, where the domain holder
isn't (for example) ordering new certificates.
2. There is no system in place (e.g. at registrars) to notify domain
holders that their DNSSEC signatures are about to expire. Thus the
first they might learn of it is when something breaks badly. This is
in contrast to e.g. expiring paid certificates, where CAs are often
happy to send out reminders to renew.
3. If the DNSSEC private keys are stored in a secure offline system,
each renewal of signatures by those keys require at least one manual
intervention (transporting the signature from the off-line system to
something online). This increases the risk of situation 1 happening.
4. Therefore, for any domain holder that values uptime, use of DNSSEC is
often a non-option, just like some other "recent" security standards
that are similarly unforgiving.
5. Denying CAA protection to those who cannot (in practice) deploy
DNSSEC only makes security worse, not better.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy