Hi Jakob,

> As someone who has actually /removed/ DNSSEC from some domains after it
> caused serious rippling failures, the brokenness of DNSSEC does not come
> from how often DNSSEC fails to validate valid requests but from how
> easily DNSSEC can crash a domain, making it too risky to deploy.
> Requiring DNSSEC validation for processing of CAA records *does not* mean
> that domains need to deploy DNSSEC.

This is not about whether or not domains should deploy DNSSEC. Domains are in their own right to decide whether or not they see DNSSEC fit for their environment. We are saying that those domains having decided to deploy DNSSEC should get the additional benefits that DNSSEC provides.

>> Requiring DNSSEC validation for processing of CAA records *does not* mean
>> that domains need to deploy DNSSEC.
>
> 5. Denying CAA protection to those who cannot (in practice) deploy
> DNSSEC only makes security worse, not better.
>

I don’t know how to say this any more clearly. CAA protection would still exist for all domains. Those domains that have decided to deploy DNSSEC would get the additional benefits that DNSSEC provides.

Kind regards
Quirin

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
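The exchange above turns on one mechanical point: what a CA does with a CAA lookup whose DNSSEC signatures fail to validate. The following is an added illustration, not code from the thread or from any CA; it models a CA's CAA check in Python over a constructed, in-memory resolver table (no real DNS queries), with RFC 6844 tree climbing but without `issuewild`, the critical flag or CNAME handling. Names such as `signed.example.`, `ca-one.test` and `other-ca.test` are constructed. The `validate_dnssec` switch shows the difference the two policies make: an unsigned zone is handled identically either way, while a signed zone whose answer does not validate is refused by the validating CA instead of being taken at face value.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

@dataclass(frozen=True)
class CaaRecord:
    flags: int
    tag: str
    value: str

# Constructed resolver view: owner name -> (CAA records in the answer, signature state)
#   True  = zone is DNSSEC-signed and the answer validates
#   False = zone is DNSSEC-signed but the answer fails validation (bogus)
#   None  = zone is not signed, so there is nothing to validate
# Names missing from the table behave like NODATA in an unsigned zone.
CONSTRUCTED_DNS: Dict[str, Tuple[List[CaaRecord], Optional[bool]]] = {
    "signed.example.":        ([CaaRecord(0, "issue", "ca-one.test")], True),
    "www.signed.example.":    ([], True),
    # Signed zone, but the answer carries a different CA and does not validate.
    "forged.signed.example.": ([CaaRecord(0, "issue", "other-ca.test")], False),
    "unsigned.example.":      ([CaaRecord(0, "issue", "ca-two.test")], None),
    "app.unsigned.example.":  ([], None),
}

def resolve_caa(name: str, validate_dnssec: bool) -> Tuple[str, List[CaaRecord]]:
    """Return ('ok', records) or ('bogus', []) for one owner name.

    A validating CA treats a failed signature as bogus (SERVFAIL); a
    non-validating CA simply uses whatever records the answer contained.
    """
    records, sig_ok = CONSTRUCTED_DNS.get(name, ([], None))
    if validate_dnssec and sig_ok is False:
        return "bogus", []
    return "ok", records

def owner_chain(fqdn: str) -> Iterator[str]:
    """Yield the FQDN and each of its parents up to (excluding) the root."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."

def relevant_caa(fqdn: str, validate_dnssec: bool) -> Tuple[str, List[CaaRecord]]:
    """RFC 6844 tree climbing: the closest owner name with a CAA RRset wins."""
    for name in owner_chain(fqdn):
        status, records = resolve_caa(name, validate_dnssec)
        if status == "bogus":
            return "bogus", []       # stop climbing; the lookup itself is untrustworthy
        if records:
            return "ok", records
    return "ok", []                  # no CAA anywhere in the chain

def issuance_allowed(fqdn: str, ca_identity: str, validate_dnssec: bool = True) -> bool:
    """Decide whether a CA identified by `ca_identity` may issue for `fqdn`."""
    status, records = relevant_caa(fqdn, validate_dnssec)
    if status == "bogus":
        return False                 # validation failure: refuse rather than guess
    issue_values = [r.value for r in records if r.tag == "issue"]
    if not issue_values:
        return True                  # no issue restriction found
    return ca_identity in issue_values

if __name__ == "__main__":
    for name, ca in [("www.signed.example.", "ca-one.test"),
                     ("forged.signed.example.", "other-ca.test"),
                     ("app.unsigned.example.", "ca-two.test")]:
        print(name, ca,
              "validating:", issuance_allowed(name, ca, True),
              "non-validating:", issuance_allowed(name, ca, False))
```

The unsigned zone gets the same answer under both policies, which is the sense in which CAA protection remains for every domain. Only the signed zone whose answer fails validation is treated differently, and there the validating policy refuses issuance to a CA the zone's real records never named.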