On Wed, Apr 25, 2018 at 11:01 AM, Quirin Scheitle via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> This is not about whether or not domains should deploy DNSSEC.
> Domains are in their own right to decide whether or not they see DNSSEC fit for their environment.
>
> We are saying that those domains having decided to deploy DNSSEC should get the additional benefits that DNSSEC provides.
>
> I don’t know how to say this any more clearly.
> CAA protection would still exist for all domains.
> Those domains that have decided to deploy DNSSEC would get the additional benefits that DNSSEC provides.

This really cannot be overemphasized. No one is suggesting that domain holders be forced to implement DNSSEC. What is being suggested is that ALL CAs be forced to abide by formal DNSSEC validation for those domains which have deployed DNSSEC, as demonstrated by the presence of DS records deployed on the domain's label at the TLD name servers.

Regarding the likelihood of DNSSEC implementation causing problems when implemented, this is evidently a small enough problem that one of the largest (or maybe the largest) retail ISPs in the USA formally validates DNSSEC records on their customer-facing recursive DNS servers. Comcast subscribers with default router/configuration will not resolve a DNS query on a domain with DNSSEC implemented and for which there exists a DNSSEC error of any critical sort. That alone should be sufficient support for the notion that DNSSEC can be deployed in a sufficiently stable manner that third parties may rely upon it where enabled.

Furthermore, as was pointed out, Let's Encrypt and quite a number of other CAs are already enforcing DNSSEC validation on CAA queries. I suspect it's not a significant cause of failures.

If we can just get CAA record checking to require DNSSEC validation and then make one further change -- allowing CAA to further restrict acceptable DV methods -- domain holders will finally have a reasonable way to secure against other parties achieving certificate acquisition for their domain assets.
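As an added example (not code from this thread or from any CA), here is the issuance check the post argues for: RFC 8659 CAA tree-climbing over a constructed set of resolver answers, refusing issuance when a domain that has a DS record gets back an unauthenticated CAA answer (no AD bit) or a validation failure. The ZONE data, the SIGNED set and the CA identities are constructed assumptions, standing in for a real validating resolver.

```python
from dataclasses import dataclass

@dataclass
class CaaRecord:
    flags: int   # bit 7 (value 128) marks the property as issuer-critical
    tag: str
    value: str

# Constructed stand-in for answers from a DNSSEC-validating resolver (not real DNS data):
# name -> (AD bit, CAA records); None models SERVFAIL returned for a bogus signature.
ZONE = {
    "example.com.": (True, [CaaRecord(0, "issue", "ca-one.example"),
                            CaaRecord(0, "issuewild", ";")]),
    "stripped.example.com.": (False, [CaaRecord(0, "issue", "ca-one.example")]),
    "broken.example.com.": None,
    "unsigned.test.": (False, [CaaRecord(0, "issue", "ca-one.example")]),
}
SIGNED = {"example.com."}   # constructed: domains with a DS record at the parent

def is_signed(name, signed=SIGNED):
    return any(name == d or name.endswith("." + d) for d in signed)

def lookup_caa(name, zone=ZONE):
    """RFC 8659 tree climb: query name, then each parent, until a non-empty CAA RRset is found."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        answer = zone.get(candidate, (True, []))
        if answer is None:
            raise LookupError(f"DNSSEC validation failed at {candidate}")
        ad_bit, records = answer
        if records:
            return ad_bit, records
    return True, []

def may_issue(name, ca_identity, wildcard=False, zone=ZONE, signed=SIGNED):
    """True only if CAA, evaluated under the DNSSEC rule argued in the post, permits ca_identity."""
    try:
        ad_bit, records = lookup_caa(name, zone)
    except LookupError:
        return False            # bogus answer: fail closed, never treat it as "no CAA record"
    if is_signed(name, signed) and not ad_bit:
        return False            # DS exists but the answer is unauthenticated: do not trust it
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild") for r in records):
        return False            # unrecognised critical property: RFC 8659 requires refusal
    use_wild = wildcard and any(r.tag == "issuewild" for r in records)
    relevant = [r for r in records if r.tag == ("issuewild" if use_wild else "issue")]
    if not relevant:
        return True             # no applicable property: CAA places no restriction
    return any(r.value.split(";")[0].strip() == ca_identity for r in relevant)
```

Note that an unsigned domain (no DS) is still evaluated on its plain CAA answer, which is the "CAA protection would still exist for all domains" point made above.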