On 25/04/2018 18:01, Quirin Scheitle wrote:
> Hi Jakob,
> 
>> As someone who has actually /removed/ DNSSEC from some domains after it
>> caused serious rippling failures, the brokenness of DNSSEC does not come
>> from how often DNSSEC fails to validate valid requests but from how
>> easily DNSSEC can crash a domain, making it too risky to deploy.
> Requiring DNSSEC validation for processing of CAA records *does not* mean that
> domains need to deploy DNSSEC.
> 
> This is not about whether or not domains should deploy DNSSEC.
> Domains are in their own right to decide whether or not they see DNSSEC fit
> for their environment.
> 
> We are saying that those domains having decided to deploy DNSSEC should get the
> additional benefits that DNSSEC provides.


Thanks, your wording was a bit vague.

I fully agree that CAs should do DNSSEC checking when resolving any
DNSSEC-protected CAA records, and I think they should also do that for
all other DNSSEC-protected DNS records used in validation, including
customer DNS records (e.g. for ACME DNS validation), indirectly used
customer DNS records (e.g. A records for tested web servers, MX+A
records of tested mail servers) and non-customer DNS records (e.g. DNS
records of whois servers, DNS records for downloading any 3rd party
blocklists).



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
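Added example (not from the thread, and not any CA's or Mozilla's code): what the CAA check the two posters agree on looks like when a CA's validation pipeline processes a resolver's answer. The CA-side rule is the one Quirin describes: if the CA has already established (from a validated DS chain) that the zone is DNSSEC-signed, an answer the resolver did not mark as validated (AD bit clear, RFC 4035 section 3.2.3) is treated as a lookup failure; an unsigned zone's answer is simply insecure and is used as-is, so nobody is forced to sign. The DNS messages below are constructed inline in wire format so the script runs offline; the zone names and the CA name `example-ca.test` are made up, `zone_signed` is a hypothetical input standing in for the DS-chain result, and the message is assumed to already be the relevant RRset after the RFC 8659 parent climb (the climb itself is not implemented here).

```python
import struct

CAA_TYPE = 257          # RFC 8659
IN_CLASS = 1
FLAG_AD = 0x0020        # Authentic Data: resolver validated the answer
FLAG_CD = 0x0010        # Checking Disabled: caller asked for unvalidated data
FLAG_CRITICAL = 0x80    # CAA issuer-critical flag
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def caa_rdata(flags, tag, value):
    tag_b = tag.encode("ascii")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("ascii")


def build_response(qname, caa_records, ad, rcode=0):
    """Constructed response (sample data, not a capture): QR/RD/RA set, one
    question, CAA answers, no name compression. `ad` is what the resolver
    would set when it validated the answer."""
    flags = 0x8180 | (FLAG_AD if ad else 0) | (rcode & 0xF)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(caa_records), 0, 0)
    q = encode_name(qname) + struct.pack("!HH", CAA_TYPE, IN_CLASS)
    ans = b"".join(encode_name(qname)
                   + struct.pack("!HHIH", CAA_TYPE, IN_CLASS, 3600, len(r)) + r
                   for r in caa_records)
    return hdr + q + ans


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return (header dict, list of (flags, tag, value) for CAA answers)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    caa = []
    for _ in range(an):
        _name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == CAA_TYPE:
            taglen = rdata[1]
            caa.append((rdata[0], rdata[2:2 + taglen].decode("ascii").lower(),
                        rdata[2 + taglen:].decode("ascii")))
    return {"ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "rcode": flags & 0xF}, caa


def caa_permits_issuance(msg, zone_signed, ca_domain):
    """zone_signed (hypothetical input): the CA determined from a validated DS
    chain that the zone is DNSSEC-signed. Non-wildcard issuance only.
    Returns (permitted, reason)."""
    hdr, caa = parse_response(msg)
    if hdr["rcode"] not in (0, 3):                  # NOERROR / NXDOMAIN only
        return False, "lookup failure, rcode %d" % hdr["rcode"]
    if hdr["cd"]:
        return False, "CD set: this answer was never validated"
    if zone_signed and not hdr["ad"]:
        # Signed zone but unvalidated answer: indistinguishable from a forged
        # one, so the CA must treat it as a failed lookup, not as "no CAA".
        return False, "signed zone, answer not validated (AD clear)"
    for flags, tag, _ in caa:
        if flags & FLAG_CRITICAL and tag not in KNOWN_TAGS:
            return False, "unknown critical property %r" % tag
    issuers = [v.split(";")[0].strip().lower()
               for _f, tag, v in caa if tag == "issue"]
    if not issuers:
        return True, "no issue property; CAA does not restrict issuance"
    if ca_domain.lower() in issuers:
        return True, "%s listed in issue property" % ca_domain
    return False, "CA not authorised by CAA issue property"


if __name__ == "__main__":
    rr = [caa_rdata(0, "issue", "example-ca.test")]
    for signed, ad in ((True, True), (True, False), (False, False)):
        msg = build_response("example.com.", rr, ad=ad)
        print("signed=%s ad=%s ->" % (signed, ad),
              caa_permits_issuance(msg, signed, "example-ca.test"))
```

The three runs in the demo are the whole argument of the thread in miniature: a signed zone with a validated answer is checked normally, a signed zone with an unvalidated answer blocks issuance (which is what DNSSEC buys the domain), and an unsigned zone is processed exactly as before, so the requirement costs unsigned domains nothing. The same AD check applies unchanged to the A, MX and TXT lookups Jakob lists; only the record parsing differs.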