> I don't think this opinion is in conflict with the suggestion that we
> required DNSSEC validation on CAA records when (however rarely) it is
> deployed. I
> added this as https://github.com/mozilla/pkipolicy/issues/133

One of the things that could help quite a bit is to only require DNSSEC
validation when DNSSEC is deployed CORRECTLY, as opposed to some partial
or broken deployment. It's generally broken or incomplete DNSSEC
deployments that cause all the problems.

Getting the rules for this right might be complicated, though.

-Tim

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
