On Mon, 30 Apr 2018, Tim Hollebeek via dev-security-policy wrote:

I don't think this opinion is in conflict with the suggestion that we
required DNSSEC validation on CAA records when (however rarely) it is
deployed. I added this as https://github.com/mozilla/pkipolicy/issues/133

One of the things that could help quite a bit is to only require DNSSEC
validation when DNSSEC is deployed CORRECTLY, as opposed to some partial
or broken deployment. It's generally broken or incomplete DNSSEC
deployments that cause all the problems.

Getting the rules for this right might be complicated, though.

It's also wrong. You can't soft-fail on that and you don't want to be in
the business of trying to figure out what is a sysadmin failure and what
is an actual attack.

The only somewhat valid soft-fail could come from recently expired
RRSIGs, but validating DNS resolvers like unbound already build in a
margin of a few hours, and I think you should not do anything special
during CAA verification other than using a validating resolver.

Paul
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy