What about the cases we discussed where there is DNSSEC, but only for a subtree? Or do you consider that "not DNSSEC" ?
-Tim

> -----Original Message-----
> From: Paul Wouters [mailto:p...@nohats.ca]
> Sent: Monday, April 30, 2018 11:07 AM
> To: Tim Hollebeek <tim.holleb...@digicert.com>
> Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: RE: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure
>
> On Mon, 30 Apr 2018, Tim Hollebeek via dev-security-policy wrote:
>
> >> I don't think this opinion is in conflict with the suggestion that we
> >> required DNSSEC validation on CAA records when (however rarely) it is
> >> deployed. I added this as
> >> https://github.com/mozilla/pkipolicy/issues/133
> >
> > One of the things that could help quite a bit is to only require
> > DNSSEC validation when DNSSEC is deployed CORRECTLY, as opposed to
> > some partial or broken deployment. It's generally broken or
> > incomplete DNSSEC deployments that cause all the problems.
> >
> > Getting the rules for this right might be complicated, though.
>
> It's also wrong. You can't soft-fail on that and you don't want to be in the
> business of trying to figure out what is a sysadmin failure and what is an actual
> attack.
>
> The only somewhat valid soft-fail could come from recently expired RRSIGs, but
> validating DNS resolvers like unbound already build in a margin of a few hours,
> and I think you should not do anything special during CAA verification other
> than using a validating resolver.
>
> Paul
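The thread argues that a CA's CAA check should simply consume the result of a validating resolver and hard-fail on a bogus answer rather than invent its own rules about "partial" or "broken" DNSSEC. The following is an added illustration, not code from this thread or from any CA or resolver project: it parses CAA records from their wire format (RFC 8659) and applies the issue/issuewild logic, taking the resolver's validation outcome (Secure, Insecure or Bogus in RFC 4035 terms) as an input. A zone below an unsigned delegation, the "DNSSEC only for a subtree" case, shows up to the CA as Insecure, so it is evaluated on its records like any unsigned zone; only Bogus refuses issuance. All domain names and record values below are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class DnssecStatus(Enum):
    """Outcome a validating resolver reports for an RRset (RFC 4035 s4.3 terms)."""
    SECURE = "secure"      # signed, chain of trust verified to a trust anchor
    INSECURE = "insecure"  # provably unsigned, e.g. below an unsigned delegation
    BOGUS = "bogus"        # signed, but signatures or the chain failed to validate


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # RFC 8659 s4.1: bit 0 (0x80) is the "Issuer Critical" flag
        return bool(self.flags & 0x80)


def parse_caa_rdata(rdata: bytes) -> CAARecord:
    """Parse CAA RDATA wire format: flags (1 byte), tag length (1 byte), tag, value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, taglen = rdata[0], rdata[1]
    if taglen == 0 or len(rdata) < 2 + taglen:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + taglen].decode("ascii").lower()
    value = rdata[2 + taglen:].decode("ascii")
    return CAARecord(flags, tag, value)


def build_caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Inverse of parse_caa_rdata; used here only to construct sample records."""
    tag_b = tag.encode("ascii")
    return bytes([flags & 0xFF, len(tag_b)]) + tag_b + value.encode("ascii")


def issuance_allowed(status: DnssecStatus, records: List[CAARecord],
                     ca_domain: str, wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether ca_domain may issue, given the validation status and CAA RRset.

    Bogus is a hard fail with no attempt to guess whether a sysadmin or an
    attacker caused it. Secure and Insecure are both evaluated on the records.
    """
    if status is DnssecStatus.BOGUS:
        return False, "DNSSEC validation failed (bogus): refuse to issue"

    # RFC 8659 s4.1: an unrecognised property with the critical flag set forbids issuance
    known = {"issue", "issuewild", "iodef"}
    for r in records:
        if r.critical and r.tag not in known:
            return False, f"unknown critical property {r.tag!r}"

    # RFC 8659 s4.3: issuewild governs wildcard requests when present, else issue applies
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True, f"no {tag} records: issuance not restricted by CAA"

    for r in relevant:
        # Property value is "issuer-domain [; parameters]"; an empty issuer (";") permits nobody
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True, f"{tag} record authorizes {ca_domain}"
    return False, f"{ca_domain} is not listed in {tag} records"


if __name__ == "__main__":
    # Constructed sample RRset: "issue ca.example" and "issuewild ;" (no wildcards at all)
    rrset = [
        parse_caa_rdata(build_caa_rdata(0, "issue", "ca.example")),
        parse_caa_rdata(build_caa_rdata(0, "issuewild", ";")),
    ]
    for status in DnssecStatus:
        print(status.value, issuance_allowed(status, rrset, "ca.example"))
    print("wildcard", issuance_allowed(DnssecStatus.SECURE, rrset, "ca.example", wildcard=True))
```

The point of keeping the status as a plain input is that the CA never inspects RRSIG expiry or delegation shape itself: whatever margin the resolver applies (Paul mentions a few hours in unbound) is the only leniency, and everything the resolver cannot validate is refused.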
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy