I think a reasonable approach is to consider a domain having deployed DNSSEC when there is a DS record at the parent zone (*).
Missing DS record => No DNSSEC. Existing DS record => Require valid DNSSEC signatures

(*) More precisely, a chain of DS records through all the parent zones down to the currently evaluated DNS name. I.e., a subtree deploying DNSSEC without a proper chain to the ICANN root through parent zone DS records would be considered not deploying DNSSEC.

Kind regards
Quirin

> On 30. Apr 2018, at 17:10, Tim Hollebeek via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> What about the cases we discussed where there is DNSSEC, but only for a subtree?
> Or do you consider that "not DNSSEC" ?
>
> -Tim
>
>> -----Original Message-----
>> From: Paul Wouters [mailto:p...@nohats.ca]
>> Sent: Monday, April 30, 2018 11:07 AM
>> To: Tim Hollebeek <tim.holleb...@digicert.com>
>> Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
>> Subject: RE: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure
>>
>> On Mon, 30 Apr 2018, Tim Hollebeek via dev-security-policy wrote:
>>
>>>> I don't think this opinion is in conflict with the suggestion that we
>>>> required DNSSEC validation on CAA records when (however rarely) it is
>>>> deployed. I added this as
>>>> https://github.com/mozilla/pkipolicy/issues/133
>>>
>>> One of the things that could help quite a bit is to only require
>>> DNSSEC validation when DNSSEC is deployed CORRECTLY, as opposed to
>>> some partial or broken deployment. It's generally broken or
>>> incomplete DNSSEC deployments that cause all the problems.
>>>
>>> Getting the rules for this right might be complicated, though.
>>
>> It's also wrong. You can't soft-fail on that and you don't want to be in the
>> business of trying to figure out what is a sysadmin failure and what is an actual
>> attack.
>>
>> The only somewhat valid soft-fail could come from recently expired RRSIGs, but
>> validating DNS resolvers like unbound already build in a margin of a few hours,
>> and I think you should not do anything special during CAA verification other
>> than using a validating resolver.
>>
>> Paul
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
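Quirin's DS-chain rule, worked through as an added example that is not part of the thread: the function walks every zone cut from the ICANN root down to the name and treats the name as "DNSSEC deployed" only if each delegation carries a DS record, so a signed subtree below an unsigned parent (Tim's partial-subtree case) comes out as "not DNSSEC". The delegation map and the `has_ds` callback are constructed stand-ins for what a validating resolver would answer, not real DNS data.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed delegation map (not real DNS data): zone cut -> "DS record present?".
# Names absent from the map are treated as plain in-zone names, not zone cuts.
CONSTRUCTED_DELEGATIONS: Dict[str, bool] = {
    "com.": True,
    "example.com.": True,          # full chain: root -> com. -> example.com.
    "org.": True,
    "unsigned.org.": False,        # delegated without DS: insecure delegation
    "signed.unsigned.org.": True,  # signed island below an unsigned parent
    "net.": True,
    "nods.net.": False,
}


def ancestors(name: str) -> List[str]:
    """Zone names from the TLD down to `name` itself (root excluded), e.g.
    'www.example.com.' -> ['com.', 'example.com.', 'www.example.com.']."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def dnssec_required(name: str, has_ds: Callable[[str], Optional[bool]]) -> Tuple[bool, str]:
    """Apply the rule from the message: DNSSEC counts as deployed only when every
    zone cut between the root and `name` has a DS record in its parent.
    has_ds(zone) -> True/False for a delegation, None if `zone` is not a zone cut.
    In production a False must come from the parent's authenticated denial of
    existence (NSEC/NSEC3) via a validating resolver, never from a bare empty answer."""
    saw_signed_cut = False
    for zone in ancestors(name):
        ds = has_ds(zone)
        if ds is None:
            continue  # not a delegation point; nothing to check here
        if not ds:
            # Chain broken here: everything below is insecure, even if a deeper
            # zone publishes its own DS/DNSKEY (an island of security).
            return False, f"no DS record at {zone}"
        saw_signed_cut = True
    if not saw_signed_cut:
        return False, "no signed delegation found"
    return True, "chain of DS records intact"


def constructed_has_ds(zone: str) -> Optional[bool]:
    """Stand-in for a validating resolver's DS lookup over the constructed map."""
    return CONSTRUCTED_DELEGATIONS.get(zone)


if __name__ == "__main__":
    for n in ["www.example.com.", "host.unsigned.org.", "caa.signed.unsigned.org.", "nods.net."]:
        print(n, dnssec_required(n, constructed_has_ds))
```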