On Wed, Feb 27, 2019 at 9:04 AM Nick Lamb <[email protected]> wrote:
>
> It does feel as though ARPA should consider adding a CAA record to
> in-addr.arpa and similar hierarchies that don't want certificates,
> denying all CAs, as a defence in depth measure.
>
Unless I significantly misunderstand CAA, this mechanism would not necessarily be effective. The normal mode of operation is that the in-addr.arpa zone delegates sub-zones, for example 199.in-addr.arpa, to the relevant RIR via an NS record. Further, the relevant RIR would delegate sub-zones of that zone via NS records to an IP space holder; for example, 88.99.199.in-addr.arpa would have NS records configured on the RIR name servers which would refer to the authoritative DNS servers serving the IP space holder for 199.99.88.0/24. As such, superseding CAA records which would allow issuance could be added back into those hierarchies by the DNS admins of those zones.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
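The point made in the reply above can be checked against the lookup rule itself. RFC 8659 defines the relevant CAA record set R(X) as the first non-empty CAA RRset found when walking from the name up towards the TLD, so a CAA set published at a delegated sub-zone is the one a CA sees, and a deny-all record at the apex only applies to names with no CAA set anywhere below it. The following is an added example, not code from the list or from any CA or RIR: a toy implementation of that walk and of the CA-side issue check, run over a constructed in-memory tree. The names "example-ca.test" and "other-ca.test", the CAA contents, and the alias used in the usage note are invented for illustration.

```python
"""Toy RFC 8659 CAA lookup against a constructed, in-memory reverse-DNS tree.

Added example for this thread, not code from the list or from any CA.  The
zone contents below are invented; no real ARPA or RIR records are reproduced.
"""
from typing import Dict, List, Optional, Tuple

# A CAA record is (flags, tag, value); flags bit 7 (0x80) marks it "critical".
CAARecord = Tuple[int, str, str]
CAAData = Dict[str, List[CAARecord]]


def parent(name: str) -> Optional[str]:
    """P(X): drop the leftmost label; None once X is a top-level domain."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def relevant_caa(name: str, caa: CAAData,
                 cnames: Optional[Dict[str, str]] = None
                 ) -> Tuple[Optional[str], List[CAARecord]]:
    """R(X) from RFC 8659 section 3: the first non-empty CAA RRset found while
    climbing from X towards the TLD.  Aliases are chased at each step, as the
    resolver answering the CAA query would.  Returns (owner name, RRset)."""
    cnames = cnames or {}
    x: Optional[str] = name.rstrip(".").lower()
    while x is not None:
        target, hops = x, 0
        while target in cnames and hops < 16:          # bounded CNAME chase
            target, hops = cnames[target], hops + 1
        rrset = caa.get(target, [])
        if rrset:
            return target, rrset                       # closest set wins
        x = parent(x)                                  # otherwise climb one label
    return None, []


def issuance_permitted(name: str, ca_domain: str, caa: CAAData,
                       cnames: Optional[Dict[str, str]] = None) -> bool:
    """CA-side decision for a non-wildcard name (RFC 8659 section 4).

    Only the relevant RRset counts.  An unrecognised critical property forbids
    issuance.  With no "issue" property present, issuance is allowed; otherwise
    the CA must be named in one of the "issue" values, and 'issue ";"' names
    nobody, i.e. denies all CAs."""
    _owner, rrset = relevant_caa(name, caa, cnames)
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 0x80 and tag.lower() not in known for flags, tag, _ in rrset):
        return False
    issue_values = [value for _, tag, value in rrset if tag.lower() == "issue"]
    if not issue_values:
        return True
    for value in issue_values:
        # "ca.example; account=123" -> "ca.example";  ";" alone -> "" (deny all)
        domain = value.split(";", 1)[0].strip().lower()
        if domain and domain == ca_domain.lower():
            return True
    return False


# Constructed tree (hypothetical records).  NS delegation is deliberately
# absent: the CAA walk does not care who serves a name, only which names
# own a CAA RRset.
ZONE: CAAData = {
    # the proposal: a deny-all CAA at the apex of the reverse tree
    "in-addr.arpa": [(0, "issue", ";")],
    # the objection: the /24 holder publishes its own CAA further down
    "88.99.199.in-addr.arpa": [(0, "issue", "example-ca.test")],
}

if __name__ == "__main__":
    for n in ("10.88.99.199.in-addr.arpa", "10.5.5.199.in-addr.arpa"):
        owner, _ = relevant_caa(n, ZONE)
        print(n, "->", owner, issuance_permitted(n, "example-ca.test", ZONE))
```

Run stand-alone, the script shows that 10.88.99.199.in-addr.arpa resolves to the /24 holder's CAA set and example-ca.test may issue, while 10.5.5.199.in-addr.arpa climbs all the way to in-addr.arpa and is denied. The apex deny-all is therefore only a floor for names whose sub-zones publish no CAA at all; any zone admin below it can replace the answer for their own subtree, which is exactly the concern raised in the reply.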

