The BRs permit CAs to bypass CAA checking for a domain if "the CA or an Affiliate of the CA is the DNS Operator (as defined in RFC 7719) of the domain's DNS."
Much like the forbidden "any other method" of domain validation, the DNS operator exception is perilously under-specified. It doesn't say how to determine who the DNS operator of a domain is, when to check, or for how long this information can be cached.

Since the source of truth for a domain's DNS operator is the NS record in the parent zone, I believe the correct answer is to check at issuance time by doing a recursive lookup from the root zone until the relevant NS record is found, and caching for no longer than the NS record's TTL. Unfortunately, resolvers do not typically provide an implementation of this algorithm, so CAs would have to implement it themselves.

Considering that CAs are not generally DNS experts and there are several almost-correct-but-subtly-wrong ways to implement it, I have little faith that CAs will implement this check correctly. My experience having implemented both a CAA lookup algorithm and an algorithm to determine a domain's DNS operator is that it's actually easier to implement CAA, as all the nasty DNS details can be handled by the resolver. This leads me to conclude that the only CAs who think they are saving effort by relying on the DNS operator exception are doing so incorrectly and insecurely.

A manifestation of my concerns is this incident involving Microsoft PKI Services:

https://bugzilla.mozilla.org/show_bug.cgi?id=1670337

Until last month, Microsoft was not checking CAA, but instead relying on the DNS operator exception. Despite this, they misissued certificates for both a nonexistent domain and a domain for which they were not the DNS operator, demonstrating that they had not correctly implemented the exception.
Although Microsoft is now checking CAA for routine issuances, they are retaining the DNS operator exception for "one-off" issuances, and the process they intend to use involves manually using the websites https://dns.google.com/ and https://toolbox.googleapps.com/apps/dig/, which is both a forbidden use of Delegated Third Parties, and probably not correct because these tools don't allow you to make non-recursive requests directly to authoritative servers as required by the above algorithm.

Considering the under-specification of the DNS operator exception and the risk of CAs being enticed by the apparent but false simplicity of the exception, I think Mozilla should ban the use of the DNS operator exception just as it banned "any other method" of domain validation. At the very least, it deserves a mention on the list of Problematic Practices.

Regards,
Andrew

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
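The algorithm the post describes (iterate from the root with non-recursive queries to authoritative servers, stop at the deepest NS delegation covering the name, trust the NS set published in the parent zone, cache no longer than that RRset's TTL) is shown below as an added example; it is not code from the post, from Andrew, or from any CA. All servers, zones, names and TTLs in it are constructed stand-ins so that it runs offline; a real implementation would send the same RD=0 queries on the wire (for instance with dnspython) and would also have to resolve NS hostnames to addresses, which this model skips. It also handles the two failure modes the post attributes to the Microsoft incident: a nonexistent name yields no operator at all, and a name delegated to someone else yields a foreign NS set.

```python
"""Constructed, offline model of determining a domain's DNS operator by
iterating from the root zone with RD=0 queries (added example, not the post's
own code). Servers, zones and names below are hypothetical."""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Delegation:
    zone: str            # child zone cut out of the parent, e.g. "example.com."
    nameservers: tuple   # NS targets exactly as published in the parent zone
    ttl: int             # TTL of that NS RRset in the parent zone


@dataclass
class Zone:
    apex: str
    names: frozenset     # owner names that exist in this zone
    delegations: tuple   # Delegation records for child zones


def normalize(name):
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def is_subdomain(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


# Constructed authoritative data: server hostname -> zones it serves.
# ns1.operator-a.test. is deliberately absent to model an unreachable server.
ROOT_SERVERS = ("a.root.test.",)
SERVERS = {
    "a.root.test.": (Zone(".", frozenset({"."}),
                          (Delegation("com.", ("a.gtld.test.",), 172800),)),),
    "a.gtld.test.": (Zone("com.", frozenset({"com."}), (Delegation(
        "example.com.", ("ns1.operator-a.test.", "ns2.operator-a.test."), 86400),)),),
    "ns2.operator-a.test.": (Zone("example.com.", frozenset({"example.com.", "www.example.com."}),
                                  (Delegation("sub.example.com.", ("ns.operator-b.test.",), 3600),)),),
    "ns.operator-b.test.": (Zone("sub.example.com.",
                                 frozenset({"sub.example.com.", "www.sub.example.com."}), ()),),
}


def query(server, qname):
    """One RD=0 query to one authoritative server. Returns ("REFERRAL", Delegation),
    ("AUTH", apex), ("NXDOMAIN", None) or ("REFUSED", None)."""
    zone = max((z for z in SERVERS.get(server, ()) if is_subdomain(qname, z.apex)),
               key=lambda z: len(z.apex), default=None)
    if zone is None:
        return ("REFUSED", None)   # unreachable, or not authoritative for the name
    deleg = max((d for d in zone.delegations if is_subdomain(qname, d.zone)),
                key=lambda d: len(d.zone), default=None)
    if deleg is not None:
        return ("REFERRAL", deleg)  # name lies below a zone cut: hand it down
    return ("AUTH", zone.apex) if qname in zone.names else ("NXDOMAIN", None)


MAX_REFERRALS = 16


def find_dns_operator(name, now=None):
    """Return (Delegation, cache_expiry) for the deepest delegation covering name,
    or None if the name does not exist. The NS set comes from the parent zone."""
    name, now = normalize(name), (time.time() if now is None else now)
    servers, last = list(ROOT_SERVERS), None
    for _ in range(MAX_REFERRALS):
        for server in servers:
            kind, payload = query(server, name)
            if kind != "REFUSED":
                break              # first responsive server of the NS set answers
        else:
            raise RuntimeError("no authoritative server answered for %s" % name)
        if kind == "REFERRAL":
            # A referral must move strictly downward; anything else is a loop or bogus.
            if last is not None and not (payload.zone != last.zone
                                         and is_subdomain(payload.zone, last.zone)):
                raise RuntimeError("non-downward referral to %s" % payload.zone)
            last, servers = payload, list(payload.nameservers)
        elif kind == "AUTH":
            if last is None or payload != last.zone:
                # Answered from a zone we were never delegated to, so the parent-side
                # NS set for it was never observed: refuse to guess.
                raise RuntimeError("authoritative answer from unexpected zone %s" % payload)
            return last, now + last.ttl   # cache no longer than the parent NS TTL
        else:
            return None            # NXDOMAIN: nobody operates a nonexistent name
    raise RuntimeError("too many referrals")


def ca_is_dns_operator(name, ca_nameservers, now=None):
    """The exception can only apply if every NS target the parent publishes is
    the CA's own; a single foreign server could otherwise answer for the domain."""
    result = find_dns_operator(name, now)
    if result is None:
        return False
    own = {normalize(n) for n in ca_nameservers}
    return all(normalize(ns) in own for ns in result[0].nameservers)


if __name__ == "__main__":
    for qn in ("www.example.com", "www.sub.example.com", "nonexistent.com", "other.example.com"):
        print(qn, "->", find_dns_operator(qn, now=0))
```

The expiry returned with each Delegation is the cache bound the post argues for: a CA that keeps the answer past the parent NS RRset's TTL may still be claiming an operator role after the domain owner has re-delegated the zone elsewhere.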