On Mon, 8 Feb 2021 13:40:05 -0500 Andrew Ayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> The BRs permit CAs to bypass CAA checking for a domain if "the CA or
> an Affiliate of the CA is the DNS Operator (as defined in RFC 7719)
> of the domain's DNS."

Hmm. Would this exemption be less dangerous for a CA which is the Registry for the TLD?

I can see that there are a set of potential problems that can happen where an entity mistakenly believes they are the DNS Operator when they in fact are not, because there's a difference between configuring your DNS servers to answer (I can tell mine to answer for google.com) and having the authority to answer, but it seems like it's pretty clear that either you are the registry for some TLD or you aren't, and so that confusion ought not to arise in this case.

The existence of the exemption doesn't mean you need to take advantage of it, of course; it may be that any organisation large enough to possess a CA and a Registry function today thinks it would prefer to use public methods and not try to short-cut internally anyway, in which case my thought doesn't matter.

Nick.
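As an added illustration (not part of Nick's message or of any CA's code) of the distinction he draws between a server that is configured to answer for a name and one that actually holds authority for it: the check below derives "DNS Operator" status from the delegation chain published by parent zones, starting at the root, and compares it with a naive "our server has a zone file for it" test. The delegation tree, the nameserver names and the TLD "example." are all constructed sample data.

```python
"""Is the CA the DNS Operator of a name? Decide it from delegations, not local config."""

# Constructed sample delegation data: parent zone -> {child zone: NS set the parent
# delegates to}. This is what the parent zone's NS records would tell a resolver.
DELEGATIONS = {
    ".": {"example.": {"a.nic.example.", "b.nic.example."}},
    "example.": {"customer.example.": {"ns1.customer.example."}},
    "customer.example.": {},
}

# Constructed sample: zones a server has merely been configured to load. Nothing
# stops an operator from adding google.com. here; it confers no authority.
LOCALLY_CONFIGURED_ZONES = {"example.", "google.com."}


def _normalize(name):
    return name.rstrip(".").lower() + "."


def closest_enclosing_delegation(name, delegations=DELEGATIONS):
    """Walk from the root toward `name`, following delegations in the parent
    zones, and return (zone, ns_set) for the deepest delegated zone that
    encloses `name`. ns_set is None if no delegation path exists at all."""
    labels = _normalize(name).rstrip(".").split(".")
    zone, ns = ".", None
    for i in range(len(labels) - 1, -1, -1):
        child = ".".join(labels[i:]) + "."
        children = delegations.get(zone, {})
        if child not in children:
            break  # name lives inside `zone`; nothing below it is delegated
        zone, ns = child, children[child]
    return zone, ns


def is_dns_operator(name, our_nameservers, delegations=DELEGATIONS):
    """True only if every nameserver the parent delegates the enclosing zone
    to is one we run. A registry therefore qualifies for its own TLD and for
    undelegated names in it, but not for zones it has delegated to customers."""
    _zone, ns = closest_enclosing_delegation(name, delegations)
    return ns is not None and ns <= set(our_nameservers)


def answers_locally(name, configured=LOCALLY_CONFIGURED_ZONES):
    """The naive test: do we have a zone file covering this name?"""
    labels = _normalize(name).rstrip(".").split(".")
    return any(".".join(labels[i:]) + "." in configured for i in range(len(labels)))
```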