Re: The CAA DNS Operator Exception Is Problematic
On Wed, Feb 10, 2021 at 02:21:53AM +, Nick Lamb via dev-security-policy wrote: > On Mon, 8 Feb 2021 13:40:05 -0500 > Andrew Ayer via dev-security-policy > wrote: > > > The BRs permit CAs to bypass CAA checking for a domain if "the CA or > > an Affiliate of the CA is the DNS Operator (as defined in RFC 7719) > > of the domain's DNS." > > Hmm. Would this exemption be less dangerous for a CA which is the > Registry for the TLD ? I understand this would remove one way to shoot yourself in the foot. > [...], but it seems like it's pretty clear > that either you are the registry for some TLD or you aren't, and so > that confusion ought not to arise in this case. The argument is that theoretically this could work, but in practice people get this wrong. Examples were given that confusion in fact happens. -- pozdrawiam / best regards Wojtek Porczyk Graphene / Invisible Things Lab I do not fear computers, I fear lack of them. -- Isaac Asimov signature.asc Description: PGP signature ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: The CAA DNS Operator Exception Is Problematic
On Tue, Feb 9, 2021 at 9:22 PM Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Mon, 8 Feb 2021 13:40:05 -0500 > Andrew Ayer via dev-security-policy > wrote: > > > The BRs permit CAs to bypass CAA checking for a domain if "the CA or > > an Affiliate of the CA is the DNS Operator (as defined in RFC 7719) > > of the domain's DNS." > > Hmm. Would this exemption be less dangerous for a CA which is the > Registry for the TLD ? Potentially, but that’s not the use case for why this exists. Recall that Registry != Registrar here, and even then, the Operator may be distinct from either of those two. The use case argued was not limited to “just” gTLDs. > ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: The CAA DNS Operator Exception Is Problematic
On Mon, 8 Feb 2021 13:40:05 -0500 Andrew Ayer via dev-security-policy wrote: > The BRs permit CAs to bypass CAA checking for a domain if "the CA or > an Affiliate of the CA is the DNS Operator (as defined in RFC 7719) > of the domain's DNS." Hmm. Would this exemption be less dangerous for a CA which is the Registry for the TLD ? I can see that there are a set of potential problems that can happen where an entity mistakenly believes they are the DNS Operator when they in fact are not, because there's a difference between configuring your DNS servers to answer (I can tell mine to answer for google.com) and having the authority to answer, but it seems like it's pretty clear that either you are the registry for some TLD or you aren't, and so that confusion ought not to arise in this case. The existence of the exemption doesn't mean you need to take advantage of it of course, it may be that any organisation large enough to possess a CA and a Registry function today thinks it would prefer to use public methods and not try to short-cut internally anyway, in which case my thought doesn't matter. Nick. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: The CAA DNS Operator Exception Is Problematic
On Mon, Feb 8, 2021 at 1:40 PM Andrew Ayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > The BRs permit CAs to bypass CAA checking for a domain if "the CA or > an Affiliate of the CA is the DNS Operator (as defined in RFC 7719) > of the domain's DNS." > > Much like the forbidden "any other method" of domain validation, the DNS > operator exception is perilously under-specified. It doesn't say how > to determine who the DNS operator of a domain is, when to check, or for > how long this information can be cached. Since the source of truth for a > domain's DNS operator is the NS record in the parent zone, I believe the > correct answer is to check at issuance time by doing a recursive lookup > from the root zone until the relevant NS record is found, and caching > for no longer than the NS record's TTL. Unfortunately, resolvers do > not typically provide an implementation of this algorithm, so CAs would > have to implement it themselves. Considering that CAs are not generally > DNS experts and there are several almost-correct-but-subtly-wrong ways > to implement it, I have little faith that CAs will implement this > check correctly. My experience having implemented both a CAA lookup > algorithm and an algorithm to determine a domain's DNS operator is that > it's actually easier to implement CAA, as all the nasty DNS details can > be handled by the resolver. This leads me to conclude that the only CAs > who think they are saving effort by relying on the DNS operator exception > are doing so incorrectly and insecurely. Thanks, Andrew, for raising this. This does seem something that should be looked to be phased out / forbidden. We've seen similar concerns raised related to BygoneSSL [1], with respect to Cloud Providers (incorrectly) believing they are the domain operator (e.g. customer account configured, but DNS now points elsewhere) [1] https://insecure.design/ ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy