On Fri, Jan 21, 2022 at 01:30:38PM -0500, Ryan Sleevi wrote:
> > > Do you think that DNSSEC should be soft-fail for CAA checks, or should
> > > we urge the CAs to be more strict here? Perhaps that would be another
> > > recommendation.
> >
> > CAA lookups must not softfail. This needs to be the case whether the
> > domain is signed or not. For signed domains this means that validation
> > of the response (positive or denial of existence) must succeed. Bogus
> > replies, lame delegations, timeouts, REFUSED, SERVFAIL, ... need to all
> > be hard errors (for signed and unsigned domains alike).
>
> Yes, and OCSP lookups must not softfail either, in order for them to be
> useful.
From where I sit, issuance is a much more critical process than revocation, and sloppy practices should not be acceptable. Postfix does not ignore DNS lookup errors, and the sky has not fallen. I don't see why a CA should be at liberty to do so.

If some domain has broken DNS preventing certificate issuance, then they need to fix that first. Both the nameservers and the CA can be expected to be on a better than hotel captive portal network, where DNS is sufficiently reliable to return a valid answer, or be attended to if there's a problem.

If CA/B Forum CAs are ignoring CAA lookup errors then the WebPKI is even weaker than I thought it was.

-- 
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
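The hard-fail versus soft-fail distinction argued over in this thread is easy to state but easy to get wrong in code, because "no CAA records" and "the lookup did not produce a validated answer" both look like an empty result to a careless client. The following added example (written for this archive page; it is not code from the thread, from Postfix, or from any CA) walks the RFC 8659 lookup order over a constructed resolver view and shows the two policies side by side: in hard-fail mode any SERVFAIL, REFUSED, timeout or DNSSEC-bogus reply at any level of the climb blocks issuance, while in soft-fail mode the same errors are silently treated as "no CAA here" and issuance proceeds. The zone contents, the CA identifier `ca.example` and the names under `example.net` / `example.org` are all made-up test data; CNAME/DNAME handling is not modelled.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Rcode(Enum):
    NOERROR = auto()   # validated answer, possibly empty (NODATA)
    NXDOMAIN = auto()  # validated denial of existence
    SERVFAIL = auto()
    REFUSED = auto()
    TIMEOUT = auto()   # no reply at all (lame delegation, unreachable server)
    BOGUS = auto()     # reply present but failed DNSSEC validation


@dataclass(frozen=True)
class Reply:
    rcode: Rcode
    caa: tuple = ()    # (tag, value) pairs; only meaningful for NOERROR


class Verdict(Enum):
    ISSUE_ALLOWED = auto()
    ISSUE_DENIED = auto()
    LOOKUP_FAILED = auto()   # hard error: do not issue, retry the check later


# Constructed resolver view for this example: name -> Reply. Names not listed
# are taken to be a validated NODATA answer (name exists, no CAA RRset).
CONSTRUCTED_ZONE = {
    "example.net": Reply(Rcode.NOERROR, (("issue", "ca.example"),)),
    "wild.example.net": Reply(Rcode.NOERROR, (("issue", "ca.example"), ("issuewild", ";"))),
    "gone.example.net": Reply(Rcode.NXDOMAIN),
    "broken.example.org": Reply(Rcode.SERVFAIL),
    "lame.example.org": Reply(Rcode.TIMEOUT),
    "signed.example.org": Reply(Rcode.BOGUS),
}


def _parent(name):
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def relevant_caa(resolver, fqdn, soft_fail=False):
    """Return the relevant CAA RRset for fqdn using the RFC 8659 climb:
    query the FQDN, then each parent, stopping at the first non-empty RRset.

    A validated positive answer or validated denial (NODATA / NXDOMAIN) is a
    real result. Anything else is a lookup error: with soft_fail=False it is
    raised, with soft_fail=True it is ignored as if the name had no CAA
    records and the climb continues (the behaviour the thread argues against).
    """
    name = fqdn.rstrip(".").lower()
    while name:
        reply = resolver.get(name, Reply(Rcode.NOERROR))
        if reply.rcode is Rcode.NOERROR:
            if reply.caa:
                return reply.caa
        elif reply.rcode is Rcode.NXDOMAIN:
            pass   # authenticated "no such name": keep climbing
        elif not soft_fail:
            raise LookupError(f"{reply.rcode.name} while resolving CAA for {name}")
        name = _parent(name)
    return ()   # no CAA anywhere in the chain: no restriction expressed


def decide(resolver, fqdn, ca_identifier, wildcard=False, soft_fail=False):
    """Decide whether the CA named by ca_identifier may issue for fqdn."""
    try:
        rrset = relevant_caa(resolver, fqdn, soft_fail=soft_fail)
    except LookupError:
        return Verdict.LOOKUP_FAILED

    tags = {tag for tag, _ in rrset}
    # A wildcard request is governed by issuewild when present, otherwise by issue.
    governing = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if governing not in tags:
        return Verdict.ISSUE_ALLOWED
    # The issuer domain is the text before any ';' parameters; a bare ';' names nobody.
    permitted = {value.split(";", 1)[0].strip().lower()
                 for tag, value in rrset if tag == governing}
    return Verdict.ISSUE_ALLOWED if ca_identifier.lower() in permitted else Verdict.ISSUE_DENIED


if __name__ == "__main__":
    for fqdn in ("www.example.net", "gone.example.net", "broken.example.org",
                 "lame.example.org", "signed.example.org"):
        hard = decide(CONSTRUCTED_ZONE, fqdn, "ca.example").name
        soft = decide(CONSTRUCTED_ZONE, fqdn, "ca.example", soft_fail=True).name
        print(f"{fqdn:22} hard-fail: {hard:14} soft-fail: {soft}")
```

Running it shows the point of the thread in one table: for the three `example.org` names the hard-fail policy returns `LOOKUP_FAILED` because a SERVFAIL, a timeout and a bogus signature are none of them a validated answer, whereas the soft-fail policy climbs past the error to a parent with no CAA records and returns `ISSUE_ALLOWED`.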