Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> On Fri, Nov 17, 2017 at 12:49:33PM -0800, Jacob Hoffman-Andrews wrote:

This is a topic of operational interest to me :-) I previously posted about CAA checks and private domains at:
https://lists.dns-oarc.net/pipermail/dns-operations/2017-September/016752.html

Our CA has updated their implementation to issue certs if (I am told) "a lookup error is returned (like a SERVFAIL from an internal DNS server) AND the domain does not have a valid DNSSEC signature (or a parent domain does not have valid DNSSEC)." I hope that by "valid DNSSEC signature" they actually mean signed DS RRset, but I have not tested their new behaviour.

We have worked around this problem by making a public empty view for our private subdomain, so the fix comes a bit too late to help us. (And it turns out there are other advantages to our workaround.)

The other entertaining CAA checking bug was due to checkers getting in loops when CNAMEs closer to the root point at subdomains of themselves -
https://twitter.com/fanf/status/915936787171807237

Viktor's message has lots of sound advice, though I have one correction:

> This language really should have been much more clear. In particular,
> the last item warrants clarification. It is critical that the CA
> determine the lack of a validation chain in a robust manner. The
> simplest approach:
>
> * Request the SOA record of the domain. If this lookup fails,
> (ServFail, Timeout, ...) stop, the domain's DNSSEC status is
> unknown.

No, you need to lookup the domain's DS records to determine its DNSSEC status.

Apart from that I agree with Viktor's points.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Fair Isle, Faeroes: Northeast veering east 4 or 5, occasionally 6 later. Moderate or rough. Wintry showers, rain later. Good occasionally poor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
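The two failure modes discussed in this thread, a CAA climb that loops when a CNAME near the root points into its own subtree, and a lookup error from a private subdomain whose DNSSEC status must be decided from DS RRsets rather than from an SOA lookup, are easiest to see in code. The following is an added example written for this page; it is not code from Tony, Viktor, or any CA. It runs against a constructed in-memory resolver (`FakeResolver`, `ZONES` and `RESOLVER` are assumptions for this example, with made-up names and DS digests), which marks zone cuts with NS records and answers SERVFAIL for everything a named private zone's own servers would serve, while still returning the parent-side NS and DS RRsets at that zone's apex as the public parent would. The CAA climb follows the RFC 6844 tree walk, including the erratum-5065 behaviour of climbing again from a CNAME target (RFC 8659 later dropped that), with a visited set so the climb always terminates. A real checker would use a validating resolver and its AD bit; the DS walk here models that logic, not the cryptography.

```python
"""Added example (not from the DNSOP thread): CAA tree climb with loop guard,
and DS-based DNSSEC status used to classify a SERVFAIL, against a fake resolver."""
from dataclasses import dataclass, field
from enum import Enum


class Rcode(Enum):
    NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"


class Dnssec(Enum):
    SIGNED = "signed"      # unbroken DS chain from the root down to the name
    UNSIGNED = "unsigned"  # some delegation above the name has no DS RRset
    UNKNOWN = "unknown"    # an NS/DS lookup failed; the status cannot be decided


@dataclass
class Answer:
    rcode: Rcode
    records: list = field(default_factory=list)


def canon(name):
    return name.lower().rstrip(".") + "."


def ancestors(name):
    """Names from the TLD down to `name` itself: com., example.com., ..."""
    labels = canon(name).rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


class FakeResolver:
    """Constructed resolver (assumption): `table` maps (name, rtype) -> rdata list.
    Names at or below an `unreachable` zone SERVFAIL, except the apex DS and NS,
    which live on the parent side and are still served by the public parent."""
    def __init__(self, table, unreachable=()):
        self.table = {(canon(n), t): list(v) for (n, t), v in table.items()}
        self.unreachable = [canon(n) for n in unreachable]
        self.queries = []  # every (name, rtype) asked, to show the climb terminates

    def query(self, name, rtype):
        name = canon(name)
        self.queries.append((name, rtype))
        for apex in self.unreachable:
            parent_side = name == apex and rtype in ("DS", "NS")
            if (name == apex or name.endswith("." + apex)) and not parent_side:
                return Answer(Rcode.SERVFAIL)
        if (name, rtype) in self.table:
            return Answer(Rcode.NOERROR, self.table[(name, rtype)])
        if any(n == name or n.endswith("." + name) for (n, _) in self.table):
            return Answer(Rcode.NOERROR)  # name exists, no RRset of this type
        return Answer(Rcode.NXDOMAIN)


def dnssec_status(resolver, name):
    """Decide DNSSEC status from DS RRsets at each zone cut above the name (Tony's
    correction: DS, not SOA). Walk top-down: a cut without DS makes everything
    below it insecure no matter what DS records exist further down."""
    for zone in ancestors(name):
        ns = resolver.query(zone, "NS")
        if ns.rcode is Rcode.SERVFAIL:
            return Dnssec.UNKNOWN
        if not ns.records:
            continue  # not a zone cut, nothing to check here
        ds = resolver.query(zone, "DS")
        if ds.rcode is Rcode.SERVFAIL:
            return Dnssec.UNKNOWN
        if not ds.records:
            return Dnssec.UNSIGNED  # insecure delegation: the chain ends here
    return Dnssec.SIGNED


def find_caa(resolver, name):
    """RFC 6844 climb: first non-empty CAA RRset at the name or an ancestor, also
    climbing from CNAME targets (erratum 5065). `seen` is the loop guard a CNAME
    such as b.example.com -> x.b.example.com defeats checkers without one."""
    seen = set()

    def climb(start):
        labels = canon(start).rstrip(".").split(".")
        for i in range(len(labels)):  # start, its parent, ..., the TLD
            cur = ".".join(labels[i:]) + "."
            if cur in seen:
                continue  # already examined on this climb; do not loop
            seen.add(cur)
            cname = resolver.query(cur, "CNAME")
            if cname.rcode is Rcode.SERVFAIL:
                return Rcode.SERVFAIL, []
            if cname.records:
                res = climb(cname.records[0])  # restart at the alias target
                if res[0] is Rcode.SERVFAIL or res[1]:
                    return res
                continue
            caa = resolver.query(cur, "CAA")
            if caa.rcode is Rcode.SERVFAIL:
                return Rcode.SERVFAIL, []
            if caa.records:
                return Rcode.NOERROR, list(caa.records)
        return Rcode.NOERROR, []

    return climb(name)


def issuance_decision(resolver, domain, ca):
    """'permitted', 'forbidden' or 'fail'. A lookup error counts as 'no CAA' only
    when the DS walk proves the name is outside any DNSSEC chain of trust."""
    rcode, records = find_caa(resolver, domain)
    if rcode is Rcode.SERVFAIL:
        return "permitted" if dnssec_status(resolver, domain) is Dnssec.UNSIGNED else "fail"
    issue = [v.split(";")[0].strip() for tag, v in records if tag == "issue"]
    return "permitted" if not issue or ca in issue else "forbidden"


# Constructed zone data (names, NS hosts and DS digests are all made up).
ZONES = {
    ("com.", "NS"): ["a.gtld-servers.net."], ("com.", "DS"): ["30909 8 2 <digest>"],
    ("example.com.", "NS"): ["ns1.example.com."], ("example.com.", "DS"): ["12345 13 2 <digest>"],
    ("example.com.", "CAA"): [("issue", "ca.example")],
    ("private.example.com.", "NS"): ["ns.private.example.com."],  # delegated, no DS
    ("signed.example.com.", "NS"): ["ns.signed.example.com."],
    ("signed.example.com.", "DS"): ["23456 13 2 <digest>"],
    ("www.example.com.", "CNAME"): ["cdn.example.com."], ("cdn.example.com.", "A"): ["192.0.2.10"],
    ("b.example.com.", "CNAME"): ["x.b.example.com."], ("x.b.example.com.", "A"): ["192.0.2.20"],
}
RESOLVER = FakeResolver(ZONES, unreachable=["private.example.com.", "signed.example.com."])
```

With this data, `host.private.example.com` SERVFAILs but its apex has no DS at `example.com`, so the walk returns UNSIGNED and issuance proceeds as if there were no CAA; `host.signed.example.com` SERVFAILs below a secure delegation, the walk returns UNKNOWN and the CA must refuse. Note that the walk never asks for an SOA: the DS and NS RRsets it needs are parent-side data that the public parent serves even when the private zone's own servers are unreachable, which is exactly why an SOA probe (served by the unreachable child) is the wrong test.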