> On Nov 23, 2017, at 11:13 AM, dnsop-requ...@ietf.org wrote:
>
> Even so, I know that at least one CA has received enough complaints from
> customers with REFUSED private domains that they have already updated
> their implementation to permit certificates in unresolvable zones that
> lack DNSSEC. It worked before CAA and I don't think there's any particular
> advantage to breaking it.
Supporting private domains that (really) fail to resolve makes things more complicated, and perhaps needlessly so. Perhaps the onus should be on the operators of the zones in question to make appropriate changes.

In the meantime, if REFUSED and the like also need to be supported, then the SOA lookup strategy can be modified to walk up the tree in the face of (real) lookup errors, to conclude that a subdomain is insecure once an ancestor domain is found insecure.

It is unfortunate that we routinely jump through hoops to work around poor practices by others, and keep finding more ways to do so as time goes by. Is it a good idea to enshrine such a private-domains hack as standard practice? Or can we grow some spine and require domains that want certificates (say starting January 2019) to not fail public DNS lookups? That is, perhaps the present work-arounds should have a sunset date.

--
	Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
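The "walk up the tree" strategy sketched in the message above, as an added example that is not part of the thread and not any CA's code. It simulates CAA tree-climbing (as in RFC 8659) over a constructed in-memory zone table instead of a real resolver: a CAA lookup that fails with a real error (REFUSED/SERVFAIL) is excused only when the nearest ancestor that does answer is DNSSEC-insecure, which is the case a CA cannot protect anyway and mirrors the Baseline Requirements allowance for lookup failures in zones without a validation chain to the root. The `excuse_insecure_failures` flag is a hypothetical policy knob standing in for the proposed sunset date: turned off, every real lookup error denies issuance. All names, zone flags and the `ca-a`/`ca-b` issuer identifiers are constructed test data.

```python
"""Simulated CAA check with ancestor walk-up on lookup errors.

Added example; not from the DNSOP thread or any CA implementation.
The 'resolver' is a constructed in-memory table, not real DNS.
"""
from dataclasses import dataclass


@dataclass
class Response:
    rcode: str            # "NOERROR", "NXDOMAIN", "REFUSED", "SERVFAIL"
    secure: bool = False  # True when the answer was DNSSEC-validated (AD bit)
    caa: tuple = ()       # CAA "issue" issuer identifiers at this owner name


# Constructed zone data (hypothetical). 'refuse' models a private zone whose
# authoritative servers answer REFUSED to the public; 'secure' models whether
# the zone is reachable through a DNSSEC chain from the root.
ZONES = {
    ".":                   dict(secure=True,  refuse=False, caa=()),
    "net":                 dict(secure=True,  refuse=False, caa=()),
    "org":                 dict(secure=True,  refuse=False, caa=()),
    "com":                 dict(secure=True,  refuse=False, caa=()),
    "example.net":         dict(secure=False, refuse=False, caa=()),
    "corp.example.net":    dict(secure=False, refuse=True,  caa=()),
    "example.org":         dict(secure=True,  refuse=False, caa=()),
    "secure.example.org":  dict(secure=True,  refuse=True,  caa=()),
    "example.com":         dict(secure=True,  refuse=False, caa=("ca-a",)),
}

LOOKUP_ERRORS = ("REFUSED", "SERVFAIL")


def ancestors(name):
    """Yield the name itself, then each parent, ending with the root "."."""
    labels = name.rstrip(".").split(".") if name.rstrip(".") else []
    for i in range(len(labels)):
        yield ".".join(labels[i:])
    yield "."


def lookup(name, rtype):
    """Stand-in resolver: answer from the closest enclosing constructed zone."""
    for apex in ancestors(name):
        if apex in ZONES:
            zone = ZONES[apex]
            break
    if zone["refuse"]:
        return Response("REFUSED")
    caa = zone["caa"] if (rtype == "CAA" and apex == name) else ()
    return Response("NOERROR", secure=zone["secure"], caa=caa)


def nearest_answering_ancestor(name, resolve):
    """Walk up from the parent of `name` with SOA queries; return the first
    ancestor that answers without a lookup error. The root always answers."""
    for anc in list(ancestors(name))[1:]:
        r = resolve(anc, "SOA")
        if r.rcode not in LOOKUP_ERRORS:
            return anc, r
    raise RuntimeError("no ancestor answered, not even the root")


def caa_decision(name, ca_id, resolve=lookup, excuse_insecure_failures=True):
    """Return (decision, reason); decision is "permit" or "deny"."""
    for n in ancestors(name):
        r = resolve(n, "CAA")
        if r.rcode not in LOOKUP_ERRORS:
            if r.caa:  # first non-empty CAA RRset on the path decides
                ok = ca_id in r.caa
                return ("permit" if ok else "deny",
                        "CAA issue set at %s: %s" % (n, ",".join(r.caa)))
            continue   # NOERROR/NXDOMAIN with no CAA: keep climbing
        if not excuse_insecure_failures:
            return ("deny", "%s for %s (lookup failures not excused)" % (r.rcode, n))
        # Real lookup error. Excuse it only if an insecure ancestor shows that
        # no DNSSEC chain could have protected a CAA record at n. A secure
        # ancestor is treated conservatively: the child might be a spoofed
        # secure delegation, so the failure could be hiding a signed CAA record.
        anc, ar = nearest_answering_ancestor(n, resolve)
        if ar.secure:
            return ("deny", "%s for %s under DNSSEC-secure %s" % (r.rcode, n, anc))
        # Insecure ancestor: treat the error as "no CAA at n" and keep climbing.
    return ("permit", "no CAA record found on the path to the root")


if __name__ == "__main__":
    for host, ca in (("host.corp.example.net", "ca-a"),
                     ("private.secure.example.org", "ca-a"),
                     ("www.example.com", "ca-b")):
        print(host, ca, caa_decision(host, ca))
        print(host, ca, "sunset:", caa_decision(host, ca, excuse_insecure_failures=False))
```

The SOA walk follows the message's wording literally and errs toward denial: a secure parent does not by itself prove the failing child is secure (the delegation might lack a DS record), so a production implementation would refine the check with a DS query at the parent before denying.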