Re: [DNSOP] Error handling in CAA

2017-11-23 Thread Tony Finch
Viktor Dukhovni wrote:
> A private sub-domain should return NXDomain on the public side of
> the Internet,

Maybe. That (mostly) requires that DNS servers support views. Obviously in practice, private zones and views are often used together, but DNS purists have also argued that you don

Re: [DNSOP] Error handling in CAA

2017-11-22 Thread Viktor Dukhovni
On Wed, Nov 22, 2017 at 12:09:51PM +, Tony Finch wrote:
> > If the SOA lookup fails, then the domain is severely broken
>
> No, it might just be private.

We are not using the same (mine is correct :-) definition of failure. An NXDomain reply is not a lookup failure. The security status of t

Re: [DNSOP] Error handling in CAA

2017-11-22 Thread Tony Finch
Viktor Dukhovni wrote:
> > > No, you need to look up the domain's DS records to determine its DNSSEC
> > > status.
>
> Actually, I chose my recommendation of SOA lookup after some thought
> and with care. A domain may have no DS records, and yet be signed
> because it is not a (delegated) zone apex

Re: [DNSOP] Error handling in CAA

2017-11-21 Thread Phillip Hallam-Baker
On Tue, Nov 21, 2017 at 3:54 PM, Viktor Dukhovni wrote:
> On Mon, Nov 20, 2017 at 01:10:43PM +, Tony Finch wrote:
>
>> Viktor's message has lots of sound advice, though I have one correction:
>>
>> > This language really should have been much more clear. In particular,
>> > the last item warr

Re: [DNSOP] Error handling in CAA

2017-11-21 Thread Viktor Dukhovni
On Mon, Nov 20, 2017 at 01:10:43PM +, Tony Finch wrote:
> Viktor's message has lots of sound advice, though I have one correction:
>
> > This language really should have been much more clear. In particular,
> > the last item warrants clarification. It is critical that the CA
> > determine t

Re: [DNSOP] Error handling in CAA

2017-11-20 Thread Tony Finch
Viktor Dukhovni wrote:
> On Fri, Nov 17, 2017 at 12:49:33PM -0800, Jacob Hoffman-Andrews wrote:

This is a topic of operational interest to me :-) I previously posted about CAA checks and private domains at:

https://lists.dns-oarc.net/pipermail/dns-operations/2017-September/016752.html

Our CA ha

Re: [DNSOP] Error handling in CAA

2017-11-18 Thread Viktor Dukhovni
On Fri, Nov 17, 2017 at 12:49:33PM -0800, Jacob Hoffman-Andrews wrote:
> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.4.pdf
>
> > CAs are permitted to treat a record lookup failure as permission to issue
> > if:
> > - the failure is outside the CA's infrastructure;
> > - the lo

Re: [DNSOP] Error handling in CAA

2017-11-18 Thread Mark Andrews
The only real way to determine if a lookup failure is internal or not is to query the authoritative servers for the zone directly. The simple fix is to charge $1000 extra if the CAA lookup fails due to the authoritative servers for the zone failing to support lookups for the CAA record or for th

[DNSOP] Error handling in CAA

2017-11-17 Thread Jacob Hoffman-Andrews
In the SPASM group, we are refining CAA (RFC 6844) based on the changes that were needed in order to get it passed at the CA/Browser Forum. There's one sticky bit in particular I'd like input on. Here's the current language in the BRs: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.