Re: [DNSOP] Error handling in CAA
Tony Finch <dot@dotat.at> Mon, 20 November 2017 13:10 UTC
Date: Mon, 20 Nov 2017 13:10:43 +0000
From: Tony Finch <dot@dotat.at>
To: Jacob Hoffman-Andrews <jsha@eff.org>, dnsop WG <dnsop@ietf.org>
In-Reply-To: <20171118211000.GR3322@mournblade.imrryr.org>
Message-ID: <alpine.DEB.2.11.1711201256440.32058@grey.csi.cam.ac.uk>
References: <3e958c19-016f-b413-78c5-4fd3c7c41daa@eff.org> <20171118211000.GR3322@mournblade.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Oh9sjjUGqHHcy4IP8tZ0c0x2bFY>
Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> On Fri, Nov 17, 2017 at 12:49:33PM -0800, Jacob Hoffman-Andrews wrote:

This is a topic of operational interest to me :-)

I previously posted about CAA checks and private domains at:
https://lists.dns-oarc.net/pipermail/dns-operations/2017-September/016752.html

Our CA has updated their implementation to issue certs if (I am told) "a
lookup error is returned (like a SERVFAIL from an internal DNS server) AND
the domain does not have a valid DNSSEC signature (or a parent domain does
not have valid DNSSEC)."

I hope that by "valid DNSSEC signature" they actually mean signed DS RRset,
but I have not tested their new behaviour.

We have worked around this problem by making a public empty view for our
private subdomain, so the fix comes a bit too late to help us. (And it
turns out there are other advantages to our workaround.)

The other entertaining CAA checking bug was due to checkers getting in
loops when CNAMEs closer to the root point at subdomains of themselves -
https://twitter.com/fanf/status/915936787171807237

Viktor's message has lots of sound advice, though I have one correction:

> This language really should have been much more clear. In particular,
> the last item warrants clarification. It is critical that the CA
> determine the lack of a validation chain in a robust manner. The
> simplest approach:
>
> * Request the SOA record of the domain. If this lookup fails,
> (ServFail, Timeout, ...) stop, the domain's DNSSEC status is
> unknown.

No, you need to look up the domain's DS records to determine its DNSSEC
status.

Apart from that I agree with Viktor's points.

Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Fair Isle, Faeroes: Northeast veering east 4 or 5, occasionally 6 later.
Moderate or rough. Wintry showers, rain later. Good occasionally poor.
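The two points in the message above (treat a lookup error as "no CAA" only when the failing name is unsigned, with "unsigned" established from DS records on the delegation chain rather than from an SOA query; and make the RFC 6844 CAA climb terminate when an alias points back into its own subtree) can be shown in a small model. The Python below is an added example written for this archive page; it is not code from the thread, from Tony's CA or from any CA. Every zone, record and resolver answer is constructed in memory so it runs offline, and the names `Zone`, `FakeResolver`, `relevant_caa_set`, `dnssec_status` and `caa_permits` are the example's own. The "DS" rdata is a placeholder standing in for a real DS RRset.

```python
"""Toy CA-side CAA check: RFC 6844 section 4 climb with cycle protection, and a
lookup-error policy decided by DS records on the delegation chain.
All zones and answers below are constructed for the example (not real DNS)."""
from dataclasses import dataclass, field

NOERROR, SERVFAIL = "NOERROR", "SERVFAIL"


@dataclass
class Zone:
    name: str                                    # zone apex, e.g. "example.com"
    has_ds: bool                                 # parent publishes a DS RRset
    records: dict = field(default_factory=dict)  # (owner, rrtype) -> [rdata]
    broken: bool = False                         # every query into it fails


class FakeResolver:
    """Answers from constructed zones; NS/DS at an apex come from the parent side."""

    def __init__(self, zones):
        self.zones = {z.name: z for z in zones}

    def _enclosing(self, name):
        labels = name.split(".")
        for i in range(len(labels)):             # longest matching zone name
            if ".".join(labels[i:]) in self.zones:
                return self.zones[".".join(labels[i:])]
        return None                              # nothing below the root here

    def query(self, name, rtype):
        z = self._enclosing(name)
        if z is not None and z.name == name and rtype in ("NS", "DS"):
            parent = self._enclosing(name.split(".", 1)[1]) if "." in name else None
            if parent is not None and parent.broken:
                return SERVFAIL, []
            if rtype == "NS":
                return NOERROR, ["ns." + name]
            return NOERROR, (["DS"] if z.has_ds else [])   # root acts as trust anchor
        if z is None:
            return NOERROR, []
        if z.broken:
            return SERVFAIL, []
        return NOERROR, list(z.records.get((name, rtype), []))


class LookupFailure(Exception):
    def __init__(self, name):
        super().__init__(name)
        self.name = name                         # name whose lookup failed


def relevant_caa_set(resolver, domain, visited=None):
    """R(X) from RFC 6844 section 4; `visited` breaks the alias cycle Tony describes."""
    visited = set() if visited is None else visited
    if domain in visited:
        return []                                # already climbing through here: no CAA
    visited.add(domain)
    rcode, caa = resolver.query(domain, "CAA")
    if rcode != NOERROR:
        raise LookupFailure(domain)
    if caa:
        return caa
    rcode, aliases = resolver.query(domain, "CNAME")
    if rcode != NOERROR:
        raise LookupFailure(domain)
    if aliases and relevant_caa_set(resolver, aliases[0], visited):
        return relevant_caa_set(resolver, aliases[0], set(visited))
    return relevant_caa_set(resolver, domain.split(".", 1)[1], visited) if "." in domain else []


def dnssec_status(resolver, name):
    """Walk the delegation chain from the TLD down to `name`, requiring a DS RRset at
    every zone cut (cuts found via NS). Any SERVFAIL on the way leaves it 'unknown'."""
    labels = name.split(".")
    for i in range(len(labels) - 1, -1, -1):
        cut = ".".join(labels[i:])
        rcode, ns = resolver.query(cut, "NS")
        if rcode != NOERROR:
            return "unknown"
        if not ns:
            continue                             # not a zone cut
        rcode, ds = resolver.query(cut, "DS")
        if rcode != NOERROR:
            return "unknown"
        if not ds:
            return "insecure"                    # unsigned delegation breaks the chain
    return "secure"


def caa_permits(resolver, domain, ca_domain):
    """(permitted, reason) for ca_domain issuing for domain, with the CA policy
    quoted in the message: fail open on a lookup error only if the name is unsigned."""
    try:
        rrset = relevant_caa_set(resolver, domain)
    except LookupFailure as e:
        status = dnssec_status(resolver, e.name)
        if status == "insecure":
            return True, "lookup failed at %s, which is unsigned: treated as no CAA" % e.name
        return False, "lookup failed at %s and its DNSSEC status is %s: fail closed" % (e.name, status)
    issue = [rd for rd in rrset if rd[1] == "issue"]
    if not issue:
        return True, "no CAA issue records: any CA may issue"
    allowed = {rd[2].split(";", 1)[0].strip() for rd in issue}
    return ca_domain in allowed, "CAA issue set is %s" % sorted(allowed)


ZONES = [  # constructed sample data
    Zone("com", has_ds=True), Zone("org", has_ds=True), Zone("net", has_ds=True),
    Zone("example.com", has_ds=False,
         records={("example.com", "CAA"): [(0, "issue", "letsencrypt.org")]}),
    Zone("private.example.com", has_ds=False, broken=True),   # internal-only server
    Zone("signed.org", has_ds=True, broken=True),             # signed but unreachable
    Zone("loop.net", has_ds=False,
         records={("loop.net", "CNAME"): ["a.loop.net"]}),    # alias into own subtree
]
RESOLVER = FakeResolver(ZONES)

if __name__ == "__main__":
    for dom, ca in [("www.example.com", "letsencrypt.org"), ("www.example.com", "other-ca.example"),
                    ("private.example.com", "letsencrypt.org"), ("signed.org", "letsencrypt.org"),
                    ("www.loop.net", "letsencrypt.org")]:
        print(dom, ca, caa_permits(RESOLVER, dom, ca))
```

The `private.example.com` scenario is the one from the dns-operations post: the public view SERVFAILs, the chain from `com` shows no DS for `example.com`, so the CA's policy treats the error as "no CAA" and issues. The `signed.org` scenario shows why the status must come from DS and not SOA: the zone's own servers are unreachable, so an SOA query could only report "unknown", but the DS RRset in `org` still proves the zone is signed and the check fails closed. `www.loop.net` reproduces the apex-CNAME-into-subdomain case; without the `visited` set the climb would recurse forever. Finding zone cuts with NS queries is a simplification of what a validating resolver does, and RFC 8659 later changed how CAA handles CNAMEs.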