Re: [DNSOP] Error handling in CAA

Viktor Dukhovni <> Tue, 21 November 2017 20:54 UTC

Date: Tue, 21 Nov 2017 20:54:04 +0000
From: Viktor Dukhovni <>
To: dnsop WG <>

On Mon, Nov 20, 2017 at 01:10:43PM +0000, Tony Finch wrote:

> Viktor's message has lots of sound advice, though I have one correction:
> > This language really should have been much more clear.  In particular,
> > the last item warrants clarification.  It is critical that the CA
> > determine the lack of a validation chain in a robust manner.  The
> > simplest approach:
> >
> >     * Request the SOA record of the domain.  If this lookup fails,
> >       (ServFail, Timeout, ...) stop, the domain's DNSSEC status is
> >       unknown.
> No, you need to lookup the domain's DS records to determine its DNSSEC
> status.

Actually, I chose my recommendation of SOA lookup after some thought
and with care.  A domain may have no DS records, and yet be signed
because it is not a (delegated) zone apex domain.  Furthermore, an
SOA query elicits data from the domain itself, not the parent, and
thus ensures that any published DS records up the tree yield working
signatures for records in the zone containing the domain.

If the SOA lookup fails, then the domain is severely broken beyond
just "stoopid" blocking of CAA and other "novel" RRtypes, and so
there is no reason for the CA to be "forgiving" of such errors.
(Not that I have much sympathy for domains where CAA lookups fail
but other lookups do not, they really should feel some pain to fix
their DNS).

So I stand by the advice to issue "SOA" queries, they are far
simpler to implement correctly (without having to chase DS records
up the tree, cross check them against NS records, ...) and they
yield more useful information, namely whether:

    * A domain has working "insecure" DNS
    * A domain has working "secure" DNS
    * A domain is broken, and needs attention before CAA status
      can be determined or ignored.
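Added example (not code from this thread or from any CA's implementation): the SOA-based check Viktor describes, written as a classification routine, plus the way a CA could use its result when a CAA lookup has failed. The resolver is a constructed stand-in so the logic runs offline; the rcode and AD bit are what a real validating resolver would return. The "insecure" branch, where a failed CAA lookup on an unsigned domain is treated as no CAA records, is an assumption following the allowance in RFC 6844 that the thread is discussing, and the outcome strings are my own names.

```python
"""DNSSEC status via an SOA lookup, and CAA-failure handling built on it.

Editor's example, not code from the thread.  SimResolver is a constructed
stand-in for a *validating* recursive resolver: status is read from the rcode
and the AD bit of the SOA reply, never from DS records, so a signed name below
a zone apex (which has no DS of its own) is still classified as secure.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class DnssecStatus(Enum):
    SECURE = "secure"      # SOA answered with AD=1: working "secure" DNS
    INSECURE = "insecure"  # SOA answered with AD=0: working "insecure" DNS
    BROKEN = "broken"      # SERVFAIL, timeout, NXDOMAIN, ...: status unknown


@dataclass(frozen=True)
class Response:
    # "NOERROR", "SERVFAIL", "NXDOMAIN", ...; None models a timeout.
    rcode: Optional[str]
    # Authenticated Data bit as set by a validating resolver.
    ad: bool = False


class SimResolver:
    """Constructed lookup table keyed by (owner name, RRtype).

    Any (name, type) pair not in the table behaves as a timeout, which is
    the kind of failure a CA must treat as "status unknown".
    """

    def __init__(self, table: Dict[Tuple[str, str], Response]) -> None:
        self.table = {(n.lower(), t.upper()): r for (n, t), r in table.items()}

    def query(self, name: str, rrtype: str) -> Response:
        return self.table.get((name.lower(), rrtype.upper()), Response(rcode=None))


def dnssec_status(resolver: SimResolver, name: str) -> DnssecStatus:
    """The SOA probe from the thread: one query, no DS chasing."""
    soa = resolver.query(name, "SOA")
    if soa.rcode != "NOERROR":
        # SERVFAIL, timeout, NXDOMAIN, REFUSED, ...: the domain is broken
        # (or absent) beyond mere CAA blocking; do not guess its status.
        return DnssecStatus.BROKEN
    return DnssecStatus.SECURE if soa.ad else DnssecStatus.INSECURE


def caa_outcome(resolver: SimResolver, name: str) -> str:
    """How a CA should treat the CAA lookup for `name`.

    Returns one of (names are this example's own):
      "caa-evaluated"         CAA lookup succeeded; apply normal CAA processing
      "stop-status-unknown"   CAA failed and SOA failed too; do not proceed
      "caa-failure-fatal"     CAA failed on a securely-resolving domain
      "caa-treated-as-absent" CAA failed on an insecure (unsigned) domain;
                              treated as no CAA records (assumption, per the
                              RFC 6844 allowance under discussion)
    """
    caa = resolver.query(name, "CAA")
    if caa.rcode == "NOERROR":
        return "caa-evaluated"
    status = dnssec_status(resolver, name)
    if status is DnssecStatus.BROKEN:
        return "stop-status-unknown"
    if status is DnssecStatus.SECURE:
        return "caa-failure-fatal"
    return "caa-treated-as-absent"


# Constructed scenarios (no real domains).
SIGNED_BLOCKS_CAA = SimResolver({
    ("www.example-signed.test", "SOA"): Response("NOERROR", ad=True),
    ("www.example-signed.test", "CAA"): Response("SERVFAIL"),
})
UNSIGNED_BLOCKS_CAA = SimResolver({
    ("www.example-unsigned.test", "SOA"): Response("NOERROR", ad=False),
    ("www.example-unsigned.test", "CAA"): Response("SERVFAIL"),
})
EVERYTHING_BROKEN = SimResolver({
    ("www.example-dead.test", "CAA"): Response("SERVFAIL"),
    # no SOA entry: the SOA query times out
})
HEALTHY = SimResolver({
    ("www.example-ok.test", "SOA"): Response("NOERROR", ad=True),
    ("www.example-ok.test", "CAA"): Response("NOERROR", ad=True),
})

if __name__ == "__main__":
    for res, name in [(SIGNED_BLOCKS_CAA, "www.example-signed.test"),
                      (UNSIGNED_BLOCKS_CAA, "www.example-unsigned.test"),
                      (EVERYTHING_BROKEN, "www.example-dead.test"),
                      (HEALTHY, "www.example-ok.test")]:
        print(name, dnssec_status(res, name).value, caa_outcome(res, name))
```

The point of reading only the SOA reply is the one made above: the probe asks the zone containing the domain, so it exercises the whole chain of DS records above it, and a name that is not a zone apex needs no DS of its own to come back as secure.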