Re: [DNSOP] Error handling in CAA
Tony Finch <dot@dotat.at> Thu, 23 November 2017 13:26 UTC
Date: Thu, 23 Nov 2017 13:25:57 +0000
From: Tony Finch <dot@dotat.at>
To: dnsop WG <dnsop@ietf.org>
In-Reply-To: <20171122213011.GU3322@mournblade.imrryr.org>
Message-ID: <alpine.DEB.2.11.1711231117150.4416@grey.csi.cam.ac.uk>
References: <3e958c19-016f-b413-78c5-4fd3c7c41daa@eff.org> <20171118211000.GR3322@mournblade.imrryr.org> <alpine.DEB.2.11.1711201256440.32058@grey.csi.cam.ac.uk> <20171121205403.GT3322@mournblade.imrryr.org> <alpine.DEB.2.11.1711221205030.4416@grey.csi.cam.ac.uk> <20171122213011.GU3322@mournblade.imrryr.org>
User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rUrqal6VqEBK7N1C7wtEd0irSkY>
Subject: Re: [DNSOP] Error handling in CAA
Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:

> A private sub-domain should return NXDomain on the public side of
> the Internet,

Maaaaaybe. That (mostly) requires that DNS servers support views.

Obviously in practice, private zones and views are often used together, but DNS purists have also argued that you don't need views to have private zones (and that is how private.cam.ac.uk was set up).

But purism has disadvantages: REFUSED queries to private domains from the public Internet cause retries and traffic amplification, so there are non-CAA-related advantages to having a public NXDOMAIN view.

Even so, I know that at least one CA has received enough complaints from customers with REFUSED private domains that they have already updated their implementation to permit certificates in unresolvable zones that lack DNSSEC. It worked before CAA and I don't think there's any particular advantage to breaking it.

Tony.
-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Faeroes, Southeast Iceland: Northerly backing northwesterly gale 8 to storm 10. Very rough or high, occasionally very high in north. Squally wintry showers. Moderate or poor.
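The distinction the thread turns on is how a CA's CAA lookup treats the different DNS outcomes: NXDOMAIN (the public view has no such name) means "no CAA here, ask the parent", whereas REFUSED or SERVFAIL is a lookup failure that the CA must decide how to handle. The following is an added illustration written for this page, not code from the message or from any CA; it walks the CAA tree over a constructed in-memory zone table (`FAKE_DNS`, standing in for a resolver) and implements, as a switchable policy, the relaxation the email describes: tolerating a lookup failure only when the zone is not DNSSEC-signed. Treating a tolerated failure as an empty answer and continuing the climb to the parent is a design choice of this example, and the `dnssec_signed` flag on a mock response is a stand-in for the validation a real CA would perform on the zone's delegation chain.

```python
"""CAA tree climb with explicit error handling (constructed example, not from the page)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]   # (flags, tag, value)


@dataclass
class CaaResponse:
    rcode: str                                   # "NOERROR", "NXDOMAIN", "REFUSED", "SERVFAIL"
    records: List[CaaRecord] = field(default_factory=list)
    dnssec_signed: bool = False                  # stand-in for "zone has a validation chain"


# Constructed zone data standing in for a resolver. Names absent from the table
# answer NXDOMAIN, as a public view that simply omits the private zone would.
FAKE_DNS: Dict[str, CaaResponse] = {
    "example.":                     CaaResponse("NOERROR", [(0, "issue", "ca.example")]),
    "www.example.":                 CaaResponse("NOERROR"),
    "private.example.":             CaaResponse("REFUSED"),   # purist private zone, no public view
    "host.private.example.":        CaaResponse("REFUSED"),
    "signed.example.":              CaaResponse("NOERROR", [(0, "issue", "ca.example")], True),
    "private.signed.example.":      CaaResponse("REFUSED", dnssec_signed=True),
    "host.private.signed.example.": CaaResponse("REFUSED", dnssec_signed=True),
    "crit.example.":                CaaResponse("NOERROR", [(128, "unknown-tag", "x")]),
}


def fake_resolve(qname: str) -> CaaResponse:
    return FAKE_DNS.get(qname, CaaResponse("NXDOMAIN"))


class CaaLookupFailure(Exception):
    def __init__(self, qname: str, rcode: str, dnssec_signed: bool):
        super().__init__(f"{rcode} for {qname}")
        self.qname, self.rcode, self.dnssec_signed = qname, rcode, dnssec_signed


def relevant_caa_set(name, resolve, tolerate_unsigned_failure=False):
    """Return (owner, records) of the first non-empty CAA RRset at name or an ancestor.

    Climbs through the TLD but never queries the root. NXDOMAIN and an empty
    NOERROR continue the climb. Any other rcode raises CaaLookupFailure, unless
    tolerate_unsigned_failure is set and the zone is unsigned; in that case this
    example treats the failure as an empty answer and keeps climbing.
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        qname = ".".join(labels[i:]) + "."
        resp = resolve(qname)
        if resp.rcode == "NOERROR":
            if resp.records:
                return qname, list(resp.records)
            continue
        if resp.rcode == "NXDOMAIN":
            continue
        if tolerate_unsigned_failure and not resp.dnssec_signed:
            continue
        raise CaaLookupFailure(qname, resp.rcode, resp.dnssec_signed)
    return None, []


def issuance_permitted(name, ca_id, resolve=fake_resolve, tolerate_unsigned_failure=False):
    """Decide whether ca_id may issue a non-wildcard certificate for name."""
    try:
        owner, rrset = relevant_caa_set(name, resolve, tolerate_unsigned_failure)
    except CaaLookupFailure as e:
        return False, f"CAA lookup failed: {e}"
    # A critical flag (high bit of the flags octet) on a tag we do not understand
    # forbids issuance regardless of any issue property present.
    for flags, tag, _ in rrset:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False, f"unrecognised critical property {tag!r} at {owner}"
    issue = [value for _, tag, value in rrset if tag == "issue"]
    if not issue:
        return True, "no issue property restricts issuance"
    # An issue value is a CA domain optionally followed by ';' and parameters;
    # a bare ';' yields an empty issuer name and therefore authorises no CA.
    allowed = {v.split(";", 1)[0].strip() for v in issue}
    if ca_id in allowed:
        return True, f"{ca_id} authorised by CAA at {owner}"
    return False, f"{ca_id} not among {sorted(allowed)} at {owner}"


if __name__ == "__main__":
    for qname, tolerate in [("www.example.", False), ("host.private.example.", False),
                            ("host.private.example.", True), ("host.private.signed.example.", True)]:
        print(qname, tolerate, issuance_permitted(qname, "ca.example", tolerate_unsigned_failure=tolerate))
```

Running the block shows the two cases the email contrasts: with the strict policy, `host.private.example.` fails outright on REFUSED, while with the relaxed policy the climb proceeds to the parent's CAA and issuance is decided there; the same relaxation does not apply to the signed variant, where the failure is still fatal.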