Re: [DNSOP] Error handling in CAA

Tony Finch <dot@dotat.at> Thu, 23 November 2017 13:26 UTC

Date: Thu, 23 Nov 2017 13:25:57 +0000
From: Tony Finch <dot@dotat.at>
To: dnsop WG <dnsop@ietf.org>
In-Reply-To: <20171122213011.GU3322@mournblade.imrryr.org>
Message-ID: <alpine.DEB.2.11.1711231117150.4416@grey.csi.cam.ac.uk>
References: <3e958c19-016f-b413-78c5-4fd3c7c41daa@eff.org> <20171118211000.GR3322@mournblade.imrryr.org> <alpine.DEB.2.11.1711201256440.32058@grey.csi.cam.ac.uk> <20171121205403.GT3322@mournblade.imrryr.org> <alpine.DEB.2.11.1711221205030.4416@grey.csi.cam.ac.uk> <20171122213011.GU3322@mournblade.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rUrqal6VqEBK7N1C7wtEd0irSkY>
Subject: Re: [DNSOP] Error handling in CAA

Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:

> A private sub-domain should return NXDomain on the public side of
> the Internet,

Maaaaaybe. That (mostly) requires that DNS servers support views.

Obviously in practice, private zones and views are often used together,
but DNS purists have also argued that you don't need views to have
private zones (and that is how private.cam.ac.uk was set up).

But purism has disadvantages: REFUSED queries to private domains from the
public Internet cause retries and traffic amplification so there are
non-CAA-related advantages to having a public NXDOMAIN view.

Even so, I know that at least one CA has received enough complaints from
customers with REFUSED private domains that they have already updated
their implementation to permit certificates in unresolvable zones that
lack DNSSEC. It worked before CAA and I don't think there's any particular
advantage to breaking it.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Faeroes, Southeast Iceland: Northerly backing northwesterly gale 8 to storm
10. Very rough or high, occasionally very high in north. Squally wintry
showers. Moderate or poor.
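The CA behaviour Tony describes (a refused or failing lookup at a name that is not under a DNSSEC-signed zone is treated like an empty CAA set and the climb continues, while the same failure under a signed zone blocks issuance) as a worked example. This is added code, not code from Tony Finch, the DNSOP WG, or any CA. The resolver answers, the SIGNED_ZONES set and names such as ca.example are constructed for illustration; a real CA would learn the signed/unsigned state from the parent's DS RRset and from a validating resolver rather than from a static set.

```python
"""CAA tree climb with lenient error handling for unsigned, unresolvable names.

Added example; the fake resolver, its answers and SIGNED_ZONES are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterator

@dataclass
class Response:
    """Minimal stand-in for a DNS answer: an rcode and any CAA records."""
    rcode: str                                   # NOERROR, NXDOMAIN, REFUSED, SERVFAIL
    records: list = field(default_factory=list)  # CAA RRs as (flags, tag, value)

# Constructed answers for the fake resolver (not real zones). Anything absent
# here answers NXDOMAIN, as a public NXDOMAIN view for a private zone would.
FAKE_ANSWERS = {
    "example.com.": Response("NOERROR", [(0, "issue", "ca.example")]),
    "www.example.com.": Response("NOERROR"),           # name exists, no CAA set
    "private.example.com.": Response("REFUSED"),       # private sub-domain, no view
    "host.private.example.com.": Response("REFUSED"),
    "signed.example.org.": Response("NOERROR", [(0, "issue", "ca.example")]),
    "private.signed.example.org.": Response("REFUSED"),
    "host.private.signed.example.org.": Response("REFUSED"),
}

# Assumption: zones whose parent publishes a DS record (DNSSEC-signed). A CA
# would query the parent for DS; here it is a constructed set.
SIGNED_ZONES = {"signed.example.org."}

def fake_resolve(name: str) -> Response:
    """Stand-in for a resolver query; unknown names get NXDOMAIN."""
    return FAKE_ANSWERS.get(name, Response("NXDOMAIN"))

def ancestors(name: str) -> Iterator[str]:
    """Yield the name, then each parent up to the TLD (the RFC 6844 climb)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."

def under_signed_zone(name: str, signed_zones: set) -> bool:
    """True if name lies at or below a zone the parent delegates with DS."""
    return any(name == z or name.endswith("." + z) for z in signed_zones)

def caa_lookup(name: str, resolve: Callable[[str], Response] = fake_resolve,
               signed_zones: set = SIGNED_ZONES, lenient: bool = True):
    """Find the relevant CAA RRset for name.

    Returns ("ok", records, owner) when a decision can be made, where owner is
    the name whose CAA set applies (None if no CAA anywhere), or
    ("error", rcode, owner) when a lookup failure must block issuance.
    With lenient=True, REFUSED/SERVFAIL at a name outside any signed zone is
    treated as an empty CAA set and the climb continues.
    """
    for owner in ancestors(name):
        r = resolve(owner)
        if r.rcode == "NOERROR":
            if r.records:
                return ("ok", r.records, owner)
            continue                      # exists but no CAA: keep climbing
        if r.rcode == "NXDOMAIN":
            continue                      # no such name: keep climbing
        # REFUSED or SERVFAIL: lenient only where DNSSEC cannot be expected
        if lenient and not under_signed_zone(owner, signed_zones):
            continue
        return ("error", r.rcode, owner)
    return ("ok", [], None)

def issuance_permitted(records: list, ca_domain: str) -> bool:
    """Apply the 'issue' property: no issue records permits any CA; otherwise
    the CA's domain must appear. An unknown tag with the critical flag (bit
    value 128) set forbids issuance."""
    for flags, tag, _ in records:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False
    issue = [value for _, tag, value in records if tag == "issue"]
    if not issue:
        return True
    return any(value.split(";", 1)[0].strip() == ca_domain for value in issue)

if __name__ == "__main__":
    for n in ("host.private.example.com.", "host.private.signed.example.org."):
        status, detail, owner = caa_lookup(n)
        print(n, "->", status, detail, "at", owner)
        if status == "ok":
            print("  ca.example may issue:", issuance_permitted(detail, "ca.example"))
```

The lenient path does not discard the parent's policy: the refused private labels are skipped, but the climb still reaches example.com. and its "issue ca.example" record governs, so a CA that adopts this policy is still bound by whatever CAA the public parent publishes. Switching lenient to False gives the strict reading under which any REFUSED answer blocks issuance, which is the behaviour that produced the customer complaints Tony mentions.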