[DNSOP] Error handling in CAA
Jacob Hoffman-Andrews <jsha@eff.org> Fri, 17 November 2017 20:49 UTC
Return-Path: <jsha@eff.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D83B12426E for <dnsop@ietfa.amsl.com>; Fri, 17 Nov 2017 12:49:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level:
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aq0G2Zja6nFL for <dnsop@ietfa.amsl.com>; Fri, 17 Nov 2017 12:49:57 -0800 (PST)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3EA31200B9 for <dnsop@ietf.org>; Fri, 17 Nov 2017 12:49:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Date:Message-ID:Subject:From:To; bh=6XNWdzplusv56wp+gXqOA1J8DTcyBwTmd/i8H598uig=; b=5AFdWiwJ9FR6Pw5AlRiAoenYiU3SlRtIps7CD7Pq45ByiGE2PqywmEhD8WMcK08cce3bcaUNnXls1KHDUiHg7PjiQMtYYi6i8vc1GO4BGlAKz1zaJW21OEpSw8ewGfyDaUTuYOrz+Tp4f2adMmNB57B6c7VAnfaOrcdHXUhtgxw=;
Received: ; Fri, 17 Nov 2017 12:49:30 -0800
To: dnsop WG <dnsop@ietf.org>, Phillip Hallam-Baker <phill@hallambaker.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <3e958c19-016f-b413-78c5-4fd3c7c41daa@eff.org>
Date: Fri, 17 Nov 2017 12:49:33 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sS7FnuQKMHTEhsrlyjnoXq2rP5o>
Subject: [DNSOP] Error handling in CAA
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Nov 2017 20:49:59 -0000
In the SPASM group, we are refining CAA (RFC 6844) based on the changes that were needed in order to get it passed at the CA/Browser Forum. There's one sticky bit in particular I'd like input on. Here's the current language in the BRs: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.4.pdf > CAs are permitted to treat a record lookup failure as permission to issue > if: > - the failure is outside the CA's infrastructure; > - the lookup has been retried at least once; and > - the domain's zone does not have a DNSSEC validation chain to the > ICANN root. It would be nice if we could provide more solid language for a future BR update, or possibly for a CAA update. The goal here is to work around the issue that a small but significant number of domains return errors when asked for CAA ((I'd guesstimate 1%?). CAs would like to be able to assume there is no CAA record present for those domains and issue anyhow. However, if you're using a standard recursive resolver inside your own infrastructure, and you get a SERVFAIL, how do you distinguish whether that was a DNSSEC validation failure or another type? I realize the extended-error draft will help enormously with that, but I'm looking for a solution that can be deployed before that is done. One idea: Run two recursive resolvers, one validating and one not. If you get an error from both, it's a network error; if you get an error from the validating one and success from the non-validating one, it's a DNSSEC error and you should refuse issuance. A second issue: How does one determine automatically whether a failure is "outside a CA's infrastructure?" This was inserted as a bit of a handwave to get the ballot passed, but it would be nice if we could formalize this concept, or declare that it's unenforceable. Thanks, Jacob
- [DNSOP] Error handling in CAA Jacob Hoffman-Andrews
- Re: [DNSOP] Error handling in CAA Mark Andrews
- Re: [DNSOP] Error handling in CAA Viktor Dukhovni
- Re: [DNSOP] Error handling in CAA Tony Finch
- Re: [DNSOP] Error handling in CAA Viktor Dukhovni
- Re: [DNSOP] Error handling in CAA Phillip Hallam-Baker
- Re: [DNSOP] Error handling in CAA Tony Finch
- Re: [DNSOP] Error handling in CAA Viktor Dukhovni
- Re: [DNSOP] Error handling in CAA Tony Finch