On Mon, Mar 13, 2017 at 02:00:40PM -0700, Jacob Hoffman-Andrews wrote:

> > by CA/B forum as a "recommendation", which meant that the constraint
> > was meaningless.  Rumour has it that CAA will soon be a requirement,
> > so I've now published CAA records.  The CAA check is/was easy to
> > make and crippling it by not making it a requirement was IMNSHO a
> > mistake.
>
> I think by this you mean that the CA/Browser Forum should have mandated
> CAA support in its Baseline Requirements, back when it first adopted CAA
> as "recommended." Is that right?

Yes.

> I think the analogous goal here is that you'd like the CA/Browser Forum
> to mandate use of a DNSSEC-validating recursive resolver during
> DNS-based validation procedures.

No, dragging the CA/B forum into this discussion (by way of analogy)
was perhaps a mistake.  What I am trying to say is that wiggle room to
not do DNSSEC ACME serves no purpose.  ACME should *require* DNSSEC
resolvers in *ACME-conformant* CAs.

> That's great! However, I don't think mandating use of a DNSSEC-validating
> resolver in the ACME spec will achieve that goal, since the CA/Browser
> Forum is not planning to mandate use of the ACME spec.

Convincing non-ACME CAs that issue DV certs to use DNSSEC for DNS
challenges is a separate issue (windmill for my Quixotic battles)
and is out of scope for this group.  So one thing at a time, I urge
the ACME WG to require DNSSEC for DNS challenges, so that security
of DNSSEC signed domains is not downgraded by ACME CAs negligently
running security-oblivious resolvers.

-- 
        Viktor.

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
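The argument above is that a CA validating a DNS-01 challenge should only trust answers that came through a DNSSEC-validating resolver, so that a signed zone is not silently downgraded to unsigned-quality evidence. The following is an added example, not code from this thread or from any ACME CA implementation, showing what that check looks like on the CA side: it parses a DNS TXT response in wire format and applies the policy that (a) a query made with CD=1 is rejected because validation was bypassed, (b) SERVFAIL is rejected because a validating resolver returns it for bogus data, and (c) a matching TXT record is accepted, with the AD flag recording whether the answer was DNSSEC-authenticated or merely came from an unsigned zone. The DNS messages, the name `_acme-challenge.example.com`, and the expected digest value are all constructed inline for the demonstration; flag semantics follow RFC 1035 and RFC 4035.

```python
"""DNS-01 challenge verification that insists on a DNSSEC-validating resolver.

Added example (not from the ACME thread or any CA's code). All DNS
messages below are constructed in-process so it runs offline.
"""
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2)
FLAG_QR = 0x8000   # response
FLAG_AD = 0x0020   # Authenticated Data: set by a validating resolver on a validated answer
FLAG_CD = 0x0010   # Checking Disabled: the querier asked the resolver NOT to validate
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2  # what a validating resolver returns for bogus (failed-validation) data
TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, no compression."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname, txt_values, *, ad=False, cd=False, rcode=RCODE_NOERROR) -> bytes:
    """Constructed sample: a minimal wire-format TXT response with the given flags."""
    flags = FLAG_QR | (FLAG_AD if ad else 0) | (FLAG_CD if cd else 0) | rcode
    answers = b""
    if rcode == RCODE_NOERROR:
        for value in txt_values:
            rdata = bytes([len(value)]) + value.encode("ascii")   # one <len><bytes> string
            answers += encode_name(qname) + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    ancount = len(txt_values) if rcode == RCODE_NOERROR else 0
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    return header + question + answers


def _skip_name(wire: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = wire[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, terminates the name
            return offset + 2
        offset += 1 + length


def parse_txt_response(wire: bytes):
    """Return (header flags, list of TXT rdata strings from the answer section)."""
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(wire, offset) + 4          # skip QTYPE + QCLASS
    txts = []
    for _ in range(ancount):
        offset = _skip_name(wire, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[offset:offset + 10])
        offset += 10
        rdata = wire[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_TXT and rclass == CLASS_IN:
            pos, parts = 0, []
            while pos < len(rdata):                     # TXT rdata = sequence of <len><bytes>
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n])
                pos += 1 + n
            txts.append(b"".join(parts).decode("ascii", "replace"))
    return flags, txts


def verify_dns01(wire: bytes, expected_digest: str):
    """Apply the CA-side policy. Returns (accepted, verdict)."""
    flags, txts = parse_txt_response(wire)
    rcode = flags & RCODE_MASK
    if flags & FLAG_CD:
        return False, "cd-set"        # validation was bypassed; evidence is worthless
    if rcode == RCODE_SERVFAIL:
        return False, "servfail"      # bogus DNSSEC data (or lookup failure): do not issue
    if rcode != RCODE_NOERROR:
        return False, "rcode"
    if expected_digest not in txts:
        return False, "mismatch"
    if flags & FLAG_AD:
        return True, "authenticated"  # signed zone, validated end to end
    return True, "insecure"           # unsigned zone: accepted, but only transport-level trust


if __name__ == "__main__":
    name = "_acme-challenge.example.com"          # constructed
    digest = "constructed-key-authorization-digest"  # stands in for the DNS-01 value
    cases = {
        "signed, validated": build_response(name, [digest], ad=True),
        "unsigned zone": build_response(name, [digest]),
        "bogus (SERVFAIL)": build_response(name, [digest], rcode=RCODE_SERVFAIL),
        "queried with CD=1": build_response(name, [digest], cd=True),
        "wrong token": build_response(name, ["other-value"], ad=True),
    }
    for label, wire in cases.items():
        print(f"{label:20s} -> {verify_dns01(wire, digest)}")
```

The AD flag is only meaningful when the resolver is local or the path to it is protected, since a plain UDP response's header bits can be rewritten in transit; the point of the check is that a validating resolver turns a bogus signed zone into SERVFAIL, which the CA then treats as a failed challenge rather than as an unsigned zone.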
