> Certificate 3 contains a single DNS identifier for
> refused.caatestsuite-dnssec.com
> Attempts to query the CAA record for this DNS name result in a REFUSED DNS
> response.  Since there is a DNSSEC validation chain from this zone to the
> ICANN root, CAs are not permitted to treat the lookup failure as permission
> to issue.
>
>
> Certificate 4 contains a single DNS identifier for
> missing.caatestsuite-dnssec.com.
> This DNS name has no CAA records, but the zone is missing RRSIG records.
> Since there is a DNSSEC validation chain from this zone to the ICANN root,
> the DNS lookup should fail and this failure cannot be treated by the CA as
> permission to issue.
>
> Certificate 6 contains a single DNS identifier for
> blackhole.caatestsuite-dnssec.com.  All DNS requests for this DNS name will be dropped, causing a lookup
> failure.  Since there is a DNSSEC validation chain from this zone to the
> ICANN root, CAs are not permitted to treat the lookup failure as permission
> to issue.

Based on my own queries, I do not believe the statement that there is
"a DNSSEC validation chain from this zone to the ICANN root" is
correct for these.

All of these names have NS records in the parent zone, indicating they
are zones themselves:

refused.caatestsuite-dnssec.com. 60 IN NS nsrefused.caatestsuite-dnssec.com.
blackhole.caatestsuite-dnssec.com. 60 IN NS nsblackhole.caatestsuite-dnssec.com.
missing.caatestsuite-dnssec.com. 60 IN NS ns0.caatestsuite-dnssec.com.
missing.caatestsuite-dnssec.com. 60 IN NS ns1.caatestsuite-dnssec.com.

In all three of these cases, the "domain's zone does not have a DNSSEC
validation chain to the ICANN root" -- I requested SOA, DNSKEY, NS,
and CAA records types for each zone and in no case did I get a
response that had a valid DNSSEC chain to the ICANN root.

This leads me to believe these tests are incorrect and I agree with
Jeremy's conclusion for these.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
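As an added illustration that is not part of the thread: the Baseline Requirements 3.2.2.8 lookup-failure rule that the quoted test descriptions rely on, modelled in Python for the three test names under both the test suite's claim (a DNSSEC chain to the ICANN root exists) and the observation in the reply (no such chain). The class, function and outcome names are my own, no live DNS query is made, and matching of returned issue/issuewild records is deliberately left out.

```python
from dataclasses import dataclass
from enum import Enum


class Lookup(Enum):
    NOERROR = "noerror"  # a response arrived (the answer may be empty)
    REFUSED = "refused"  # RCODE REFUSED: the refused.* case
    BOGUS = "bogus"      # DNSSEC validation failed, e.g. no RRSIG: the missing.* case
    TIMEOUT = "timeout"  # every query dropped: the blackhole.* case


@dataclass(frozen=True)
class CaaCheck:
    name: str
    outcome: Lookup
    dnssec_chain: bool             # zone has a DNSSEC validation chain to the ICANN root
    retried: bool = True           # the lookup was retried at least once
    outside_ca_infra: bool = True  # the failure is not inside the CA's own infrastructure


def failure_permits_issuance(check: CaaCheck) -> bool:
    """BR 3.2.2.8: a lookup failure may be treated as permission to issue only
    when all three conditions hold; a signed zone fails the third one."""
    return check.outside_ca_infra and check.retried and not check.dnssec_chain


def may_issue(check: CaaCheck) -> bool:
    """Verdict for the lookup-failure branch; a NOERROR answer with no CAA
    records (what these names return when reachable) imposes no restriction."""
    if check.outcome is not Lookup.NOERROR:
        return failure_permits_issuance(check)
    return True


def verdicts(dnssec_chain: bool) -> dict:
    """Evaluate the three constructed test names under one assumption about the
    zone's DNSSEC status; missing RRSIGs only fail validation in a signed zone."""
    missing = Lookup.BOGUS if dnssec_chain else Lookup.NOERROR
    cases = [
        CaaCheck("refused.caatestsuite-dnssec.com", Lookup.REFUSED, dnssec_chain),
        CaaCheck("missing.caatestsuite-dnssec.com", missing, dnssec_chain),
        CaaCheck("blackhole.caatestsuite-dnssec.com", Lookup.TIMEOUT, dnssec_chain),
    ]
    return {c.name: may_issue(c) for c in cases}


if __name__ == "__main__":
    print("test suite's claim (signed zone):", verdicts(True))
    print("reply's observation (no chain):  ", verdicts(False))
```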
