> On Sep 9, 2017, at 06:19, Peter Bowen via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> In all three of these cases, the "domain's zone does not have a DNSSEC
> validation chain to the ICANN root" -- I requested SOA, DNSKEY, NS,
> and CAA record types for each zone and in no case did I get a
> response that had a valid DNSSEC chain to the ICANN root.
This comes down to what exactly "does not have a valid DNSSEC chain" means. I had assumed that, given the reference to DNSSEC in the BRs, the relevant DNSSEC RFCs were incorporated by reference via RFC 6844 and that DNSSEC validation is required. However, this is not entirely the case: using DNSSEC for CAA lookups is only RECOMMENDED in section 4.1 and explicitly "not required." Which means this is all pretty pointless. The existence or non-existence of DNSSEC records doesn't matter if there is no requirement to use them.

Given this context, I think that your interpretation of this clause is not problematic, since there is no requirement anywhere to use DNSSEC.

I think this should probably be taken to the CAB Forum for a ballot to either:

1) purge this reference to DNSSEC from the BRs, making it entirely optional instead of just having this pointless check; or

2) add a requirement to the BRs that DNSSEC validation be used from the ICANN root for CAA lookups, and then tweak the relevant clause to only allow lookup failures if there is a valid non-existence proof of DNSSEC records in the chain that allows an insecure lookup.

None of my comments in this thread should be interpreted as support for DNSSEC :)

Jonathan
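To make the difference between the two ballot options concrete, here is an added example (not code from this thread, Peter, Jonathan or the CAB Forum) that models a CAA lookup climbing from the requested name toward the TLD, as RFC 6844 section 4 describes, and then applies either policy to a lookup failure. The resolver is a constructed dictionary standing in for a validating resolver, the four DNSSEC states (secure, proven-insecure, bogus, unknown), the `.example` names and the CA identifiers are all constructed, and the real BR clause's retry and "failure outside the CA's infrastructure" conditions are omitted. CNAME/DNAME following from RFC 6844 is also left out to keep the walk short.

```python
"""Model of a CAA tree walk (RFC 6844 section 4, CNAME/DNAME omitted) and of how a
DNSSEC-related lookup failure is treated under two policies:

  require_dnssec=False : DNSSEC optional; a lookup failure is tolerated (current reading
                         of the clause, since nothing obliges the CA to validate).
  require_dnssec=True  : DNSSEC validation required; a lookup failure is tolerated only
                         when the resolver proved the delegation is unsigned.

Added example with a constructed resolver table; not a real DNS client.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed DNSSEC validation states as a validating resolver would report them.
SECURE = "secure"             # RRset validated up to the ICANN root (AD bit set)
INSECURE_PROVEN = "insecure"  # validated NSEC/NSEC3 proof that the delegation has no DS
BOGUS = "bogus"               # signatures present but validation failed
UNKNOWN = "unknown"           # no validation performed, or query failed without any proof


@dataclass
class CaaResponse:
    """One CAA answer from the constructed resolver."""
    ok: bool                                        # False = lookup failure (SERVFAIL/timeout)
    dnssec: str = UNKNOWN
    issue: List[str] = field(default_factory=list)  # CAA 'issue' tag values, if any


def parent_chain(name: str) -> List[str]:
    """www.signed.example -> [www.signed.example, signed.example, example]."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def caa_lookup(name: str, resolver: Dict[str, CaaResponse]) -> Tuple[Optional[str], Optional[CaaResponse]]:
    """Climb toward the TLD; stop at the first CAA RRset or the first lookup failure."""
    for candidate in parent_chain(name):
        resp = resolver.get(candidate)
        if resp is None:
            continue  # constructed convention: absent from the table == NODATA, keep climbing
        if not resp.ok or resp.issue:
            return candidate, resp
    return None, None  # no CAA anywhere on the path: issuance is unrestricted


def may_issue(name: str, ca: str, resolver: Dict[str, CaaResponse], require_dnssec: bool) -> Tuple[bool, str]:
    """Decide whether CA `ca` may issue for `name`, with the reason for the decision."""
    zone, resp = caa_lookup(name, resolver)
    if resp is None:
        return True, "no CAA records found at any level"
    if resp.ok:
        allowed = ca in resp.issue
        return allowed, f"CAA at {zone} {'permits' if allowed else 'forbids'} {ca}"
    # Lookup failure: this is where the two ballot options differ.
    if not require_dnssec:
        return True, f"lookup failure at {zone} treated as permission (DNSSEC not required)"
    if resp.dnssec == INSECURE_PROVEN:
        return True, f"lookup failure at {zone} tolerated: delegation proven unsigned"
    return False, f"lookup failure at {zone} not tolerated: validation state is {resp.dnssec}"


# Constructed resolver table standing in for live DNS answers.
RESOLVER: Dict[str, CaaResponse] = {
    "signed.example": CaaResponse(ok=True, dnssec=SECURE, issue=["good-ca.example"]),
    "unsigned.example": CaaResponse(ok=False, dnssec=INSECURE_PROVEN),  # timed out, but proven unsigned
    "broken.example": CaaResponse(ok=False, dnssec=BOGUS),              # signatures that fail to validate
    "timeout.example": CaaResponse(ok=False, dnssec=UNKNOWN),           # plain failure, no proof either way
}

if __name__ == "__main__":
    for host in ("www.signed.example", "unsigned.example", "broken.example", "timeout.example", "nocaa.example"):
        for policy in (False, True):
            ok, why = may_issue(host, "good-ca.example", RESOLVER, require_dnssec=policy)
            print(f"{host:22} require_dnssec={policy!s:5} -> {'ISSUE' if ok else 'REFUSE'}: {why}")
```

The point the model makes is the one in the message above: with `require_dnssec=False`, `broken.example` and `timeout.example` are indistinguishable and both end in issuance, so the "no validation chain" condition adds nothing. With `require_dnssec=True`, only the zone whose delegation was proven unsigned gets the benefit of the doubt; a bogus chain or an unexplained failure blocks issuance until the lookup succeeds.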