On Monday, 11 September 2017 18:33:24 UTC+1, Jeremy Rowley wrote:
> That's the entire corpus of information related to DNSSEC in the BRs. Under 4
> and 5, we successfully returned a DNS record. The lookup didn't fail so the
> sentence "the domain's zone does not have a DNSSEC validation chain to the
> ICANN root" doesn't apply. There is no need to check the DNSSEC validation
> chain in this case.
Mmm. So your belief is that you're not actually required to do DNSSEC here at all? If Honest Achmed is asked to issue for example.com, he can do a plain (non-DNSSEC) lookup, receive a spoofed "0 answers" for CAA on example.com, and issue on that basis, never needing to investigate whether example.com has DNSSEC enabled (it does), let alone whether the CAA response was properly signed?

I guess if that's the common interpretation of this document at least it'd be good to understand which CAs are vulnerable in this way. Of course, even if you know this it's pointless to exclude them using CAA, they'll accept a spoofed answer...

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
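The failure mode the reply describes, as an added example that is not part of the original thread or any CA's code: a CAA decision routine over constructed replies that refuses to treat an unauthenticated "0 answers" reply for a DNSSEC-signed zone as permission to issue. The `CaaReply` type, its `authenticated` and `zone_signed` fields (assumed to come from the CA's validating resolver) and the CA identifier `ca-a.example` are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CaaReply:
    """Constructed reply to one CAA query (sample data, not a real lookup)."""
    records: Optional[list]  # (tag, value) pairs; [] = '0 answers'; None = lookup failed
    authenticated: bool      # AD bit set by a validating resolver (RFC 4035)
    zone_signed: bool        # zone has a DNSSEC chain to the ICANN root

def caa_permits(replies, fqdn, ca_id):
    """Return (permitted, reason) for ca_id issuing for fqdn.

    replies maps each name on the climb (fqdn, parent, ...) to a CaaReply;
    the climb stops at the first name holding CAA records (RFC 8659).
    A reply for a signed zone counts only if the resolver authenticated it;
    a failed lookup is tolerated only for an unsigned zone (the BR rule
    discussed in the thread).
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        reply = replies.get(name)
        if reply is None:
            return False, f"no reply recorded for {name}; cannot confirm CAA"
        if reply.records is None:  # the lookup itself failed
            if reply.zone_signed:
                return False, f"lookup failed for signed zone {name}"
            continue  # unsigned zone: keep climbing, no policy seen here
        if reply.zone_signed and not reply.authenticated:
            # A spoofed "0 answers" for a signed zone is caught here.
            return False, f"unauthenticated reply for signed zone {name}"
        if reply.records:
            issue = [v for t, v in reply.records if t == "issue"]
            if not issue:
                return True, f"CAA at {name} sets no issue restriction"
            if ca_id in {v.split(";")[0].strip() for v in issue}:
                return True, f"CAA at {name} names {ca_id}"
            return False, f"CAA at {name} does not name {ca_id}"
    return True, "no CAA records found on the climb to the root"

# Constructed replies: all zones signed; in SPOOFED the example.com
# "0 answers" reply arrives without the AD bit, as a spoofed answer would.
_OK = dict(authenticated=True, zone_signed=True)
SPOOFED = {"www.example.com": CaaReply([], **_OK),
           "example.com": CaaReply([], authenticated=False, zone_signed=True),
           "com": CaaReply([], **_OK)}
GENUINE = {"www.example.com": CaaReply([], **_OK),
           "example.com": CaaReply([("issue", "ca-a.example")], **_OK),
           "com": CaaReply([], **_OK)}
```

`caa_permits(SPOOFED, "www.example.com", "ca-a.example")` refuses with "unauthenticated reply for signed zone example.com", while the same query against `GENUINE` is permitted because the authenticated CAA record names the CA.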