On 11/09/17 22:28, Jeremy Rowley wrote:
> I would support that. I can't recall why it's in there.

As the drafter of the section :-), my intent was to make it so that if a site owner were concerned about the possibility that their CAA record or DNS could be spoofed, they could use DNSSEC to solve the problem.

I agree that there is an implicit assumption in this requirement, that it is possible to efficiently determine the presence or absence of what we might call "attempted DNSSEC" for a particular domain. (That's not the same thing as "correct, valid, properly-signed, whatever DNSSEC".) If that assumption is not true, we may have to reconsider.

I also seem to recall that the intent was not to require that CAs do proper DNSSEC lookups for all CAA requests as long as they were happy to fail closed in the presence of DNSSEC. This again has the above implicit assumption baked into it.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

