On Mon, Feb 8, 2021 at 1:40 PM Andrew Ayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> The BRs permit CAs to bypass CAA checking for a domain if "the CA or
> an Affiliate of the CA is the DNS Operator (as defined in RFC 7719)
> of the domain's DNS."
>
> Much like the forbidden "any other method" of domain validation, the DNS
> operator exception is perilously under-specified. It doesn't say how
> to determine who the DNS operator of a domain is, when to check, or for
> how long this information can be cached. Since the source of truth for a
> domain's DNS operator is the NS record in the parent zone, I believe the
> correct answer is to check at issuance time by doing a recursive lookup
> from the root zone until the relevant NS record is found, and caching
> for no longer than the NS record's TTL. Unfortunately, resolvers do
> not typically provide an implementation of this algorithm, so CAs would
> have to implement it themselves. Considering that CAs are not generally
> DNS experts and there are several almost-correct-but-subtly-wrong ways
> to implement it, I have little faith that CAs will implement this
> check correctly. My experience having implemented both a CAA lookup
> algorithm and an algorithm to determine a domain's DNS operator is that
> it's actually easier to implement CAA, as all the nasty DNS details can
> be handled by the resolver. This leads me to conclude that the only CAs
> who think they are saving effort by relying on the DNS operator exception
> are doing so incorrectly and insecurely.

Thanks, Andrew, for raising this. This does seem like something that should be looked at to be phased out / forbidden.

We've seen similar concerns raised related to BygoneSSL [1], with respect to Cloud Providers (incorrectly) believing they are the domain operator (e.g. customer account configured, but DNS now points elsewhere).

[1] https://insecure.design/
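An added illustration (not code from this thread or from any CA) of the issuance-time check described above: walk from the root following parent-zone delegations to the closest NS record, cache the answer no longer than that record's TTL, and apply the exception only when every delegated name server belongs to the CA. The delegation table and all name server names are constructed placeholders standing in for live DNS queries.

```python
import time

# Constructed delegation table standing in for the parent-zone NS records
# a recursive walk from the root would encounter (hypothetical names, not
# real DNS). Key: zone ("" = root); value: (nameservers, TTL in seconds).
DELEGATIONS = {
    "": ({"a.root-servers.example"}, 518400),
    "example": ({"a.gtld-servers.example"}, 172800),
    "corp.example": ({"ns1.ca-dns.example", "ns2.ca-dns.example"}, 3600),
    # A deeper zone cut handing a subtree to a different operator:
    "app.corp.example": ({"ns1.otherdns.example"}, 300),
}

def lookup_delegation(zone):
    """Stand-in for 'ask the parent zone's servers for the NS RRset of zone'."""
    return DELEGATIONS.get(zone)

def find_dns_operator(fqdn):
    """Walk from the root toward fqdn, keeping the deepest zone cut seen.
    Returns (zone, nameservers, ttl). A name with no NS record of its own
    (e.g. www.corp.example) resolves to its enclosing delegation rather
    than 'no operator', one of the subtly-wrong answers to avoid."""
    labels = fqdn.rstrip(".").lower().split(".")
    zone, (ns, ttl) = "", DELEGATIONS[""]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        cut = lookup_delegation(candidate)
        if cut is not None:          # a zone cut: new operator from here down
            zone, (ns, ttl) = candidate, cut
    return zone, frozenset(ns), ttl

class OperatorCache:
    """Caches the answer for no longer than the NS record's TTL."""
    def __init__(self, clock=time.time):
        self._clock, self._entries = clock, {}

    def operator_of(self, fqdn):
        now = self._clock()
        hit = self._entries.get(fqdn)
        if hit is not None and hit[0] > now:
            return hit[1]
        zone, ns, ttl = find_dns_operator(fqdn)
        self._entries[fqdn] = (now + ttl, (zone, ns))
        return zone, ns

def ca_is_dns_operator(fqdn, ca_nameservers, cache):
    """The exception applies only if every delegated NS is the CA's."""
    _, ns = cache.operator_of(fqdn)
    return ns <= frozenset(ca_nameservers)
```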