> On Aug 2, 2017, at 6:23 PM, Kirk Hall via Public <[email protected]> wrote:
>
> I have two CAA questions from our technical group. I am posting here to see
> what others think. Do we need to make any changes to BR 3.2.2.8 (created
> under Ballot 187)? Thanks for any feedback.
>
> QUESTION 1
>
> Subject: CAA ballot and handling of REFUSED status response from
> authoritative name servers
>
> Suppose we have a domain "demo-k2k.com" that has NS records pointing to
> "ns1.demo-k2k.com" and "ns2.demo-k2k.com" as the authoritative name servers.
> When we query "ns1.demo-k2k.com" for the CAA records for "demo-k2k.com", it
> returns a status of REFUSED. This may be due to a misconfiguration or the
> restricted access may be intentional.
>
> We now have a scenario where the record lookup for "demo-k2k.com" has failed.
>
> According to ballot 187, CAs are permitted to treat a record lookup failure
> as permission to issue if:
>
> 1. the failure is outside the CA’s infrastructure;
> 2. the lookup has been retried at least once; and
> 3. the domain’s zone does not have a DNSSEC validation chain to the
> ICANN root.
>
> Condition #1 is satisfied, the failure is outside the CA’s infrastructure.
> We can satisfy Condition #2 by retrying – we get the same REFUSED status in
> the response.
>
> Because of the "and" clause in above ballot excerpt, we must also satisfy
> condition #3 if we want to treat the lookup failure as permission to issue.
> We cannot, however, determine whether the "domain’s zone does not have a
> DNSSEC validation chain to the ICANN root" because the domain's zone
> authoritative name servers are refusing to answer our DNS queries.
>
> This scenario is encountered often enough in the real world that it would
> prevent many certificates from being issued if ballot 187 is followed.
>
> One potential solution is to allow CAs to treat REFUSED status responses
> from authoritative name servers as permission to issue.

The problem with doing this is that it opens up a downgrade attack.
We know if the zone is DNSSEC signed or not (NSEC3 in the parent zone). REFUSED
+ DNSSEC should mean no certificate. If you turn on DNSSEC and muck it up,
then you are going to be in for a world of hurt anyways. That is what DNSSEC is
for.

> QUESTION 2
>
> Subject: Handling CAA record with single character in it
>
> We have found a CAA record that consists only of a semi-colon “;”. So the
> field is not empty, but also does not designate any known CAs.
>
> Our team assumes this effectively blocks all CAs from issuing to this domain.
> Do others agree?
>
Yes. The original intention was that a completely empty record should prevent
issue. That may well be harder to enter in the config file of course.
There are many domains that are bought and simply parked. They are not in use
so why would someone be getting a certificate for them?
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
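As an added illustration (not code from Kirk Hall, the responder, or the CA/Browser Forum), the following Python models the decision logic discussed in both questions: the three Ballot 187 conditions for treating a lookup failure as permission to issue, the responder's position that a REFUSED answer for a DNSSEC-signed zone must be treated as a denial, and the RFC 6844 "issue" value grammar under which a record containing only ";" names no CA. It assumes a hypothetical CA identifier "ca.example", that the caller supplies whether the zone has a DNSSEC chain to the ICANN root (in practice learned from the parent zone's DS/NSEC3 data via a validating resolver, which is exactly why it remains knowable when the child's servers refuse to answer), and that only non-wildcard names are being requested, so only the "issue" property is consulted. DNS traffic is replaced by constructed lookup results so the block runs offline.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CAARecord:
    """One CAA RR as returned by a resolver (constructed, not fetched)."""
    flags: int
    tag: str      # "issue", "issuewild", "iodef", ...
    value: str


@dataclass
class LookupResult:
    """Outcome of one CAA query attempt against the authoritative servers."""
    status: str                                      # "NOERROR", "REFUSED", "SERVFAIL", "TIMEOUT"
    records: List[CAARecord] = field(default_factory=list)
    failure_in_ca_infra: bool = False                # True if the CA's own resolver was at fault


def issuer_domain(value: str) -> str:
    """Extract the issuer-domain-name from an 'issue' property value.

    RFC 6844 grammar: issuer-domain-name *WSP [";" *WSP parameters].
    A value of just ";" therefore has an EMPTY issuer-domain-name, which
    authorizes no CA at all (Question 2 in the thread).
    """
    name, _sep, _params = value.partition(";")
    return name.strip().lower()


def records_permit(records: List[CAARecord], ca_domain: str) -> Tuple[bool, str]:
    """Apply a CAA record set to one CA for a non-wildcard name (assumption)."""
    issue = [r for r in records if r.tag.lower() == "issue"]
    if not issue:
        # No 'issue' property at all: CAA imposes no restriction.
        return True, "no issue property present; no CAA restriction"
    for r in issue:
        if issuer_domain(r.value) == ca_domain.lower():
            return True, f"issue record names {ca_domain}"
    return False, "issue property present but no record names this CA"


def may_issue(lookups: List[LookupResult], dnssec_signed: bool, ca_domain: str) -> Tuple[bool, str]:
    """Decide issuance from a sequence of lookup attempts (oldest first).

    dnssec_signed: whether the zone has a DNSSEC validation chain to the
    ICANN root, determined from the parent zone by the caller.
    """
    if not lookups:
        raise ValueError("at least one lookup attempt is required")
    last = lookups[-1]
    if last.status == "NOERROR":
        return records_permit(last.records, ca_domain)

    # Lookup failure: apply the three conditions quoted from Ballot 187.
    if any(l.failure_in_ca_infra for l in lookups):
        return False, "condition 1 failed: failure inside CA infrastructure"
    if len(lookups) < 2:
        return False, "condition 2 failed: lookup not retried"
    if dnssec_signed:
        # The responder's point: REFUSED + DNSSEC means no certificate,
        # otherwise an attacker who can induce a REFUSED downgrades CAA.
        return False, f"condition 3 failed: zone is DNSSEC-signed, {last.status} treated as denial"
    return True, f"{last.status} after retry on an unsigned zone treated as permission to issue"


if __name__ == "__main__":
    CA = "ca.example"  # hypothetical CA identifier
    refused_twice = [LookupResult("REFUSED"), LookupResult("REFUSED")]
    scenarios = {
        "REFUSED x2, unsigned zone": may_issue(refused_twice, False, CA),
        "REFUSED x2, DNSSEC-signed zone": may_issue(refused_twice, True, CA),
        "REFUSED once, unsigned zone": may_issue([LookupResult("REFUSED")], False, CA),
        "record ';' only": may_issue([LookupResult("NOERROR", [CAARecord(0, "issue", ";")])], False, CA),
        "record names our CA": may_issue(
            [LookupResult("NOERROR", [CAARecord(0, "issue", "CA.example ; account=42")])], True, CA),
        "no CAA records": may_issue([LookupResult("NOERROR")], True, CA),
    }
    for name, (ok, why) in scenarios.items():
        print(f"{name:32s} -> {'ISSUE' if ok else 'DENY':5s} ({why})")
```

The two-tuple return keeps the reason string alongside the decision so a CA can log which condition was decisive, which is what an auditor reviewing a lookup-failure issuance will ask for.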