On 02/08/17 23:40, philliph--- via Public wrote:
>> We cannot, however, determine whether the "domain's zone does not have
>> a DNSSEC validation chain to the ICANN root" because the domain's zone
>> authoritative name servers are refusing to answer our DNS queries.
>>
>> This scenario is encountered often enough in the real world that it
>> would prevent many certificates from being issued if ballot 187 is
>> followed.
Is anyone able to explain why this scenario is at all common? Why would the authoritative nameservers for a domain refuse to answer queries, if the owner of the domain wanted the domain to work at all?

>> One potential solution is to allow CAs to treat REFUSED status
>> responses from authoritative name servers as permission to issue.
>
> The problem with doing this is that it opens up a downgrade attack.

As PHB says, this doesn't sound like the right route.

> We know if the zone is DNSSEC signed or not (NSEC3 in the parent zone).
> REFUSED + DNSSEC should mean no certificate. If you turn on DNSSEC and
> muck it up, then you are going to be in for a world of hurt anyways.
> That is what DNSSEC is for.

So you can determine whether the parent zone is DNSSEC-signed or not without needing a response from the authoritative nameserver for the domain itself?

Do I have this right: if the parent zone is not signed, clearly the domain itself won't be signed. But if the parent zone is signed, you can't tell if the domain itself is signed or not without the authoritative nameserver telling you. Is that right?

Oh, and yes, an empty record means "no-one can issue".

Gerv
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
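As an added illustration, not part of the thread, the following Python models the two issuance rules discussed above for a CA's CAA check: the strawman where REFUSED (or no response) always counts as permission, and the DNSSEC-gated rule where a lookup failure is permission only if the parent zone proves the delegation is insecure (no DS record). The `Outcome`/`CaaLookup` types, the `parent_has_ds` flag and the sample inputs are constructed for the example; the `issue` handling is a simplified reading of RFC 6844 (no `issuewild`, no tree climbing).

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum, auto


class Outcome(Enum):
    """Constructed summary of what the CA's resolver got back for a CAA query."""
    ANSWER = auto()       # NOERROR; the CAA RRset (possibly empty) is in `records`
    REFUSED = auto()      # authoritative server answered with RCODE REFUSED
    NO_RESPONSE = auto()  # still no answer after the CA's retries


@dataclass
class CaaLookup:
    outcome: Outcome
    records: list[tuple[str, str]] = field(default_factory=list)  # (tag, value)


def caa_permits(ca_domain: str, records) -> bool:
    """'issue' semantics for one RRset: no issue properties means no restriction
    at this label; 'issue ";"' (the empty issuer) means nobody may issue;
    otherwise the CA's domain must appear as an issuer (parameters after ';'
    are ignored here)."""
    issuers = [value.split(";", 1)[0].strip().lower()
               for tag, value in records if tag.lower() == "issue"]
    if not issuers:
        return True
    return ca_domain.lower() in issuers


def permissive_policy(ca_domain: str, lookup: CaaLookup, parent_has_ds: bool) -> bool:
    """Strawman from the thread: any REFUSED / no-response is treated as permission.
    Whoever can make the CAA query fail gets the same result as having no CAA."""
    if lookup.outcome is Outcome.ANSWER:
        return caa_permits(ca_domain, lookup.records)
    return True


def dnssec_gated_policy(ca_domain: str, lookup: CaaLookup, parent_has_ds: bool) -> bool:
    """Rule the thread converges on: a failed lookup is permission only when the
    parent zone proves the delegation insecure (no DS, which a validator sees as
    a signed NSEC/NSEC3 denial). A failure for a zone inside a validation chain
    never permits issuance, so the failure cannot be used as a downgrade."""
    if lookup.outcome is Outcome.ANSWER:
        return caa_permits(ca_domain, lookup.records)
    return not parent_has_ds
```

The `parent_has_ds` flag stands in for the question raised above: a CA can learn from the parent alone whether the child has DS records, and hence whether the child is expected to be in a validation chain, without the child's servers answering.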