Re: [cabfpub] Checking CAA oneself

2016-09-24 Thread Peter Bowen

> On Sep 22, 2016, at 8:40 AM, Gervase Markham wrote:
> 
> On 22/09/16 16:03, J.C. Jones wrote:
>> Pretty sure I got this from you at some point. :)
>> 
>> dig +short -t TYPE257 "$@" | perl -nE '@x = split(); say map(chr, map { hex } ($x[2] =~ m/../g ))'
> 
> Thanks everyone! And in return, here's an improved version which can
> deal with longer entries, like Comodo's:
> 
> dig +short -t TYPE257 "$@" | perl -nE '@x = split(); splice(@x, 0, 2); say map(chr, map { hex } (join("", @x) =~ m/../g ))'
> 
> It seems depressingly few domains deploy CAA, having checked a selection
> of famous ones. Perhaps we need more publicity for it.

Keep in mind that the CAA spec is far more complicated than a single query.  
See https://tools.ietf.org/html/rfc6844#section-4 for the algorithm to 
determine which queries need to happen for a given name.

Thanks,
Peter
___
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
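The tree walk Peter is pointing at, written out as an added example that is not part of the thread and not any CA's production code. It implements R(X) from RFC 6844 section 4 (use CAA(X) if present, else the relevant set of the alias target, else climb to the parent until a top-level domain), then applies the resulting set the way a CA would: a critical record with an unknown tag blocks issuance, issuewild governs wildcard names when present, and an issue value of ";" permits nobody. The resolver, zone contents and issuer names are constructed so the walk runs offline. One caveat: RFC 8659 later obsoleted RFC 6844 and dropped the explicit alias step, relying on the resolver to follow CNAMEs, so a checker written today would omit step 2.

```python
from typing import Optional

# A CAA record as (flags, tag, value); the critical bit is 0x80 (RFC 6844 §5.1)
CaaRecord = tuple[int, str, str]
CRITICAL = 0x80
# Property tags this (hypothetical) CA understands
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


class FakeResolver:
    """Constructed stand-in for DNS so the walk runs offline: CAA RRsets
    per name plus CNAME/DNAME-style alias targets. Not real zone data."""

    def __init__(self, caa: dict[str, list[CaaRecord]], aliases: dict[str, str]):
        self._caa = {k.lower(): v for k, v in caa.items()}
        self._aliases = {k.lower(): v.lower() for k, v in aliases.items()}

    def caa(self, name: str) -> list[CaaRecord]:
        return list(self._caa.get(name, []))

    def alias(self, name: str) -> Optional[str]:
        return self._aliases.get(name)


def parent(name: str) -> Optional[str]:
    """P(X): the name one label up, or None once X is a top-level domain."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def relevant_caa_set(resolver: FakeResolver, name: str, _depth: int = 0) -> list[CaaRecord]:
    """R(X) per RFC 6844 §4:
       1. CAA(X) if non-empty, else
       2. R(A(X)) if X is an alias and that set is non-empty, else
       3. R(P(X)) unless X is a top-level domain, else
       4. the empty set."""
    if _depth > 32:
        raise RuntimeError("alias chain too long; refusing to loop")
    name = name.rstrip(".").lower()
    rrset = resolver.caa(name)
    if rrset:
        return rrset
    target = resolver.alias(name)
    if target is not None:
        via_alias = relevant_caa_set(resolver, target, _depth + 1)
        if via_alias:
            return via_alias
    up = parent(name)
    if up is not None:
        return relevant_caa_set(resolver, up, _depth)
    return []


def ca_domain_of(value: str) -> str:
    """'ca.example.net; account=42' -> 'ca.example.net'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(rrset: list[CaaRecord], issuer: str, wildcard: bool) -> bool:
    """Apply the relevant set as RFC 6844 §5.1-5.3 tell an issuer to."""
    # A critical record whose tag we do not understand blocks issuance outright
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # issuewild governs wildcard names only when present; otherwise issue does
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    entries = [ca_domain_of(v) for _, t, v in rrset if t == tag]
    if not entries:
        return True  # no issue/issuewild restriction in the relevant set
    return issuer.lower() in entries  # ';' alone yields '' and matches nobody


def check(resolver: FakeResolver, name: str, issuer: str) -> bool:
    """Would `issuer` be allowed to issue for `name` under these CAA records?"""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name  # *.example.com is checked at example.com
    return may_issue(relevant_caa_set(resolver, lookup), issuer, wildcard)


# Constructed zone data (hypothetical names and CAs, not real records)
ZONE = FakeResolver(
    caa={
        "example.com": [(0, "issue", "ca.example.net"),
                        (0, "iodef", "mailto:security@example.com")],
        "strict.example.com": [(0, "issue", ";")],              # nobody may issue
        "legacy.example.com": [(CRITICAL, "tbs", "Unknown")],   # critical, unknown tag
        "example.net": [(0, "issue", "other-ca.example.org; account=42")],
    },
    aliases={"cdn.example.com": "edge.example.net"},
)

if __name__ == "__main__":
    for name in ("www.example.com", "*.example.com", "strict.example.com",
                 "cdn.example.com", "legacy.example.com", "nocaa.example.org"):
        print(f"{name:22} ca.example.net -> {check(ZONE, name, 'ca.example.net')}")
```

Note what the cdn.example.com case shows: the alias target's relevant set (climbed to example.net) wins over example.com's records even though cdn.example.com sits under example.com, which is exactly the kind of result a single `dig` of the leaf name will not reveal.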


Re: [cabfpub] Checking CAA oneself

2016-09-23 Thread Gervase Markham
On 22/09/16 22:02, Ryan Sleevi wrote:
> Customers don't receive value in CAA until (all) CAs are obligated to
> check & respect it. However, if we get there, it becomes a vital and
> valuable security feature.

Coming to a conclusion on that discussion (whatever we decide to do)
should indeed be the first step. We were discussing whether to mandate
"soft" CAA (i.e. elevated risk when issuing against), "hard" CAA (i.e.
not permitted to issue against), or "mixed" CAA ("soft" is the default,
but site can choose "hard" via some marker in their CAA record).

Gerv


Re: [cabfpub] Checking CAA oneself

2016-09-22 Thread phill...@comodo.com
I think that we have a problem in Internet security generally similar to that 
of 802.11b vs WiFi. There is a specification but implementations of the 
specification vary and are not always up to date.

Perhaps we could create a checklist for various parties for implementing 
PKI-2017 or whatever. Giving concrete steps for what has to be implemented. 



> On Sep 22, 2016, at 5:02 PM, Ryan Sleevi  wrote:
> 
> 
> 
> On Thu, Sep 22, 2016 at 9:55 AM, Erwann Abalea wrote:
>> We also need more support from DNS servers.
> 
> I think we'll constantly be in this chicken-and-egg problem until the CA/B 
> Forum takes action.
> 
> Customers don't receive value in CAA until (all) CAs are obligated to check & 
> respect it. However, if we get there, it becomes a vital and valuable 
> security feature.
> 
>> For my domains, I host everything on the « Cloud », and register my domain 
>> names on Gandi, who is also my DNS service, with a nice web UI.
>> I wanted to add a CAA record for testing, but Gandi doesn’t support that. 
>> Amazon Route 53 doesn’t either. I looked for some documentation about 
>> Cloudflare DNS, dyn.com Managed DNS, GoDaddy, Microsoft 
>> Azure, EasyDNS, none of them seem to support CAA.
> 
> That's unfortunate, but luckily we've got members in both Microsoft and 
> GoDaddy who might be able to poke their product teams, and we know CloudFlare 
> is generally responsive to security feature improvements.
> 
>> The only positive finding is that Google Cloud DNS supports CAA records with 
>> an easy to use UI.
> 
> I'll be sure to pass this on to the team that implemented this =)
> 
>> The fact that we still have to use « -t TYPE257 » on dig or host command or 
>> the equivalent « set type=TYPE257 » on nslookup to manually perform this 
>> query is not encouraging.
> 
> Encouraging in what sense? There's naturally an ecosystem issue, but the need 
> to use -t TYPE257 on older versions of dig/host doesn't preclude you from 
> taking advantage of the security benefits, if CAs were willing or required to 
> respect it.
> 


Re: [cabfpub] Checking CAA oneself

2016-09-22 Thread Erwann Abalea
We also need more support from DNS servers.

For my domains, I host everything on the « Cloud », and register my domain 
names on Gandi, who is also my DNS service, with a nice web UI.
I wanted to add a CAA record for testing, but Gandi doesn’t support that. 
Amazon Route 53 doesn’t either. I looked for some documentation about 
Cloudflare DNS, dyn.com Managed DNS, GoDaddy, Microsoft Azure, EasyDNS, none of 
them seem to support CAA.
The only positive finding is that Google Cloud DNS supports CAA records with an 
easy to use UI.

I don’t want to have several dedicated machines with up to date 
Bind/NSD/whatever and a complicated config, just to be protected from erroneous 
DV certificates automatically delivered.

The fact that we still have to use « -t TYPE257 » on dig or host command or the 
equivalent « set type=TYPE257 » on nslookup to manually perform this query is 
not encouraging.

Regards,
Erwann Abalea

> On 22 Sep 2016 at 17:40, Gervase Markham wrote:
> 
> On 22/09/16 16:03, J.C. Jones wrote:
>> Pretty sure I got this from you at some point. :)
>> 
>> dig +short -t TYPE257 "$@" | perl -nE '@x = split(); say map(chr, map { hex } ($x[2] =~ m/../g ))'
> 
> Thanks everyone! And in return, here's an improved version which can
> deal with longer entries, like Comodo's:
> 
> dig +short -t TYPE257 "$@" | perl -nE '@x = split(); splice(@x, 0, 2); say map(chr, map { hex } (join("", @x) =~ m/../g ))'
> 
> It seems depressingly few domains deploy CAA, having checked a selection
> of famous ones. Perhaps we need more publicity for it.
> 
> Gerv



Re: [cabfpub] Checking CAA oneself

2016-09-22 Thread Gervase Markham
On 22/09/16 16:03, J.C. Jones wrote:
> Pretty sure I got this from you at some point. :)
> 
> dig +short -t TYPE257 "$@" | perl -nE '@x = split(); say map(chr, map { hex } ($x[2] =~ m/../g ))'

Thanks everyone! And in return, here's an improved version which can
deal with longer entries, like Comodo's:

dig +short -t TYPE257 "$@" | perl -nE '@x = split(); splice(@x, 0, 2); say map(chr, map { hex } (join("", @x) =~ m/../g ))'

It seems depressingly few domains deploy CAA, having checked a selection
of famous ones. Perhaps we need more publicity for it.

Gerv


Re: [cabfpub] Checking CAA oneself

2016-09-22 Thread Andrew Ayer
On Thu, 22 Sep 2016 15:59:38 +0100
Gervase Markham wrote:

> Hi everyone,
> 
> Sorry if this is a bit lazy of me, but does anyone have either or
> both of:
> 
> * A command-line one-liner; or
> * A web page tool
> 
> for checking the CAA record of a domain? I'm sure I used to have a
> one-liner which even decoded the encoding, but I can't find it now.
> And lots of the online DNS tools don't seem to understand CAA.

If you have a new enough version of BIND, you can just use host or dig
like any other record type:

host -t CAA google.com
dig google.com CAA

If that doesn't work, dns.google.com supports CAA:

https://dns.google.com/query?name=google.com&type=CAA

Regards,
Andrew


Re: [cabfpub] Checking CAA oneself

2016-09-22 Thread J.C. Jones
Gerv,

Pretty sure I got this from you at some point. :)

dig +short -t TYPE257 "$@" | perl -nE '@x = split(); say map(chr, map { hex } ($x[2] =~ m/../g ))'


J.C.


On Thu, Sep 22, 2016 at 3:59 PM, Gervase Markham wrote:

> Hi everyone,
>
> Sorry if this is a bit lazy of me, but does anyone have either or both of:
>
> * A command-line one-liner; or
> * A web page tool
>
> for checking the CAA record of a domain? I'm sure I used to have a
> one-liner which even decoded the encoding, but I can't find it now. And
> lots of the online DNS tools don't seem to understand CAA.
>
> Thanks :-)
>
> Gerv
>
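What the perl one-liners in this thread (J.C.'s original and Gerv's "improved" one) are doing, as an added example that is not part of the thread: a small parser for the RFC 3597 generic form `\# <length> <hex>` that older dig prints for TYPE257, followed by a proper decode of the CAA RDATA layout from RFC 6844 section 5.1 (flags byte, tag length byte, tag, value) rather than mapping every byte through chr(). It joins the whitespace-separated hex groups that dig emits for longer records, which is the case the second one-liner added handling for, and checks the declared length against what was decoded. The sample dig output below is constructed and the names in it are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample: what `dig +short -t TYPE257 <name>` prints for a CAA
# RRset on a dig that predates native CAA support (RFC 3597 generic form).
# The hex of a longer record is split into several whitespace-separated
# groups, which is what broke the original one-liner. Not real zone data.
SAMPLE_DIG_OUTPUT = r"""
\# 21 00056973737565 63612E6578616D706C652E6E6574
\# 12 8003746273556E6B6E6F776E
\# 12 0009697373756577696C643B
"""


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # RFC 6844 §5.1: the most significant flag bit is Issuer Critical
        return bool(self.flags & 0x80)

    def presentation(self) -> str:
        # The form newer dig/host print natively: <flags> <tag> "<value>"
        return f'{self.flags} {self.tag} "{self.value}"'


def decode_rdata(wire: bytes) -> CAA:
    """Parse CAA RDATA: flags(1) | tag length(1) | tag | value (RFC 6844 §5.1)."""
    if len(wire) < 2:
        raise ValueError("CAA RDATA shorter than its fixed header")
    flags, tag_len = wire[0], wire[1]
    if tag_len == 0 or 2 + tag_len > len(wire):
        raise ValueError(f"bad tag length {tag_len} for {len(wire)}-byte RDATA")
    tag = wire[2:2 + tag_len].decode("ascii")
    if not re.fullmatch(r"[A-Za-z0-9]+", tag):
        raise ValueError(f"tag must be US-ASCII alphanumeric, got {tag!r}")
    # Tags are case-insensitive; the value is opaque and runs to the end
    return CAA(flags, tag.lower(), wire[2 + tag_len:].decode("utf-8"))


def parse_generic_line(line: str) -> CAA:
    """Parse one '\\# <len> <hex ...>' line; the hex may span several groups."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != r"\#":
        raise ValueError(f"not RFC 3597 generic RDATA: {line!r}")
    declared = int(parts[1])
    # Join the groups before decoding, as the improved one-liner does
    wire = bytes.fromhex("".join(parts[2:]))
    if len(wire) != declared:
        raise ValueError(f"declared {declared} bytes, decoded {len(wire)}")
    return decode_rdata(wire)


def parse_dig_short(output: str) -> list[CAA]:
    """Decode every non-blank line of `dig +short -t TYPE257` output."""
    return [parse_generic_line(line) for line in output.splitlines() if line.strip()]


if __name__ == "__main__":
    for rec in parse_dig_short(SAMPLE_DIG_OUTPUT):
        print(rec.presentation() + ("  (critical)" if rec.critical else ""))
```

On a dig new enough to know the type, `dig <name> CAA` already prints the `presentation()` form directly; this parser is only needed for the `\# ...` output of older builds, and the length check is the difference between a decoder and a guess.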