> On 21 Jan 2022, at 9:48 am, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> 
>> Without wanting to detract too much from the core question of the thread,
>> how does this address the routing gap? The adversary at the routing layer
>> just redirects the host being validated to control the key that way, and
>> simply interrupts the nameserver during the CAA check. In the threat model
>> you're concerned about (Web PKI), DNSSEC is soft-fail, particularly for CAA
>> checks.
> 
> If DNSSEC is soft-fail for the CA verifying CAA checks, then i agree
> this is insufficient.  The letsencrypt implementation is apparently at
> least logging the info about DNSSEC signatures.
> 
>   https://github.com/letsencrypt/boulder/issues/2700
> 
> Do you think that DNSSEC should be soft-fail for CAA checks, or should
> we urge the CAs to be more strict here?  Perhaps that would be another
> recommendation.

CAA lookups must not softfail.  This needs to be the case whether the
domain is signed or not.  For signed domains this means that validation
of the response (positive or denial of existence) must succeed.  Bogus
replies, lame delegations, timeouts, REFUSED, SERVFAIL, ... need to all
be hard errors (for signed and unsigned domains alike).

-- 
        Viktor.
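As an added illustration of the hard-fail policy stated in the reply above (this is example code written for this page, not code from the thread, from Boulder, or from any resolver library), the following models a CA's CAA lookup result and contrasts a soft-fail checker with a hard-fail one. The `CaaLookup` fields, the scenario names and the CA domains are constructed for the example; the CAA evaluation is deliberately reduced to the `issue` tag on a single name (real CAA processing also climbs to parent names, which is omitted here).

```python
"""Hard-fail vs soft-fail handling of CAA lookup errors (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Rcode(Enum):
    NOERROR = 0
    SERVFAIL = 2
    NXDOMAIN = 3
    REFUSED = 5


class Verdict(Enum):
    HARD_FAIL = "lookup failed: refuse issuance, retry later"
    NO_CAA = "no CAA records: CAA does not restrict issuance"
    PERMITTED = "CAA names this CA: issuance permitted"
    FORBIDDEN = "CAA names other CAs only: issuance forbidden"


@dataclass
class CaaLookup:
    """Modelled outcome of one CAA query as the CA's validating resolver saw it.

    This is the example's own abstraction, not any resolver's API."""
    rcode: Optional[Rcode]            # None models a timeout (no response at all)
    zone_signed: bool = False         # a DS chain exists, so answers must validate
    validated: bool = False           # DNSSEC validation succeeded (AD bit set)
    bogus: bool = False               # signatures present but failed to verify
    lame: bool = False                # delegation points at non-authoritative servers
    records: List[Tuple[str, str]] = field(default_factory=list)  # (tag, value)


def _issuer_domain(value: str) -> str:
    # "ca.example; accounturi=..." -> "ca.example"
    return value.split(";", 1)[0].strip().lower()


def caa_decision(lookup: CaaLookup, ca_domain: str, soft_fail: bool = False) -> Verdict:
    """Decide whether this CAA lookup allows `ca_domain` to issue.

    soft_fail=False: every lookup failure is a hard error, signed or not.
    soft_fail=True:  transport failures count as "no CAA" and unvalidated or
                     bogus data is used as if it were genuine (the weak setting)."""
    transport_failed = (
        lookup.rcode is None
        or lookup.rcode in (Rcode.SERVFAIL, Rcode.REFUSED)
        or lookup.lame
    )
    # For a signed zone both a positive answer and a denial of existence must validate.
    dnssec_failed = lookup.bogus or (lookup.zone_signed and not lookup.validated)

    if transport_failed:
        return Verdict.NO_CAA if soft_fail else Verdict.HARD_FAIL
    if dnssec_failed and not soft_fail:
        return Verdict.HARD_FAIL

    issue = [v for tag, v in lookup.records if tag.lower() == "issue"]
    if lookup.rcode == Rcode.NXDOMAIN or not issue:
        return Verdict.NO_CAA  # simplified: no climb to parent names
    permitted = any(_issuer_domain(v) == ca_domain.lower() for v in issue)
    return Verdict.PERMITTED if permitted else Verdict.FORBIDDEN


# Constructed scenarios for a signed name whose owner authorised only "good-ca.example".
SCENARIOS = {
    "normal": CaaLookup(Rcode.NOERROR, zone_signed=True, validated=True,
                        records=[("issue", "good-ca.example")]),
    "unsigned_no_caa": CaaLookup(Rcode.NXDOMAIN),
    "timeout": CaaLookup(None, zone_signed=True),          # nameserver never answered
    "servfail": CaaLookup(Rcode.SERVFAIL, zone_signed=True),
    "refused": CaaLookup(Rcode.REFUSED, zone_signed=True),
    "lame": CaaLookup(Rcode.NOERROR, zone_signed=True, lame=True),
    "bogus": CaaLookup(Rcode.NOERROR, zone_signed=True, bogus=True,
                       records=[("issue", "other-ca.example")]),  # unverifiable data
    "unvalidated_denial": CaaLookup(Rcode.NXDOMAIN, zone_signed=True, validated=False),
}


def compare(ca_domain: str = "other-ca.example") -> dict:
    """Return {scenario: (soft-fail verdict, hard-fail verdict)} for a given CA."""
    return {
        name: (caa_decision(lk, ca_domain, soft_fail=True).name,
               caa_decision(lk, ca_domain, soft_fail=False).name)
        for name, lk in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, (soft, hard) in compare().items():
        print(f"{name:20s} soft-fail={soft:10s} hard-fail={hard}")
```

The `compare()` table is the point of the example: under soft-fail, every scenario in which the lookup never completes cleanly resolves to "no CAA" or even "permitted", while under hard-fail each of them refuses issuance until a validated answer (positive or denial of existence) is obtained.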

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
