On Fri, Jan 21, 2022 at 11:56 AM Viktor Dukhovni <ietf-d...@dukhovni.org>
wrote:

> > Do you think that DNSSEC should be soft-fail for CAA checks, or should
> > we urge the CAs to be more strict here?  Perhaps that would be another
> > recommendation.
>
> CAA lookups must not softfail.  This needs to be the case whether the
> domain is signed or not.  For signed domains this means that validation
> of the response (positive or denial of existence) must succeed.  Bogus
> replies, lame delegations, timeouts, REFUSED, SERVFAIL, ... need to all
> be hard errors (for signed and unsigned domains alike).
>

Yes, and OCSP lookups must not softfail either, in order for them to be
useful.

Unfortunately, the real world is messy and complex, and the incentives for
getting to such a system for CAA are, unfortunately, greatly misaligned -
for CAs, but also for server operators and all the intermediaries along the
line.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
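As an added illustration (not code from the thread or from any CA), the hard-fail rule Viktor states, modelled in Python over a constructed summary of resolver outcomes, beside the soft-fail behaviour it rules out; the CaaResponse structure, the status strings and the issuer names are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class CaaResponse:
    """Constructed summary of one CAA lookup as seen by a CA's validating resolver."""
    status: str              # NOERROR | NXDOMAIN | NODATA | SERVFAIL | REFUSED | TIMEOUT | BOGUS | LAME
    zone_signed: bool        # queried name lies in a DNSSEC-signed zone
    validated: bool = False  # resolver authenticated the answer or the denial of existence
    issue_tags: List[str] = field(default_factory=list)  # issuer domains from CAA "issue" records

HARD_ERROR, PERMITTED, DENIED = "HARD_ERROR", "PERMITTED", "DENIED"
RESOLVER_FAILURES = {"SERVFAIL", "REFUSED", "TIMEOUT", "BOGUS", "LAME"}

def caa_decision_hardfail(r: CaaResponse, ca_domain: str) -> str:
    """Hard-fail policy: only an authenticated answer may be read as 'no restriction'."""
    if r.status in RESOLVER_FAILURES:
        return HARD_ERROR                 # applies to signed and unsigned zones alike
    if r.zone_signed and not r.validated:
        return HARD_ERROR                 # signed zone: positive answer or denial must validate
    if r.status in ("NXDOMAIN", "NODATA"):
        return PERMITTED                  # genuine absence of CAA: issuance not restricted
    # Only "issue" tags are modelled here; other tags are out of scope for the example.
    return PERMITTED if ca_domain in r.issue_tags else DENIED

def caa_decision_softfail(r: CaaResponse, ca_domain: str) -> str:
    """Soft-fail anti-pattern: any lookup trouble is treated as 'no CAA record'."""
    if r.status != "NOERROR":
        return PERMITTED
    return PERMITTED if ca_domain in r.issue_tags else DENIED

def divergent_outcomes(responses: List[CaaResponse], ca_domain: str) -> List[str]:
    """Statuses for which soft-fail would grant issuance that hard-fail does not."""
    return [r.status for r in responses
            if caa_decision_softfail(r, ca_domain) == PERMITTED
            and caa_decision_hardfail(r, ca_domain) != PERMITTED]

if __name__ == "__main__":
    # Constructed outcomes for a signed zone whose CAA restricts issuance to other-ca.example.
    samples = [
        CaaResponse("NOERROR", True, True, ["other-ca.example"]),  # both policies: DENIED
        CaaResponse("SERVFAIL", True),
        CaaResponse("BOGUS", True),
        CaaResponse("TIMEOUT", True),
        CaaResponse("NXDOMAIN", True, validated=False),            # unauthenticated denial
    ]
    print(divergent_outcomes(samples, "ca.example"))  # ['SERVFAIL', 'BOGUS', 'TIMEOUT', 'NXDOMAIN']
```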