On Fri 2022-01-21 11:56:04 -0500, Viktor Dukhovni wrote:
>> On 21 Jan 2022, at 9:48 am, Daniel Kahn Gillmor <d...@fifthhorseman.net> 
>> wrote:
>
>> Do you think that DNSSEC should be soft-fail for CAA checks, or should
>> we urge the CAs to be more strict here?  Perhaps that would be another
>> recommendation.
>
> CAA lookups must not softfail.  This needs to be the case whether the
> domain is signed or not.  For signed domains this means that validation
> of the response (positive or denial of existence) must succeed.  Bogus
> replies, lame delegations, timeouts, REFUSED, SERVFAIL, ... need to all
> be hard errors (for signed and unsigned domains alike).

fwiw, Let's Encrypt's ACME-compliant CA implementation "boulder"
apparently does not softfail for CAA validation:

   https://github.com/letsencrypt/boulder/issues/5903#issuecomment-1018932892

So there's at least one piece of good news in this thread.

   --dkg

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
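The rule Viktor states above (only a validated answer or a validated denial of existence counts; bogus data, lame delegations, timeouts, REFUSED and SERVFAIL are all hard errors) is easy to get wrong when the resolver library reports those outcomes in different ways. The following is an added example written for this page, not boulder's code. It assumes a validating recursive resolver with the CD bit clear, so bogus DNSSEC data surfaces as SERVFAIL, and it models that resolver as a callable over constructed responses so it runs offline; the RFC 8659 tree climb and the issue/issuewild evaluation are included so the hard-fail decision is shown in context.

```python
"""Hard-fail CAA checking (added example, not boulder's implementation).

Assumptions: the resolver is DNSSEC-validating with CD clear, so a bogus
RRset comes back as SERVFAIL rather than as an unvalidated answer; the
resolver is modelled as a callable returning a constructed Response.
"""
from dataclasses import dataclass, field
from typing import Callable


class CAAHardFail(Exception):
    """Any lookup outcome that must block issuance rather than be ignored."""


@dataclass
class Response:
    rcode: str                                   # NOERROR, NXDOMAIN, SERVFAIL, REFUSED, ...
    records: list = field(default_factory=list)  # CAA RRs as (flags, tag, value) tuples


# The only two outcomes that are answers. NXDOMAIN and an empty NOERROR are
# both (validated) denials of existence: "no CAA at this label, keep climbing".
ACCEPTABLE_RCODES = {"NOERROR", "NXDOMAIN"}


def relevant_caa_rrset(fqdn: str, resolve: Callable[[str], Response]) -> list:
    """RFC 8659 section 3: climb from fqdn toward the root and return the first
    non-empty CAA RRset. Anything that is not an answer is a hard error."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        try:
            resp = resolve(name)
        except (TimeoutError, OSError) as exc:      # timeout / network failure
            raise CAAHardFail(f"{name}: lookup failed: {exc}") from exc
        if resp.rcode not in ACCEPTABLE_RCODES:     # SERVFAIL (incl. bogus), REFUSED, ...
            raise CAAHardFail(f"{name}: rcode {resp.rcode}")
        if resp.records:
            return resp.records
    return []


def issuance_permitted(fqdn: str, ca_id: str, resolve, wildcard: bool = False) -> bool:
    """True iff the relevant CAA RRset (if any) permits ca_id to issue for fqdn.
    Raises CAAHardFail instead of silently permitting when the lookup is unusable."""
    rrset = relevant_caa_rrset(fqdn, resolve)
    if not rrset:
        return True                                 # no CAA anywhere: unrestricted
    # RFC 8659 section 4.1: an unrecognised tag with the critical flag (128) set forbids issuance.
    for flags, tag, _ in rrset:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True                                 # only iodef etc.: no restriction
    # The value may carry parameters after ';' ("ca.example; accounturi=...");
    # a bare ";" names no CA and therefore forbids everyone.
    names = {v.split(";", 1)[0].strip() for v in applicable}
    return ca_id in names


# ---- constructed demo data (not real DNS) ------------------------------------
TIMEOUT = object()
DEMO_ZONE = {
    "www.example.com.":  Response("NOERROR"),                                  # no CAA here
    "example.com.":      Response("NOERROR", [(0, "issue", "letsencrypt.org")]),
    "wild.example.com.": Response("NOERROR", [(0, "issue", "letsencrypt.org"),
                                              (0, "issuewild", ";")]),
    "bogus.example.":    Response("SERVFAIL"),                                 # bogus DNSSEC data
    "refused.example.":  Response("REFUSED"),
    "slow.example.net.": TIMEOUT,
}


def make_resolver(zone: dict):
    """Stand-in for a validating resolver; unknown names are NXDOMAIN."""
    def resolve(name: str) -> Response:
        outcome = zone.get(name, Response("NXDOMAIN"))
        if outcome is TIMEOUT:
            raise TimeoutError("no response from authoritative servers")
        return outcome
    return resolve


DEMO_RESOLVE = make_resolver(DEMO_ZONE)

if __name__ == "__main__":
    for name in ("www.example.com.", "www.bogus.example.", "slow.example.net."):
        try:
            print(name, "->", issuance_permitted(name, "letsencrypt.org", DEMO_RESOLVE))
        except CAAHardFail as e:
            print(name, "-> HARD FAIL:", e)
```

The point to check in any real implementation is the exception path: a lookup failure must propagate as a refusal to issue, never be caught and turned into "no CAA found". With a resolver that sets CD=1 the CA would additionally have to validate signatures itself before treating an answer or denial as usable; that case is outside this example.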