On Fri, Jan 21, 2022 at 01:30:38PM -0500, Ryan Sleevi wrote:

> > > Do you think that DNSSEC should be soft-fail for CAA checks, or should
> > > we urge the CAs to be more strict here?  Perhaps that would be another
> > > recommendation.
> >
> > CAA lookups must not softfail.  This needs to be the case whether the
> > domain is signed or not.  For signed domains this means that validation
> > of the response (positive or denial of existence) must succeed.  Bogus
> > replies, lame delegations, timeouts, REFUSED, SERVFAIL, ... need to all
> > be hard errors (for signed and unsigned domains alike).
> 
> Yes, and OCSP lookups must not softfail either, in order for them to be
> useful.

From where I sit, issuance is a much more critical process than
revocation, and sloppy practices should not be acceptable.  Postfix does
not ignore DNS lookup errors, and the sky has not fallen.  I don't see
why a CA should be at liberty to do so.

If some domain has broken DNS preventing certificate issuance, then they
need to fix that first.  Both the nameservers and the CA can be expected
to be on a better than hotel captive portal network, where DNS is
sufficiently reliable to return a valid answer, or be attended to if
there's a problem.

If CA/B Forum CAs are ignoring CAA lookup errors then the WebPKI is even
weaker than I thought it was.

-- 
    Viktor.

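The fail-closed CAA handling described above, written out as an added example (not code from the thread, from Postfix or from any CA): constructed Lookup results stand in for what a validating resolver would report, and Lookup, Verdict and caa_verdict are names chosen here. It also climbs from the FQDN to its parents as RFC 8659 prescribes, so the same hard-error rule applies at every label.

```python
"""Fail-closed CAA check over constructed lookup results (example, not a CA's code)."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    PERMIT = "permit"          # CAA permits this issuer (or no CAA anywhere)
    DENY = "deny"              # CAA present and this issuer is not authorised
    HARD_ERROR = "hard-error"  # lookup did not yield a trustworthy answer


@dataclass
class Lookup:
    """What a validating resolver reported for one CAA query (constructed)."""
    rcode: str                                   # NOERROR, NXDOMAIN, SERVFAIL, REFUSED, TIMEOUT ...
    records: list = field(default_factory=list)  # (flags, tag, value) tuples, [] if none
    signed_zone: bool = False                    # DS chain says this zone is DNSSEC-signed
    secure: bool = False                         # answer or denial of existence validated


def caa_verdict(lookups: dict, fqdn: str, issuer: str) -> Verdict:
    """Climb from fqdn to its parents; the first CAA RRset found decides.

    Anything other than a validated answer or a validated denial of
    existence is a hard error, for signed and unsigned zones alike.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        lk = lookups.get(name)
        if lk is None or lk.rcode not in ("NOERROR", "NXDOMAIN"):
            return Verdict.HARD_ERROR      # timeout, SERVFAIL, REFUSED, lame delegation ...
        if lk.signed_zone and not lk.secure:
            return Verdict.HARD_ERROR      # bogus or unvalidated data in a signed zone
        if not lk.records:
            continue                       # no CAA at this name: try the parent
        # An unknown tag carrying the critical flag (bit 0x80) forbids issuance.
        if any(flags & 0x80 and tag not in ("issue", "issuewild", "iodef")
               for flags, tag, _ in lk.records):
            return Verdict.DENY
        issue = [v for _, tag, v in lk.records if tag == "issue"]
        if not issue:
            return Verdict.PERMIT          # CAA present but no "issue" restriction
        # "issue" values look like "domain; params" or ";" (nobody may issue).
        permitted = {v.split(";")[0].strip().lower() for v in issue}
        return Verdict.PERMIT if issuer.lower() in permitted else Verdict.DENY
    return Verdict.PERMIT                  # no CAA anywhere up the tree
```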
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta