On Thu, 30 Nov 2017, Tim Hollebeek via dev-security-policy wrote:
> [somewhat off topic, you can safely hit delete now]
> So it turns out DNSSEC solves CAA problems for almost nobody, because almost nobody uses DNSSEC.
The only people who need to use CAA are the CAs. They can surely manage to fire up a validating DNS resolver. I'm sure there are more BRs that "almost nobody uses" because there is no need for everyone to use it but CAs. If you talk about domain holders not being able to run DNSSEC, that's a pretty lame excuse too, when we have many registrars and hosters who run millions of DNSSEC-secured zones. I feel this argument is similar to "hosting your own email service is too hard". If it is, there are excellent commercial alternatives available.
> And given the serious flaws both in DNSSEC itself and existing DNSSEC implementations
For one, I'm not aware of "serious flaws in DNSSEC". As for wanting something to die because of bad implementations, can I suggest starting with ASN.1 and X.509, then move to crypto primitives and TLS? :)
> The presence of DNSSEC in the BR policy for handling DNS failures, in hindsight, was probably a mistake, and
Trusting unauthenticated data from the network should really be a no-op, from a principle point of view. Making any security decisions based on "some blob from the network that anyone could have modified without detection" is just madness.
> Right now, the only thing it is really accomplishing is preventing certificate issuance to customers whose DNS infrastructure is flaky, misconfigured, or unreliable.
Seems like the kind of people who should be given a certificate award for excellence :P
> Longer term, DNS over HTTPS is probably a more useful path forward than DNSSEC for CAA, but unfortunately that is still in its infancy.
Not really, because that only offers transport security and not data integrity. A compromised nameserver should not be able to fake the lack of CAA record for a domain that uses secure offline DNSSEC signing.
> The problem DNSSEC checks for CAA was intended to solve was the fact that it is certainly possible that a well-resourced attacker can manipulate the DNS responses that the CA sees as part of its CAA checks. A better mitigation, perhaps, is for multiple parties to publicly attest in a verifiable way as to what the state of DNS was at/near the time of issuance with respect to the relevant CAA records.
Then why not simply cut out the DNS middleman, and give domains another way to advertise this information? What about RDAP? What about an EPP "CA lock" similar to a "Registrar lock"?
> Of course, to avoid some of the extremely interesting experiences the industry has had with CAA
Maybe people should use proper DNS libraries and not invent their own CNAME / DNAME handling :)

Paul

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
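A worked illustration of the points argued in the message above: the RFC 8659-style CAA tree climb, CNAME handling left to the resolver rather than reimplemented by the CA, and the BR rule that a DNS lookup failure only counts as permission to issue when the zone has no DNSSEC chain to the root. This is an added example, not code from the thread, from Mozilla or from any CA; the FakeResolver class, the zone names, the CA names (good-ca.example.net, other-ca.example.net) and the two failing names are constructed assumptions standing in for a validating resolver and real zones.

```python
"""CAA lookup in the RFC 8659 style against a constructed in-memory zone model.

Added example, not code from this thread or from any CA.  FakeResolver, the zone
data and the CA names are constructed stand-ins for a validating recursive
resolver, which answers SERVFAIL for DNSSEC-bogus data.
"""
from typing import Dict, List, Set, Tuple

CAARecord = Tuple[int, str, str]       # (flags, tag, value) of one CAA RR
Answer = Tuple[str, List[CAARecord]]   # (rcode, rrset); rcode NOERROR/NXDOMAIN/SERVFAIL


class CAAError(Exception):
    """Policy forbids treating this lookup failure as permission to issue."""


class FakeResolver:
    """Constructed stand-in for a validating resolver (no network involved)."""

    def __init__(self, records: Dict[str, dict], signed: Set[str], failing: Set[str]):
        self.records = records  # name -> {"CNAME": target} or {"CAA": [...]}
        self.signed = signed    # zone apexes with a DS chain up to the root
        self.failing = failing  # names whose authoritative servers SERVFAIL

    def has_dnssec_chain(self, name: str) -> bool:
        # A CA learns this from DS records in the parent zone, which stay
        # reachable even while the child zone's own servers are failing.
        labels = name.split(".")
        return any(".".join(labels[i:]) in self.signed for i in range(len(labels)))

    def query_caa(self, name: str) -> Answer:
        # CNAME chains are followed here, by the resolver, as for any RR type.
        # RFC 8659 dropped the RFC 6844 text that also climbed the tree from
        # the CNAME target; CA code must not reintroduce that on its own.
        for _ in range(8):                       # bounded: a CNAME loop is SERVFAIL
            if name in self.failing:
                return ("SERVFAIL", [])
            entry = self.records.get(name)
            if entry is None:
                return ("NXDOMAIN", [])
            if "CNAME" not in entry:
                return ("NOERROR", list(entry.get("CAA", [])))
            name = entry["CNAME"]
        return ("SERVFAIL", [])


def relevant_caa(resolver: FakeResolver, domain: str, retries: int = 1) -> List[CAARecord]:
    """RFC 8659 section 3: first non-empty CAA RRset walking from domain to the root."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rcode, rrset = resolver.query_caa(name)
        for _ in range(retries):
            if rcode != "SERVFAIL":
                break
            rcode, rrset = resolver.query_caa(name)
        if rcode == "SERVFAIL":
            # The BR rule the thread discusses: a failed lookup may count as permission
            # to issue only after a retry and only if the zone has no DNSSEC chain to
            # the root.  A signed zone whose lookup fails must block issuance.
            if resolver.has_dnssec_chain(name):
                raise CAAError(f"CAA lookup for {name} failed in a DNSSEC-signed zone")
            return []
        if rrset:
            return rrset
    return []


def _issuer_matches(value: str, ca_domain: str) -> bool:
    # Value is "<issuer-domain>[; key=value ...]"; a bare ";" names no CA at all.
    return value.split(";", 1)[0].strip().lower() == ca_domain.lower()


def may_issue(rrset: List[CAARecord], ca_domain: str, wildcard: bool = False) -> bool:
    """RFC 8659 section 4: may ca_domain issue, given the relevant CAA RRset?"""
    if any(f & 128 and t.lower() not in {"issue", "issuewild", "iodef"} for f, t, _ in rrset):
        return False  # critical flag on a property we do not understand
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True   # no applicable restriction
    return any(_issuer_matches(v, ca_domain) for v in relevant)


# Constructed data: four signed zones, one unsigned, two names whose servers fail.
RECORDS = {
    "example.com": {"CAA": [(0, "issue", "good-ca.example.net")]},
    "www.example.com": {},
    "alias.example.com": {"CNAME": "target.example.org"},
    "target.example.org": {},
    "example.org": {"CAA": [(0, "issue", "other-ca.example.net")]},
    "example.net": {"CAA": [(0, "issue", "good-ca.example.net"), (0, "issuewild", ";")]},
}
RESOLVER = FakeResolver(
    records=RECORDS,
    signed={"example.com", "example.org", "example.net", "signed.example"},
    failing={"broken.signed.example", "broken.unsigned.example"},
)
```

Calling relevant_caa(RESOLVER, "alias.example.com") yields the example.com record naming good-ca.example.net, not the example.org record naming other-ca.example.net: the resolver follows the CNAME to target.example.org, finds nothing, and the climb then continues from alias.example.com's own parent rather than from the CNAME target, which is exactly where home-grown CNAME handling has gone wrong. broken.unsigned.example comes back as an empty RRset, i.e. permission to issue (the flaky-DNS case Tim describes), while broken.signed.example raises CAAError because the zone carries a DNSSEC chain and the failure therefore cannot be waved through.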

