Closing the loop on this, here is where I think we landed:

Is this acceptable?

A domain owner SHOULD sign their DNS zone using DNSSEC {{RFC9364}} to
protect Validation Records against DNS spoofing attacks, including from
on-path attackers.

Application Service Providers MUST use a trusted DNSSEC validating resolver
to verify Validation Records they have requested to be deployed. When the
AD bit ({{RFC4035}} Section 3.2.3) is not set in DNS responses for
Validation Records, Application Service Providers SHOULD take additional
steps to reduce an attacker's ability to complete a challenge by spoofing
DNS:

* Application Service Providers SHOULD attempt to query and confirm the
Validation Record by matching responses from multiple DNS resolvers on
unpredictable geographically diverse IP addresses
* Application Service Providers MAY perform multiple queries spread out
over a longer time period to reduce the chance of receiving spoofed DNS
answers.


Also in
https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/188

Best, Erik
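As an added illustration of the check sequence in the proposed text above (this is not code from the draft, the pull request, or anyone in the thread), the decision logic with DNS lookups injected so it runs offline; the resolver addresses, zone contents and the `make_query` simulator are constructed assumptions:

```python
"""Decision logic from the proposed text: accept a Validation Record only when
the answer was DNSSEC-validated (AD bit set) or, for an unsigned zone, when
several independent resolvers return the same records. Lookups are injected
so the logic runs offline; addresses and zone data below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class DnsAnswer:
    records: frozenset  # TXT strings returned for the queried name
    ad: bool            # Authenticated Data bit (RFC 4035 s3.2.3) was set


QueryFn = Callable[[str, str], DnsAnswer]  # (name, resolver_ip) -> answer


def verify_validation_record(name: str, expected: str, query: QueryFn,
                             trusted_resolver: str,
                             diverse_resolvers: Iterable[str],
                             min_agreeing: int = 3) -> Tuple[bool, str]:
    """Return (accepted, reason) for the challenge token `expected`."""
    first = query(name, trusted_resolver)
    if expected not in first.records:
        return False, "record not present"
    if first.ad:
        return True, "DNSSEC-validated answer (AD bit set)"
    # AD not set: fall back to cross-checking resolvers on diverse addresses;
    # a spoofed answer is unlikely to reach all of them identically.
    agreeing = 0
    for ip in diverse_resolvers:
        if query(name, ip).records != first.records:
            return False, f"answer from {ip} differs; possible DNS spoofing"
        agreeing += 1
    if agreeing < min_agreeing:
        return False, f"only {agreeing} confirmations, need {min_agreeing}"
    return True, f"unsigned zone; confirmed by {agreeing} diverse resolvers"


def make_query(zone: Dict[str, List[str]], signed: bool,
               spoofed: Optional[Dict[str, List[str]]] = None) -> QueryFn:
    """Constructed stand-in for real lookups (hypothetical, no network).
    `spoofed` maps a resolver IP to the records an attacker injects there."""
    def query(name: str, resolver_ip: str) -> DnsAnswer:
        if spoofed and resolver_ip in spoofed:
            return DnsAnswer(frozenset(spoofed[resolver_ip]), ad=False)
        return DnsAnswer(frozenset(zone.get(name, [])), ad=signed)
    return query
```

In a real deployment `query` would wrap a DNSSEC-validating resolver library and surface the AD flag from the response header; the time-spread repeat queries the text also suggests would be an additional loop around the same comparison.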


On Mon, Jul 21, 2025 at 10:21 AM Henry Birge-Lee <[email protected]>
wrote:

> Hi all,
>
> Being the author of the ballot that recently passed requiring DNSSEC
> validation of all DCV for web PKI CAs (
> https://github.com/cabforum/servercert/pull/579 ) I do strongly support
> this type of language and think it would help the Internet Draft.
>
> I largely agree DNSSEC validation should be a MUST statement while DNSSEC
> signing is best left as a SHOULD.
>
> I also like the recommended precautions if the AD bit is not set.
>
> In general I am excited about the idea of recursive to authoritative
> Do[HQT] (I have a reference to that in another I-D I am working on
> https://datatracker.ietf.org/doc/draft-ietf-lamps-caa-security/ ).
> However, I do not think it should replace any DNSSEC mandate as the
> security properties are different. It could be nice to mention as a SHOULD,
> but I would advise against having it interact at all with the mandate
> to validate DNSSEC.
>
> Best,
> Henry
>
>
>
> On Mon, Jul 21, 2025 at 9:10 AM Jim Reid <[email protected]> wrote:
>
>>
>>
>> > On 21 Jul 2025, at 13:58, Erik Nygren <[email protected]> wrote:
>> >
>> > DNSSEC signing of zones remains a SHOULD.
>>
>> +1
>>
>> IMO using an encrypted channel (Do[HQT]) might well be "good enough".
>>
>> _______________________________________________
>> DNSOP mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>
>