[cabfpub] Continuing the discussion on CAA

Jacob Hoffman-Andrews jsha at letsencrypt.org
Wed Oct 26 12:06:04 MST 2016


On Tue, Oct 25, 2016 at 11:52 PM, Jeremy Rowley via Public <
public at cabforum.org> wrote:
> Basically, I’d like a way for the domain owner to opt-out of CAA checks
for performance reasons, which I think resolves the concerns you raised.

The performance problems may not be as bad as you think, with automation
and parallelization. For instance, Let's Encrypt recently issued over a
million certificates on a single day, with full CAA checking, and did not
find CAA to be a performance bottleneck.

I realize that may seem at odds with my earlier statement, so I'll quote it
here and add detail:

On Tue, Oct 18, 2016 at 11:26 AM, Jacob Hoffman-Andrews <
jsha at letsencrypt.org> wrote:
> Let's Encrypt checks CAA at validation time rather than issuance time,
because DNS checks are slow and unreliable. Doing the check at validation
time allowed us to consolidate the external-facing parts of our process
into a single component, and monitor the performance of that component with
the knowledge that it is affected by factors outside our control.

Specifically, I mean that most of our internal RPCs complete in under a
second, and are monitored for such. However, validation requests are
allowed much longer because of variability in remote services. Also, it's
normal for some fraction of validation requests to timeout because some
fraction of our customers have misconfigured servers. That said, for a
given customer who has a correctly configured DNS responder, DNS lookups,
including CAA, are typically not a bad bottleneck.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20161026/ef1c6f46/attachment.html>


More information about the Public mailing list