[cabfpub] Two CAA questions

philliph at comodo.com philliph at comodo.com
Wed Aug 2 15:40:06 MST 2017


> On Aug 2, 2017, at 6:23 PM, Kirk Hall via Public <public at cabforum.org> wrote:
> 
> I have two CAA questions from our technical group.  I am posting here to see what others think.  Do we need to make any changes to BR 3.2.2.8 (created under Ballot 187)?  Thanks for any feedback.
>  
> QUESTION 1
>  
> Subject: CAA ballot and handling of REFUSED status response from authoritative name servers
>  
> Suppose we have a domain "demo-k2k.com" that has NS records pointing to "ns1.demo-k2k.com" and "ns2.demo-k2k.com" as the authoritative name servers. When we query "ns1.demo-k2k.com" for the CAA records for "demo-k2k.com", it returns a status of REFUSED. This may be due to a misconfiguration or the restricted access may be intentional.
>  
> We now have a scenario where the record lookup for "demo-k2k.com" has failed.
>  
> According to ballot 187, CAs are permitted to treat a record lookup failure as permission to issue if:
>  
> 1. the failure is outside the CA’s infrastructure;
> 2. the lookup has been retried at least once; and
> 3. the domain’s zone does not have a DNSSEC validation chain to the ICANN root.
>  
> Condition #1 is satisfied, the failure is outside the CA’s infrastructure.
> We can satisfy Condition #2 by retrying – we get the same REFUSED status in the response.
>  
> Because of the "and" clause in above ballot excerpt, we must also satisfy condition #3 if we want to treat the lookup failure as permission to issue.
> We cannot, however, determine whether the "domain’s zone does not have a DNSSEC validation chain to the ICANN root" because the domain's zone authoritative name servers are refusing to answer our DNS queries.
>  
> This scenario is encountered often enough in the real world that it would prevent many certificates from being issued if ballot 187 is followed.
>  
> One potential solution is to allow CA's to treat REFUSED status responses from authoritative name servers as permission to issue.

The problem with doing this is that it opens up a downgrade attack.

We know if the zone is DNSSEC signed or not (NSEC3 in the parent zone). REFUSED + DNSSEC should mean no certificate. If you turn on DNSSEC and muck it up, then you are going to be in for a world of hurt anyways. That is what DNSSEC is for.


> QUESTION 2
>  
> Subject: Handling CAA record with single character in it
>  
> We have found a CAA record that consists only of a semi-colon “;”. So the field is not empty, but also does not designate any known CAs.
>  
> Our team assumes this effectively blocks all CAs from issuing to this domain.  Do others agree?
> 

Yes. The original intention was that a completely empty record should prevent issue. That may well be harder to enter in the config file of course.

There are many domains that are bought and simply parked. They are not in use so why would someone be getting a certificate for them?
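The decision rule discussed in this thread (the three Ballot 187 conditions for a lookup failure, the "REFUSED + DNSSEC means no certificate" point, and the lone ";" issue value from Question 2), written out as an added example that is not part of the original post or of any CA's code. The `CaaLookup` fields are assumptions, and the `zone_dnssec_signed` flag is assumed to have been derived from the parent zone's DS/NSEC3 data rather than from the refusing name server; `issuewild` is not modelled.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed model of a CAA lookup result as a CA's checker might record it.
# rcode is the DNS response code ("NOERROR", "REFUSED", "SERVFAIL", ...).
@dataclass
class CaaRecord:
    tag: str    # CAA property tag, e.g. "issue"
    value: str  # CAA property value, e.g. "ca.example" or ";"

@dataclass
class CaaLookup:
    rcode: str
    attempts: int                 # number of lookups made (retry => attempts >= 2)
    failure_outside_ca: bool      # condition 1 of BR 3.2.2.8 / Ballot 187
    zone_dnssec_signed: bool      # from the parent's DS/NSEC3, NOT from the refusing server
    records: List[CaaRecord] = field(default_factory=list)

def issuance_permitted(lookup: CaaLookup, ca_domain: str) -> bool:
    """Return True if CAA processing permits ca_domain to issue for this name."""
    if lookup.rcode != "NOERROR":
        # Lookup failure path: all three Ballot 187 conditions must hold.
        # A signed zone that refuses to answer is a hard stop; treating it as
        # permission would be the downgrade attack described in the reply.
        return (lookup.failure_outside_ca
                and lookup.attempts >= 2
                and not lookup.zone_dnssec_signed)

    issue_values = [r.value.strip() for r in lookup.records if r.tag.lower() == "issue"]
    if not issue_values:
        # No issue property at all: CAA places no restriction on this CA.
        return True
    for value in issue_values:
        # The value is "<ca-domain>[; params]". A value of ";" (or "") names
        # no CA, so it matches nobody and therefore forbids every CA.
        domain = value.split(";", 1)[0].strip()
        if domain and domain.lower() == ca_domain.lower():
            return True
    return False
```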