[cabfpub] Two CAA questions

Gervase Markham gerv at mozilla.org
Fri Aug 18 04:25:53 MST 2017


On 02/08/17 23:40, philliph--- via Public wrote:
>> We cannot, however, determine whether the "domain’s zone does not have
>> a DNSSEC validation chain to the ICANN root" because the domain's zone
>> authoritative name servers are refusing to answer our DNS queries.
>>  
>> This scenario is encountered often enough in the real world that it
>> would prevent many certificates from being issued if ballot 187 is
>> followed.

Is anyone able to explain why this scenario is at all common? Why would
the authoritative nameservers for a domain refuse to answer queries, if
the owner of the domain wanted the domain to work at all?

>> One potential solution is to allow CA's to treat REFUSED status
>> responses from authoritative name servers as permission to issue.
> 
> The problem with doing this is that it opens up a downgrade attack.

As PHB says, this doesn't sound like the right route.

> We know if the zone is DNSSEC signed or not (NSEC3 in the parent zone).
> REFUSED + DNSSEC should mean no certificate. If you turn on DNSSEC and
> muck it up, then you are going to be in for a world of hurt anyways.
> That is what DNSSEC is for.

So you can determine whether the parent zone is DNSSEC-signed or not
without needing a response from the authoritative nameserver for the
domain itself? Do I have this right: if the parent zone is not signed,
clearly the domain itself won't be signed. But if the parent zone is
signed, you can't tell if the domain itself is signed or not without the
authoritative nameserver telling you.

Is that right?

Oh, and yes, an empty record means "no-one can issue".

Gerv
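As an added illustration (not code from the thread, ballot 187 or any CA), here is a Python model of the decision being debated: a CAA lookup answered REFUSED counts as permission only when the zone has no DNSSEC chain to the root, which is learned from the parent side (DS or signed NSEC3) as PHB describes, and an empty issue value authorizes no CA. The Rcode/CaaLookup types and the sample records are constructed; the retry requirement and CAA tree-climbing are assumed to be handled by the caller.

```python
from dataclasses import dataclass
from enum import Enum


class Rcode(Enum):
    """DNS response codes used by this model (constructed subset)."""
    NOERROR = 0
    REFUSED = 5


@dataclass
class CaaLookup:
    """Result of asking the domain's authoritative servers for CAA.
    records holds (tag, value) pairs and is only meaningful on NOERROR."""
    rcode: Rcode
    records: list


def caa_permits_issuance(ca_id, lookup, dnssec_chain_to_root, wildcard=False):
    """Decide whether CA `ca_id` may issue; returns (permitted, reason).
    dnssec_chain_to_root comes from the parent zone (a DS record, or a
    signed NSEC3 proving there is none), so it is known even when the
    child's name servers refuse to answer.  Assumes the caller has already
    retried the lookup and done CAA tree-climbing; neither is modelled."""
    if lookup.rcode is Rcode.REFUSED:
        if dnssec_chain_to_root:
            return False, "REFUSED on a DNSSEC-delegated zone: no permission"
        return True, "REFUSED on an unsigned zone: lookup-failure exception"
    tags = {t for t, _ in lookup.records}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    values = [v for t, v in lookup.records if t == tag]
    if not values:
        return True, "no %s records present" % tag
    for value in values:
        # An issue value of ";" (or "") names no CA at all: nobody may issue.
        authorized = value.split(";", 1)[0].strip().lower()
        if authorized and authorized == ca_id.lower():
            return True, "CAA names %s" % ca_id
    return False, "CAA records present but none name %s" % ca_id


if __name__ == "__main__":
    refused = CaaLookup(Rcode.REFUSED, [])
    print(caa_permits_issuance("ca.example", refused, dnssec_chain_to_root=True))
    print(caa_permits_issuance("ca.example", refused, dnssec_chain_to_root=False))
    empty = CaaLookup(Rcode.NOERROR, [("issue", ";")])
    print(caa_permits_issuance("ca.example", empty, dnssec_chain_to_root=True))
```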