[cabfpub] DNSSEC validation for CAA record lookup failure

[Peter Bowen]

> On Sep 14, 2017, at 10:02 AM, Geoff Keating via Public <public at cabforum.org> wrote:
> 
> At the moment the BRs say:
> 
> CAs are permitted to treat a record lookup failure as permission to issue if:
> 
> the failure is outside the CA's infrastructure;
> 
> the lookup has been retried at least once; and
> 
> the domain's zone does not have a DNSSEC validation chain to the ICANN root. 
> 
> I suggest replacing the last item with “the record being looked up is classified as ‘Insecure’ under RFC 4035 section 4.3, as amended.”
> 
> The most common case of this will be that the record being looked up is a CAA record for, say, example.com <http://example.com/>; the .com servers have been contacted successfully, producing authenticated NS records for example.com <http://example.com/>, but the example.com <http://example.com/> name servers cannot be contacted; and the .com servers have provided authenticated denial of existence for a DS record for example.com <http://example.com/>.  This is covered in RFC 4035 section 5.2, “If the validator authenticates an NSEC RRset that proves that no DS RRset is present for this zone, then there is no authentication path leading from the parent to the child.”

Geoff,

This covers the “affirmatively insecure” case — that is a signed response affirmatively indicates there are no DS records for a given name but there are NS records for the same name.

However many of the cases are not as clear, especially in the face of NSEC3 with opt-out.  What if there is a DS record but the child zone returns an answer that is covered in an opt-out gap?  What if the delegation without DS is covered in opt-out?  Are these both affirmatively insecure?

Also, take a look at https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1439 <https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1439>  There is discussion there that highlights another challenge: what happens in error cases.  How should CAs handle a case where they are trying to get data for beta.shop.example.com <http://beta.shop.example.com/>, example.com <http://example.com/> has a DS record in the com zone, but there are no DNSKEY records for example.com <http://example.com/> in the example.com <http://example.com/> zone?  We don’t know if shop.example.com <http://shop.example.com/> is insecure or secure.

Thanks,
Peter



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170914/e946d4f7/attachment-0001.html>