[Cryptography] letsencrypt.org
Viktor Dukhovni
cryptography at dukhovni.org
Sat Sep 16 23:45:26 EDT 2017
> On Sep 16, 2017, at 12:31 PM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
>
>> I tried to suggest at a recent IETF meeting that CAs should
>> use DNSSEC-validating resolvers when querying CAA records,
>> to reduce this MiTM risk, but got rather strange pushback
>> from PHB on behalf of Comodo. FWIW, Let's Encrypt does in
>> fact do validated DNS resolution.
>
> You were unclear then.
Sorry about that; I'm relieved to infer from the below that there's
in fact no disagreement.
> The specification makes clear that CAs are required to perform DNSSEC
> validation if a zone is signed.
Which is all I was trying to ask for.
> However a zone is not required to have DNSSEC to publish a CAA
> record.
I agree that should not be a requirement. Glad we can put that
misunderstanding behind us.
--
Viktor.
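The two rules the thread settles on, that a CA must DNSSEC-validate CAA answers when the zone is signed, and that an unsigned zone may still publish CAA, can be seen in a CAA issuance check. The following is an added example, not code from this thread or from Let's Encrypt or any other CA: it implements the RFC 8659 tree-climbing lookup on top of a toy validating resolver, with constructed zone data (the names, records, "signed" and "bogus" sets are all assumptions made up for the example). The policy that a validation failure means "do not issue" is likewise the example's own choice.

```python
"""CAA evaluation (RFC 8659 tree climbing) over a toy DNSSEC-validating
resolver.  Constructed example: zone data and resolver are stand-ins."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) = "issuer critical"
    tag: str
    value: str


class ValidationFailure(Exception):
    """A signed zone's answer failed DNSSEC validation (a validating resolver
    would return SERVFAIL; we never see unauthenticated data from it)."""


# --- Constructed zone data (assumption: every name below is made up) ---
SIGNED_ZONES = {"example.com.", "signed.test."}   # zones with DS/DNSKEY chain
BOGUS_NAMES = {"caa.signed.test."}                  # signatures that do not verify
CAA_RRSETS = {
    "example.com.": [CAA(0, "issue", "letsencrypt.org"),
                     CAA(0, "issuewild", ";")],
    # CAA in an unsigned zone is allowed; it just cannot be authenticated.
    "unsigned.test.": [CAA(0, "issue", "ca.example.net")],
    "caa.signed.test.": [CAA(0, "issue", "letsencrypt.org")],
    "strict.example.org.": [CAA(128, "futuretag", "x")],   # unknown critical tag
}


def zone_of(name):
    """Closest enclosing name present in SIGNED_ZONES, or None if unsigned."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:]) + "."
        if cand in SIGNED_ZONES:
            return cand
    return None


def resolve_caa(name):
    """Toy validating resolver: returns (rrset, ad_flag).  Answers from signed
    zones come back with AD=1; bogus data raises instead of being returned,
    mirroring the SERVFAIL a CA gets from a real validating resolver."""
    signed = zone_of(name) is not None
    if signed and name in BOGUS_NAMES:
        raise ValidationFailure(name)
    return CAA_RRSETS.get(name, []), signed


def relevant_caa(domain):
    """RFC 8659 s3: walk from the domain toward the root and use the first
    non-empty CAA RRset.  Returns [] when no ancestor publishes CAA."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rrset, ad = resolve_caa(name)
        if zone_of(name) is not None and not ad:
            # Signed zone but no AD flag: the resolver did not validate, so
            # the answer could be an on-path forgery.  Refuse to use it.
            raise ValidationFailure(f"unauthenticated answer for {name}")
        if rrset:
            return rrset
    return []


def issuance_permitted(domain, issuer, wildcard=False):
    """May `issuer` issue for `domain` under its CAA policy?  Any DNSSEC
    validation failure is treated as 'do not issue' (example's own policy)."""
    try:
        rrset = relevant_caa(domain)
    except ValidationFailure:
        return False
    if not rrset:
        return True   # no CAA anywhere up the tree: CAA imposes no restriction
    # An unrecognised property flagged critical must block issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue does.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True   # property absent: not restricted by CAA
    for r in applicable:
        # issuer-domain-name is the part before any ';' parameters;
        # an empty name (the value ";") authorises nobody.
        issuer_domain = r.value.split(";", 1)[0].strip().lower()
        if issuer_domain and issuer_domain == issuer.lower():
            return True
    return False


if __name__ == "__main__":
    print(issuance_permitted("www.example.com", "letsencrypt.org"))                 # True
    print(issuance_permitted("example.com", "letsencrypt.org", wildcard=True))       # False
    print(issuance_permitted("host.unsigned.test", "ca.example.net"))                # True
    print(issuance_permitted("caa.signed.test", "letsencrypt.org"))                  # False
```

With a real resolver the `ad` flag is the AD bit in the response header (only meaningful when the CA talks to a validating resolver it trusts over a secure channel), and the bogus case surfaces as SERVFAIL rather than as a Python exception; the decision logic above is unchanged.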