Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require DNSSEC validation for CAA records when the domain is DNSSEC enabled #352

Open
CBonnell opened this issue Mar 31, 2022 · 2 comments
Open

Require DNSSEC validation for CAA records when the domain is DNSSEC enabled #352

CBonnell opened this issue Mar 31, 2022 · 2 comments
Labels
validation-sc

Comments

@CBonnell
Copy link
Member

Consider removing exceptions for DNSSEC failures on CAA lookup, and fail-closed instead.
@CBonnell CBonnell moved this to Backlog in Validation Aug 1, 2022
@CBonnell
Copy link
Member Author

CBonnell commented Aug 1, 2022

This was discussed on the 2022-07-28 call.

There was a lack of interest in prioritizing this item.

@CBonnell
Copy link
Member Author

This was discussed again on the 2023-10-19 call. There was rough consensus that we should keep this in the backlog, as there may be some security value in requiring this. However, the MPIC/MPDV work may lessen any additional benefit derived from mandating DNSSEC verification.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
validation-sc
Projects
Validation
Status: Backlog
Milestone
No milestone
Development

No branches or pull requests
1 participant
@CBonnell