Way to enforce DNSSEC validation


#1

Thanks to this nice piece of research this topic can be talked about again: https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Heftrig-Off-Path-Attacks-Against-PKI.pdf

Would it be somehow possible to enforce certificates only to be issued when the domain is DNSSEC protected?

I was also thinking that it would be really nice if that status is also written into the certificate itself some day, I mean, we have CT status that’s embedded with Expect-CT, why shouldn’t there be embedded DNSSEC status and Expect-CDNSSEC? This would also mean that browsers don’t have to spend time validating DNSSEC but can enjoy the security benefits (to a certain extent).


#2

I think it should be set the first time a certificate is issued for a domain using a flag passed to certbot, with Let’s Encrypt remembering to only accept DNS records from this domain if they are signed, unless an opt-out record is found (for example if the domain is about to be sold or transferred). Obviously, such a record should be signed for it to be effective.


#3

This breaks in the case where the previous owner (for whatever reason) didn’t create whatever opt-out record would be needed. Domains expire, people forget about them. New owners shouldn’t have to jump through hoops to get a cert for the thing they just purchased. They just update the NS records at the registrar and are on their merry way.


#4

Expiration should reset the DNSSEC requirement.


#5

Then Let’s Encrypt would require access to domain registration information…


#6

New owners have to jump through hoops if they want to get rid of HSTS preloading as well. IMHO domain expiration needs improvement rather than features being deferred because of it.


#7

HTTP validation is a huge showstopper for me since my reverse proxy cannot be trusted. A way of forcing DNS would be helpful.

For instance, LE could honor IN CAA 0 issue dns.letsencrypt.org + compat TXT for CAA-less DNS hosts could imply that only DNS validation would be permitted by LE.


#8

Let’s Encrypt wants to deploy the CAA validationmethods extension, but it’s been held up by issues with the CAA standard.
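
The validationmethods parameter mentioned above is specified in RFC 8657. The following Python is an added example, not part of the original thread and not Let's Encrypt's code, showing how a CA-side check could evaluate CAA "issue" records so that a domain permitting only dns-01 blocks HTTP validation. Assumptions: the function names are hypothetical, the sample records are constructed, the relevant CAA RRset has already been located, and issuewild and critical flags are out of scope.

```python
# Added example: evaluate CAA "issue" records carrying the RFC 8657
# validationmethods parameter. Function names are hypothetical.

# Constructed sample RRset: (flags, tag, value)
SAMPLE_DNS_ONLY = [(0, "issue", "letsencrypt.org; validationmethods=dns-01")]


def parse_issue_value(value):
    """Split an issue property value into (issuer_domain, params dict)."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()  # empty issuer (value ";") authorizes no CA
    params = {}
    for part in parts[1:]:
        if not part:
            continue
        tag, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed CAA parameter: {part!r}")
        # Parameter tags are lowercased here as a conservative assumption,
        # so a differently cased tag still restricts issuance.
        params[tag.strip().lower()] = val.strip()
    return issuer, params


def issuance_allowed(rrset, ca_domain, method):
    """Return True if ca_domain may issue using the given ACME method."""
    issue_values = [v for _flags, tag, v in rrset if tag.lower() == "issue"]
    if not issue_values:
        return True  # no issue property present: issuance is not restricted
    for value in issue_values:
        try:
            issuer, params = parse_issue_value(value)
        except ValueError:
            continue  # an unparseable record authorizes nothing
        if issuer != ca_domain.lower():
            continue
        methods = params.get("validationmethods")
        if methods is None:
            return True  # CA authorized with any validation method
        if method in [m.strip() for m in methods.split(",")]:
            return True
    return False
```
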


#9

Just noticed this, apparently it’s live in staging now, so will see how that goes.