DNSSEC validation requirement clarification

Rich Smith

Mar 27, 2026, 11:35:19 AM
to 'Corey Bonnell' via Validation Subcommittee (CA/B Forum)

Greetings and salutations,

As per discussion at the recent F2F in Houston, I'm working on a draft ballot to merge the DNSSEC validation requirement into its own section (3.2.2.10) and clarify some of the language. Pursuant to that effort, I have a question for the group.

In section 3.2.2.8.1 it states, "DNSSEC validation back to the IANA DNSSEC root trust anchor MAY be performed on all DNS queries associated with CAA record lookups performed by Remote Network Perspectives as part of Multi-Perspective Issuance Corroboration." There was similar wording in 3.2.2.4 regarding DNSSEC validation on Remote Network Perspectives when performing DCV lookups, but it was removed by one of the follow-up ballots passed in January. Is the current intent that DNSSEC validation be REQUIRED or OPTIONAL for DCV record lookups performed by Remote Network Perspectives?

Rich Smith

Director, Technical Compliance

M 1.718.724.9775

Henry Birge-Lee

Mar 27, 2026, 11:48:52 AM
to valid...@groups.cabforum.org
Hi Rich,

Thanks for your work on this. All DNSSEC validation by remote perspectives (including both CAA and DCV) should be OPTIONAL. This is the intent of the current ballot wording. This reduces the operational complexity and cost of MPIC while maintaining security standards.

I have had several long discussions about threat modeling this topic, but essentially, if the adversary has access to a cryptographic signature chain containing a malicious DNS record (which is required to fool the primary perspective's DNSSEC validation), then because of the replay behavior of DNSSEC the adversary can trivially replay this same signature chain at the remote perspectives, meaning their additional validation of the DNSSEC signature does not enhance security.

Best,
Henry
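The replay argument in Henry's reply, as an added worked model that is not part of this thread and not CA/B Forum or any CA's code. It assumes a stand-in for RRSIG/DNSKEY signing (HMAC-SHA256 under a zone secret, so it runs on the standard library alone; the replay property only depends on the validator checking a signature and its validity window, not on the algorithm), constructed names `_validation.example.com`, `attacker-token`, four perspective names, a signing time `T0`, and a remote quorum of 2. It runs three cases (replay of a genuinely signed chain inside its validity window, the same replay after expiry, and an outright forgery) with and without DNSSEC validation at the remote perspectives, and checks whether the remote validation ever changes the issuance decision.

```python
"""Why DNSSEC validation at remote MPIC perspectives is redundant.

Toy model for the thread above; not CA/B Forum or any CA's code.
Assumption: RRSIG/DNSKEY signing is replaced by HMAC-SHA256 under a zone
secret. Real DNSSEC uses asymmetric signatures, but the replay property
shown here depends only on the validator checking a signature and its
validity window, not on the signature algorithm.
"""
import hashlib
import hmac
from dataclasses import dataclass

ZONE_SECRET = b"example.com-zsk-stand-in"    # constructed; stands in for the zone key
DCV_NAME = "_validation.example.com"         # constructed DCV owner name
PERSPECTIVES = ("primary", "us-east", "eu-west", "ap-south")  # constructed names
T0 = 1_700_000_000                           # constructed signing time (unix)
DAY = 86_400


@dataclass(frozen=True)
class SignedRRset:
    name: str
    rtype: str
    rdata: tuple
    inception: int
    expiration: int
    signature: bytes


def _covered(name, rtype, rdata, inception, expiration):
    # Bytes the signature binds: owner, type, sorted rdata and the validity
    # window, mirroring the fields an RRSIG ties to its RRset.
    return "|".join([name.lower(), rtype, ",".join(sorted(rdata)),
                     str(inception), str(expiration)]).encode()


def sign_rrset(secret, name, rtype, rdata, inception, expiration):
    sig = hmac.new(secret, _covered(name, rtype, rdata, inception, expiration),
                   hashlib.sha256).digest()
    return SignedRRset(name, rtype, tuple(rdata), inception, expiration, sig)


def dnssec_validate(rrset, now, secret=ZONE_SECRET):
    """What any validating resolver does: window check, then signature check.
    Nothing here depends on which network the validator sits on."""
    if not rrset.inception <= now <= rrset.expiration:
        return False
    expected = hmac.new(secret, _covered(rrset.name, rrset.rtype, rrset.rdata,
                                         rrset.inception, rrset.expiration),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, rrset.signature)


def mpic_dcv(answers, token, now, remote_validate, quorum=2):
    """answers maps perspective -> the RRset that perspective received.
    The primary always validates DNSSEC; remotes validate only if asked.
    Returns (issue?, per-perspective verdicts)."""
    verdicts = {}
    for p, ans in answers.items():
        validate = (p == "primary") or remote_validate
        ok = dnssec_validate(ans, now) if validate else True
        verdicts[p] = ok and token in ans.rdata
    if not verdicts["primary"]:
        return False, verdicts
    remotes_ok = sum(1 for p, v in verdicts.items() if p != "primary" and v)
    return remotes_ok >= quorum, verdicts


def replay_attack(now, remote_validate):
    """Adversary holds a genuine signed chain containing their token (e.g. the
    zone signed it at T0 and later withdrew the record) and replays the same
    signed answer to every perspective."""
    captured = sign_rrset(ZONE_SECRET, DCV_NAME, "TXT", ("attacker-token",),
                          T0, T0 + 7 * DAY)
    return mpic_dcv({p: captured for p in PERSPECTIVES}, "attacker-token",
                    now, remote_validate)


def forgery_attack(now, remote_validate):
    """Adversary without the zone key signs the forged record with a key of
    their own; the primary's own validation already rejects it."""
    forged = sign_rrset(b"attacker-key", DCV_NAME, "TXT", ("attacker-token",),
                        now - DAY, now + DAY)
    return mpic_dcv({p: forged for p in PERSPECTIVES}, "attacker-token",
                    now, remote_validate)


def remote_validation_changes_outcome():
    """True if requiring DNSSEC at remotes ever flips an issuance decision
    across unexpired replay, expired replay and forgery."""
    cases = [lambda rv: replay_attack(T0 + 3 * DAY, rv),
             lambda rv: replay_attack(T0 + 9 * DAY, rv),
             lambda rv: forgery_attack(T0 + 3 * DAY, rv)]
    return any(case(True)[0] != case(False)[0] for case in cases)


if __name__ == "__main__":
    for rv in (False, True):
        print("remote DNSSEC validation:", rv)
        print("  replay inside window ->", replay_attack(T0 + 3 * DAY, rv)[0])
        print("  replay after expiry  ->", replay_attack(T0 + 9 * DAY, rv)[0])
        print("  forgery              ->", forgery_attack(T0 + 3 * DAY, rv)[0])
    print("remote validation changes any outcome:",
          remote_validation_changes_outcome())
```

The unexpired replay is accepted by every perspective whether or not the remotes validate, because each validator sees the same genuinely signed, unexpired chain; the expired replay and the forgery are already rejected by the primary's validation, so the remotes never get a vote. In this model the only thing that bounds the replay is the signature's expiration, which is why requiring validation at the remotes adds operational cost without changing any decision.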
