
Comments (10)

rolandshoemaker avatar rolandshoemaker commented on May 23, 2024

The native net package doesn't provide any methods for looking up CAA records (as far as I can tell) so it'd probably be a good idea to use something like miekg/dns which provides a much more granular DNS interface from which we could build methods to verify RRSIG records against zone DNSKEY records (an example of how this works can be found in the sectionCheck method here). These methods could also then be used to check DNSSEC when validating the _acme-challenge.example.com TXT records...?

I put together a dirty example of how to decode the record (based on RFC6844 and RFC3597) once retrieved using miekg/dns but have left out any DNSSEC checks. I'd be more than happy to take a crack at writing up some of this DNS stuff up if no one else wants to!

from boulder.

rolandshoemaker avatar rolandshoemaker commented on May 23, 2024

Soooo, I had a go at putting together all the stuff needed to query CAA sets based on RFC6844, I'm super duper tired now though, so I'll leave a link to what I've written so far (with lots of comments) here and hopefully see @jsha or @jcjones on IRC sometime tomorrow...

from boulder.

bifurcation avatar bifurcation commented on May 23, 2024

I agree that we should do this, but it is only a requirement / blocker if it is required by the CPS. As of right now, that's not the case. So I'm re-tagging as "enhancement".

from boulder.

jsha avatar jsha commented on May 23, 2024

Agreed that it's not a blocker.

from boulder.

bdaehlie avatar bdaehlie commented on May 23, 2024

Roland - do you have an ETA for your new CAA pull request?

from boulder.

rolandshoemaker avatar rolandshoemaker commented on May 23, 2024

I should be done with it by the end of this week if not sooner.

On Tue, May 26, 2015 at 11:32 PM Josh Aas [email protected] wrote:

Roland - do you have an ETA for your new CAA pull request?


from boulder.

jsha avatar jsha commented on May 23, 2024

Great! BTW, I think JC and I talked to you about this on IRC, but just in case: The resolver software we will use in prod already does the DNSSEC validation (and recursive resolution) for us, so we just need the part that parses CAA records. I think I may have initially misled you on implementing DNSSEC, sorry about that.

from boulder.
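Roland's first comment describes decoding a CAA record from the RFC 3597 generic format per RFC 6844, and jsha's comment above narrows the job to "just the part that parses CAA records" because the production resolver already does DNSSEC validation. The following is an added example of that parsing and the RFC 6844 section 4 issuance decision; it is not code from boulder or from the linked gist, and it uses only the Go standard library instead of miekg/dns. The type and function names (`CAA`, `ParseRFC3597`, `DecodeCAA`, `IssuanceAllowed`) and the sample records are constructed for illustration; the `128 tbs Unknown` record is the unknown-critical-tag example from RFC 6844.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// CAA is one decoded CAA resource record (RFC 6844 section 5.1).
type CAA struct {
	Flags byte   // flags octet; bit 0 (mask 0x80) is "issuer critical"
	Tag   string // property tag, lower-cased (issue, issuewild, iodef, ...)
	Value string // property value, uninterpreted octets
}

// Critical reports whether the issuer-critical flag is set.
func (r CAA) Critical() bool { return r.Flags&0x80 != 0 }

// ParseRFC3597 parses the generic `\# <length> <hex...>` presentation format
// (RFC 3597 section 5) and returns the raw RDATA octets. The hex may be split
// into several whitespace-separated words.
func ParseRFC3597(s string) ([]byte, error) {
	fields := strings.Fields(s)
	if len(fields) < 2 || fields[0] != `\#` {
		return nil, errors.New(`rfc3597: expected "\# <length> <hex>"`)
	}
	n, err := strconv.Atoi(fields[1])
	if err != nil || n < 0 {
		return nil, fmt.Errorf("rfc3597: bad length %q", fields[1])
	}
	raw, err := hex.DecodeString(strings.Join(fields[2:], ""))
	if err != nil {
		return nil, fmt.Errorf("rfc3597: bad hex data: %v", err)
	}
	if len(raw) != n {
		return nil, fmt.Errorf("rfc3597: declared %d octets but got %d", n, len(raw))
	}
	return raw, nil
}

// DecodeCAA decodes CAA RDATA from wire format: one flags octet, one tag-length
// octet, the tag, then the value occupying the remainder of the RDATA.
func DecodeCAA(rdata []byte) (CAA, error) {
	if len(rdata) < 2 {
		return CAA{}, errors.New("caa: rdata shorter than 2 octets")
	}
	tagLen := int(rdata[1])
	if tagLen == 0 || 2+tagLen > len(rdata) {
		return CAA{}, fmt.Errorf("caa: tag length %d invalid for %d-octet rdata", tagLen, len(rdata))
	}
	tag := string(rdata[2 : 2+tagLen])
	for _, c := range tag { // RFC 6844: tags are ASCII letters and digits only
		if !((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')) {
			return CAA{}, fmt.Errorf("caa: tag %q is not alphanumeric", tag)
		}
	}
	return CAA{Flags: rdata[0], Tag: strings.ToLower(tag), Value: string(rdata[2+tagLen:])}, nil
}

// IssuanceAllowed applies the RFC 6844 section 4 rules to the relevant CAA set
// for a name: an unrecognised tag with the critical flag set forbids issuance;
// for wildcard requests "issuewild" records take precedence over "issue";
// no relevant records means CAA imposes no restriction; otherwise the CA's
// domain must match one of the issuer-domain-names (the value up to ';').
func IssuanceAllowed(set []CAA, issuerDomain string, wildcard bool) bool {
	tag := "issue"
	for _, r := range set {
		if r.Critical() && r.Tag != "issue" && r.Tag != "issuewild" && r.Tag != "iodef" {
			return false
		}
		if wildcard && r.Tag == "issuewild" {
			tag = "issuewild"
		}
	}
	relevant := 0
	for _, r := range set {
		if r.Tag != tag {
			continue
		}
		relevant++
		name := strings.TrimSpace(strings.SplitN(r.Value, ";", 2)[0])
		if strings.EqualFold(strings.TrimSuffix(name, "."), strings.TrimSuffix(issuerDomain, ".")) {
			return true
		}
	}
	return relevant == 0
}

func main() {
	// Constructed sample: `0 issue "letsencrypt.org"` in RFC 3597 generic form.
	raw, err := ParseRFC3597(`\# 22 00 05 6973737565 6c657473656e63727970742e6f7267`)
	if err != nil {
		panic(err)
	}
	rec, err := DecodeCAA(raw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d %s %q -> allowed=%v\n", rec.Flags, rec.Tag, rec.Value,
		IssuanceAllowed([]CAA{rec}, "letsencrypt.org", false))
}
```

A record whose value is empty before the `;` (the RFC 6844 way of saying "no CA may issue") matches no issuer domain and so yields `false`, and the caller is still responsible for walking up the name tree to find the closest ancestor that actually has a CAA set, which is what the resolver lookup around this code has to do.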

rolandshoemaker avatar rolandshoemaker commented on May 23, 2024

Oh awesome, that makes this 90% simpler. Time to start pruning my additions!

from boulder.

bifurcation avatar bifurcation commented on May 23, 2024

I have confirmed that this is not required by CPS. Moving out to Defer, since this is a pretty big patch.

from boulder.

cem- avatar cem- commented on May 23, 2024

I did ask that it be included in the CPS, but no one has commented back on my post one way or the other. https://groups.google.com/a/letsencrypt.org/forum/#!topic/ca-dev/P-aEwXykFNg

from boulder.
