VA/RVA: Add metadata necessary for the MPIC ballot #7732
Conversation
beautifulentropy
force-pushed
the
config-mpic-metadata
branch
from
e9a14d8
to
dba1629
Compare
|
@beautifulentropy, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values. |
beautifulentropy
changed the title
beautifulentropy
requested review from
a team and
aarongable
and removed request for
a team
There was a problem hiding this comment.
The logging requirements are in Section 5.4.1 (emphasis added):
The CA SHALL record at least the following events:
- Subscriber Certificate lifecycle management events, including:
vii. Multi-Perspective Issuance Corroboration attempts from each Network Perspective, minimally recording the following information:
- a. an identifier that uniquely identifies the Network Perspective used;
- b. the attempted domain name and/or IP address; and
- c. the result of the attempt (e.g., "domain validation pass/fail", "CAA permission/prohibition").
viii. Multi-Perspective Issuance Corroboration quorum results for each attempted domain name or IP address represented in a Certificate request (i.e., "3/4" which should be interpreted as "Three (3) out of four (4) attempted Network Perspectives corroborated the determinations made by the Primary Network Perspective).
The location requirements are in Section 3.2.2.9 (emphasis added):
A Network Perspective MAY use a recursive DNS resolver that is NOT co-located with the Network Perspective. However, the DNS resolver used by the Network Perspective MUST fall within the same Regional Internet Registry service region as the Network Perspective relying upon it. Furthermore, for any pair of DNS resolvers used on a Multi-Perspective Issuance Corroboration attempt, the straight-line distance between the two States, Provinces, or Countries the DNS resolvers reside in MUST be at least 500 km. The location of a DNS resolver is determined by the point where unencapsulated outbound DNS queries are typically first handed off to the network infrastructure providing Internet connectivity to that DNS resolver.
So I think both Matthew and I have previously misunderstood the actual requirements here (or maybe I'm misunderstanding them now! Please double check me!). I think we need to have a name (like "Cluster" here) which "uniquely identifies the Network Perspective used". I don't think we need to configure or log an RIR -- instead, we just need to make sure that all of our deployed regions are at least 500km apart.
edit: I take it all back -- there's another requirement I had forgotten about (emphasis added):
Effective March 15, 2026, the CA MUST implement Multi-Perspective Issuance Corroboration using at least three (3) remote Network Perspectives. The CA MUST NOT proceed with certificate issuance if the number of non-corroborations is greater than allowed in the Quorum Requirements table and if the remote Network Perspectives that do corroborate the determinations made by the Primary Network Perspective do not fall within the service regions of at least two (2) distinct Regional Internet Registries.
beautifulentropy
force-pushed
the
config-mpic-metadata
branch
2 times, most recently
from
d265f83
to
c21dc24
Compare
beautifulentropy
changed the title
beautifulentropy
force-pushed
the
config-mpic-metadata
branch
4 times, most recently
from
dddd60c
to
592d62a
Compare
beautifulentropy
force-pushed
the
config-mpic-metadata
branch
from
592d62a
to
ccbc415
Compare
beautifulentropy
force-pushed
the
config-mpic-metadata
branch
from
ccbc415
to
1a367ba
Compare
PerspectiveandRIRfields to the remote-va configurationva.PrimaryPerspectivePerspectivefor non-Primary Perspectives, per the MPIC requirements in section 5.4.1 (2) vii of the BRs. Also log the RIR for posterity.ValidationResultRPC fieldsPerspectiveandRir, which are not currently used but will be required for corroboration in boulder-va should explicitly record the quorum met for the issuance (eg, 5/6 or 6/6) #7616Fixes #7613
Part of #7615
Part of #7616