-
-
Notifications
You must be signed in to change notification settings - Fork 607
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
VA/RVA: Add metadata necessary for the MPIC ballot #7732
Conversation
e9a14d8
to
dba1629
Compare
@beautifulentropy, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The logging requirements are in Section 5.4.1 (emphasis added):
The CA SHALL record at least the following events:
- Subscriber Certificate lifecycle management events, including:
vii. Multi-Perspective Issuance Corroboration attempts from each Network Perspective, minimally recording the following information:
- a. an identifier that uniquely identifies the Network Perspective used;
- b. the attempted domain name and/or IP address; and
- c. the result of the attempt (e.g., "domain validation pass/fail", "CAA permission/prohibition").
viii. Multi-Perspective Issuance Corroboration quorum results for each attempted domain name or IP address represented in a Certificate request (i.e., "3/4" which should be interpreted as "Three (3) out of four (4) attempted Network Perspectives corroborated the determinations made by the Primary Network Perspective).
The location requirements are in Section 3.2.2.9 (emphasis added):
A Network Perspective MAY use a recursive DNS resolver that is NOT co-located with the Network Perspective. However, the DNS resolver used by the Network Perspective MUST fall within the same Regional Internet Registry service region as the Network Perspective relying upon it. Furthermore, for any pair of DNS resolvers used on a Multi-Perspective Issuance Corroboration attempt, the straight-line distance between the two States, Provinces, or Countries the DNS resolvers reside in MUST be at least 500 km. The location of a DNS resolver is determined by the point where unencapsulated outbound DNS queries are typically first handed off to the network infrastructure providing Internet connectivity to that DNS resolver.
So I think both Matthew and I have previously misunderstood the actual requirements here (or maybe I'm misunderstanding them now! Please double check me!). I think we need to have a name (like "Cluster" here) which "uniquely identifies the Network Perspective used". I don't think we need to configure or log an RIR -- instead, we just need to make sure that all of our deployed regions are at least 500km apart.
edit: I take it all back -- there's another requirement I had forgotten about (emphasis added):
Effective March 15, 2026, the CA MUST implement Multi-Perspective Issuance Corroboration using at least three (3) remote Network Perspectives. The CA MUST NOT proceed with certificate issuance if the number of non-corroborations is greater than allowed in the Quorum Requirements table and if the remote Network Perspectives that do corroborate the determinations made by the Primary Network Perspective do not fall within the service regions of at least two (2) distinct Regional Internet Registries.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we update the VA to log this information (if it is set) immediately? Otherwise these config fields are just dead code for the time being.
d265f83
to
c21dc24
Compare
dddd60c
to
592d62a
Compare
592d62a
to
ccbc415
Compare
ccbc415
to
1a367ba
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Perspective
andRIR
fields to the remote-va configurationva.PrimaryPerspective
Perspective
for non-Primary Perspectives, per the MPIC requirements in section 5.4.1 (2) vii of the BRs. Also log the RIR for posterity.ValidationResult
RPC fieldsPerspective
andRir
, which are not currently used but will be required for corroboration in boulder-va should explicitly record the quorum met for the issuance (eg, 5/6 or 6/6) #7616Fixes #7613
Part of #7615
Part of #7616