SERVFAIL and the DNSSEC requirements


Martijn Katerbarg

Feb 11, 2026, 4:36:36 AM
to 'Dimitris Zacharopoulos (HARICA)' via Server Certificate WG (CA/B Forum)
All,

I’m wondering what this group’s interpretation is on the current DNSSEC language. Specifically:

Effective March 15th, 2026: DNSSEC-validation errors observed by the Primary Network Perspective (e.g., SERVFAIL) MUST NOT be treated as permission to issue.

I wonder if this language is scoping the extent of "MUST NOT be treated as permission to issue" to a much larger scale than just DNSSEC failures.

Yes, a DNSSEC verification failure may return a SERVFAIL, depending on how the lookup is performed. But the specific callout of the "SERVFAIL" example calls into question if CAs need to treat any SERVFAIL response as "MUST NOT be treated as permission to issue", including domain names which are not DNSSEC-signed, which suddenly would incorporate lame delegations and other DNS issues at the domain name's name servers.

What are the thoughts of this group? Does this need to be further clarified?

Regards,

Martijn

Roman Fischer

Feb 11, 2026, 4:52:24 AM
to server...@groups.cabforum.org

Hi Martijn,

My interpretation is that the statement is part of the section 3.2.2.8.1 DNSSEC Validation of CAA Records, and thus only applies to CAA lookups.

Rgds
Roman
