SERVFAIL and the DNSSEC requirements


Martijn Katerbarg

Feb 11, 2026, 4:36:36 AM
to 'Dimitris Zacharopoulos (HARICA)' via Server Certificate WG (CA/B Forum)
All,

I’m wondering what this group’s interpretation is on the current DNSSEC language. Specifically:

Effective March 15th, 2026: DNSSEC-validation errors observed by the Primary Network Perspective (e.g., SERVFAIL) MUST NOT be treated as permission to issue.

I wonder if this language is scoping the extent of "MUST NOT be treated as permission to issue" to a much larger scale than just DNSSEC failures.

Yes, a DNSSEC verification failure may return a SERVFAIL, depending on how the lookup is performed. But the specific callout of the "SERVFAIL" example calls into question whether CAs need to treat any SERVFAIL response as "MUST NOT be treated as permission to issue", including for domain names which are not DNSSEC-signed, which would suddenly incorporate lame delegations and other DNS issues at the domain name's name servers.

What are the thoughts of this group, does this need to be further clarified? 

Regards,

Martijn

Roman Fischer

Feb 11, 2026, 4:52:24 AM
to server...@groups.cabforum.org

Hi Martijn,


My interpretation is that the statement is part of the section 3.2.2.8.1 DNSSEC Validation of CAA Records, and thus only applies to CAA lookups.


Rgds
Roman

--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/SA1PR17MB65035AD833994C0FF4AF784FE363A%40SA1PR17MB6503.namprd17.prod.outlook.com.

Jacob Hoffman-Andrews

Feb 12, 2026, 2:17 PM
to server...@groups.cabforum.org
The "MUST NOT be treated as permission to issue" language is in there because RFC 8659 treats the absence of a CAA record as permission to issue (that is, all CAs are authorized by all domains unless the domain states otherwise). That results in a needed clarification: SERVFAIL does not indicate the absence of a CAA record.

For other DNS queries made by the CA, a specific record must be present. For instance, for DNS Change validation, the CA needs to find a specific TXT record. For host-based validation, the CA needs to find an A or AAAA record. If the CA's recursive resolver returns SERVFAIL due to a misconfiguration or outage at the authoritative resolver, those TXT, A, or AAAA records aren't present, so validation fails. That's always been true, with or without DNSSEC.
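The asymmetry Jacob describes, as an added illustration that is not part of the thread, the Baseline Requirements, or any CA's code: a CAA check follows the RFC 8659 tree-climbing rule, where an empty answer (NODATA or NXDOMAIN) means "climb to the parent" and an empty relevant set means "issuance permitted", so SERVFAIL has to be singled out and fail closed; a DNS Change check needs a specific TXT record to be present, so SERVFAIL is just one more way of not finding it. The resolver here is a constructed in-memory table (names such as example.com, signed.example and the token values are invented), not a real DNS client, and the DNSSEC-bogus case is modelled only by the SERVFAIL a validating resolver would return.

```python
"""Model of a CA's CAA check (RFC 8659 tree climbing) that fails closed on
SERVFAIL, next to a DNS Change check where SERVFAIL is simply "not found".
The resolver is a constructed in-memory table, not a real DNS client."""
from dataclasses import dataclass, field

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass
class CaaRecord:
    flags: int   # bit 7 (value 128) is the "issuer critical" flag
    tag: str
    value: str


@dataclass
class Response:
    rcode: str
    records: list = field(default_factory=list)


class CaaLookupFailed(Exception):
    """A CAA lookup ended in SERVFAIL (e.g. DNSSEC validation failure at the
    resolver). That is not "no CAA record", so it is not permission to issue."""


# Constructed zone data keyed by (owner name, RR type); names absent from the
# table answer NXDOMAIN. A real validating resolver would SERVFAIL everything
# under signed.example.; the model only marks the apex and the TXT name.
ZONE = {
    ("example.com.", "CAA"): Response(NOERROR, [CaaRecord(0, "issue", "ca-one.example")]),
    ("www.example.com.", "CAA"): Response(NOERROR),          # NODATA: no CAA at the leaf
    ("_acme-challenge.www.example.com.", "TXT"): Response(NOERROR, ["token-abc"]),
    ("signed.example.", "CAA"): Response(SERVFAIL),          # bogus DNSSEC => SERVFAIL
    ("_acme-challenge.signed.example.", "TXT"): Response(SERVFAIL),
    ("strict.example.", "CAA"): Response(NOERROR, [CaaRecord(128, "newtag", "x")]),
}


def fake_resolve(name, rtype):
    """Stand-in for the CA's recursive resolver (assumed interface)."""
    return ZONE.get((name, rtype), Response(NXDOMAIN))


def relevant_caa_set(resolve, domain):
    """RFC 8659 section 3: query CAA at the domain, then at each parent up to but
    not including the root; the first non-empty RRset is the relevant set.
    NODATA and NXDOMAIN both mean "nothing here, climb". SERVFAIL is neither,
    so the walk aborts instead of climbing past it."""
    labels = domain.rstrip(".").split(".")
    while labels:
        name = ".".join(labels) + "."
        resp = resolve(name, "CAA")
        if resp.rcode == SERVFAIL:
            raise CaaLookupFailed(name)
        if resp.rcode == NOERROR and resp.records:
            return name, list(resp.records)
        labels.pop(0)
    return None, []


def caa_permits(resolve, domain, ca_identifier):
    """True if the relevant CAA set lets `ca_identifier` issue for `domain`
    (non-wildcard). Raises CaaLookupFailed rather than returning True on SERVFAIL."""
    _, rrset = relevant_caa_set(resolve, domain)
    if not rrset:
        return True   # RFC 8659: no CAA anywhere in the tree => any CA may issue
    # A critical-flagged property the CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issuers = [r.value.split(";", 1)[0].strip().lower()
               for r in rrset if r.tag.lower() == "issue"]
    if not issuers:
        return True   # CAA present but no 'issue' property: issuance not restricted
    return ca_identifier.lower() in issuers   # 'issue ";"' yields "" and matches nobody


def caa_outcome(resolve, domain, ca_identifier):
    """The three-way result an issuance pipeline actually needs."""
    try:
        return "permitted" if caa_permits(resolve, domain, ca_identifier) else "forbidden"
    except CaaLookupFailed:
        return "lookup-failed"   # retry or escalate; never treat as permission


def dns_change_validated(resolve, domain, expected_token):
    """DNS Change validation: a specific TXT record must be present. SERVFAIL,
    NXDOMAIN and NODATA all just mean "not found"; no special case is needed."""
    resp = resolve("_acme-challenge." + domain.rstrip(".") + ".", "TXT")
    return resp.rcode == NOERROR and expected_token in resp.records
```

Run against the constructed zone, www.example.com is permitted for ca-one.example and forbidden for anyone else, host.nocaa.example (no CAA at any level) is permitted for everyone, and www.signed.example comes back as lookup-failed rather than permitted because the climb hits SERVFAIL at signed.example.; the TXT check for signed.example simply returns False.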
