[cabfpub] CAA, DNSSEC and NXDOMAIN


Doug Beattie

unread,
Oct 6, 2017, 2:43:38 PM10/6/17
to CA/Browser Forum Public Discussion List


I understand the need to reject CAA lookups if there is DNSSEC on the zone and if you run into timeout/SERVFAIL/etc. errors at any level in the RFC 6844 processing (www.example.com or example.com). Hopefully everyone has interpreted lookup failure and DNSSEC this way.


NSEC/NSEC3 records are returned only alongside NXDOMAIN responses for a signed zone – they provide authenticated denial of existence, essentially a “signed NXDOMAIN” response. Is this considered a failure or not?  I think this should not preclude issuance to that domain, but wanted to get consensus.


Doug

Ryan Sleevi

unread,
Oct 9, 2017, 11:47:37 AM10/9/17
to Doug Beattie, CA/Browser Forum Public Discussion List
I believe your interpretation is correct - it is an authoritative positive response of non-existence (meaning not a failure)

_______________________________________________
Public mailing list
Pub...@cabforum.org
https://cabforum.org/mailman/listinfo/public
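As an added illustration (example code, not from the thread or from any CA's implementation), the logic below models the distinction the two posts draw: an NXDOMAIN, including one a validating resolver has proven with NSEC/NSEC3, is an authoritative answer and the RFC 6844 tree climb simply continues to the parent, while SERVFAIL or a timeout at any level aborts the whole lookup. The zone data, the `Response` type and the `ca.example` issuer identifier are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple

class Rcode(Enum):
    NOERROR = "NOERROR"
    NXDOMAIN = "NXDOMAIN"   # name does not exist; in a signed zone this is proven by NSEC/NSEC3
    SERVFAIL = "SERVFAIL"
    TIMEOUT = "TIMEOUT"     # not a real RCODE; stands in for a resolver timeout

@dataclass(frozen=True)
class Response:
    rcode: Rcode
    records: tuple = ()          # CAA RRs as (flags, tag, value); constructed shape
    authenticated: bool = False  # resolver set the AD bit (DNSSEC-validated answer)

class CaaLookupError(Exception):
    """Raised when RFC 6844 processing cannot complete (SERVFAIL/timeout at any level)."""

def caa_set(name: str, resolve: Callable[[str], Response]) -> Tuple[Optional[str], tuple]:
    """RFC 6844 tree climb: query name, then each parent, return the first non-empty CAA set.
    NXDOMAIN (authenticated or not) is an authoritative 'no CAA here' and the climb continues;
    SERVFAIL or timeout at any level aborts the lookup instead of being treated as 'no CAA'."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1):          # stop before the TLD
        qname = ".".join(labels[i:])
        resp = resolve(qname)
        if resp.rcode in (Rcode.SERVFAIL, Rcode.TIMEOUT):
            raise CaaLookupError(f"{resp.rcode.value} while resolving CAA for {qname}")
        if resp.rcode == Rcode.NOERROR and resp.records:
            return qname, resp.records
    return None, ()

def may_issue(name: str, resolve: Callable[[str], Response], ca_identifier: str) -> bool:
    """No CAA set anywhere in the climb means issuance is unrestricted; otherwise the CA's
    identifier must appear in an 'issue' record (parameters after ';' are ignored here)."""
    _, rrset = caa_set(name, resolve)
    issuers = {v.split(";")[0].strip() for _, tag, v in rrset if tag == "issue"}
    return not issuers or ca_identifier in issuers

# Constructed zone data (not real DNS): example.com is signed and publishes CAA; www.example.com
# has no records at all, so a validating resolver returns an authenticated (NSEC-proven) NXDOMAIN.
ZONE = {
    "www.example.com": Response(Rcode.NXDOMAIN, authenticated=True),
    "example.com": Response(Rcode.NOERROR, ((0, "issue", "ca.example"),), authenticated=True),
    "www.broken.example": Response(Rcode.SERVFAIL),
}

def resolve(qname: str) -> Response:
    """Stand-in for a validating stub resolver; unknown names do not exist."""
    return ZONE.get(qname, Response(Rcode.NXDOMAIN))
```

Running `may_issue("www.example.com", resolve, "ca.example")` walks through the signed NXDOMAIN to the parent's CAA set and returns True, while the SERVFAIL under `broken.example` raises `CaaLookupError` rather than silently permitting issuance.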

