[cabfpub] Ballot 187 - Make CAA Checking Mandatory

Gervase Markham gerv at mozilla.org
Thu Feb 23 17:46:51 UTC 2017


On 23/02/17 09:36, Dimitris Zacharopoulos wrote:
> "CAA checking is optional for certificates issued by a Technically
> Constrained Subordinate CA in line with Section 7.1.5, where the lack of
> CAA checking is an explicit contractual provision in the contract with
> the Applicant".

I'm happy to accept that as a friendly amendment, if it brings the
language of this ballot into line with the excellent work you have been
doing on clarifying language elsewhere.

> I am also not sure how "the domain's zone does not have a DNSSEC
> validation chain to the ICANN root" comes into play. 

If a site is using DNSSEC to secure its validation records, it is not
acceptable for a DNS lookup failure to "fail open". If they are not
using DNSSEC, it is under certain conditions (see below).

> I guess my ignorant question is, what happens if a domain does
> not use DNSSEC (which applies for most domains out there) that chain to
> an ICANN root? CAA fails and automatically grants permission for issuance?

It's like the ballot says - if a domain is not using DNSSEC, CAs may
treat a lookup failure as permission to issue as long as the failure is
not their fault and they've retried the lookup at least once.

Gerv
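The decision rule discussed above (CAA lookup failure may be treated as permission to issue only when the zone is not DNSSEC-signed, the failure is not the CA's own fault, and the lookup was retried at least once), written out as a small checker. This is an added example, not code from the thread, the ballot or any CA; the simulated resolver, its record table, the `failure_is_cas_fault` flag and the simplified tree-climb (no alias following, no issuewild handling) are assumptions made for illustration.

```python
"""Decision procedure for a CAA check, modelled on the Ballot 187 fail-open rule.

Constructed example: the resolver answers from a fixed table instead of DNS.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

TRANSIENT = {"servfail", "timeout"}   # lookup outcomes that may be retried


@dataclass
class CaaRecord:
    flags: int
    tag: str      # "issue", "issuewild" or "iodef"
    value: str    # e.g. "ca.example" or "ca.example; account=123"; ";" alone forbids all


@dataclass
class LookupResult:
    status: str                              # "ok", "nodata", "servfail", "timeout"
    records: List[CaaRecord] = field(default_factory=list)
    dnssec_signed: bool = False              # zone has a validation chain to the ICANN root


class SimulatedResolver:
    """Stand-in for a DNS resolver; counts queries so retries can be verified."""

    def __init__(self, table: Dict[str, LookupResult]):
        self.table = table
        self.calls: Dict[str, int] = {}

    def lookup_caa(self, name: str) -> LookupResult:
        self.calls[name] = self.calls.get(name, 0) + 1
        return self.table.get(name, LookupResult("nodata"))


def lookup_with_retry(resolver: SimulatedResolver, name: str, retries: int) -> Tuple[LookupResult, int]:
    """Query once, then retry up to `retries` more times on a transient failure."""
    result = resolver.lookup_caa(name)
    attempts = 1
    while result.status in TRANSIENT and attempts <= retries:
        result = resolver.lookup_caa(name)
        attempts += 1
    return result, attempts


def issuer_domain(value: str) -> str:
    """The issuer-domain-name part of an issue record, before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(domain: str, ca_domain: str, resolver: SimulatedResolver,
              retries: int = 1, failure_is_cas_fault: bool = False) -> Tuple[bool, str]:
    """Return (permitted, reason) for issuing to `domain` as CA `ca_domain`.

    Climbs from the requested name toward the root and stops at the first
    name that has CAA records (simplified RFC 6844 tree climbing).
    `failure_is_cas_fault` is an assumed input: whether the CA has determined
    that the failure lies in its own infrastructure.
    """
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        result, attempts = lookup_with_retry(resolver, name, retries)
        if result.status in TRANSIENT:
            # A DNSSEC-signed zone must never fail open on a lookup failure.
            if result.dnssec_signed:
                return False, f"lookup of {name} failed under DNSSEC; cannot fail open"
            if failure_is_cas_fault:
                return False, f"lookup of {name} failed due to the CA's own infrastructure"
            if attempts < 2:
                return False, f"lookup of {name} failed and was not retried"
            return True, f"lookup of {name} failed {attempts} times, unsigned zone; fail-open permitted"
        if result.status == "nodata":
            continue                         # no CAA here, keep climbing
        issue = [r for r in result.records if r.tag == "issue"]
        if not issue:
            return True, f"CAA at {name} carries no issue records; no restriction"
        if any(issuer_domain(r.value) == ca_domain.lower() for r in issue):
            return True, f"CAA at {name} authorizes {ca_domain}"
        return False, f"CAA at {name} does not list {ca_domain}"
    return True, "no CAA records anywhere in the tree; issuance not restricted"


def build_demo_resolver() -> SimulatedResolver:
    """Constructed zone data covering each branch of the decision."""
    return SimulatedResolver({
        "signed.example":   LookupResult("servfail", dnssec_signed=True),
        "unsigned.example": LookupResult("timeout"),
        "ok.example":       LookupResult("ok", [CaaRecord(0, "issue", "ca.example")]),
        "closed.example":   LookupResult("ok", [CaaRecord(0, "issue", ";")]),
    })


if __name__ == "__main__":
    r = build_demo_resolver()
    for name in ("signed.example", "unsigned.example", "www.ok.example",
                 "closed.example", "nothing.example"):
        print(name, may_issue(name, "ca.example", r))
```

The two failure cases show the asymmetry Gerv describes: `signed.example` is refused even after the retry, while `unsigned.example` is permitted only because the retry happened and the failure was not attributed to the CA.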