[cabfpub] Ballot 187 - Make CAA Checking Mandatory

Gervase Markham gerv at mozilla.org
Thu Feb 23 17:46:51 UTC 2017

On 23/02/17 09:36, Dimitris Zacharopoulos wrote:
> "CAA checking is optional for certificates issued by a Technically
> Constrained Subordinate CA in line with Section 7.1.5, where the lack of
> CAA checking is an explicit contractual provision in the contract with
> the Applicant".

I'm happy to accept that as a friendly amendment, if it brings the
language of this ballot into line with the excellent work you have been
doing on clarifying language elsewhere.

> I am also not sure how "the domain's zone does not have a DNSSEC
> validation chain to the ICANN root" comes into play. 

If a site is using DNSSEC to secure its validation records, it is not
acceptable for a DNS lookup failure to "fail open". If they are not
using DNSSEC, it is under certain conditions (see below).

> I guess my ignorant question is, what happens if a domain does
> not use DNSSEC (which applies for most domains out there) that chain to
> an ICANN root? CAA fails and automatically grants permission for issuance?

It's like the ballot says - if a domain is not using DNSSEC, CAs may
treat a lookup failure as permission to issue as long as the failure is
not their fault and they've retried the lookup at least once.
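The decision rule stated above, as an added example that is not part of the original post or of any CA's code: a Python model of the CAA check in which a lookup failure on a DNSSEC-signed zone fails closed, while on an unsigned zone it may be treated as permission to issue only after at least one retry. The climb from the requested name toward the parent domain and the issue/issuewild/critical-flag handling follow RFC 8659, which the message itself does not discuss; the resolver, zone contents, failure counts and CA identifiers are constructed for the example.

```python
# Added example (not from the mailing-list post): a model of the CAA
# issuance decision. FakeResolver and its zone data are constructed stand-ins
# for real DNS; the names and CA identifiers are hypothetical.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


class DnsLookupFailure(Exception):
    """Raised by the resolver when a CAA query cannot be completed."""


@dataclass(frozen=True)
class CaaRecord:
    flags: int   # bit 7 (value 128) is the "issuer critical" flag
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str   # CA identifier (optionally followed by ";params"), or iodef target


Resolver = Callable[[str], List[CaaRecord]]


class FakeResolver:
    """Constructed resolver: serves a static zone and fails N times per name."""

    def __init__(self, zone: dict, failures: Optional[dict] = None):
        self.zone = zone
        self.failures = dict(failures or {})  # name -> remaining failures
        self.calls: List[str] = []

    def __call__(self, name: str) -> List[CaaRecord]:
        self.calls.append(name)
        if self.failures.get(name, 0) > 0:
            self.failures[name] -= 1
            raise DnsLookupFailure(name)
        return self.zone.get(name, [])


def lookup_caa_with_retry(name: str, resolver: Resolver,
                          attempts: int = 2) -> Tuple[Optional[List[CaaRecord]], int]:
    """Query CAA for `name`, retrying on failure; records is None if every try failed."""
    tries = 0
    while tries < attempts:
        tries += 1
        try:
            return resolver(name), tries
        except DnsLookupFailure:
            continue
    return None, tries


def caa_permits_issuance(domain: str, ca_id: str, resolver: Resolver,
                         dnssec_signed: bool, wildcard: bool = False,
                         attempts: int = 2) -> Tuple[bool, str]:
    """Return (permitted, reason) for issuing to `domain` as CA `ca_id`."""
    labels = domain.rstrip(".").split(".")
    found: List[CaaRecord] = []
    # RFC 8659: the relevant set is the first non-empty CAA RRset found when
    # walking from the requested name toward the root.
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        records, tries = lookup_caa_with_retry(name, resolver, attempts)
        if records is None:
            if dnssec_signed:
                return False, f"lookup of {name} failed ({tries} tries) on a DNSSEC-signed zone: fail closed"
            if tries < 2:
                return False, f"lookup of {name} failed without a retry: cannot treat as permission"
            return True, f"lookup of {name} failed after {tries} tries on an unsigned zone: treated as permission"
        if records:
            found = records
            break
    if not found:
        return True, "no CAA records at any level: issuance permitted"
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag not in known for r in found):
        return False, "critical CAA tag this CA does not understand: must not issue"
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in found):
        tag = "issuewild"
    # An empty value (";") is a record that names no CA at all.
    allowed = {r.value.split(";")[0].strip() for r in found if r.tag == tag}
    if not allowed:
        return True, f"no '{tag}' records in the relevant set: issuance permitted"
    if ca_id in allowed:
        return True, f"'{tag}' record names {ca_id}: issuance permitted"
    return False, f"'{tag}' records present but none names {ca_id}: issuance denied"


# Constructed zone data for the demonstration.
SAMPLE_ZONE = {
    "example.test": [CaaRecord(0, "issue", "ca-a.test"),
                     CaaRecord(0, "iodef", "mailto:security@example.test")],
    "restricted.test": [CaaRecord(0, "issue", ";")],
    "wild.test": [CaaRecord(0, "issue", "ca-a.test"),
                  CaaRecord(0, "issuewild", "ca-b.test")],
    "strict.test": [CaaRecord(128, "futuretag", "x"),
                    CaaRecord(0, "issue", "ca-a.test")],
}


if __name__ == "__main__":
    for signed in (False, True):
        r = FakeResolver(SAMPLE_ZONE, {"flaky.test": 5})
        print(signed, caa_permits_issuance("flaky.test", "ca-a.test", r, signed))
    print(caa_permits_issuance("www.example.test", "ca-a.test",
                               FakeResolver(SAMPLE_ZONE), False))
```

The two `flaky.test` runs show the asymmetry the reply describes: the same persistent lookup failure yields permission on an unsigned zone and a refusal on a DNSSEC-signed one, and only because the second attempt was actually made.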