[cabfpub] Ballot 187 - Make CAA Checking Mandatory

Dimitris Zacharopoulos jimmy at it.auth.gr
Thu Feb 23 18:15:19 UTC 2017

On 23/2/2017 7:46 μμ, Gervase Markham wrote:
> On 23/02/17 09:36, Dimitris Zacharopoulos wrote:
>> "CAA checking is optional for certificates issued by a Technically
>> Constrained Subordinate CA in line with Section 7.1.5, where the lack of
>> CAA checking is an explicit contractual provision in the contract with
>> the Applicant".
> I'm happy to accept that as a friendly amendment, if it brings the
> language of this ballot into line with the excellent work you have been
> doing on clarifying language elsewhere.

Thank you for that :)

>> I am also not sure how "the domain's zone does not have a DNSSEC
>> validation chain to the ICANN root" comes into play. 
> If a site is using DNSSEC to secure its validation records, it is not
> acceptable for a DNS lookup failure to "fail open". If they are not
> using DNSSEC, it is under certain conditions (see below).
>> I guess my ignorant questions is, what happens if a domain does
>> not use DNSSEC (which applies for most domains out there) that chain to
>> an ICANN root? CAA fails and automatically grants permission for issuance?
> It's like the ballot says - if a domain is not using DNSSEC, CAs may
> treat a lookup failure as permission to issue as long as the failure is
> not their fault and they've retried the lookup at least once.

So, all three conditions MUST apply at the same time. Perhaps you might
want to make this more explicit by either adding "and" at the end of the
first bullet or by changing the sentence before the three bullets, to
state that all tree conditions must apply.


> Gerv

More information about the Public mailing list