[cabfpub] CAA look up failures and retry logic

Doug Beattie doug.beattie at globalsign.com
Wed Oct 4 09:52:44 UTC 2017


 

 

From: geoffk at apple.com [mailto:geoffk at apple.com] 
Sent: Tuesday, October 3, 2017 10:07 PM
To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] CAA look up failures and retry logic

 

 





On Oct 4, 2017, at 12:01 AM, Doug Beattie via Public <public at cabforum.org <mailto:public at cabforum.org> > wrote:





The BRs say if a lookup has been retried at least once that is permission to issue. Does this mean doing

-          a full CAA lookup, or 

-          re-doing one failed CAA(X) look-up, or 

-          redoing every CAA(X) lookup that failed in the course of doing a full CAA validation?

 

If we follow the RFC processing logic and we encounter one failed lookup (e.g., SERVFAIL on  <http://shop.example.com/> shop.example.com), then we retry and it fails again, then do we exit the CAA checking and issue because the BRs say we may issue if we retry the lookup, which we just did?  Reading the specs this seems to be permitted (we did “a” retry for a failed lookup), common logic says no.

 

That’s an interesting point.  We could treat a (second) failure as meaning:

- Assume there is no CAA record here, continue with the algorithm, and maybe find a lower CAA record which denies issuance

- Assume there is a CAA record here which specifically allows issuance.

 

I believe the current wording is the second, not the first.  I think considering we’re just getting started with mandatory CAA, it’s OK to have this rule at the moment.  Switching to the first rule might be a way to tighten things once we’ve gotten some experience.

We run into a lot of failures when looking up the full host name for CAA records, but then we find CAA records at the Top Level Domain (where most domain administrators put them).  If I’m understanding your comments, I’m not sure your second option is good in these cases because the failure would permit issuance without looking harder for a CAA record, but this is a good discussion point.  Anyone else have a comment?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171004/df7d56a7/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5662 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171004/df7d56a7/attachment-0003.p7s>


More information about the Public mailing list