[cabf_validation] Definition of Domain Contact

Doug Beattie doug.beattie at globalsign.com
Mon May 14 05:36:29 MST 2018

The definition of Domain Contact (per definition in the BRs) contains 3 different ways to get the info (Who-is, SOA and direct contact with Registrar):

The Domain Name Registrant, technical contact, or administrative contact (or the equivalent under a ccTLD) as listed in the WHOIS record of the Base Domain Name or in a DNS SOA record, or as obtained through direct contact with the Domain Name Registrar.

For SOA, DNS uses the RNAME (Responsible Person) field. This is a special format where the "@" character is replaced with a period character and the email address ends with a period.  So the email address "admin@example.com" would be formatted as "admin.example.com."

Method 2 permits sending an email to Domain Contact (which includes SOA RNAME), but that method also later says this, which rules out using the SOA record: The CA MAY send the email, fax, SMS, or postal mail identified under this section to more than one recipient provided that every recipient is identified by the Domain Name Registrar as representing the Domain Name Registrant for every FQDN being verified using the email...

If a SOA RNAME should be permitted for domain validation, then we need to fix Method 2 to support it.  If we don't want to use RNAME for Domain validation, then maybe we should change the definition of Domain Contact.

Should SOA RNAME be permitted for domain validation?
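
The RNAME-to-mailbox conversion described in the message, as an added example that is not part of the original post: the function names `parse_name` and `rname_to_email` are hypothetical, and the input is assumed to be the RNAME in presentation format as a resolver tool prints it. It goes slightly beyond the message by handling the RFC 1035 backslash escapes, because a local part that itself contains a dot would otherwise be split at the wrong place and the validation mail sent to a different mailbox.

```python
import re

_DDD = re.compile(r"[0-9]{3}")

def parse_name(name):
    """Split a presentation-format DNS name into decoded labels.

    Returns (labels, absolute). A backslash escapes the next character,
    or introduces a three-digit decimal octet value (RFC 1035)."""
    labels, cur, i, absolute = [], "", 0, False
    while i < len(name):
        ch = name[i]
        absolute = False  # only an unescaped final dot makes the name absolute
        if ch == "\\":
            m = _DDD.match(name, i + 1)
            if m and int(m.group()) <= 255:
                cur += chr(int(m.group()))
                i += 4
            elif i + 1 < len(name) and not name[i + 1].isdigit():
                cur += name[i + 1]
                i += 2
            else:
                raise ValueError("bad escape in %r" % name)
        elif ch == ".":
            if not cur:
                raise ValueError("empty label in %r" % name)
            labels.append(cur)
            cur, absolute = "", True
            i += 1
        else:
            cur += ch
            i += 1
    if cur:
        labels.append(cur)
    return labels, absolute

def rname_to_email(rname):
    """Convert an SOA RNAME to mailbox form; None when RNAME is the root "."."""
    if rname == ".":
        return None  # a root RNAME names no mailbox
    labels, absolute = parse_name(rname)
    if not absolute or len(labels) < 2:
        raise ValueError("RNAME must be a fully qualified name with a domain part")
    # First label is the mailbox local part; the remaining labels are the mail domain.
    return labels[0] + "@" + ".".join(labels[1:]).lower()
```
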

