[cabf_validation] Using dedicated DNS resolvers for domain validation

Doug Beattie doug.beattie at globalsign.com
Mon Jul 15 12:47:44 UTC 2024



During the last VWG call we had a good technical discussion on security concerns related to DNS resolvers being used for multiple purposes.  There was agreement that CAs need to use a dedicated DNS resolver for domain validation even if we didn’t reach agreement on being permitted to use a third-party resolver.



I’m curious what the scope of “domain validation” means in this regard.  Can CAs use the same resolver for CAA, posting certificates to CT logs, doing WHOIS or RDAP queries, and if not, then maybe we should list more specifically what we mean by “Dedicated resolver for Domain Validation” when it comes to this locked down resolver topic?



Doug




