<div dir="ltr">I just received a question from an auditor who was seeking clarification of this ballot, which may be the opportunity to improve some of the language.<div><br></div><div>The question is as follows:</div><div><br></div><div><div>"CAA checking is optional if the domain's DNS is operated by the CA or an Affiliate of the CA."</div><div> </div><div>This could be due to my lack of fully understanding DNS terminologies, but by the above, do you interpret it to mean (a) A CA that also controls the DNS record of a domain, or (b) A CA that also operates the DNS server used by the domain.</div><div> </div><div>Here is a scenario if it helps explain my question better:</div><div> </div><div>I buy a domain from say Example CA, and manage my DNS records through Example CA’s DNS service. Will Example CA have to check the CAA record before issuing a certificate to my domain or is CAA optional for them since they also operate the DNS server?</div><div>I interpret “operate DNS” as below (<a href="https://tools.ietf.org/html/rfc7719">https://tools.ietf.org/html/rfc7719</a>)</div><div> </div><div> DNS operator: An entity responsible for running DNS servers. For a</div><div> zone's authoritative servers, the registrant may act as their own</div><div> DNS operator, or their registrar may do it on their behalf, or</div><div> they may use a third-party operator. For some zones, the registry</div><div> function is performed by the DNS operator plus other entities who</div><div> decide about the allowed contents of the zone</div></div><div><br></div><div><br></div><div><br></div><div><br></div><div>I believe this question is highlighting whether "operate" represents being the authoritative name servers versus practical demonstration of control. Alternatively, we might pose the question as "Does demonstration of control of _a_ record equivocate to demonstration of control of the CAA record", if I understand the question correctly.</div><div><br></div><div>My belief and support is that the intent of "operated by the CA or an Affiliate of the CA" was to match the terminology from RFC 7719, which would specifically mean the interpetation (b), and the answer to the hypothetical question is "No, demonstration of control of a record is not sufficient, demonstration of operation of the authoritative name servers is"</div><div><br></div><div>Is that consistent with the intent Gerv? If so, does that look like something you see as easy to correct? I'm wondering whether introducing RFC 7719 as the normative dependency might provide better clarity to this question. </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 23, 2017 at 10:17 AM, Gervase Markham via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 23/02/17 10:15, Dimitris Zacharopoulos wrote:<br>
> So, all three conditions MUST apply at the same time. Perhaps you might<br>
> want to make this more explicit by either adding "and" at the end of the<br>
> first bullet or by changing the sentence before the three bullets, to<br>
> state that all tree conditions must apply.<br>
<br>
</span>AIUI, the usual convention in English is to put a single "and" (or "or")<br>
at the end of the last-but-one bullet in a list, as I have in this case.<br>
<div class="HOEnZb"><div class="h5"><br>
Gerv<br>
______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br>
</div></div></blockquote></div><br></div>