[cabfpub] Two CAA questions

Kirk Hall Kirk.Hall at entrustdatacard.com
Wed Aug 2 22:23:55 UTC 2017


I have two CAA questions from our technical group.  I am posting here to see what others think.  Do we need to make any changes to BR 3.2.2.8 (created under Ballot 187)?  Thanks for any feedback.

QUESTION 1

Subject: CAA ballot and handling of REFUSED status response from authoritative name servers

Suppose we have a domain "demo-k2k.com" that has NS records pointing to "ns1.demo-k2k.com" and "ns2.demo-k2k.com" as the authoritative name servers. When we query "ns1.demo-k2k.com" for the CAA records for "demo-k2k.com", it returns a status of REFUSED. This may be due to a misconfiguration, or the restricted access may be intentional.

We now have a scenario where the record lookup for "demo-k2k.com" has failed.

According to ballot 187, CAs are permitted to treat a record lookup failure as permission to issue if:

1. the failure is outside the CA's infrastructure;
2. the lookup has been retried at least once; and
3. the domain's zone does not have a DNSSEC validation chain to the ICANN root.

Condition #1 is satisfied: the failure is outside the CA's infrastructure.
We can satisfy Condition #2 by retrying; we get the same REFUSED status in the response.

Because of the "and" clause in above ballot excerpt, we must also satisfy condition #3 if we want to treat the lookup failure as permission to issue.
We cannot, however, determine whether the "domain's zone does not have a DNSSEC validation chain to the ICANN root" because the domain's zone authoritative name servers are refusing to answer our DNS queries.

This scenario is encountered often enough in the real world that it would prevent many certificates from being issued if ballot 187 is followed.

One potential solution is to allow CAs to treat REFUSED status responses from authoritative name servers as permission to issue.

QUESTION 2

Subject: Handling CAA record with single character in it

We have found a CAA record that consists only of a semi-colon ";". So the field is not empty, but it also does not designate any known CAs.

Our team assumes this effectively blocks all CAs from issuing to this domain.  Do others agree?
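To make both questions concrete, here is an added illustration (not code from the original post, Entrust, or any CA's production checker) of the decision a CA's CAA checker has to make. It models the three BR 3.2.2.8 lookup-failure conditions with DNSSEC state as a three-way value, so the Question 1 case (REFUSED, retried, DNSSEC state unknowable) falls out as "not permitted", and it parses issue/issuewild values so that the Question 2 record `0 issue ";"` authorizes no issuer. The CA identifier "ca.example", the lookup inputs and the record texts are constructed; the RFC 6844 tree climb is assumed to have already produced the relevant record set.

```python
"""Illustrative CAA decision logic per BR 3.2.2.8 / Ballot 187 (added example, not a CA's code)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class LookupStatus(Enum):
    OK = "ok"              # an answer was received (the record set may be empty)
    REFUSED = "refused"    # authoritative server answered RCODE REFUSED, as in Question 1
    SERVFAIL = "servfail"
    TIMEOUT = "timeout"


class DnssecState(Enum):
    UNSIGNED = "unsigned"  # no DNSSEC validation chain to the ICANN root (condition 3 met)
    SIGNED = "signed"      # a validation chain exists
    UNKNOWN = "unknown"    # undeterminable, e.g. the zone's servers refuse every query


@dataclass
class CaaRecord:
    flags: int
    tag: str
    value: str


@dataclass
class CaaLookup:
    """Constructed outcome of querying the relevant CAA record set for a domain."""
    status: LookupStatus
    records: List[CaaRecord]
    attempts: int            # how many times the query was tried (condition 2 needs >= 2)
    failure_inside_ca: bool  # True when the failure is within the CA's own infrastructure
    dnssec: DnssecState


def parse_caa_rr(rdata: str) -> CaaRecord:
    """Parse CAA presentation format such as '0 issue "ca.example"' or '0 issue ";"'."""
    flags, tag, value = rdata.split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return CaaRecord(int(flags), tag.lower(), value)


def issuer_domain(value: str) -> str:
    """Issuer domain of an issue/issuewild value; '' when the value is only ';' (no CA authorized)."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(lookup: CaaLookup, ca_domain: str, wildcard: bool = False) -> Tuple[bool, str]:
    """Return (permitted, reason) for ca_domain, applying the BR 3.2.2.8 failure rules first."""
    if lookup.status is not LookupStatus.OK:
        if lookup.failure_inside_ca:
            return False, "lookup failed inside the CA's infrastructure"
        if lookup.attempts < 2:
            return False, "lookup failure has not been retried"
        if lookup.dnssec is DnssecState.UNSIGNED:
            return True, "lookup failure treated as permission: all three conditions met"
        # Question 1: a REFUSED zone leaves the DNSSEC state UNKNOWN, so condition 3 cannot be shown.
        return False, f"cannot establish absence of a DNSSEC chain (state={lookup.dnssec.value})"

    if not lookup.records:
        return True, "no CAA records present: any CA may issue"

    # An unrecognised property with the critical flag (bit 128) set forbids issuance.
    known_tags = {"issue", "issuewild", "iodef"}
    for rec in lookup.records:
        if rec.flags & 128 and rec.tag not in known_tags:
            return False, f"unknown critical property '{rec.tag}'"

    relevant_tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in lookup.records):
        relevant_tag = "issuewild"
    candidates = [r for r in lookup.records if r.tag == relevant_tag]
    if not candidates:
        return True, f"no {relevant_tag} property present: issuance not restricted"

    # Question 2: '0 issue ";"' yields an empty issuer domain, so the authorized set is empty.
    authorized = {issuer_domain(r.value) for r in candidates}
    authorized.discard("")
    if ca_domain.lower() in authorized:
        return True, f"{ca_domain} is listed in an {relevant_tag} property"
    return False, f"{ca_domain} not among authorized issuers {sorted(authorized) or '(none)'}"


if __name__ == "__main__":
    # Constructed scenarios mirroring the two questions for the hypothetical CA "ca.example".
    refused = CaaLookup(LookupStatus.REFUSED, [], attempts=2, failure_inside_ca=False,
                        dnssec=DnssecState.UNKNOWN)
    semicolon_only = CaaLookup(LookupStatus.OK, [parse_caa_rr('0 issue ";"')], 1, False,
                               DnssecState.UNSIGNED)
    for name, lookup in (("demo-k2k.com (REFUSED)", refused), ("issue \";\" record", semicolon_only)):
        print(name, "->", issuance_permitted(lookup, "ca.example"))
```

The point the two questions share is that the checker must never "default to permitted" on uncertainty: an UNKNOWN DNSSEC state fails condition 3 exactly as the post describes, and a record whose issuer domain is empty authorizes nobody rather than being treated as absent.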
