[cabfpub] CAA Exceptions listed in Ballot 187

Ryan Sleevi sleevi at google.com
Thu May 25 15:52:37 UTC 2017

On Thu, May 25, 2017 at 11:43 AM, Doug Beattie via Public <
public at cabforum.org> wrote:
> 3) CAA checking is optional if the CA or an Affiliate of the CA is the DNS
> Operator (as defined in RFC 7719) of the domain's DNS.
> From RFC 7719: DNS operator: An entity responsible for running DNS
> servers. For a zone's authoritative servers, the registrant may act
> as their own DNS operator, or their registrar may do it on their behalf, or
> they may use a third-party operator. For some zones, the registry function
> is performed by the DNS operator plus other entities who decide about the
> allowed contents of the zone.
> I'm not clear what this means: "the CA is the DNS Operator of the domain's
> DNS".  We all run DNS servers in our data centers, and this does not state
> that this must be the Authoritative DNS server, so in what cases does this
> exception apply?  I'm assuming the CA needs to "own" the domains in
> question, but how does that fall out of this requirement?

The expectation was with respect to the authoritative zone, as that is the
only context it is used in 7719.

That is, the CA does _not_ need to own the domains in question, but does
need to operate the authoritative server for the zones in question.

While there are a number of members I could draw an example from, I'll use
Google. Google DNS runs authoritative servers for customer domains. Because
of this, Google Trust Services could skip CAA checking for those customers.

Similarly, Microsoft runs authoritative name servers for their own domains
- thus, they are the DNS operator - and as such, can skip CAA checking for
their own domains.
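The distinction drawn in the reply (authoritative servers for the zone, not any DNS server the CA happens to run) can be modelled over a small in-memory zone snapshot. The following is an added example, not code from the thread or from any CA; the zone data, nameserver names and CA identifier are constructed, nothing queries live DNS, and the CAA evaluation is simplified to the non-wildcard `issue` case.

```python
"""Model of the Ballot 187 "CA is the DNS operator" exception (added example).

All zone data, nameserver names and the CA identifier below are constructed;
nothing here queries live DNS.
"""
from dataclasses import dataclass


@dataclass
class ZoneSnapshot:
    """Constructed stand-in for DNS: owner name (no trailing dot) -> records."""
    ns: dict[str, set[str]]                      # name -> authoritative NS set
    caa: dict[str, list[tuple[int, str, str]]]   # name -> [(flags, tag, value)]


def _ancestors(fqdn: str) -> list[str]:
    """fqdn and each parent name, closest first: a.b.c -> [a.b.c, b.c, c]."""
    labels = fqdn.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def authoritative_ns(zone: ZoneSnapshot, fqdn: str) -> set[str]:
    """NS set of the closest enclosing zone cut; empty if the name is unknown."""
    for name in _ancestors(fqdn):
        if name in zone.ns:
            return set(zone.ns[name])
    return set()


def ca_is_dns_operator(zone: ZoneSnapshot, fqdn: str, ca_operated_ns: set[str]) -> bool:
    """True only when every authoritative server for the zone is run by the CA
    (or its Affiliate). Recursive resolvers in the CA's data centers do not
    count, which is the point the reply makes about RFC 7719's definition."""
    auth = authoritative_ns(zone, fqdn)
    return bool(auth) and auth <= ca_operated_ns


def caa_permits(zone: ZoneSnapshot, fqdn: str, ca_identifier: str) -> bool:
    """Simplified RFC 6844 evaluation for a non-wildcard name: climb toward the
    root, use the first CAA RRset found, and check its 'issue' properties.
    No CAA RRset anywhere on the path means issuance is not restricted."""
    for name in _ancestors(fqdn):
        rrset = zone.caa.get(name)
        if not rrset:
            continue
        issue_values = [value for _, tag, value in rrset if tag == "issue"]
        if not issue_values:
            return True
        return any(v.split(";", 1)[0].strip() == ca_identifier for v in issue_values)
    return True


def issuance_decision(zone: ZoneSnapshot, fqdn: str, ca_identifier: str,
                      ca_operated_ns: set[str]) -> tuple[bool, str]:
    """Apply the exception first, then fall back to an ordinary CAA check."""
    if ca_is_dns_operator(zone, fqdn, ca_operated_ns):
        return True, "CAA check skipped: CA operates the authoritative servers"
    if caa_permits(zone, fqdn, ca_identifier):
        return True, "CAA permits issuance"
    return False, "CAA forbids issuance"


# Constructed sample data (hypothetical names).
SAMPLE_ZONE = ZoneSnapshot(
    ns={
        "example.com": {"ns1.ca-dns.example", "ns2.ca-dns.example"},
        "other.example": {"ns1.third-party.example"},
    },
    caa={
        "example.com": [(0, "issue", "some-other-ca.example")],
        "other.example": [(0, "issue", "some-other-ca.example")],
    },
)
CA_IDENTIFIER = "ca.example"
CA_OPERATED_NS = {"ns1.ca-dns.example", "ns2.ca-dns.example"}

if __name__ == "__main__":
    for name in ("www.example.com.", "www.other.example.", "www.unlisted.example."):
        print(name, issuance_decision(SAMPLE_ZONE, name, CA_IDENTIFIER, CA_OPERATED_NS))
```

In the sample, `example.com` carries a CAA record naming a different CA, yet issuance is allowed because the CA's own servers are the zone's authoritative NS; `other.example` is hosted by a third party, so the ordinary CAA check runs and forbids issuance; a name with no NS or CAA data falls through to the unrestricted case.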