[cabfpub] CAA look up failures and retry logic

Doug Beattie doug.beattie at globalsign.com
Tue Oct 3 09:01:43 MST 2017

The BR requirement for retrying failed lookups is ambiguous and we'd like to receive some clarification, and eventually a ballot to help clarify the BRs.

The BRs stay this:
CAs are permitted to treat a record lookup failure as permission to issue if:

-          the failure is outside the CA's infrastructure;

-          the lookup has been retried at least once; and

-          the domain's zone does not have a DNSSEC validation chain to the ICANN root.

RFC 6844  Errata 5065 says this:

-          If CAA(X) is not empty, R(X) = CAA (X), otherwise

-          If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =       CAA(A(X)), otherwise

-          If X is not a top-level domain, then R(X) = R(P(X)), otherwise

-          R(X) is empty.

The BRs say if a lookup has been retried at least once that is permission to issue. Does this mean doing

-          a full CAA lookup, or

-          re-doing one failed CAA(X) look-up, or

-          redoing every CAA(X) lookup that failed in the course of doing a full CAA validation?

If we follow the RFC processing logic and we encounter one failed lookup (e.g., SERVFAIL on shop.example.com), then we retry and it fails again, then do we exit the CAA checking and issue because the BRs say we may issue if we retry the lookup, which we just did?  Reading the specs this seems to be permitted (we did "a" retry for a failed lookup), common logic says no.

Another interpretation is that we do the full RFC CAA validation series of "look ups", and if it fails anywhere along the lines, we do another full CAA validation set of "look ups", and if that fails we issue.  Probably not realistic.

The most likely interpretation is that we retry each failed CAA(X) lookup, then proceed with the RFC processing logic to completion.  In this model any one or more specific DNS lookup may fail (and retry failed) the CA has permission to issue.  In fact, every DNS lookup could fail and that would be permission to issue as well (assuming DNSSEC didn't block it)

Can we agree that the BR statement "lookup has been retried at least once" means retrying each CAA(X) lookup that failed while performing the CAA validation algorithm specified in RFC 6844  Errata 5065?

Look up failure means Timeout (with arbitrarily short timeout period since none is specified), SERVFAIL, REFUSED and NXDOMAIN (and maybe more DNS RCODES, but these are the obvious ones)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20171003/2d7b5359/attachment-0001.html>

More information about the Public mailing list