[cabfpub] CAA look up failures and retry logic

Geoff Keating geoffk at apple.com
Tue Oct 3 19:06:44 MST 2017



> On Oct 4, 2017, at 12:01 AM, Doug Beattie via Public <public at cabforum.org> wrote:

> The BRs say if a lookup has been retried at least once that is permission to issue. Does this mean doing
> - a full CAA lookup, or
> - re-doing one failed CAA(X) look-up, or
> - redoing every CAA(X) lookup that failed in the course of doing a full CAA validation?
>
> If we follow the RFC processing logic and we encounter one failed lookup (e.g., SERVFAIL on shop.example.com), then we retry and it fails again, then do we exit the CAA checking and issue because the BRs say we may issue if we retry the lookup, which we just did?  Reading the specs this seems to be permitted (we did “a” retry for a failed lookup), common logic says no.

That’s an interesting point.  We could treat a (second) failure as meaning:
- Assume there is no CAA record here, continue with the algorithm, and maybe find a lower CAA record which denies issuance
- Assume there is a CAA record here which specifically allows issuance.

I believe the current wording is the second, not the first.  I think considering we’re just getting started with mandatory CAA, it’s OK to have this rule at the moment.  Switching to the first rule might be a way to tighten things once we’ve gotten some experience.
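The two readings contrasted above, as an added example that is not part of the thread and not any CA's code: a Python sketch of the RFC 6844 tree climb (CNAME/DNAME following and issuewild handling are omitted) run over a constructed zone table in which shop.example.com fails on every attempt while its parent example.com carries an issue record naming a different CA. Retries are applied per individual CAA(X) lookup, one of the three readings Doug lists; the host names, CA identifiers and policy names are invented for illustration.

```python
"""CAA tree climb with two policies for a lookup that still fails after retry."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


class LookupFailure(Exception):
    """Raised by the simulated resolver to stand in for SERVFAIL or a timeout."""


@dataclass
class CAARecord:
    tag: str    # "issue" (issuewild is not modelled here)
    value: str  # CA identifier, e.g. "other-ca.example"


# Constructed zone data standing in for live DNS (hypothetical names).
# A value of "SERVFAIL" makes every lookup of that name fail.
ZONE: Dict[str, Union[str, List[CAARecord]]] = {
    "shop.example.com.": "SERVFAIL",
    "example.com.": [CAARecord("issue", "other-ca.example")],
    "com.": [],
}


def lookup_caa(name: str, zone=ZONE) -> List[CAARecord]:
    """One CAA(X) query against the constructed zone."""
    rrset = zone.get(name, [])
    if rrset == "SERVFAIL":
        raise LookupFailure(name)
    return list(rrset)


def lookup_with_retry(name: str, retries: int = 1, zone=ZONE) -> Tuple[List[CAARecord], bool]:
    """Retry a failed CAA(X) lookup `retries` times. Returns (records, still_failed)."""
    for _ in range(retries + 1):
        try:
            return lookup_caa(name, zone), False
        except LookupFailure:
            continue
    return [], True


def ancestors(fqdn: str) -> List[str]:
    """shop.example.com -> [shop.example.com., example.com., com.]"""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def caa_permits(fqdn: str, ca_id: str, policy: str, retries: int = 1,
                zone=ZONE) -> Tuple[str, Optional[str]]:
    """
    Simplified RFC 6844 climb: walk from fqdn up to the TLD; the first name
    with a non-empty CAA RRset governs issuance.

    policy (hypothetical labels for the two readings in the thread):
      "allow-on-failure": a lookup that still fails after retry is treated as
          a record permitting issuance, so the climb stops there.
      "skip-on-failure":  such a failure is treated as "no CAA record here"
          and the climb continues to the parent, which may deny issuance.

    Returns (decision, governing_name); decision is "issue" or "refuse".
    """
    for name in ancestors(fqdn):
        records, failed = lookup_with_retry(name, retries, zone)
        if failed:
            if policy == "allow-on-failure":
                return "issue", name
            continue  # skip-on-failure: keep climbing
        if records:
            allowed = {r.value for r in records if r.tag == "issue"}
            return ("issue" if ca_id in allowed else "refuse"), name
    # No CAA records anywhere in the tree: issuance is permitted.
    return "issue", None


if __name__ == "__main__":
    for policy in ("allow-on-failure", "skip-on-failure"):
        print(policy, caa_permits("shop.example.com", "my-ca.example", policy))
```

With the constructed zone, the permissive policy issues for my-ca.example at shop.example.com after the retry fails, while the stricter policy climbs to example.com and refuses because its issue record names other-ca.example; the same strict policy still issues for other-ca.example, and for a name with no CAA records and no failures anywhere in its tree.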