[cabfpub] CAA, DNSSEC and NXDOMAIN
Doug Beattie
doug.beattie at globalsign.com
Fri Oct 6 18:43:38 UTC 2017
I understand the need to reject CAA lookups if there is DNSSEC on the zone and if you run into timeout/SERVFAIL/etc errors at any level in the RFC 6844 processing (www.example.com or example.com). Hopefully everyone has interpreted look up failure and DNSSEC this way.
NSEC/NSEC3 records are returned only alongside NXDOMAIN responses for a signed zone - they provide authenticated denial of existence, essentially a "signed NXDOMAIN" response. Is this considered a failure or not? I think this should not preclude issuance to that domain, but wanted to get consensus.
Doug
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20171006/f92d7279/attachment.html>
More information about the Public
mailing list