[cabfpub] CAA, DNSSEC and NXDOMAIN
doug.beattie at globalsign.com
Fri Oct 6 11:43:38 MST 2017
I understand the need to reject CAA lookups if there is DNSSEC on the zone and if you run into timeout/SERVFAIL/etc errors at any level in the RFC 6844 processing (www.example.com or example.com). Hopefully everyone has interpreted look up failure and DNSSEC this way.
NSEC/NSEC3 records are returned only alongside NXDOMAIN responses for a signed zone - they provide authenticated denial of existence, essentially a "signed NXDOMAIN" response. Is this considered a failure or not? I think this should not preclude issuance to that domain, but wanted to get consensus.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public