[cabfpub] CAA, DNSSEC and NXDOMAIN

Doug Beattie doug.beattie at globalsign.com
Fri Oct 6 11:43:38 MST 2017


I understand the need to reject CAA lookups if there is DNSSEC on the zone and if you run into timeout/SERVFAIL/etc  errors at any level in the RFC 6844 processing (www.example.com or example.com).  Hopefully everyone has interpreted look up failure and DNSSEC this way.

NSEC/NSEC3 records are returned only alongside NXDOMAIN responses for a signed zone - they provide authenticated denial of existence, essentially a "signed NXDOMAIN" response. Is this considered a failure or not?  I think this should not preclude issuance to that domain, but wanted to get consensus.

Doug
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20171006/f92d7279/attachment.html>


More information about the Public mailing list