[cabfpub] CAA, DNSSEC and NXDOMAIN

Ryan Sleevi sleevi at google.com
Mon Oct 9 08:47:37 MST 2017


I believe your interpretation is correct - it is an authoritative positive
response of non-existence (meaning not a failure).

On Fri, Oct 6, 2017 at 2:43 PM, Doug Beattie via Public <public at cabforum.org> wrote:

>
>
> I understand the need to reject CAA lookups if there is DNSSEC on the zone
> and if you run into timeout/SERVFAIL/etc. errors at any level in the RFC
> 6844 processing (www.example.com or example.com).  Hopefully everyone has
> interpreted lookup failure and DNSSEC this way.
>
>
>
> NSEC/NSEC3 records are returned only alongside NXDOMAIN responses for a
> signed zone – they provide authenticated denial of existence, essentially a
> “signed NXDOMAIN” response. Is this considered a failure or not?  I think
> this should not preclude issuance to that domain, but wanted to get
> consensus.
>
>
>
> Doug
>
>
>
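
The handling discussed in this thread, as an added example that is not part of either message: a simplified RFC 6844 tree climb over constructed resolver results, where a timeout or SERVFAIL in a DNSSEC-signed zone blocks issuance and an NXDOMAIN counts as an answer. The `SAMPLE` data, the `ca.example` issuer, the function names and the `policy` outcome for unsigned-zone failures are assumptions; CNAME/DNAME handling and CAA tags other than `issue` are omitted.

```python
from enum import Enum

class Rcode(Enum):
    NOERROR = 1
    NXDOMAIN = 2
    SERVFAIL = 3
    TIMEOUT = 4

# Constructed results from a hypothetical validating resolver:
# name -> (rcode, zone is DNSSEC-signed, issuer domains from CAA "issue" records)
SAMPLE = {
    "www.signed.example": (Rcode.NXDOMAIN, True, []),   # NSEC/NSEC3-proven denial
    "signed.example": (Rcode.NOERROR, True, ["ca.example"]),
    "www.broken.example": (Rcode.SERVFAIL, True, []),
    "www.deep.example": (Rcode.NOERROR, True, []),      # exists, no CAA (NODATA)
    "deep.example": (Rcode.TIMEOUT, True, []),          # failure one level up
    "www.flaky.example": (Rcode.TIMEOUT, False, []),
    "gone.example": (Rcode.NXDOMAIN, True, []),
}

def lookup(name):
    # Names not listed above: unsigned zone, no CAA records (NODATA).
    return SAMPLE.get(name, (Rcode.NOERROR, False, []))

def climb(fqdn):
    """Yield fqdn, then each parent, stopping before the root (RFC 6844 order)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def caa_decision(fqdn, issuer, resolve=lookup):
    """Return (decision, name); decision is 'allow', 'deny' or 'policy'."""
    for name in climb(fqdn):
        rcode, signed, issuers = resolve(name)
        if rcode in (Rcode.SERVFAIL, Rcode.TIMEOUT):
            # Failure at any level of a signed zone blocks issuance. A denial
            # that fails validation also arrives here, as SERVFAIL.
            # Unsigned-zone failures are outside this thread: defer to CA policy.
            return ("deny" if signed else "policy", name)
        if rcode is Rcode.NXDOMAIN or not issuers:
            continue  # authenticated non-existence is an answer, not a failure
        return ("allow" if issuer in issuers else "deny", name)
    return ("allow", None)  # no CAA record set anywhere on the path
```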