[cabfpub] CAA, DNSSEC and NXDOMAIN

Doug Beattie doug.beattie at globalsign.com
Fri Oct 6 18:43:38 UTC 2017

I understand the need to reject CAA lookups if there is DNSSEC on the zone and if you run into timeout/SERVFAIL/etc  errors at any level in the RFC 6844 processing (www.example.com or example.com).  Hopefully everyone has interpreted look up failure and DNSSEC this way.

NSEC/NSEC3 records are returned only alongside NXDOMAIN responses for a signed zone - they provide authenticated denial of existence, essentially a "signed NXDOMAIN" response. Is this considered a failure or not?  I think this should not preclude issuance to that domain, but wanted to get consensus.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171006/f92d7279/attachment-0002.html>

More information about the Public mailing list