[cabfpub] CAA look up failures and retry logic

Jacob Hoffman-Andrews jsha at letsencrypt.org
Wed Oct 4 20:16:31 UTC 2017


You make a good point. To reiterate the language from the BRs:

> CAs are permitted to treat a record lookup failure as permission to issue
> if:
>  • the failure is outside the CA's infrastructure;
>  • the lookup has been retried at least once; and
>  • the domain's zone does not have a DNSSEC validation chain to the ICANN
> root.

Specifically, this talks about a single record lookup failure, but allows
treating that as permission to issue. I think the behavior we'd really like
here is to treat a record lookup failure as equivalent to a successful,
empty response if those conditions are met. That way, for instance if a CAA
lookup for "nonexistent.example.com" returns NXDOMAIN, the CA is still
required to attempt looking up a CAA record for "example.com".

So I agree that your "most likely" option is the ideal, and is what CAs
should be implementing to be conservative, but the BRs do not currently say
that. I would support a ballot to amend it.
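The climb-through behaviour discussed in this message, as an added example that is not part of the thread: a Python simulation of RFC 6844-style CAA tree climbing in which a lookup failure counts as an empty answer only when the three BR conditions hold, so a failed lookup for nonexistent.example.com still leads to a query for example.com. The resolver, the zone data, the "ca.example" CA identifier and the DNSSEC model (a set of names whose zone is signed) are constructed assumptions, not CA or BR-defined interfaces.

```python
from typing import List, Optional, Tuple

CAARecord = Tuple[str, str]  # (tag, value), e.g. ("issue", "ca.example")

class LookupFailure(Exception):
    """A CAA query that produced no usable answer (timeout, SERVFAIL, NXDOMAIN)."""

def make_resolver(zone_data: dict, failing: set):
    """Constructed stand-in for a DNS resolver (not a real one); returns (resolve, call_log)."""
    calls: List[str] = []
    def resolve(name: str) -> List[CAARecord]:
        calls.append(name)
        if name in failing:
            raise LookupFailure(name)
        return zone_data.get(name, [])
    return resolve, calls

def lookup_with_retry(resolve, name: str, retries: int = 1) -> List[CAARecord]:
    """BR condition 2: retry the lookup at least once before giving up."""
    for attempt in range(retries + 1):
        try:
            return resolve(name)
        except LookupFailure:
            if attempt == retries:
                raise

def relevant_caa(resolve, fqdn: str, dnssec_signed: set,
                 failure_outside_ca: bool = True) -> Optional[List[CAARecord]]:
    """Climb from fqdn towards the TLD (RFC 6844 style). Returns the first
    non-empty CAA set, [] if every level is empty, or None when a failure
    cannot be treated as an empty answer (the CA must then not issue)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        try:
            records = lookup_with_retry(resolve, name)
        except LookupFailure:
            # BR conditions 1 and 3: outside CA infrastructure, no DNSSEC chain.
            if failure_outside_ca and name not in dnssec_signed:
                continue  # equivalent to an empty answer: keep climbing
            return None
        if records:
            return records
    return []

def ca_may_issue(result: Optional[List[CAARecord]], ca: str) -> bool:
    """None (undetermined) blocks issuance; [] permits it; else an issue tag must name the CA."""
    if result is None:
        return False
    return not result or any(tag == "issue" and value == ca for tag, value in result)
```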