[cabfpub] CAA, DNSSEC and NXDOMAIN
Ryan Sleevi
sleevi at google.com
Mon Oct 9 15:47:37 UTC 2017
I believe your interpretation is correct - it is an authoritative positive
response of non-existence (meaning not a failure).
On Fri, Oct 6, 2017 at 2:43 PM, Doug Beattie via Public <public at cabforum.org> wrote:
>
> I understand the need to reject CAA lookups if there is DNSSEC on the zone
> and if you run into timeout/SERVFAIL/etc errors at any level in the RFC
> 6844 processing (www.example.com or example.com). Hopefully everyone has
> interpreted lookup failure and DNSSEC this way.
>
> NSEC/NSEC3 records are returned only alongside NXDOMAIN responses for a
> signed zone – they provide authenticated denial of existence, essentially a
> “signed NXDOMAIN” response. Is this considered a failure or not? I think
> this should not preclude issuance to that domain, but wanted to get
> consensus.
>
> Doug
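The distinction discussed in this thread, as an added example that is not part of either message and is not any CA's code: a simplified RFC 6844 climb (parent names only, no CNAME/DNAME handling, `issue` values only) in which NXDOMAIN is not treated as a lookup failure, while SERVFAIL or a timeout in a signed zone blocks issuance. The zone data, the names and the `policy` result for failures in unsigned zones (which the thread does not address) are assumptions; the resolver is assumed to validate DNSSEC, so an unprovable denial would surface as SERVFAIL.

```python
# Added illustration; names, zones and resolver results below are constructed.
FAILURES = {"SERVFAIL", "TIMEOUT"}

# name -> (rcode, zone_is_dnssec_signed, CAA "issue" values in the answer)
SAMPLE = {
    "www.example.com": ("NXDOMAIN", True, []),   # absence proven by NSEC/NSEC3
    "example.com": ("NOERROR", True, ["ca.example"]),
    "com": ("NOERROR", True, []),
    "www.broken.test": ("SERVFAIL", True, []),   # failure inside a signed zone
    "host.plain.test": ("NXDOMAIN", False, []),
    "plain.test": ("NOERROR", False, []),        # NODATA: name exists, no CAA
    "test": ("NOERROR", False, []),
}


def climb(fqdn):
    """Return fqdn and each parent name, stopping before the root."""
    labels = fqdn.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def caa_decision(fqdn, issuer, lookup=SAMPLE.get):
    """Return (verdict, reason) for issuing to fqdn as `issuer`."""
    for name in climb(fqdn):
        rcode, signed, issue_values = lookup(name)
        if rcode in FAILURES:
            if signed:
                return ("deny", f"{rcode} at {name} in a signed zone")
            # Not covered by the thread; left to the CA's own policy here.
            return ("policy", f"{rcode} at {name}, unsigned zone")
        if rcode == "NXDOMAIN":
            # Authoritative answer that the name does not exist: not a
            # failure, so keep climbing toward the parent.
            continue
        if issue_values:
            ok = issuer in issue_values
            return ("allow" if ok else "deny", f"CAA at {name}")
    return ("allow", "no CAA record found")


if __name__ == "__main__":
    for host in ("www.example.com", "www.broken.test", "host.plain.test"):
        print(host, caa_decision(host, "ca.example"))
```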