[cabfpub] DNSSEC validation for CAA record lookup failure

Gervase Markham gerv at mozilla.org
Fri Sep 15 13:00:37 UTC 2017


On 14/09/17 18:02, Geoff Keating via Public wrote:
>     the domain's zone does not have a DNSSEC validation chain to the
>     ICANN root. 
> 
> I suggest replacing the last item with “the record being looked up is
> classified as ‘Insecure’ under RFC 4035 section 4.3, as amended.”

Section 4.3 begins:

"A security-aware resolver MUST be able to determine whether it should
expect a particular RRset to be signed."

and then explains how to so determine. And this seems to me to be
exactly what we want to determine. So, for me, that makes this change
clear and understandable. And one would hope that it's well-defined,
unless parts of how DNSSEC works are not well-defined (surely not!).

Gerv
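The determination Gerv refers to, RFC 4035 section 4.3's four security states (Secure, Insecure, Bogus, Indeterminate), as an added worked example that is not part of the thread and not code from any resolver or from the CA/B Forum. It models the chain of trust from a root trust anchor down through each delegation: a parent that authenticates a denial of existence for the child's DS RRset makes the child "Insecure", while a DS that matches no child key, or a failing signature under a secure parent, makes it "Bogus". The `Zone` record, its `ds_at_parent` values and the sample tree are all constructed for this illustration.

```python
"""Toy model of the RFC 4035 section 4.3 security-status determination.

Constructed example: the data model and sample zones are assumptions made
for this illustration, not real DNS data or resolver code.
"""
from __future__ import annotations
from dataclasses import dataclass

SECURE, INSECURE, BOGUS, INDETERMINATE = "Secure", "Insecure", "Bogus", "Indeterminate"


@dataclass
class Zone:
    # Does the zone publish DNSKEY/RRSIG records at all?
    signed: bool
    # State of this zone's DS RRset at its parent (hypothetical encoding):
    #   "present"  - parent serves a DS matching one of the child's DNSKEYs
    #   "denied"   - parent serves an authenticated NSEC/NSEC3 denial of DS
    #   "missing"  - no DS and no authenticated denial of its existence
    #   "mismatch" - a DS exists but matches none of the child's DNSKEYs
    ds_at_parent: str = "denied"
    # Whether RRSIGs inside the zone verify (False models a broken signature)
    signatures_valid: bool = True


def zone_chain(name: str) -> list[str]:
    """Ancestor names from the root down to the name itself.

    'www.example.com.' -> ['.', 'com.', 'example.com.', 'www.example.com.']
    """
    labels = [label for label in name.rstrip(".").split(".") if label]
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain


def security_status(name: str, zones: dict[str, Zone], root_anchor: bool = True) -> str:
    """Classify `name` per RFC 4035 4.3 by walking delegations from the root.

    `zones` maps every zone cut on the path to its Zone record; names that
    are not zone cuts are simply inside the nearest enclosing zone.
    """
    if not root_anchor:
        # No trust anchor covers any part of the tree: nothing can be judged.
        return INDETERMINATE
    status = SECURE  # the root zone is covered by the configured trust anchor
    for zone_name in zone_chain(name):
        zone = zones.get(zone_name)
        if zone is None:
            continue  # not a delegation point, no change in status
        if zone_name != "." and status == SECURE:
            if zone.ds_at_parent == "present":
                status = SECURE if zone.signed else BOGUS
            elif zone.ds_at_parent == "denied":
                status = INSECURE  # authenticated proof that the child is unsigned
            else:
                status = BOGUS  # secure parent, but no usable DS and no proof of absence
        # Once a delegation is Insecure, everything below it stays Insecure:
        # a "signed" island below cannot be chained to the root anchor.
        if status == SECURE and not zone.signatures_valid:
            status = BOGUS
        if status == BOGUS:
            return BOGUS
    return status


def lookup_failure_is_outside_chain(status: str) -> bool:
    """Model of the single condition discussed in the thread (an assumption):
    a zone without a validation chain to the root is exactly one whose
    records are classified Insecure; Bogus and Indeterminate do not qualify."""
    return status == INSECURE


# Constructed sample tree (not real DNS data).
SAMPLE_ZONES = {
    ".": Zone(signed=True, ds_at_parent="present"),
    "com.": Zone(signed=True, ds_at_parent="present"),
    "example.com.": Zone(signed=True, ds_at_parent="present"),       # Secure
    "unsigned.com.": Zone(signed=False, ds_at_parent="denied"),      # Insecure: proven no DS
    "sub.unsigned.com.": Zone(signed=True, ds_at_parent="present"),  # Insecure: island of security
    "broken.com.": Zone(signed=True, ds_at_parent="mismatch"),       # Bogus: DS matches no key
    "badsig.com.": Zone(signed=True, ds_at_parent="present", signatures_valid=False),  # Bogus
}

if __name__ == "__main__":
    for qname in ("www.example.com.", "www.unsigned.com.", "host.sub.unsigned.com.",
                  "www.broken.com.", "www.badsig.com."):
        print(f"{qname:24} {security_status(qname, SAMPLE_ZONES)}")
```

The point the model makes explicit is the one the proposed wording captures: "Insecure" is a positive, authenticated finding (the parent proves there is no DS), not merely the absence of a chain. A resolver that cannot validate, or that sees a mismatched DS, reports Bogus, and a CA should not treat that the same way.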



More information about the Public mailing list