[cabfpub] Draft ballot 219: Clarify handling of CAA Record Sets with no "issue"/"issuewild" property tag

Gervase Markham gerv at mozilla.org
Thu Jan 25 09:22:46 UTC 2018

On 24/01/18 21:45, Corey Bonnell via Public wrote:
> Given that the intent of the RFC is clear (such a CAA Resource Record
> Set is implicit permission to issue), we are proposing the following
> change to allow for CAA processing consistent with the intent of the RFC.

I don't think the intent of the RFC on this point is particularly clear,
but I agree that specified behaviour is better than unspecified.

> CAs MAY treat a non-empty CAA Resource Record Set that does not contain
> any issue property tags (and also does not contain any issuewild
> property tags when performing CAA processing for a Wildcard Domain Name)
> as permission to issue, provided that 

a) issuance would be consistent with any other property tags which are
present; and

b) the CAA Resource Record Set does not contain any unrecognized
property with the critical flag set.

This is a little bit of future-proofing, which you could add if you felt
it valuable. There are no such other property tags (as mentioned in
bullet a) defined at the moment, but that may not always be true.

In fact, if we have a), perhaps b) is redundant?
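
An added example, not part of the original message or of the ballot text: one way to implement the CAA check discussed above, including conditions a) and b). The names `may_issue`, `issuer_domain` and `KNOWN_TAGS` and the sample records are hypothetical, and the sketch assumes the relevant CAA Resource Record Set has already been located and that tag matching is case insensitive.

```python
# Added illustration; all names and sample records are constructed.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # property tags defined in RFC 6844
CRITICAL = 0x80                               # issuer-critical flag bit


def issuer_domain(value):
    """Return the issuer domain of an issue/issuewild value ("" if none)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(rrset, ca_domain, wildcard=False):
    """rrset: list of (flags, tag, value) tuples for the relevant CAA RRset.
    Returns (permitted, reason)."""
    if not rrset:
        return True, "empty RRset"
    records = [(flags, tag.lower(), value) for flags, tag, value in rrset]
    # Condition b): an unrecognized property with the critical flag set
    # blocks issuance, whatever else the set contains.
    for flags, tag, _ in records:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False, f"unrecognized critical property {tag!r}"
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # issuewild only matters for wildcard names, where it overrides issue.
    relevant = (issuewild or issue) if wildcard else issue
    if not relevant:
        # The case the ballot addresses: a non-empty set with no applicable
        # issue/issuewild tags. Condition a) has nothing to check here,
        # since no other restricting tags are defined at the moment.
        return True, "no issue/issuewild property tags"
    if any(issuer_domain(v) == ca_domain.lower() for v in relevant):
        return True, "CA listed"
    return False, "CA not listed"


if __name__ == "__main__":
    samples = [  # constructed record sets
        ([(0, "iodef", "mailto:security@example.com")], False),
        ([(0, "issuewild", "ca.example")], True),
        ([(128, "tbs", "unknown")], False),
    ]
    for rrset, wild in samples:
        print(rrset, wild, may_issue(rrset, "other.example", wild))
```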

