> On Sep 11, 2017, at 17:03, Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> For a little more context, the idea is that we can speed up the CAA check for all customers while working with those who have DNSSEC to make sure they aren't killing performance. If there's a way to group them easily into buckets (timeout + quick does DNSSEC exist check), working on improving the experience for that particular set of customers is easier. That bucket can then be improved later.
Given the disaster that DNSSEC+CAA has been over the past few days for multiple CAs and the fact that it’s optional in the CAA RFC, what do you think about proposing a ballot to remove the DNSSEC requirement from the BRs entirely?

Jonathan