Hi,
inspired by the ballot paragraph [1], I set up a domain that is fully DNSSEC
signed [2], but does not reply to CAA queries (timeout).
I could obtain certificates for this domain from Buypass and Startcom [3].
Other CAs (RapidSSL, GeoTrust, LetsEncrypt) have refused to issue, and GoDaddy
and Certum have been stuck in "Pending" for days and will likely not issue.
Per my interpretation, and per the discussion in the other CAA/DNSSEC thread,
I believe those should not have been issued. I have reported this to the
issuing CAs.
What do you think?
Kind regards
Quirin
[1] CAs are permitted to treat a record lookup failure as permission to issue
if:
the failure is outside the CA’s infrastructure;
the lookup has been retried at least once; and
the domain’s zone does not have a DNSSEC validation chain to the ICANN root.
[2] https://dnssec-debugger.verisignlabs.com/crossbear.org
[3] https://crt.sh/?q=crossbear.org
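The decision rule quoted in [1], written out as an added example (not the poster's code and not any CA's implementation): the check climbs the CAA tree per RFC 6844, retries a failed lookup once, and on persistent failure refuses unless the zone is unsigned and the failure is outside the CA. The resolver, the DNSSEC oracle and the zone names are constructed stand-ins so it runs offline.

```python
from typing import Callable, Iterator, List, Tuple

class LookupFailure(Exception):
    """Timeout or SERVFAIL on a CAA query."""

def climb(fqdn: str) -> Iterator[str]:
    """Yield the name and each ancestor, the search order RFC 6844 prescribes."""
    labels = fqdn.strip(".").split(".")
    return (".".join(labels[i:]) for i in range(len(labels)))

def lookup_with_retry(resolver: Callable, name: str, retries: int = 1) -> list:
    """The ballot requires at least one retry before a failure may be relied on."""
    last_error = None
    for _ in range(retries + 1):
        try:
            return resolver(name)
        except LookupFailure as err:
            last_error = err
    raise last_error

def may_issue(fqdn: str, ca_domain: str, resolver: Callable, is_dnssec_signed: Callable,
              failure_outside_ca: bool = True) -> Tuple[bool, str]:
    """Decide whether ca_domain may issue for fqdn; returns (decision, reason)."""
    for name in climb(fqdn):
        try:
            records = lookup_with_retry(resolver, name)  # list of (flags, tag, value)
        except LookupFailure:
            if failure_outside_ca and not is_dnssec_signed(name):
                return True, f"{name}: lookup failed in an unsigned zone, may issue"
            return False, f"{name}: lookup failed in a DNSSEC-signed zone, must not issue"
        if records:  # closest ancestor with any CAA records is the relevant set
            issuers = [value for _, tag, value in records if tag == "issue"]
            allowed = not issuers or ca_domain in issuers
            return allowed, f"{name}: CAA issue set {issuers} decides: {allowed}"
    return True, "no CAA records anywhere in the tree, may issue"
# Constructed stand-ins (no real DNS): "signed.example" plays the role of a
# DNSSEC-signed zone whose CAA queries time out, like crossbear.org in the post.
SIGNED_ZONES = {"signed.example"}
CAA_TABLE = {
    "www.signed.example": LookupFailure,    # CAA times out, zone signed
    "www.unsigned.example": LookupFailure,  # CAA times out, zone unsigned
    "strict.example": [(0, "issue", "letsencrypt.org")],
}
CALLS: List[str] = []  # every query is logged so the retry can be checked

def demo_resolver(name: str) -> list:
    CALLS.append(name)
    if CAA_TABLE.get(name) is LookupFailure:
        raise LookupFailure(name)
    return CAA_TABLE.get(name, [])
def demo_is_dnssec_signed(name: str) -> bool:
    return any(zone in SIGNED_ZONES for zone in climb(name))
```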
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy