On Tue, Aug 24, 2021 at 6:16 PM Li-Chun CHEN <[email protected]> wrote:
>
> => Our RA system performs the CAA record lookup by using the Dig command,
> which is not performed by our RAOs manually, and the query request is sent to
> our HiNET DNS resolver (Chunghwa Telecom is a domain name registrar as well)
> which supports the checking of DNSSEC validation chain to the ICANN root. If
> the status response of Dig request is not ‘NOERROR’, our system will treat it
> as a record lookup failure and can therefore issue the certificate.

Does this mean that

1) the dig output is parsed to determine whether the response is of status: NOERROR or some other status
2) if a status of NOERROR is detected, the dig output is then presented to a RAO,
3) if some other status is detected, the system skips over this step - i.e. does not consult a RAO, but assumes issuance is permitted as far as CAA records are concerned?

Regards,
Tobi
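
The flow asked about above, as an added example that is not part of the thread or of any CA's system: it parses constructed dig output for the header status and CAA `issue` records, with a `fail_open` switch modelling the "not NOERROR, therefore issue" handling described in the quoted message. The names `parse_dig`, `caa_decision`, `fail_open` and the domain `ca.example` are assumptions; only the `issue` tag at the queried name is evaluated (no tree climbing, `issuewild` or critical-flag handling).

```python
import re

# Constructed dig outputs for illustration; not captured from a real resolver.
HEADER = ";; ->>HEADER<<- opcode: QUERY, status: {}, id: 4242\n"
DIG_RESTRICTED = HEADER.format("NOERROR") + (
    ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
    ";; ANSWER SECTION:\n"
    'example.com.\t3600\tIN\tCAA\t0 issue "other-ca.example; account=1"\n'
)
DIG_EMPTY = HEADER.format("NOERROR") + ";; flags: qr rd ra; QUERY: 1, ANSWER: 0\n"
DIG_SERVFAIL = HEADER.format("SERVFAIL") + ";; flags: qr rd ra; QUERY: 1, ANSWER: 0\n"

STATUS_RE = re.compile(r"^;; ->>HEADER<<-.*\bstatus: (\w+)", re.M)
CAA_RE = re.compile(r'^\S+\s+\d+\s+IN\s+CAA\s+\d+\s+(\S+)\s+"([^"]*)"', re.M)


def parse_dig(output):
    """Return (status, [(tag, value), ...]) from dig's text output."""
    m = STATUS_RE.search(output)
    status = m.group(1) if m else None  # None: header missing or unparseable
    records = [(tag.lower(), value) for tag, value in CAA_RE.findall(output)]
    return status, records


def caa_decision(output, ca_domain, fail_open):
    """Classify one CAA lookup for the CA identified by ca_domain.

    fail_open=True models the behaviour described in the quoted message:
    any status other than NOERROR is a lookup failure and issuance proceeds.
    """
    status, records = parse_dig(output)
    if status != "NOERROR":
        return "lookup-failure-permit" if fail_open else "lookup-failure-hold"
    # The issuer domain is the part of an issue value before any ';' parameters.
    issuers = [v.split(";")[0].strip().lower() for t, v in records if t == "issue"]
    if not issuers:
        return "permit"  # no issue property at this name restricts issuance
    return "permit" if ca_domain.lower() in issuers else "deny"


if __name__ == "__main__":
    for name, out in [("restricted", DIG_RESTRICTED), ("empty", DIG_EMPTY),
                      ("servfail", DIG_SERVFAIL)]:
        print(name, caa_decision(out, "ca.example", fail_open=True))
```

With `fail_open=True` the SERVFAIL sample yields `lookup-failure-permit`, which is the outcome point 3 of the question asks about.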
