Hi, Tobi,
Please see inline.
[email protected] wrote on Thursday, 2 September 2021 at 07:30:55 (UTC+8):
> On Tue, Aug 24, 2021 at 6:16 PM Li-Chun CHEN <[email protected]> wrote:
> >
> > => Our RA system performs the CAA record lookup by using the dig
> command, which is not performed by our RAOs manually, and the query request
> is sent to our HiNET DNS resolver (Chunghwa Telecom is a domain name
> registrar as well), which supports checking of the DNSSEC validation chain
> to the ICANN root. If the status of the dig response is not ‘NOERROR’,
> our system will treat it as a record lookup failure and can therefore issue
> the certificate.
>
> Does this mean that
>
> 1) the dig output is parsed to determine whether the response is of
> status: NOERROR or some other status
=> Yes.
>
> 2) if a status of NOERROR is detected, the dig output is then
> presented to a RAO,
=> Yes, our RA system logs all dig outputs that are also presented to our
RAO.
>
> 3) if some other status is detected, the system skips over this step -
> i.e. does not consult a RAO, but assumes issuance is permitted as far
> as CAA records are concerned?
>
=> Our RA system will perform the CAA check in accordance with Section 3.2.2.8
of the BR, and a certificate is permitted to be issued if the following
conditions are met:
a. the dig output is ‘NOERROR’ or some other status (except
‘ERROR’); and
b. the lookup has been retried at least once; and
c. there is no DNSSEC validation chain to the ICANN root.
> Regards,
>
> Tobi
Sincerely Yours,
Li-Chun
Chunghwa Telecom
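For readers following the exchange above, here is an added example (my own code, not Chunghwa Telecom's RA system and not part of the original thread) of how a CAA decision per BR 3.2.2.8 and RFC 8659 can be built on top of parsed `dig` output. It climbs from the FQDN to its parent labels, retries a failed lookup, and treats a persistent failure as permission to issue only when the zone has no DNSSEC validation chain to the root. The CA identity `ca.example`, the names `www.example.com` and `broken.test`, the `dig` outputs in `SAMPLES`, and the `zone_is_signed` callback are all assumed or constructed for illustration.

```python
"""CAA issuance decision modelled on BR 3.2.2.8 and RFC 8659.

Added example, not Chunghwa Telecom's RA code. It parses the text output of
`dig <name> CAA` (the samples below are constructed, not captured) and decides
whether a CA identified by CA_DOMAIN (an assumed name) may issue.
"""
import re

CA_DOMAIN = "ca.example"  # assumed: the domain this CA recognises as itself

STATUS_RE = re.compile(r"->>HEADER<<- opcode: QUERY, status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
CAA_RE = re.compile(r'^\S+\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"', re.M)


def parse_dig(output):
    """Return (status, ad_flag, [(flags, tag, value), ...]) from dig text.

    status is None when dig printed no header (e.g. a timeout). The `ad` flag
    only shows that a NOERROR answer was DNSSEC-validated by the resolver; it
    cannot explain a SERVFAIL, so signed-zone detection must come from elsewhere.
    """
    m = STATUS_RE.search(output)
    status = m.group(1) if m else None
    f = FLAGS_RE.search(output)
    ad = "ad" in f.group(1).split() if f else False
    records = [(int(fl), tag.lower(), val) for fl, tag, val in CAA_RE.findall(output)]
    return status, ad, records


def evaluate(output, ca_domain=CA_DOMAIN, wildcard=False):
    """Decide for one label: 'permit', 'deny', 'empty' (climb on) or 'fail'."""
    status, _ad, records = parse_dig(output)
    if status == "NXDOMAIN" or (status == "NOERROR" and not records):
        return "empty"          # no CAA RRset at this label; try the parent
    if status != "NOERROR":
        return "fail"           # SERVFAIL, REFUSED, or no header at all (timeout)
    # RFC 8659 s4.1: an unknown property with the critical bit (128) set
    # forbids issuance regardless of any issue/issuewild properties.
    if any(fl & 128 and tag not in ("issue", "issuewild", "iodef") for fl, tag, _ in records):
        return "deny"
    # RFC 8659 s4.3: issuewild takes precedence for wildcard names; when there
    # are no issuewild properties, the issue properties apply instead.
    relevant = [r for r in records if r[1] == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in records if r[1] == "issue"]
    if not relevant:
        return "permit"         # an RRset exists but does not constrain this CA
    # A value of ";" names no CA at all; otherwise the text before ';' is the domain.
    allowed = {val.split(";", 1)[0].strip().lower() for _, _, val in relevant}
    return "permit" if ca_domain.lower() in allowed else "deny"


def issuance_permitted(fqdn, lookup, zone_is_signed, ca_domain=CA_DOMAIN,
                       wildcard=False, attempts=2):
    """Climb fqdn -> parents (RFC 8659 s3) and apply BR 3.2.2.8.

    lookup(name, attempt) returns dig output for one attempt. zone_is_signed(name)
    must report whether the name has a DNSSEC validation chain to the ICANN root
    (in practice derived from DS records at the parent; not queried here).
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        result = "fail"
        for attempt in range(attempts):          # BR: retried at least once
            result = evaluate(lookup(name, attempt), ca_domain, wildcard)
            if result != "fail":
                break
        if result == "fail":
            # BR 3.2.2.8 lets a CA treat a persistent lookup failure as permission
            # only if the failure is outside the CA's own infrastructure, the lookup
            # was retried, and the zone has no DNSSEC validation chain to the root.
            if zone_is_signed(name):
                return False, f"{name}: lookup failed and the zone is DNSSEC-signed"
            return True, f"{name}: lookup failed {attempts} times in an unsigned zone"
        if result != "empty":
            return result == "permit", f"{name}: CAA RRset says {result}"
    return True, "no CAA RRset found up to the TLD"


# Constructed dig outputs (not captured from a real resolver), keyed by
# (name, attempt). The names are illustrative only.
SAMPLES = {
    ("www.example.com", 0): (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
        ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n"
    ),
    ("example.com", 0): (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243\n"
        ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
        ";; ANSWER SECTION:\n"
        'example.com.\t\t3600\tIN\tCAA\t0 issue "ca.example; validationmethods=dns-01"\n'
        'example.com.\t\t3600\tIN\tCAA\t0 issuewild ";"\n'
    ),
    ("broken.test", 0): ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244\n",
    ("broken.test", 1): ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4245\n",
}


def sample_lookup(name, attempt):
    """Stand-in for running dig; serves the constructed outputs above."""
    return SAMPLES[(name, attempt)]


if __name__ == "__main__":
    unsigned = lambda name: False
    print(issuance_permitted("www.example.com", sample_lookup, unsigned))
    print(issuance_permitted("www.example.com", sample_lookup, unsigned, wildcard=True))
    print(issuance_permitted("broken.test", sample_lookup, lambda name: True))
```

The point of separating `evaluate` (one label, one status) from `issuance_permitted` (retry and climb) is that the status-to-outcome mapping stays explicit: NXDOMAIN and an empty NOERROR answer mean "keep climbing", every other non-NOERROR status is a lookup failure, and a failure only becomes permission after the retry and the DNSSEC-chain check, never on the first non-NOERROR response.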
--
You received this message because you are subscribed to the Google Groups
"[email protected]" group.
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/c9823f19-8d7a-4a85-8ffd-bf9473402a06n%40mozilla.org.