On Sun, 22 Nov 2020, Stephane Bortzmeyer wrote:
IMHO, the CAA algorithm is bad because it crosses administrative boundaries. RFC 8659 at least excludes the root but it still allows, for instance, AFNIC to put a CAA record in .fr which will apply to all .fr domains which do not have an explicit CAA. It seems bad.
I don't see why, since it only acts as a default. Any registrant that cares which CA they use can publish their own CAA. If the registrants object, that's between them and Afnic.
Over in DMARC land we have a proposal called PSD which specifically sets a default policy for the whole TLD, since .BANK and .INSURANCE want to do that for their registrants.
Regards, John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
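The tree-climbing lookup the thread is arguing about, as an added Python example that is not part of this thread or of any CA's code: it implements the Relevant RRset search from RFC 8659 Section 3 over a constructed zone map (every name and CA below is made up), and shows that a record at the TLD becomes the default for a registrant that publishes nothing, that a registrant's own record overrides it, and that a record at the root is never consulted. CNAME following and issuewild handling are left out.

```python
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone data for the example (not real DNS): FQDN -> its CAA RRset.
ZONES: Dict[str, List[CAARecord]] = {
    ".": [(0, "issue", "root-ca.example")],          # never reached: the loop stops before the root
    "fr": [(0, "issue", "tld-default-ca.example")],  # registry-level default, the case in the thread
    "example.fr": [],                                 # registrant publishes no CAA at all
    "optout.fr": [(0, "issue", "registrant-ca.example")],  # registrant overrides the TLD default
    "locked.fr": [(0, "issue", ";")],                 # registrant forbids every CA
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def caa_lookup(name: str) -> List[CAARecord]:
    """CAA(X) from RFC 8659 Section 3: the RRset published at X, or empty.
    Assumption: no CNAMEs, so no alias chasing is needed here."""
    return ZONES.get(name, [])


def parent(name: str) -> str:
    """Strip the leftmost label; a single label's parent is the root '.'."""
    return name.split(".", 1)[1] if "." in name else "."


def relevant_caa_set(name: str) -> Tuple[Optional[str], List[CAARecord]]:
    """Climb towards the root and return (owner, RRset) of the first non-empty
    CAA set. The loop condition excludes '.', so a root record never applies,
    but anything published at a TLD does apply to names below it."""
    domain = name.rstrip(".")
    while domain not in ("", "."):
        rrset = caa_lookup(domain)
        if rrset:
            return domain, rrset
        domain = parent(domain)
    return None, []


def issuance_permitted(name: str, ca_domain: str) -> bool:
    """Apply the 'issue' property for a non-wildcard name. Simplification:
    an empty relevant set, or one without 'issue' tags, imposes no issue
    restriction; 'issue ";"' authorises nobody; an unknown property with the
    critical flag (128) set means the CA must not issue."""
    _, rrset = relevant_caa_set(name)
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issuers = [v.split(";", 1)[0].strip().lower() for _, tag, v in rrset if tag == "issue"]
    return not issuers or ca_domain.lower() in issuers
```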
