You make a good point. To reiterate the language from the BRs:

> CAs are permitted to treat a record lookup failure as permission to issue if:
> • the failure is outside the CA's infrastructure;
> • the lookup has been retried at least once; and
> • the domain's zone does not have a DNSSEC validation chain to the ICANN root.
Specifically, this talks about a single record lookup failure, but allows treating that as permission to issue. I think the behavior we'd really like here is to treat a record lookup failure as equivalent to a successful, empty response if those conditions are met. That way, for instance if a CAA lookup for "nonexistent.example.com" returns NXDOMAIN, the CA is still required to attempt looking up a CAA record for "example.com". So I agree that your "most likely" option is the ideal, and is what CAs should be implementing to be conservative, but the BRs do not currently say that. I would support a ballot to amend it.
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
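The two readings of the BR clause discussed in the message above, as an added worked example (this is not code from the post, from the CA/B Forum, or from any CA's implementation). It simulates the RFC 8659 section 3 tree climb from a name up to its TLD against a constructed, in-memory zone, with one name returning a lookup failure. Under the literal reading a qualifying failure ends the search and permits issuance; under the conservative reading the failure is treated as an empty RRset and the climb continues to the parent, where a real CAA record is found. The retry-once condition and the "no DNSSEC chain" condition are modelled explicitly; the DNSSEC check is a simplification (a name under a zone listed as signed is assumed to be covered by a validation chain, ignoring unsigned delegations), and only the `issue` property tag is interpreted. Zone contents, CA names and the policy constants are assumptions for the example.

```python
"""CAA tree-climbing (RFC 8659 section 3) under two readings of the BR
lookup-failure clause. Constructed, offline simulation: no real DNS."""
from typing import Dict, List, Optional, Tuple, Union

# Constructed zone data (assumption). A list holds CAA RRs in "flags tag value"
# form; "FAIL" stands for SERVFAIL/timeout from a server outside the CA's network.
# Any name absent from the table answers with no records (NXDOMAIN / NODATA).
ZONE: Dict[str, Union[List[str], str]] = {
    "nonexistent.example.com": "FAIL",
    "example.com": ['0 issue "other-ca.example"'],
    "com": [],
}

# Two readings of the BR clause.
FAILURE_AS_PERMISSION = "failure_as_permission"  # literal BR text: failure permits issuance
FAILURE_AS_EMPTY = "failure_as_empty"            # conservative: failure == empty RRset, keep climbing


def lookup(name: str, zone=ZONE,
           counts: Optional[Dict[str, int]] = None) -> Tuple[str, List[str]]:
    """Return ("ok", rrs), ("empty", []) or ("fail", []).
    counts, if given, records how many times each name was queried."""
    if counts is not None:
        counts[name] = counts.get(name, 0) + 1
    entry = zone.get(name, [])
    if entry == "FAIL":
        return "fail", []
    return ("ok", list(entry)) if entry else ("empty", [])


def climb(name: str, policy: str, dnssec_signed=frozenset(), retries: int = 1,
          counts: Optional[Dict[str, int]] = None, zone=ZONE):
    """Walk from name up to the TLD. Returns (outcome, relevant_name, rrs, path).
    outcome: "records" (non-empty RRset found), "no-caa" (nothing at any level),
    "failure-permits" (literal reading stopped at a failure), "refuse" (failure
    under a DNSSEC-signed zone, so the failure may not permit issuance)."""
    labels = name.rstrip(".").split(".")
    path = []
    for i in range(len(labels)):
        current = ".".join(labels[i:])
        status, rrs = lookup(current, zone, counts)
        # BR condition: retry at least once before calling it a failure.
        for _ in range(retries):
            if status != "fail":
                break
            status, rrs = lookup(current, zone, counts)
        path.append((current, status))
        if status == "ok":
            return "records", current, rrs, path
        if status == "fail":
            # BR condition (simplified model): a name under a signed zone is treated
            # as having a validation chain, so the failure must never permit issuance.
            if any(".".join(labels[j:]) in dnssec_signed for j in range(i, len(labels))):
                return "refuse", current, [], path
            if policy == FAILURE_AS_PERMISSION:
                return "failure-permits", current, [], path
            # FAILURE_AS_EMPTY: behave as for an empty RRset and continue to the parent.
    return "no-caa", None, [], path


def may_issue(name: str, ca_domain: str, policy: str, **kw) -> bool:
    """Decide issuance from the relevant RRset. Only the 'issue' tag is modelled."""
    outcome, _, rrs, _ = climb(name, policy, **kw)
    if outcome == "refuse":
        return False
    if outcome in ("no-caa", "failure-permits"):
        return True
    issuers = []
    for rr in rrs:
        _flags, tag, value = rr.split(None, 2)
        if tag.lower() == "issue":
            # issuer-domain-name is the part before any ';' parameters
            issuers.append(value.strip('"').split(";")[0].strip().lower())
    # No 'issue' RRs: not restricted by this tag. Otherwise the CA must be named.
    return (not issuers) or ca_domain.lower() in issuers


if __name__ == "__main__":
    for policy in (FAILURE_AS_PERMISSION, FAILURE_AS_EMPTY):
        outcome, relevant, rrs, path = climb("nonexistent.example.com", policy)
        print(policy, outcome, relevant, rrs, path)
        print("  good-ca.example may issue:",
              may_issue("nonexistent.example.com", "good-ca.example", policy))
```

Running it shows the divergence the message describes: with `FAILURE_AS_PERMISSION` the climb stops at `nonexistent.example.com` after the retry and permits `good-ca.example`, even though `example.com` carries an `issue` record naming a different CA; with `FAILURE_AS_EMPTY` the climb reaches `example.com` and the same CA is refused. Passing `dnssec_signed=frozenset({"example.com"})` makes both readings refuse, since the failure then falls inside a zone with a validation chain.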
