Re: [cabfpub] CAA look up failures and retry logic

2017-10-04 Thread Doug Beattie via Public
From: Jacob Hoffman-Andrews [mailto:j...@letsencrypt.org]
Sent: Wednesday, October 4, 2017 4:17 PM
To: Doug Beattie <doug.beat...@globalsign.com>; CA/Browser Forum Public Discussion List <public@cabforum.org>
Cc: geo...@apple.com
Subject: Re: [cabfpub] CAA look up failures and retr

Re: [cabfpub] CAA look up failures and retry logic

2017-10-04 Thread Jacob Hoffman-Andrews via Public
You make a good point. To reiterate the language from the BRs:

> CAs are permitted to treat a record lookup failure as permission to issue if:
> • the failure is outside the CA's infrastructure;
> • the lookup has been retried at least once; and
> • the domain's zone does not have a DNSSEC

Re: [cabfpub] CAA look up failures and retry logic

2017-10-04 Thread Doug Beattie via Public
From: geo...@apple.com [mailto:geo...@apple.com]
Sent: Tuesday, October 3, 2017 10:07 PM
To: Doug Beattie <doug.beat...@globalsign.com>; CA/Browser Forum Public Discussion List <public@cabforum.org>
Subject: Re: [cabfpub] CAA look up failures and retry logic

On

Re: [cabfpub] CAA look up failures and retry logic

2017-10-03 Thread Geoff Keating via Public
> On Oct 4, 2017, at 12:01 AM, Doug Beattie via Public wrote:
> The BRs say if a lookup has been retried at least once that is permission to issue. Does this mean doing
> - a full CAA lookup, or
> - re-doing one failed CAA(X) look-up, or
> -

[cabfpub] CAA look up failures and retry logic

2017-10-03 Thread Doug Beattie via Public
The BR requirement for retrying failed lookups is ambiguous and we'd like to receive some clarification, and eventually a ballot to help clarify the BRs. The BRs say this:

CAs are permitted to treat a record lookup failure as permission to issue if:
- the failure is outside the CA's