[ECA-6128] Make querying top level domains (TLDs) for CAA lookups optional - PrimeKey Issue Tracker

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: EJBCA 6.9.0.6
Fix Version/s: EJBCA 6.9.1
Component/s: None
Labels:
- CAA

Issue discovered during:
Customer
Epic Link:
CAA Bugs/Improvements
Sprint:
EJBCA Sprint 1

Description

The CAA RFC specifies that CAA checks should be made all the way up a domain tree, but in reality the chances of a domain having CAA records the more common TLDs (.com, org, .co.uk etc...) are rather slim.

A simply solution is to implement a simple semicolon split ignore list of TLDS in the CAA validator ("com;org;net;se;co.uk") to allow the CA itself to diverge from the RFC.

Note: this list should be case case insensitive, trim spaces and allow for either with periods (.com) or without (com).

Attachments

Issue Links

relates

ECA-6063 Make Trust Anchor for CAA Validators configurable

Closed

Activity

People

Assignee:

Bastian Fredriksson

Reporter:

Mike Agrenius Kushner

Verified by:

Mike Agrenius Kushner

Votes:

0 Vote for this issue

Watchers:

4 Start watching this issue

Dates

Created:

2017-09-18 15:21

Updated:

2019-05-13 13:11

Resolved:

2017-10-03 15:44

Time Tracking

Estimated:

Remaining:

Logged:

2d 2h

ENTERPRISE SUPPORT MIGRATED TO SUPPORT.PRIMEKEY.COM