  1. EJBCA
  2. ECA-6132

CAA Validator should handle DNS that does not allow ANY queries

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      In order to find in the DNS any of the three record types CAA, CNAME, DNAME we make an ANY query to the DNS. ANY queries are not allowed by all DNS servers for some reason and in those cases we need to make separate queries:

      • Is there a CAA record?
      • If not, is there a CNAME record?
      • If not, is there a DNAME record?

      For domains that do not have a CAA record this will result in three DNS queries instead of one, but it seems to be the only way to get it running.

      DNS servers return SERVFAIL when the ANY query is denied.
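
The fallback described above, as an added example (not EJBCA code and not written by the reporter): try ANY first and, when the server answers SERVFAIL, ask for CAA, CNAME and DNAME one at a time. The `query(name, rtype)` resolver interface, the zone data and the stand-in server are constructed for illustration; the example assumes a server that answers only NOERROR or SERVFAIL and stops on any other response code.

```python
from typing import Callable, Dict, List, Tuple

NOERROR, SERVFAIL = "NOERROR", "SERVFAIL"
WANTED = ("CAA", "CNAME", "DNAME")  # order given in the issue description

# Hypothetical resolver interface: query(name, rtype) -> (rcode, {rtype: [rdata]})
Answer = Tuple[str, Dict[str, List[str]]]
Query = Callable[[str, str], Answer]


def find_record(name: str, query: Query) -> Tuple[str, List[str]]:
    """Return (rtype, rdata) for the first of CAA/CNAME/DNAME found, or ("", [])."""
    rcode, answer = query(name, "ANY")
    if rcode == NOERROR:
        types = [t for t in WANTED if answer.get(t)]
        return (types[0], answer[types[0]]) if types else ("", [])
    if rcode != SERVFAIL:
        raise LookupError(f"ANY query for {name} failed: {rcode}")
    # ANY was denied: ask for each type separately, stopping at the first hit.
    for rtype in WANTED:
        rcode, answer = query(name, rtype)
        if rcode != NOERROR:
            # Assumption of this example: any other rcode stops the lookup
            # rather than being read as "no record of this type".
            raise LookupError(f"{rtype} query for {name} failed: {rcode}")
        if answer.get(rtype):
            return rtype, answer[rtype]
    return "", []


# Constructed zone data and a stand-in server, so the example runs offline.
ZONE = {
    "ca-pinned.example": {"CAA": ['0 issue "ca.example"']},
    "alias.example": {"CNAME": ["target.example."]},
    "plain.example": {},
}


def make_server(allow_any: bool):
    log: List[Tuple[str, str]] = []  # every (name, rtype) the server was asked

    def query(name: str, rtype: str) -> Answer:
        log.append((name, rtype))
        records = ZONE.get(name, {})
        if rtype == "ANY":
            return (NOERROR, dict(records)) if allow_any else (SERVFAIL, {})
        return NOERROR, {rtype: list(records.get(rtype, []))}

    return query, log
```

With `make_server(allow_any=False)`, a name that has none of the three records costs the denied ANY query plus the three separate queries the description mentions.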

              People

              Assignee:
              Unassigned
              Reporter:
              Tomas Gustavsson