
Issue if CAA lookup failed more than once and there is no DNSSEC chain to the ICANN root

Details

• Type: Improvement
• Status: Closed
• Priority: Minor
• Resolution: Fixed
• Affects Version/s: None
• Fix Version/s: EJBCA 6.9.1
• Component/s: None
• Labels: (none)

Description

If the CAA lookup failed more than once and we can prove that there is no valid DNSSEC chain, we should be allowed to issue.

CAs are permitted to treat a record lookup failure as permission to issue if:
• the failure is outside the CA's infrastructure;
• the lookup has been retried at least once; and
• the domain's zone does not have a DNSSEC validation chain to the ICANN root.

See Baseline Requirements 3.2.2.8:
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.8.pdf
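How the three conditions above combine into a single issuance decision, as an added Python example written for this issue (not EJBCA's own code). The Outcome classification, the ca_identifier value and the simplified handling of a successful lookup (only the CAA "issue" tag is evaluated, no climbing to parent domains) are assumptions made here.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple

class Outcome(Enum):
    OK = "ok"              # authoritative answer received (may contain no CAA records)
    EXTERNAL = "external"  # SERVFAIL / timeout attributable to the domain's DNS, not the CA
    INTERNAL = "internal"  # assumed category: failure inside the CA's own resolver or code

@dataclass
class CaaAttempt:
    outcome: Outcome
    records: List[Tuple[str, str]] = field(default_factory=list)  # (tag, value) pairs

class Decision(Enum):
    ISSUE = "issue"
    REFUSE = "refuse"
    RETRY = "retry"

def caa_decision(attempts: List[CaaAttempt], dnssec_chain_valid: bool,
                 ca_identifier: str = "example-ca.test") -> Tuple[Decision, str]:
    """Decide whether issuance is permitted after one or more CAA lookups.

    attempts: lookups in the order performed (the last one is the latest).
    dnssec_chain_valid: True if the domain's zone validates up to the ICANN root.
    ca_identifier: the CA's own 'issue' domain name (constructed value).
    """
    if not attempts:
        return Decision.RETRY, "no lookup performed yet"
    last = attempts[-1]
    if last.outcome is Outcome.OK:
        # Simplified RFC 6844 evaluation: only the 'issue' tag is checked here.
        issue_values = [v for t, v in last.records if t == "issue"]
        if not issue_values:
            return Decision.ISSUE, "no CAA 'issue' records restrict this domain"
        if ca_identifier in issue_values:
            return Decision.ISSUE, "CAA 'issue' record authorises this CA"
        return Decision.REFUSE, "CAA 'issue' records name another CA"
    # Lookup failed: the BR 3.2.2.8 exception needs all three conditions at once.
    if any(a.outcome is Outcome.INTERNAL for a in attempts):
        return Decision.REFUSE, "failure is inside the CA's infrastructure"
    failures = sum(1 for a in attempts if a.outcome is Outcome.EXTERNAL)
    if failures < 2:
        return Decision.RETRY, "lookup must be retried at least once"
    if dnssec_chain_valid:
        return Decision.REFUSE, "zone has a DNSSEC chain to the root; failure is not excusable"
    return Decision.ISSUE, "repeated external failure and no DNSSEC chain to the root"
```

A zone that is signed all the way to the root cannot use the exception, because a validating resolver turning a tampered answer into SERVFAIL looks exactly like a plain lookup failure.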

People

• Assignee: bastianf (Bastian Fredriksson)
• Reporter: bastianf (Bastian Fredriksson)
• Verified by: Henrik Sunmark
• Votes: 0
• Watchers: 3


Time Tracking

• Estimated: Not Specified
• Remaining: 0 minutes
• Logged: 4 hours