  1. EJBCA
  2. ECA-6144

Introduce global DNS lookup caching in the CAA Validator

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: EJBCA 6.9.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:

      Description

      Current caching for CAA lookups only works for separate requests with multiple SANs (introduced in ECA-6129). We should add a global cache for CAA lookups.

      Each CAA DNS lookup comes with a TTL (time-to-live). In order to avoid our customers being blocked by their resolvers. Certificates must be issued within 8 hours of the lookup or within what is specified in the TTL, whichever is greater.

      DNSJava already has a cache implementation (http://www.xbill.org/dnsjava/doc/org/xbill/DNS/Cache.html); we should start looking there.

            People

            Assignee:
            Unassigned
            Reporter:
            hsunmark Henrik Sunmark
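The validity rule from the description (a CAA result stays usable for 8 hours or its TTL, whichever is greater), applied to a process-wide cache. This is an added sketch, not EJBCA or DNSJava code: the class and method names and the sample records are hypothetical, it uses only the JDK (Java 16+ for `record`), and it does no DNS lookups itself.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

// Hypothetical global CAA result cache, shared by all validator invocations.
public class CaaLookupCache {
    private static final Duration MIN_VALIDITY = Duration.ofHours(8);

    private record Entry(List<String> records, Instant expires) {}

    private final ConcurrentMap<String, Entry> entries = new ConcurrentHashMap<>();

    // DNS names are case-insensitive; drop the trailing root dot as well.
    private static String key(String domain) {
        String d = domain.toLowerCase(Locale.ROOT);
        return d.endsWith(".") ? d.substring(0, d.length() - 1) : d;
    }

    // Store a lookup result. An empty list (no CAA records found) is cached too.
    public void put(String domain, List<String> records, long ttlSeconds, Instant lookupTime) {
        Duration ttl = Duration.ofSeconds(Math.max(0, ttlSeconds));
        Duration validity = ttl.compareTo(MIN_VALIDITY) > 0 ? ttl : MIN_VALIDITY;
        entries.put(key(domain), new Entry(List.copyOf(records), lookupTime.plus(validity)));
    }

    // Cached records, or empty when absent or expired (the caller must query DNS again).
    public Optional<List<String>> get(String domain, Instant now) {
        String k = key(domain);
        Entry e = entries.get(k);
        if (e == null) return Optional.empty();
        if (!now.isBefore(e.expires())) {
            entries.remove(k, e); // remove only the entry inspected, not a fresher one
            return Optional.empty();
        }
        return Optional.of(e.records());
    }

    public static void main(String[] args) {
        CaaLookupCache cache = new CaaLookupCache();
        Instant t0 = Instant.parse("2017-09-08T00:00:00Z"); // constructed sample time
        // Constructed sample data: a 5-minute TTL and a 24-hour TTL.
        cache.put("Example.com.", List.of("0 issue \"ca.example.net\""), 300, t0);
        cache.put("long.example.org", List.of(), 86400, t0);
        // Short TTL: the 8-hour floor applies. Long TTL: the TTL applies.
        System.out.println(cache.get("example.com", t0.plus(Duration.ofHours(7))).isPresent());
        System.out.println(cache.get("example.com", t0.plus(Duration.ofHours(8))).isPresent());
        System.out.println(cache.get("long.example.org", t0.plus(Duration.ofHours(23))).isPresent());
    }
}
```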