
Make "treat lookup failure as permission to issue" configurable for CAA lookups

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.11.0
    • Component/s: None

      Description

      Currently, if an error occurs during a CAA lookup, e.g.

      1. The response is garbage
      2. Timeout
      3. Someone pulls the network cable (I/O error)

      we treat such situations as "permission to issue" if there is no valid DNSSEC on the domain we are querying CAA records for.

      According to the Baseline Requirements, we are allowed to treat the lookup as permission to issue if the error occurs outside the CA's infrastructure.

      However, if the CA runs its own DNS resolver, they may want to disable this option to avoid mis-issuance of certificates if their internal DNS responder becomes unstable. Preferably, this can be an option in the admin GUI.
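      An added example (not EJBCA code) that models the decision described above: a CAA lookup error is treated as permission to issue only when the proposed option is enabled and the queried zone has no valid DNSSEC; record matching for successful lookups is a simplified form of RFC 8659. The data class and function names are assumptions for this illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CaaLookupResult:
    """Outcome of a CAA lookup for one domain (constructed for this example)."""
    error: Optional[str] = None          # e.g. "timeout", "io_error", "garbage"
    dnssec_validated: bool = False       # True if the zone carries valid DNSSEC
    records: list = field(default_factory=list)  # list of (tag, value) tuples


def _ca_names(values):
    """Strip RFC 8659 parameters (';key=value') and whitespace from CAA values."""
    return {v.split(";", 1)[0].strip().lower() for v in values}


def caa_permits_issuance(result, ca_identifier, wildcard=False,
                         treat_failure_as_permission=True):
    """Return True if the CA may issue for the domain.

    Failure branch (the subject of this issue): a lookup error counts as
    permission only if the configurable option is on AND the zone is not
    DNSSEC-signed. A CA running its own resolver would set the option to
    False so that an unstable internal responder cannot cause mis-issuance.
    """
    if result.error is not None:
        return treat_failure_as_permission and not result.dnssec_validated

    # Simplified RFC 8659 matching for successful lookups.
    issue = [v for t, v in result.records if t == "issue"]
    issuewild = [v for t, v in result.records if t == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no applicable CAA property: issuance is not restricted
    # A bare ";" value yields an empty name, which never matches any CA.
    return ca_identifier.lower() in _ca_names(relevant)
```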

            People

            • Assignee:
              realiserad Bastian Fredriksson
              Reporter:
              realiserad Bastian Fredriksson
              Verified by:
              Mike Agrenius Kushner
            • Votes: 1
            • Watchers: 3


                Time Tracking

                • Original Estimate: 4h
                • Time Spent: 3h
                • Remaining Estimate: 1h