Thanks, both. I read the CAB requirements, and I am still unsure of where the boundary falls for “possibly affected certs” versus “definitely affected certs” for this incident, and I can appreciate erring on the side of caution for something as serious as CAA validation. A serious warning to all possibly affected subscribers is definitely in order either way, but since severe downtime will result for many affected subscribers, I would hope that the response is a bit more moderated, e.g. immediate revocation happens only for certs where an included domain’s CAA history has changed and could indicate a compromise of validation integrity.
In my org’s case, no revocation was necessary because none of the relevant domains has ever had CAA records; I’m not sure how your logs could prove this, but if possible, that sort of criterion could be used to limit the revocations to a much smaller set of certificates. Could you describe how you generated the list mentioned above? I see that the list has annotations such as “missing CAA checking results for <domain>”, but it only mentions that for one of the domains in each cert.
Edit: I understand that the above missing results may invalidate the whole cert due to BR 18.104.22.168 point 4 in the first list, just because it’s questionable, e.g. you can’t prove it was valid so it doesn’t matter whether anyone else can prove it wasn’t valid.
My apologies if this is a stupid question, and please know that I very much appreciate your replies so far.