CAA lookup failure

Hello,

We’re implementing a CAA pre-check as part of our application’s pre-order verification process.

Given a CAA verification for www.example.com, assume that www.example.com/CAA fails with SERVFAIL, but example.com returns NOERROR.

From my reading of CAB 1.6.6, it appears that, in this situation, a CA would ignore the SERVFAIL, and apply example.com’s CAA authorization value to www.example.com?

Thank you for your time!

Under the conditions listed, a CA can ignore SERVFAIL. A CA isn’t required to ignore it, though. And Let’s Encrypt doesn’t.

(example.com. uses DNSSEC, so no CA can ignore SERVFAIL for it.)
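A pre-check covering the case discussed in this thread, as an added example that is not code from either poster or from any CA. The names `caa_precheck` and `sample_lookup`, the issuer `ca.example`, and the lenient mode's "skip the failed label and climb" behaviour (the question's reading) are assumptions; only non-wildcard `issue` handling is shown.

```python
from typing import Callable, List, Tuple

# A lookup returns (rcode, records); each record is a (tag, value) pair.
Lookup = Callable[[str], Tuple[str, List[Tuple[str, str]]]]

def caa_precheck(name: str, issuer: str, lookup: Lookup,
                 ignore_servfail: bool = False,
                 dnssec_signed: bool = False) -> str:
    """Return 'allowed', 'denied' or 'lookup-failed' for a non-wildcard name."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):  # www.example.com -> example.com -> com
        rcode, records = lookup(".".join(labels[i:]))
        if rcode not in ("NOERROR", "NXDOMAIN"):  # SERVFAIL, REFUSED, ...
            # Fail closed by default, and always for a DNSSEC-signed zone.
            if dnssec_signed or not ignore_servfail:
                return "lookup-failed"
            continue  # assumption: lenient mode skips the label and climbs
        if not records:
            continue  # no CAA RRset at this label: try the parent
        # The first non-empty RRset is the relevant one; stop climbing here.
        issue = [v.split(";")[0].strip().lower()
                 for t, v in records if t.lower() == "issue"]
        if not issue:
            return "allowed"  # e.g. only iodef: issuance is not restricted
        return "allowed" if issuer.lower() in issue else "denied"
    return "allowed"  # no CAA records anywhere up the tree

# Constructed sample data reproducing the situation in the question.
SAMPLE = {
    "www.example.com": ("SERVFAIL", []),
    "example.com": ("NOERROR", [("issue", "ca.example")]),
}

def sample_lookup(fqdn: str) -> Tuple[str, List[Tuple[str, str]]]:
    return SAMPLE.get(fqdn, ("NOERROR", []))

if __name__ == "__main__":
    for lenient in (False, True):
        result = caa_precheck("www.example.com", "ca.example",
                              sample_lookup, ignore_servfail=lenient)
        print(f"ignore_servfail={lenient}: {result}")
```

Leaving `ignore_servfail` at its default makes the pre-check agree with a CA that does not ignore SERVFAIL, so an order that passes the pre-check is not rejected later for that reason.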