CAA lookup failure


We’re implementing a CAA pre-check as part of our application’s pre-order verification process.

Given a CAA verification for Assume that fails SERVFAIL, but returns NOERROR.

From my reading of CAB 1.6.6, it appears that, in this situation, a CA would ignore the SERVFAIL, and apply’s CAA authorization value to

Thank you for your time!

Under the conditions listed, a CA can ignore SERVFAIL. A CA isn’t required to ignore it, though. And Let’s Encrypt doesn’t.

( uses DNSSEC, so no CA can ignore SERVFAIL for it.)

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.