CAA lookup failure

FGasper · September 13, 2019, 7:26pm

Hello,

We’re implementing a CAA pre-check as part of our application’s pre-order verification process.

Given a CAA verification for www.example.com. Assume that www.example.com/CAA fails SERVFAIL, but example.com returns NOERROR.

From my reading of CAB 1.6.6, it appears that, in this situation, a CA would ignore the SERVFAIL, and apply example.com’s CAA authorization value to www.example.com?

Thank you for your time!

mnordhoff · September 13, 2019, 7:53pm

Under the conditions listed, a CA can ignore SERVFAIL. A CA isn’t required to ignore it, though. And Let’s Encrypt doesn’t.

(example.com. uses DNSSEC, so no CA can ignore SERVFAIL for it.)