On Tue, Mar 07, 2017 at 03:46:00AM +0000, Salz, Rich wrote:

> > Specifically, in 10.3 use of DNSSEC is a RECOMMENDATION, not a
> > requirement:
> >
> > https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-10.3
> >
> > I would have expected a requirement here.
>
> The WG consensus has been for recommendation.

I've had complete disinterest in CAA which initially was accepted by CA/B forum as a "recommendation", which meant that the constraint was meaningless. Rumour has it that CAA will soon be a requirement, so I've now published CAA records.

The CAA check is/was easy to make and crippling it by not making it a requirement was IMNSHO a mistake. Similarly, using a DNSSEC-capable resolver is by no means rocket science, much of the world is doing just that via Google's, Verisign's, ... open resolvers. Leaving the CAs wiggle-room to avoid what should be standard practice by now makes no sense.

I urge the WG to reconsider.

--
Viktor.