Hi, inspired by the ballot paragraph [1], I set up a domain that is fully DNSSEC signed [2], but does not reply to CAA queries (timeout).
I could obtain certificates for this domain from Buypass and Startcom [3]. Other CAs (RapidSSL, GeoTrust, LetsEncrypt) have refused to issue, and GoDaddy and Certum have been stuck in "Pending" for days and will likely not issue. Per my interpretation, and per the discussion in the other CAA/DNSSSEC thread, I believe those should not have been issued. I have reported this to the issuing CAs. What do you think? Kind regards Quirin [1] CAs are permitted to treat a record lookup failure as permission to issue if: the failure is outside the CA’s infrastructure; the lookup has been retried at least once; and the domain’s zone does not have a DNSSEC validation chain to the ICANN root. [2] https://dnssec-debugger.verisignlabs.com/crossbear.org [3] https://crt.sh/?q=crossbear.org _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy