SSLMate / caatestsuite

Test suite which checks compliance with CAA checking as defined in version 1.4.8 of the CABF Baseline Requirements
https://caatestsuite.com
Apache License 2.0

big.basic.caatestsuite.com #2

Closed (kumarde closed this issue 5 years ago)

kumarde commented 6 years ago

How big of a CAA record are CAs supposed to be able to handle? big.basic.caatestsuite.com is much bigger than 512 bytes, which is the maximum for DNS records over UDP.

dig big.basic.caatestsuite.com. type257
;; Truncated, retrying in TCP mode.
;; Connection to 192.168.0.1#53(192.168.0.1) for big.basic.caatestsuite.com. failed: connection refused.
;; Connection to 127.0.0.1#53(127.0.0.1) for big.basic.caatestsuite.com. failed: connection refused.
AGWA commented 6 years ago

This would be best asked on public@cabforum.org, but my interpretation is that since neither RFC 6844 nor the BRs define a maximum record set size, CAs should be prepared to handle record sets that fit within the maximum DNS message size (65535 bytes). If they can't, then it would be a lookup failure occurring within the CA's infrastructure and they must not issue.
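The lookup behaviour discussed in this thread (UDP reply truncated, retry over TCP, treat a failure in the CA's own resolver path as "do not issue"), as an added example that is not part of the caatestsuite project: a minimal CAA query builder and reply parser, with `build_caa_reply` constructing the server side so the whole thing runs offline. The transport callables, the fixed 40-record set and the simplification that any non-zero RCODE counts as a failure are assumptions of this example.

```python
import struct

CAA = 257  # RR type for CAA (RFC 6844); a DNS message is at most 65535 bytes over TCP

def build_caa_query(name, qid=0x2A2A):
    """Standard query with RD set: one question, <name> IN CAA."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", CAA, 1)

def build_caa_reply(query, records, tc=False):
    """Constructed reply echoing the question, then one CAA RR per (flags, tag, value) with a
    compression-pointer owner. tc=True sets TC and drops the answers, as UDP servers do."""
    flags = 0x8180 | (0x0200 if tc else 0)  # QR, RD, RA, optionally TC
    answers = b"" if tc else b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", CAA, 1, 3600, 2 + len(t) + len(v))
        + bytes([f, len(t)]) + t.encode() + v.encode() for f, t, v in records)
    header = query[:2] + struct.pack(">HHHHH", flags, 1, 0 if tc else len(records), 0, 0)
    return header + query[12:] + answers

def _skip_name(msg, off):  # advance past a domain name, which may end in a compression pointer
    while msg[off] and not msg[off] & 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 else 1)

def parse_caa_reply(msg):
    """Return (tc_bit, rcode, [(flags, tag, value), ...]) for a DNS message."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == CAA:  # RDATA: flags(1) taglen(1) tag value
            tag_end = 2 + rdata[1]
            records.append((rdata[0], rdata[2:tag_end].decode(), rdata[tag_end:].decode()))
    return bool(flags & 0x0200), flags & 0xF, records

def lookup_caa(name, send_udp, send_tcp):
    """CA-side lookup: UDP first, TCP when truncated. A failure in the CA's own path
    (transport error or, simplified here, any non-zero RCODE) yields None: do not issue."""
    query = build_caa_query(name)
    try:
        tc, rcode, records = parse_caa_reply(send_udp(query))
        if tc:  # record set did not fit in UDP: the TCP path must take up to 65535 bytes
            tc, rcode, records = parse_caa_reply(send_tcp(query))
        return records if rcode == 0 else None
    except Exception:
        return None
```

With a 40-record constructed set (well over 512 bytes) the UDP reply comes back truncated and the TCP reply yields all 40 records; swapping in a TCP transport that raises, like the "connection refused" in the dig output above, makes `lookup_caa` return None.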