Closed kumarde closed 5 years ago
This would be best asked on public@cabforum.org, but my interpretation is that since neither RFC 6844 nor the BRs define a maximum record set size, then CAs should be prepared to handle record sets that fit within the maximum DNS message size (65535 bytes). If they can't, then it would be a lookup failure occurring within the CA's infrastructure and they must not issue.
How big of a CAA record are CAs supposed to be able to handle?

big.basic.caatestsuite.com is much bigger than 512 bytes, which is the max for DNS records over UDP.
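To make the two size limits in this thread concrete, here is an added example (not code from this issue, from caatestsuite, or from any CA) that models the CA side of a CAA lookup. It builds a CAA RRset in DNS wire format, shows that it exceeds the 512-byte UDP limit so a server without EDNS(0) must answer with the TC bit set, and then applies the interpretation from the reply: a CA that cannot retrieve the whole RRset (no TCP retry, or an RRset larger than a 65535-byte DNS message) has a lookup failure and must not issue. The zone name `big.example` and the record contents are constructed for the example and are not the real contents of big.basic.caatestsuite.com; the resolver model is simplified (no name compression, no EDNS(0) buffer negotiation, a truncated reply drops the whole answer section).

```python
import struct

CAA_TYPE = 257            # RR type code for CAA (RFC 6844)
IN_CLASS = 1
UDP_MAX_NO_EDNS = 512     # classic UDP payload limit without EDNS(0) (RFC 1035)
DNS_MAX_MESSAGE = 65535   # largest DNS message: the TCP length prefix is 16 bits
TC_BIT = 0x0200           # TrunCation flag in the DNS header flags word

# Constructed sample zone data; not the contents of any real CAA test zone.
OWNER = "big.example"
SAMPLE_RRSET = [(0, "issue", f"ca-{i:02d}.example") for i in range(40)]  # 1749-byte reply
SMALL_RRSET = SAMPLE_RRSET[:3]                                            # 158-byte reply


def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def skip_name(message, pos):
    """Return the offset just past an uncompressed name starting at pos."""
    while message[pos] != 0:
        pos += 1 + message[pos]
    return pos + 1


def encode_caa_rdata(flags, tag, value):
    """CAA RDATA: flags octet, tag length octet, tag, then the value."""
    tag_b = tag.encode("ascii")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("ascii")


def build_caa_response(owner, records, qid=0x1234):
    """Authoritative response (QR=1, AA=1): header, one question, one RR per record."""
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, len(records), 0, 0)
    question = encode_name(owner) + struct.pack("!HH", CAA_TYPE, IN_CLASS)
    answers = b""
    for flags, tag, value in records:
        rdata = encode_caa_rdata(flags, tag, value)
        answers += encode_name(owner) + struct.pack("!HHIH", CAA_TYPE, IN_CLASS, 3600, len(rdata)) + rdata
    return header + question + answers


def tc_truncate(message):
    """Reply a server sends when the full message does not fit: header with TC set,
    the question echoed back, and no answer RRs (a simplification of real servers,
    which keep as many whole RRs as fit)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    end_of_question = skip_name(message, 12) + 4
    return struct.pack("!HHHHHH", qid, flags | TC_BIT, 1, 0, 0, 0) + message[12:end_of_question]


def udp_deliver(message, payload_limit=UDP_MAX_NO_EDNS):
    """Model delivery over UDP: the whole message if it fits, else a TC reply."""
    return message if len(message) <= payload_limit else tc_truncate(message)


def is_truncated(message):
    return bool(struct.unpack("!H", message[2:4])[0] & TC_BIT)


def parse_caa_answers(message):
    """Parse CAA RRs out of the answer section of an uncompressed response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", message[:12])
    pos = skip_name(message, 12) + 4
    records = []
    for _ in range(an):
        pos = skip_name(message, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", message[pos:pos + 10])
        pos += 10
        rdata = message[pos:pos + rdlen]
        pos += rdlen
        if rtype == CAA_TYPE:
            taglen = rdata[1]
            records.append((rdata[0], rdata[2:2 + taglen].decode("ascii"), rdata[2 + taglen:].decode("ascii")))
    return records


def ca_caa_lookup(authoritative_rrset, owner, tcp_fallback=True):
    """CA-side outcome: ("ok", records) or ("lookup_failure", reason).
    Following the interpretation in the thread, any failure to obtain the full
    RRset is a lookup failure inside the CA's infrastructure: do not issue."""
    full = build_caa_response(owner, authoritative_rrset)
    if len(full) > DNS_MAX_MESSAGE:
        return ("lookup_failure", "RRset does not fit in a 65535-byte DNS message")
    reply = udp_deliver(full)
    if is_truncated(reply):
        if not tcp_fallback:
            return ("lookup_failure", "truncated UDP reply and no TCP retry")
        reply = full  # TCP carries up to 65535 bytes, so the whole message arrives
    return ("ok", parse_caa_answers(reply))


if __name__ == "__main__":
    print("wire size of sample RRset:", len(build_caa_response(OWNER, SAMPLE_RRSET)), "bytes")
    print("UDP-only CA:", ca_caa_lookup(SAMPLE_RRSET, OWNER, tcp_fallback=False)[0])
    print("CA with TCP retry:", ca_caa_lookup(SAMPLE_RRSET, OWNER)[0])
```

Run as a script, the sample zone answers as 1749 bytes on the wire, so a CA resolver that only speaks UDP without EDNS(0) sees a TC reply and reports a lookup failure, while one that retries over TCP obtains all 40 records. Real resolvers advertise an EDNS(0) buffer size, but the same logic applies whenever the RRset exceeds whatever the UDP path can carry: the TC retry over TCP is what lets the CA see the complete record set, and only the 65535-byte message ceiling is a hard stop.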