cabforum / servercert

Repository for the CA/Browser Forum Server Certificate Chartered Working Group
https://cabforum.org/working-groups/scwg/

Require DNSSEC validation for CAA records when the domain is DNSSEC enabled #352

Open CBonnell opened 2 years ago

CBonnell commented 2 years ago

Consider removing exceptions for DNSSEC failures on CAA lookup, and fail-closed instead.

CBonnell commented 2 years ago

This was discussed on the 2022-07-28 call.

There was a lack of interest in prioritizing this item.

CBonnell commented 12 months ago

This was discussed again on the 2023-10-19 call. There was rough consensus that we should keep this in the backlog, as there may be some security value in requiring this. However, the MPIC/MPDV work may lessen any additional benefit derived from mandating DNSSEC verification.