cabforum / servercert

Repository for the CA/Browser Forum Server Certificate Chartered Working Group
https://cabforum.org/working-groups/scwg/

Consider reversing "whichever is greater" CAA language #474

Open clintwilson opened 5 months ago

clintwilson commented 5 months ago

In TBRs Section 3.2.2.8, it states in part:

If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.

This seems counter to the intent of the TTL value which already sets the maximum time for which a given resource record can be relied upon. The CA/B Forum should not override that, by allowing CAs to cache CAA records for longer than the TTL presented in DNS. Rather, it makes substantially more sense (and fits perfectly within the DNS specification) for the CA/B Forum to set a maximum allowed caching period, e.g.

If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is less.

I believe this is supported in RFC 2181:

Implementations are always free to place an upper bound on any TTL received, and treat any larger values as if they were that upper bound. The TTL specifies a maximum time to live, not a mandatory time to live.

It may also be worth further expanding upon the interaction of multiple different TTLs encountered in the retrieval of a CAA record. For example:

If the CA issues, they MUST do so within whichever period of time is lower between:

  1. the TTL of the CAA record and the TTL(s) of all records used to resolve the CAA record; or
  2. 8 hours.
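
The three wordings discussed above (the current "whichever is greater" text, the proposed "whichever is less" text, and the extended version that also honours the TTLs of every record consulted while resolving the CAA record) differ only in how the reliance window is computed. The following Python is an added illustration, not part of this issue thread and not CA/B Forum or any CA's code; the `Record` type, the resolution chain and the TTL values are constructed for the example.

```python
"""Reliance windows for a CAA lookup under three candidate BR wordings.

Added example: models the current text ("TTL or 8 hours, whichever is
greater"), the proposed text ("whichever is less"), and the extended
proposal that takes the lowest TTL across the whole resolution chain.
"""
from dataclasses import dataclass

EIGHT_HOURS = 8 * 60 * 60  # the fixed bound in the Baseline Requirements, in seconds


@dataclass(frozen=True)
class Record:
    """A single DNS resource record as seen by the CA's resolver (hypothetical type)."""
    name: str
    rtype: str
    ttl: int  # seconds remaining, as returned by the resolver


def _check_ttl(record: Record) -> None:
    # A negative TTL is malformed; refuse rather than silently treat it as zero.
    if record.ttl < 0:
        raise ValueError(f"negative TTL on {record.rtype} {record.name}")


def reliance_window_current(caa: Record) -> int:
    """Current BR text: TTL of the CAA record or 8 hours, whichever is greater.

    A short TTL set by the domain owner is overridden by the 8 hour floor.
    """
    _check_ttl(caa)
    return max(caa.ttl, EIGHT_HOURS)


def reliance_window_proposed(caa: Record) -> int:
    """Proposed text: TTL of the CAA record or 8 hours, whichever is less.

    8 hours becomes an upper bound on caching, which RFC 2181 permits,
    while a shorter TTL chosen by the domain owner is respected.
    """
    _check_ttl(caa)
    return min(caa.ttl, EIGHT_HOURS)


def reliance_window_chain(chain: list[Record]) -> int:
    """Extended proposal: lowest TTL of every record used to resolve the CAA
    record (delegations, CNAMEs, the CAA record itself), capped at 8 hours."""
    if not chain:
        raise ValueError("resolution chain must contain at least one record")
    for record in chain:
        _check_ttl(record)
    return min(min(r.ttl for r in chain), EIGHT_HOURS)


def issuance_permitted(checked_at: int, issue_at: int, window: int) -> bool:
    """True if issuing at `issue_at` is still covered by a CAA check done at
    `checked_at` (both in seconds) under a reliance window of `window` seconds."""
    if issue_at < checked_at:
        raise ValueError("issuance cannot precede the CAA check")
    return issue_at - checked_at <= window


# Constructed resolution chain: a delegation with a long TTL, a CNAME with a
# short TTL, and the CAA record itself. Values are illustrative only.
CHAIN = [
    Record("example.test.", "NS", 3600),
    Record("www.example.test.", "CNAME", 120),
    Record("example.test.", "CAA", 600),
]
CAA = CHAIN[-1]

if __name__ == "__main__":
    # With a 600 s CAA TTL the three rules give 28800 s, 600 s and 120 s.
    print("current  :", reliance_window_current(CAA))
    print("proposed :", reliance_window_proposed(CAA))
    print("chain    :", reliance_window_chain(CHAIN))
    # Issuing 500 s after the check is fine under the proposed rule but not
    # under the chain rule, because the CNAME in the path expired at 120 s.
    print(issuance_permitted(0, 500, reliance_window_proposed(CAA)))
    print(issuance_permitted(0, 500, reliance_window_chain(CHAIN)))
```

The chain variant is the only one that notices the 120 second CNAME in the path; under the current wording the owner's 600 second CAA TTL has no effect at all because the 8 hour floor dominates.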

hablutzel1 commented 5 months ago

As additional rationale for the proposal of this issue, the domain owner might want to signal the maximum time to live for his CAA information, e.g. if for whatever reason they change the CAA records frequently. Respecting the DNS TTL as the maximum provides them a way to do that.

Now, maybe the same interpretation might be useful to consider in other cases such as DCV, to allow the domain owners to limit the period during which CAs can reuse validations for their domains, e.g. if they don’t feel comfortable with allowing those validations to be reused for up to 398 days.

Now, considering that RFC 1035, “3.2.1. Format” (apparently) uses the “cache” word in the general sense instead of just referring to “resolver cache”:

TTL a 32 bit signed integer that specifies the time interval that the resource record may be cached before the source of the information should again be consulted.

It seems appropriate to always honor the DNS TTL as the maximum allowed for relying on the information conveyed by DNS records.

orangepizza commented 4 months ago

As DNS TTL can be in the seconds range, wouldn't that force the signer to check CAA and make a hole in the airgap?