cabforum / smime

Repository for the S/MIME Certificate Working Group

Use of Authoritative DNS #233

Open srdavidson opened 9 months ago

srdavidson commented 9 months ago

Noting the ballot language under debate at TLS Validation WG. If accepted, it should be replicated in the S/MIME BR, probably in section 3.2.

All DNS queries conducted in the course of validation MUST be made from the CA to authoritative nameservers, i.e. without the use of recursive resolvers operated outside the CA's audit scope.

srdavidson commented 7 months ago

We may need to make an update to the SBR. We reference section 3.2.2.4 of the TLS BR. While the TLS ballot applies to 3.2.2.4, the relevant text was added to 3.2.2.2.

See https://cabforum.org/2024/02/23/ballot-sc-70-clarify-the-use-of-dtps-for-domain-control-validation/ and https://github.com/cabforum/servercert/commit/0997cf99ffed91b62031250dfc444075237c35eb

srdavidson commented 9 hours ago

This ballot had an IPR issue, which was resolved. However, it will apparently be re-balloted in the ServerCert WG, so we'll monitor.