Hello everyone, I am submitting this inquiry regarding CAA record checking under CA/B Forum Baseline Requirements, in a scenario involving a CNAME alias and DNSSEC-related SERVFAIL.
The domain a.example.com has a CNAME record pointing to 67c520ec0d.uniwaf.com. a.example.com has no CAA records configured. a.example.com does not enable DNSSEC. When checking the CNAME target domain 67c520ec0d.uniwaf.com via DNSViz at https://dnsviz.net/d/67c520ec0d.uniwaf.com/dnssec/, the result returns SERVFAIL due to DNSSEC validation failure. However, a direct dig query for CAA records on a.example.com returns NOERROR with no CAA records.

My question is: is the "no CAA records" result for a.example.com a valid basis to proceed with certificate issuance, even though the CNAME target domain returns SERVFAIL?

Thanks!
Awei
