Hi Awei,

My take: the CA has proof of the absence of a DNSSEC trust chain for a.example.com. In the absence of a trust chain back to the IANA DNSSEC root, the permission to issue on CAA lookup failure clause can be invoked so long as the other criteria are met. That failure mode can involve servfail.
Also, dig returning NOERROR depends a lot on which recursive dig is pointed to. dig does not implement its own recursive (+trace is a poor man's recursive with some cheating). If the recursive did not validate DNSSEC, that could explain the NOERROR response. unbound-host ( https://linux.die.net/man/1/unbound-host ) implements a full recursive algorithm, or you can just control the config of the recursive used by dig.

Best,
Henry

On Tue, Mar 17, 2026 at 8:58 AM Awel Dia <[email protected]> wrote:
> Hello everyone,
>
> I am submitting this inquiry regarding CAA record checking under CA/B
> Forum Baseline Requirements, in a scenario involving a CNAME alias and
> DNSSEC-related SERVFAIL.
>
> The domain a.example.com has a CNAME record pointing to
> 67c520ec0d.uniwaf.com. a.example.com has no CAA records
> configured. a.example.com does not enable DNSSEC.
>
> When checking the CNAME target domain 67c520ec0d.uniwaf.com via DNSViz at
> https://dnsviz.net/d/67c520ec0d.uniwaf.com/dnssec/, the result returns
> SERVFAIL due to DNSSEC validation failure.
> However, a direct dig query for CAA records on a.example.com returns
> NOERROR with no CAA records.
>
> My question is: is a "no CAA records" result for a.example.com a valid basis
> to proceed with certificate issuance, even though the CNAME target domain
> returns SERVFAIL?
>
> Thanks!
> Awei
>
> --
> You received this message because you are subscribed to the Google Groups
> "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/27a075ce-03de-4cf2-a8f4-0f9d34f53c69n%40mozilla.org
> .

To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAGxVKU6zX8KxStCDgz37DPm4R3gnPHSsVYEj45suC7m1O-YReQ%40mail.gmail.com.
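The reasoning in the thread, modelled as a toy Python CAA check: a validating resolver follows the CNAME, the SERVFAIL on the alias target makes the whole CAA lookup fail, and the Baseline Requirements lookup-failure clause then applies only if the lookup was retried and the name has no DNSSEC chain to the root. This is an added example, not code from either poster or from any CA; the `ZONES` and `DNSSEC_SIGNED` tables are constructed data, and record parsing is simplified (only `issue` tags, no `issuewild` or critical-flag handling).

```python
"""Toy CAA check: RFC 8659 tree climbing plus the BR 3.2.2.8 lookup-failure rule."""

SERVFAIL = "SERVFAIL"  # stands for a name whose answer fails DNSSEC validation

# Constructed zone snapshot mirroring the thread: a.example.com is an alias
# for a name under uniwaf.com whose DNSSEC validation fails at the resolver.
ZONES = {
    "a.example.com": {"CNAME": "67c520ec0d.uniwaf.com"},
    "67c520ec0d.uniwaf.com": SERVFAIL,
    "c.example.com": {"CNAME": "67c520ec0d.uniwaf.com"},
    "example.com": {"CAA": ['0 issue "letsencrypt.org"']},
}

# Constructed: does the queried name's zone have a DNSSEC chain to the root?
DNSSEC_SIGNED = {"a.example.com": False, "c.example.com": True}


class LookupFailure(Exception):
    """The resolver could not return a CAA answer (e.g. SERVFAIL)."""


def caa(name, depth=0):
    """CAA(X): follow CNAMEs as a resolver would; a SERVFAIL anywhere in the
    alias chain fails the whole lookup instead of looking like 'no records'."""
    rr = ZONES.get(name, {})
    if rr == SERVFAIL:
        raise LookupFailure(name)
    if "CNAME" in rr:
        if depth > 8:
            raise LookupFailure(f"CNAME chain too long at {name}")
        return caa(rr["CNAME"], depth + 1)
    return rr.get("CAA", [])


def relevant_caa(name):
    """R(X) per RFC 8659 section 3: climb towards the TLD until a set is found."""
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = caa(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def may_issue(name, ca_id, retried=True):
    """True if CAA permits ca_id to issue for name under this toy policy."""
    try:
        rrset = relevant_caa(name)
    except LookupFailure:
        # BR 3.2.2.8: a lookup failure is permission only if it was retried
        # and the zone has no DNSSEC validation chain to the ICANN root.
        return retried and not DNSSEC_SIGNED.get(name, False)
    issuers = [r.split()[2].strip('"') for r in rrset if r.split()[1] == "issue"]
    return not issuers or ca_id in issuers
```

With the constructed data, `a.example.com` (unsigned, alias target SERVFAILs) falls under the failure clause, `c.example.com` (signed) does not, and `b.example.com` inherits the parent's `issue` record by tree climbing.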
