Hi Henry! Thank you very much for sharing.

First, I would like to share the dig commands I used and the corresponding results. I used 8.8.8.8 as the recursive resolver.

[image: 513aec30-9f4e-410c-8cbc-099f4faf5aa1.png]

Secondly, I personally agree with your point of view. Thank you again for your sharing.

Awei

Thanks!

On Wednesday, March 18, 2026 at 11:09:17 AM UTC+8 Henry Birge-Lee wrote:
> Hi Awei,
>
> My take: the CA has proof of the absence of a DNSSEC trust chain for
> a.example.com. In the absence of a trust chain back to the IANA DNSSEC
> root, the permission to issue on CAA lookup failure clause can be invoked
> so long as the other criteria are met. That failure mode can involve
> servfail.
>
> Also, dig returning NOERROR depends a lot on which recursive dig is
> pointed to. dig does not implement its own recursive (+trace is a poor
> man's recursive with some cheating). If the recursive did not validate
> DNSSEC, that could explain the NOERROR response.
>
> unbound-host (https://linux.die.net/man/1/unbound-host) implements a
> full recursive algorithm, or you can just control the config of the
> recursive used by dig.
>
> Best,
> Henry
>
> On Tue, Mar 17, 2026 at 8:58 AM Awel Dia <[email protected]> wrote:
>
>> Hello everyone,
>>
>> I am submitting this inquiry regarding CAA record checking under CA/B
>> Forum Baseline Requirements, in a scenario involving a CNAME alias and
>> DNSSEC-related SERVFAIL.
>>
>> The domain a.example.com has a CNAME record pointing to
>> 67c520ec0d.uniwaf.com. a.example.com has no CAA records configured.
>> a.example.com does not enable DNSSEC.
>>
>> When checking the CNAME target domain 67c520ec0d.uniwaf.com via DNSViz
>> at https://dnsviz.net/d/67c520ec0d.uniwaf.com/dnssec/, the result
>> returns SERVFAIL due to DNSSEC validation failure.
>> However, a direct dig query for CAA records on a.example.com returns
>> NOERROR with no CAA records.
>>
>> My question is: can the "no CAA records" result for a.example.com be used
>> as a valid basis to proceed with certificate issuance, even though the
>> CNAME target domain returns SERVFAIL?
>>
>> Thanks!
>> Awei
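A small check for the point Henry raises about which recursive dig is pointed to, added here as an example and not taken from the thread: it parses a dig CAA response and separates a DNSSEC-validated "no CAA records" (AD bit set) from an unvalidated one and from SERVFAIL. The function names, the abridged sample outputs and the 8.8.8.8 default are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: classify a dig CAA response by its
# rcode and AD (authenticated data) flag, so that NOERROR from a resolver that
# did not validate DNSSEC is not mistaken for a validated "no CAA records".
# Assumes BIND 9 dig output ("status: NOERROR" header, ";; flags: qr rd ra ad;").

classify_caa_response() {
    # $1: full dig output. Prints one of:
    #   servfail          resolver failed (e.g. DNSSEC validation failure)
    #   caa-present       NOERROR with CAA records in the answer section
    #   nocaa-validated   NOERROR, AD set: absence of CAA is DNSSEC-validated
    #   nocaa-unvalidated NOERROR, AD clear: absence not proven by this resolver
    #   other             anything else (NXDOMAIN, timeout, unparseable)
    out=$1
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo servfail; return 0 ;;
        NOERROR) ;;
        *) echo other; return 0 ;;
    esac
    # Answer-section lines start with the owner name, not ';', e.g.
    #   a.example.com. 300 IN CAA 0 issue "ca.example"
    if printf '%s\n' "$out" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+CAA[[:space:]]'; then
        echo caa-present; return 0
    fi
    case " $flags " in
        *" ad "*) echo nocaa-validated ;;
        *)        echo nocaa-unvalidated ;;
    esac
}

# Live wrapper: $1 = name, $2 = resolver (defaults to 8.8.8.8 as in the thread).
# +dnssec asks for validation-aware answers; the AD bit is only meaningful if
# you trust the resolver and the path to it.
check_caa() {
    classify_caa_response "$(dig +dnssec @"${2:-8.8.8.8}" "$1" CAA)"
}

# Constructed, abridged dig outputs for the three interesting cases (not real captures).
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; ANSWER SECTION:
a.example.com.  300 IN CNAME 67c520ec0d.uniwaf.com.'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1'
```

With a trust anchor configured (-f or -C), `unbound-host -v -t CAA <name>` performs its own validated recursion and labels each answer secure, insecure or bogus, which is the cross-check Henry suggests.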
