RFC Errata

Errata Search

Source of RFC  
Summary Table Full Records

RFC 6844, "DNS Certification Authority Authorization (CAA) Resource Record", January 2013

Note: This RFC has been obsoleted by RFC 8659

Source of RFC: pkix (sec)

Errata ID: 4922
Status: Rejected
Type: Technical
Publication Format(s) : TEXT

Reported By: Attila Bruncsák
Date Reported: 2017-02-03
Rejected by: Stephen Farrell
Date Rejected: 2017-02-03

Section 4 says:

The search for a CAA record climbs the DNS name tree from the
   specified label up to but not including the DNS root '.'.

It should say:

The search for a CAA record must not climb the DNS name tree from the
   specified label up.


Obviously it does not make any sense to climb up. If there would be CAA record published for the "com" TLD, than it would make what relation to the CAA of the "example.com" domain? From an other viewpoint: all CAs are going to check the "com" TLD for CAA record if a given organization has no CAA record published in its own domain?
Another, more practical example: "example.com" needs a certificate for his top domain (https://example.com/), so it decides to publish the CAA record to enforce the security. Doing this it may unknowingly affect the renewal of the certificate for the wellhidden.hr.example.com where the hr.example.com domain is under different administrative authority than example.com domain itself.
This would be a change and hence is not an erratum

Report New Errata

Advanced Search