The Baseline Requirements section 3.2.2.8. (v1.4.8+) states that:
CAs are permitted to treat a record lookup failure as permission to issue if:
- the failure is outside the CA's infrastructure
- the lookup has been retried at least once; and
- the domain's zone does not have a DNSSEC validation chain to the ICANN root.
It'll be great to have the last point checked by some tests. As I understand it a CA may issue if i.e. a DS record is not set or alike that'll break the chain to the ICANN root no matter if a CAA-RR was used or not.
The Baseline Requirements section 3.2.2.8. (v1.4.8+) states that:
It'll be great to have the last point checked by some tests. As I understand it a CA may issue if i.e. a DS record is not set or alike that'll break the chain to the ICANN root no matter if a CAA-RR was used or not.