RFC Errata
RFC 6844, "DNS Certification Authority Authorization (CAA) Resource Record", January 2013
Note: This RFC has been obsoleted by RFC 8659
Source of RFC: pkix (sec)
Errata ID: 5244
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT
Reported By: Corey Bonnell
Date Reported: 2018-01-26
Held for Document Update by: EKR
Date Held: 2018-11-30
Section 5.2 says:
CAA authorizations are additive; thus, the result of specifying both the empty issuer and a specified issuer is the same as specifying just the specified issuer alone.
It should say:
CAA authorizations are additive; thus, the result of specifying both the empty issuer and a specified issuer is the same as specifying just the specified issuer alone. A non-empty CAA record set that does not contain an issue property tag is authorization to any certificate issuer to issue for the corresponding domain, provided that no records in the CAA record set otherwise prohibit issuance.
Notes:
The current wording in the RFC does not clearly state how non-empty CAA record sets which do not contain any "issue" property tags should be handled in terms of whether or not such record sets authorize issuance. The additional wording clarifies the correct handling of this case.
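The following is an added example, not part of RFC 6844 or of this erratum, showing how a CA-side check would apply Section 5.2 together with the clarification proposed above: an empty record set and a non-empty set with no applicable "issue" property both leave issuance unrestricted, an "issue" record with an empty issuer denies everyone but is additive with named issuers, and an unrecognized property with the critical flag set prohibits issuance. The `CAARecord` type, `may_issue` function and sample record sets are constructed for illustration; the walk up the DNS tree to find the relevant record set (Section 4) is assumed to have already been done. The example also handles wildcard requests via "issuewild" (Section 5.3), which the erratum itself does not discuss.

```python
"""Evaluate whether a CA may issue for a domain under RFC 6844 Section 5.2,
applying the erratum's reading of non-empty record sets without an "issue" tag.
Example code added to illustrate the erratum; not the RFC's own text."""
from dataclasses import dataclass

# Property tags defined by RFC 6844; anything else is "unknown" to this checker.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL_FLAG = 128  # issuer critical flag: most significant bit of the flags octet


@dataclass(frozen=True)
class CAARecord:          # hypothetical type; a real CA would parse RDATA from DNS
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL_FLAG)


def issuer_domain(value: str) -> str:
    """Return the issuer-domain-name from an issue/issuewild value.
    Value syntax is '<issuer-domain>[; param=val ...]'; an empty issuer
    domain (e.g. the value ";") authorizes no CA at all."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(records, ca_domain, wildcard=False):
    """Return (allowed, reason) for a CA identified by ca_domain."""
    ca = ca_domain.lower()
    # RFC 6844 Section 3: an unknown property with the critical flag set
    # means the CA MUST NOT issue, whatever the other records say.
    for r in records:
        if r.critical and r.tag.lower() not in KNOWN_TAGS:
            return False, f"unrecognized critical property '{r.tag}'"
    # Empty record set: no CAA policy, any CA may issue.
    if not records:
        return True, "empty CAA record set"
    issue = [r for r in records if r.tag.lower() == "issue"]
    issuewild = [r for r in records if r.tag.lower() == "issuewild"]
    # Section 5.3: for wildcard requests issuewild takes precedence when present;
    # otherwise the issue records apply.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        # Erratum: a non-empty set with no applicable issue property authorizes
        # any issuer, since nothing above prohibited issuance.
        return True, "no applicable issue property; issuance unrestricted"
    # Authorizations are additive: collect every named issuer; the empty
    # issuer contributes nothing, so "issue \";\"" alone denies everyone.
    authorized = {issuer_domain(r.value) for r in relevant}
    authorized.discard("")
    if ca in authorized:
        return True, f"authorized by {relevant[0].tag} record"
    return False, "CA not listed in any applicable issue record"


# Constructed sample record sets (not real DNS data).
SAMPLES = {
    "empty": [],
    "iodef_only": [CAARecord(0, "iodef", "mailto:security@example.com")],
    "single_issuer": [CAARecord(0, "issue", "ca.example.net; account=230123")],
    "deny_all": [CAARecord(0, "issue", ";")],
    "deny_plus_named": [CAARecord(0, "issue", ";"),
                        CAARecord(0, "issue", "ca.example.net")],
    "unknown_critical": [CAARecord(CRITICAL_FLAG, "tbs", "Unknown"),
                         CAARecord(0, "issue", "ca.example.net")],
    "wild": [CAARecord(0, "issue", "ca.example.net"),
             CAARecord(0, "issuewild", "wild.example.net")],
}

if __name__ == "__main__":
    for name, recs in SAMPLES.items():
        for ca in ("ca.example.net", "wild.example.net"):
            for wc in (False, True):
                ok, why = may_issue(recs, ca, wildcard=wc)
                print(f"{name:17} {ca:17} wildcard={wc!s:5} -> {ok!s:5} ({why})")
```

Note that "iodef_only" is exactly the case the erratum addresses: the record set is non-empty, so a reader of the original Section 5.2 text could argue either way, while the proposed wording makes it unrestricted issuance.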