big.basic.caatestsuite.com #2

Closed
kumarde opened this issue Sep 2, 2017 · 1 comment

kumarde commented Sep 2, 2017

How big of a CAA record are CAs supposed to be able to handle? big.basic.caatestsuite.com is much bigger than 512 bytes, which is the max for DNS records over UDP.

dig big.basic.caatestsuite.com. type257
;; Truncated, retrying in TCP mode.
;; Connection to 192.168.0.1#53(192.168.0.1) for big.basic.caatestsuite.com. failed: connection refused.
;; Connection to 127.0.0.1#53(127.0.0.1) for big.basic.caatestsuite.com. failed: connection refused.

AGWA commented Sep 2, 2017

This would be best asked on [email protected], but my interpretation is that since neither RFC6844 nor the BRs define a maximum record set size, then CAs should be prepared to handle record sets that fit within the maximum DNS message size (65535 bytes). If they can't, then it would be a lookup failure occurring within the CA's infrastructure and they must not issue.

@AGWA AGWA closed this as completed Aug 30, 2018
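
The behaviour discussed in this thread, as an added example that is not part of the original issue or the project's own code: a resolver-side check that retries a truncated UDP answer over TCP and fails closed when the retry fails. `caa_lookup`, `tcp_query` and the `SAMPLE_*` messages are hypothetical names and constructed data.

```python
import struct

TC_BIT = 0x0200  # "truncated" flag in the DNS header flags word (RFC 1035)

# Constructed sample messages: bare 12-byte headers, one padded to 4012 bytes.
SAMPLE_TRUNCATED = struct.pack("!6H", 0x1234, 0x8300, 1, 0, 0, 0)  # TC set
SAMPLE_COMPLETE = struct.pack("!6H", 0x1234, 0x8100, 1, 1, 0, 0)   # TC clear
SAMPLE_BIG = SAMPLE_COMPLETE + b"\x00" * 4000  # well over 512 bytes


def is_truncated(udp_response: bytes) -> bool:
    """Return True when the DNS header of a UDP response has TC set."""
    if len(udp_response) < 12:
        raise ValueError("short DNS header")
    (flags,) = struct.unpack_from("!H", udp_response, 2)
    return bool(flags & TC_BIT)


def frame_tcp(message: bytes) -> bytes:
    """Add the 2-byte TCP length prefix; it caps a message at 65535 bytes."""
    if len(message) > 0xFFFF:
        raise ValueError("exceeds maximum DNS message size")
    return struct.pack("!H", len(message)) + message


def unframe_tcp(stream: bytes) -> bytes:
    """Strip the 2-byte length prefix and require the full message."""
    if len(stream) < 2:
        raise ValueError("missing TCP length prefix")
    (length,) = struct.unpack_from("!H", stream, 0)
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("incomplete TCP DNS message")
    return body


def caa_lookup(udp_response: bytes, tcp_query):
    """Return (message, lookup_ok).

    tcp_query is a hypothetical callable that performs the TCP retry and
    returns the raw length-prefixed stream, raising OSError on failure.
    """
    try:
        if not is_truncated(udp_response):
            return udp_response, True
        return unframe_tcp(tcp_query()), True
    except (OSError, ValueError):
        # Failure inside the CA's own infrastructure: fail closed, do not issue.
        return None, False
```

A `lookup_ok` of `True` only means the full record set was retrieved; the CAA records still have to be evaluated before issuance.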