Ballot 214 – CAA Discovery CNAME Errata

Ballot overview

• Ballot 214, CAA Discovery CNAME Errata, is a Final Maintenance Guideline ballot in the Server Certificate Working Group.
• The ballot page states that the voting period has ended and the ballot has passed.
• Voting results shown on the page:
  • CAs: 13 yes, 3 no, 0 abstain; 81% of voting CAs voted in favor.
  • Browsers: 4 yes, 0 no, 0 abstain; 100% of voting browsers voted in favor.
• The page states quorum was met and the approval thresholds were met for both CAs and browsers.
• The page also states that at least one CA Member and one browser Member voted in favor, so the ballot was adopted.

What the ballot changes

• Updates Baseline Requirements v1.4.9 Section 3.2.2.8, CAA Records.
• Replaces the existing CAA checking language so that the CA must check for CAA records and follow the processing instructions for any records found, for each dNSName in the subjectAltName extension, as specified in RFC 6844 as amended by Errata 5065.
• Keeps the requirement that if the CA issues, it must do so within the TTL of the CAA record, or 8 hours, whichever is greater.
• Adds Appendix A to the Baseline Requirements for RFC6844 Errata 5065.
• The appendix text describes the corrected CNAME/DNAME processing for CAA discovery and notes that CAs SHOULD limit accepted CNAME chain length, while CAs MUST process CNAME chains that contain 8 or fewer CNAME records.

Timing and applicability

• Discussion begins: 2017-09-20 22:00 UTC
• Vote for approval begins: 2017-09-20 22:00 UTC
• Vote for approval ends: 2017-09-27 22:00 UTC
• If the vote approves the ballot, a 30-day review period follows.
• If no Exclusion Notices are filed, the ballot becomes effective at the end of the Review Period.
• If Exclusion Notice(s) are filed, ballot approval is rescinded and a PAG is to be created.
• The page does not give a single fixed effective date; effectiveness is conditional on the review period and whether exclusion notices are filed.