Describe our remote VAs in Section 3.2.2 #263
Conversation
|
Requesting review from @beautifulentropy to confirm that this accurately describes our current deployment. |
| @@ -230,6 +230,8 @@ Prior to issuance of a Subscriber Certificate, ISRG uses at least one of the fol | |||
|
|
|||
| Validation for Wildcard Domain Names is only performed using the DNS Change method. | |||
|
|
|||
| All successful validations and CAA checks performed by our Primary Network Perspectives are corroborated by multiple Remote Network Perspectives located in at least two distinct Regional Internet Registries. Each Remote Network Perspective has an independent DNS resolver and cache. | |||
There was a problem hiding this comment.
The initial DCV and CAA checks are verified from multiple network perspectives. However, CAA rechecks, which may occur just before finalization, are only validated from the primary perspective in Production. To fix this, we have two options: set EnforceMultiCAA to true in Production or set EnforceMPIC to true in Production. There’s a pending issue (IN-10875) to implement the latter change.
There was a problem hiding this comment.
We can also choose to not fix it, and instead massage the phrasing here, since the BRs allow single-perspective rechecks:
A CA MAY reuse corroborating evidence for CAA record quorum compliance for a maximum of 398 days.
Fixes #234
Do not merge until #7962 has been deployed to Production