7. Differences from RFC 6844

This document obsoletes [RFC6844]. The most important change is to the "Certification Authority Processing" section (now called "Relevant Resource Record Set" (Section 3), as noted below). [RFC6844] specified an algorithm that performed DNS tree-climbing not only on the FQDN being processed but also on all CNAMEs and DNAMEs encountered along the way. This made the processing algorithm very inefficient when used on FQDNs that utilize many CNAMEs and would have made it difficult for hosting providers to set CAA policies on their own FQDNs without setting potentially unwanted CAA policies on their customers' FQDNs. This document specifies a simplified processing algorithm that only performs tree-climbing on the FQDN being processed, and it leaves the processing of CNAMEs and DNAMEs up to the CA's recursive resolver.
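The following Python model, added here as an illustration and not part of RFC 8659 or RFC 6844, contrasts the two lookup algorithms described above over a constructed in-memory zone set. The "recursive resolver" is a small function that follows CNAME records, as a real resolver would, so the RFC 8659 walk only ever climbs the ancestors of the queried FQDN; the RFC 6844 walk additionally climbs the ancestors of every alias target. All names, records and CA identifiers are constructed, and the two pseudocode procedures are my reading of the respective documents rather than quoted text.

```python
"""Illustrative model of CAA "Relevant RRset" discovery (not a real resolver)."""
from __future__ import annotations

# Constructed zone data: owner name -> {rrtype: rdata}.
# A customer's web host is an alias into a hosting provider's zone, and the
# hosting provider has set a CAA policy on its own apex name only.
ZONES: dict[str, dict] = {
    "example.com.":     {"CAA": ['0 issue "ca.example"']},
    "www.example.com.": {"CNAME": "host7.provider.net."},
    "provider.net.":    {"CAA": ['0 issue "hostingca.example"']},
}


def parent(fqdn: str) -> str:
    """Strip the leftmost label: 'www.example.com.' -> 'example.com.' -> 'com.' -> '.'"""
    labels = fqdn.rstrip(".").split(".")
    if fqdn == "." or len(labels) <= 1:
        return "."
    return ".".join(labels[1:]) + "."


def query_caa(fqdn: str) -> list[str]:
    """Model a recursive resolver: follow the CNAME chain, then return the
    CAA RRset found at the end of it (empty list if there is none)."""
    seen: set[str] = set()
    name = fqdn
    while "CNAME" in ZONES.get(name, {}):
        if name in seen:            # loop guard for broken alias chains
            return []
        seen.add(name)
        name = ZONES[name]["CNAME"]
    return list(ZONES.get(name, {}).get("CAA", []))


def relevant_rrset_rfc8659(fqdn: str) -> list[str]:
    """Simplified RFC 8659 walk: climb only the queried FQDN's own ancestors.
    Alias handling is entirely the resolver's job (inside query_caa)."""
    name = fqdn
    while name != ".":
        rrset = query_caa(name)
        if rrset:
            return rrset
        name = parent(name)
    return []


def relevant_rrset_rfc6844(fqdn: str, depth: int = 0) -> list[str]:
    """RFC 6844-style walk: if X has no CAA, try the alias target's whole
    tree R(A(X)) before climbing to the parent P(X)."""
    if fqdn == "." or depth > 32:   # depth bound instead of a 'top-level domain' test
        return []
    direct = ZONES.get(fqdn, {}).get("CAA", [])
    if direct:
        return list(direct)
    target = ZONES.get(fqdn, {}).get("CNAME")
    if target:
        via_alias = relevant_rrset_rfc6844(target, depth + 1)
        if via_alias:
            return via_alias
    return relevant_rrset_rfc6844(parent(fqdn), depth + 1)


if __name__ == "__main__":
    for algo in (relevant_rrset_rfc8659, relevant_rrset_rfc6844):
        print(algo.__name__, "www.example.com. ->", algo("www.example.com."))
```

For `www.example.com.` the RFC 8659 walk finds the customer's own policy at `example.com.`, while the RFC 6844 walk, having followed the alias into `provider.net.`'s tree, returns the hosting provider's policy instead; that is exactly the unwanted inheritance the new algorithm removes, and it does so with one query per label of the requested name rather than one per label of every alias encountered.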

This document also includes a "Deployment Considerations" section (Section 6) detailing experience gained with practical deployment of CAA enforcement among CAs in the WebPKI.

This document clarifies the ABNF grammar for the issue and issuewild tags and resolves some inconsistencies with the document text. In particular, it specifies that parameters are separated with semicolons. It also allows hyphens in Property Tags.

This document also clarifies the processing of a CAA RRset that is not empty but that does not contain any issue or issuewild tags.

This document removes the section titled "The CAA RR Type," merging it with "Mechanism" (Section 4) because the definitions were mainly duplicates. It moves the "Use of DNS Security" section into Security Considerations (Section 5). It renames "Certification Authority Processing" to "Relevant Resource Record Set" (Section 3) and emphasizes the use of that term to more clearly define which domains are affected by a given RRset.