From 70dfd59a7711f2653dbea081a8644de81d7c6c8a Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Thu, 18 Jan 2024 08:34:34 -0800 Subject: [PATCH] Clarify the use of third-party DNS recursive resolvers Add a sentence to BRs Section 3.2.2.4 clarifying that the use of DNS recursive resolvers which are operated outside the CAs audit scope qualifies as use of a Delegated Third Party, which is forbidden for domain control validation. --- docs/BR.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/BR.md b/docs/BR.md index c85365b1..ada75c6c 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -704,6 +704,8 @@ The CA SHALL confirm that prior to issuance, the CA has validated each Fully-Qua 1. When the FQDN is not an Onion Domain Name, the CA SHALL validate the FQDN using at least one of the methods listed below; and 2. When the FQDN is an Onion Domain Name, the CA SHALL validate the FQDN in accordance with Appendix B. +All DNS queries conducted in the course of validation MUST be made from the CA to authoritative nameservers, i.e. without the use of recursive resolvers operated outside the CA's audit scope. + Completed validations of Applicant authority may be valid for the issuance of multiple Certificates over time. In all cases, the validation must have been initiated within the time period specified in the relevant requirement (such as [Section 4.2.1](#421-performing-identification-and-authentication-functions) of this document) prior to Certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant's Parent Company, Subsidiary Company, or Affiliate. CAs SHALL maintain a record of which domain validation method, including relevant BR version number, they used to validate every domain.
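Review bot: The "i.e." in the added sentence equates two requirements that are not equivalent. "MUST be made from the CA to authoritative nameservers" forbids any recursive resolver, including one the CA operates inside its own audit scope, while the clause after "i.e." only forbids resolvers "operated outside the CA's audit scope". Pick one: if CA-operated resolvers within audit scope are acceptable (which the commit message suggests, since it frames out-of-scope resolvers as a Delegated Third Party), reword to something like "All DNS queries conducted in the course of validation MUST be performed by the CA, either directly against authoritative nameservers or through recursive resolvers operated within the CA's audit scope." The commit message also states the intent is to classify out-of-scope resolvers as use of a Delegated Third Party, but the hunk never says so; adding "The use of a recursive resolver operated outside the CA's audit scope constitutes use of a Delegated Third Party" would make the prohibition enforceable under the existing Delegated Third Party language rather than leaving the connection implicit. Finally, the surrounding Section 3.2.2.4 text uses "SHALL" ("The CA SHALL confirm", "the CA SHALL validate"); the new sentence's "MUST" is the only such keyword in the visible context and should be aligned with the section's convention unless the document deliberately mixes the two.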