From b4468d8468e91f274ee60465c6511b594ead4740 Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Thu, 18 Jan 2024 09:52:32 -0800 Subject: [PATCH] Add the same DNS clarification to 3.2.2.5 --- docs/BR.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/BR.md b/docs/BR.md index ad10745d..a43206ea 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -916,6 +916,8 @@ This section defines the permitted processes and procedures for validating the A The CA SHALL confirm that prior to issuance, the CA has validated each IP Address listed in the Certificate using at least one of the methods specified in this section. +All DNS queries conducted in the course of validation MUST be made from the CA to authoritative nameservers, i.e. without the use of recursive resolvers operated outside the CA's audit scope. + Completed validations of Applicant authority may be valid for the issuance of multiple Certificates over time. In all cases, the validation must have been initiated within the time period specified in the relevant requirement (such as [Section 4.2.1](#421-performing-identification-and-authentication-functions) of this document) prior to Certificate issuance. For purposes of IP Address validation, the term Applicant includes the Applicant's Parent Company, Subsidiary Company, or Affiliate. After July 31, 2019, CAs SHALL maintain a record of which IP validation method, including the relevant BR version number, was used to validate every IP Address.
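Review bot: In the paragraph added to docs/BR.md in the hunk at line 916, the normative limit sits in the "i.e." clause rather than in the requirement itself. "MUST be made from the CA to authoritative nameservers" can be read as forbidding every recursive resolver, while "without the use of recursive resolvers operated outside the CA's audit scope" implies that a resolver inside the audit scope is acceptable. Consider stating the permitted case directly, for example that queries are made to authoritative nameservers either directly or through recursive resolvers operated within the CA's audit scope, so an auditor does not have to infer it. A smaller style point: the new sentence uses MUST, while the unchanged context lines around it use SHALL ("The CA SHALL confirm", "CAs SHALL maintain"). If the wording is deliberately kept identical to the earlier clarification that the subject line refers to, it would help to say so in the commit message. The surrounding text also dates its record-keeping requirement ("After July 31, 2019"), while the new requirement carries no effective date. If it is meant to apply immediately as a clarification of existing practice, it would help to say that in the commit message as well.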