boulder icon indicating copy to clipboard operation
boulder copied to clipboard
verified publisher icon letsencrypt

Add feature flag to only do CAA checking at Finalize time

Open aarongable opened this issue 2 years ago • 1 comments

We currently have slightly complex, slightly fragile CAA rechecking logic to ensure that we have up-to-date CAA records at issuance time even if the validation documents are more than 8 hours old.

We could greatly simplify this by a) not doing CAA checking at validation time; and b) always doing CAA checking at issuance/finalize time.

aarongable avatar Aug 29 '23 18:08 aarongable

This should probably be a two-step process:

  1. always check CAA at finalization time;
  2. never check CAA at validation time.

Thanks to #7058, we have spare capacity to do (1).

aarongable avatar Nov 07 '23 19:11 aarongable