From 9992fabc8c7e339c9fb9221346ccf604e9af4779 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Wed, 30 May 2018 15:57:55 -0700 Subject: [PATCH] Clarify RRsets with no issue/issuewild. (#1) As proposed in [erratum 5244](https://www.rfc-editor.org/errata/eid5244), clarify that non-empty CAA RR sets with no issue or issuewild property tags are permission to issue. See also [mailing list thread](https://www.ietf.org/mail-archive/web/spasm/current/msg01104.html). --- draft-ietf-lamps-rfc6844bis.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/draft-ietf-lamps-rfc6844bis.md b/draft-ietf-lamps-rfc6844bis.md index ef535f9..676f7cc 100644 --- a/draft-ietf-lamps-rfc6844bis.md +++ b/draft-ietf-lamps-rfc6844bis.md @@ -480,6 +480,11 @@ CAA authorizations are additive; thus, the result of specifying both the empty issuer and a specified issuer is the same as specifying just the specified issuer alone. +A non-empty CAA record set that contains no issue property tags +is authorization to any certificate issuer to issue for the corresponding +domain, provided that it is a non-wildcard domain, and no records in the +CAA record set otherwise prohibit issuance. + An issuer MAY choose to specify issuer-parameters that further constrain the issue of certificates by that issuer, for example, specifying that certificates are to be subject to specific validation @@ -504,6 +509,11 @@ If at least one issuewild property is specified in the relevant CAA record set, all issue properties MUST be ignored when processing a request for a domain that is a wildcard domain. +A non-empty CAA record set that contains no issue or issuewild property tags +is authorization to any certificate issuer to issue for the corresponding +wildcard domain, provided that no records in the CAA record set otherwise +prohibit issuance. + ## CAA iodef Property The iodef property specifies a means of reporting certificate issue
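Review bot: In the first hunk (`@@ -480,6 +480,11 @@`), the closing clause "and no records in the CAA record set otherwise prohibit issuance" does not say which records can prohibit issuance when no issue tag is present, so an implementer reading this paragraph alone cannot tell whether, for example, issuewild records on a non-wildcard name count as a prohibition. Either name the prohibiting condition or cross-reference the section of the draft that defines it, e.g. "provided that it is a non-wildcard domain and no records in the CAA record set otherwise prohibit issuance (see Section X)", where X is the section that states the prohibition rule. The commit message also describes the change as covering sets "with no issue or issuewild property tags", while this hunk conditions only on issue tags; the hunk's wording is the one that should hold for non-wildcard domains, so the message could be aligned with it.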
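Review bot: In the second hunk (`@@ -504,6 +509,11 @@`), the new paragraph restates the first hunk's paragraph almost verbatim, differing only in "issue or issuewild" and "wildcard domain"; consider either one shared statement ("a non-empty CAA record set containing no property tag applicable to the requested domain is authorization to any issuer, provided no record otherwise prohibits issuance") placed once, or at minimum parallel wording so the two paragraphs cannot drift apart in later edits. The paragraph also uses "any certificate issuer" where the surrounding context lines use "issuer"; stick to the document's existing term.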