[dns-operations] Browser and CA enforcement of CAA records?
andrew at vivalibre.com
Wed May 24 13:36:04 UTC 2017
My google-fu is failing me. Does anyone have any information on the
What browser enforcement will be done in Firefox/Chrome/Safari post-Sep
2017 for CAA records? Will the browser throw up a warning like is thrown up
for invalid or self-signed certs if a CAA DNS entry indicates the cert
presented by the site shouldn't have been issued?
Do I understand correctly that the absence of CAA records will cause no
harm; i.e. the absence of a CAA record for a given hostname (or parent
domain) simply means that any CA can issue a cert to that FQDN, and no
browser complaints will be generated?
Are there any cases where lack of a CAA record will have impact other than
being permissive on CA cert issuance?
P.S. FWIW I set up a null CAA record today and indeed LetsEncrypt refused
to issue me a cert. Good job LetsEncrypt.