[dns-operations] Browser and CA enforcement of CAA records?

Daniel Stirnimann daniel.stirnimann at switch.ch
Wed May 24 14:24:15 UTC 2017

Hi Andrew

CAA record checks only apply for certificate issuance. Once it is issued,
this record has no effect. Web browsers are also not checking CAA
records. You might want to read:


On 24.05.17 15:36, Andrew White wrote:
> Hi all,
> My google-fu is failing me. Does anyone have any information on the
> following?
> What browser enforcement will be done in Firefox/Chrome/Safari post-Sep
> 2017 for CAA records? Will the browser throw up a warning like is thrown
> up for invalid or self-signed certs if a CAA DNS entry indicates the
> cert presented by the site shouldn't have been issued?
> Do I understand correctly that the absence of CAA records will cause no
> harm; i.e. the absence of a CAA record for a given hostname (or parent
> domain) simply means that any CA can issue a cert to that FQDN, and no
> browser complaints will be generated?
> Are there any cases where lack of a CAA record will have impact other
> than being permissive on CA cert issuance?
> -Andrew
> P.S. FWIW I set up a null CAA record today and indeed LetsEncrypt
> refused to issue me a cert. Good job LetsEncrypt.
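
The issuance-time check discussed in this thread, as an added example that is not part of the original messages: a sketch of how a CA evaluates CAA following the RFC 8659 rules (climb to the closest non-empty CAA RRset, absence is permissive, an empty issuer value forbids issuance). The zone data, host names and the function names are constructed for illustration; no DNS lookups, CNAME handling or DNSSEC validation are performed.

```python
# Constructed sample data: owner name -> list of (flags, tag, value) CAA records.
SAMPLE_ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org"),
                    (0, "iodef", "mailto:sec@example.com")],
    "locked.example.com": [(0, "issue", ";")],   # "null" record: no CA may issue
    "wild.example.com": [(0, "issue", "letsencrypt.org"),
                         (0, "issuewild", ";")],  # forbid wildcard certs only
    "example.org": [(0, "iodef", "mailto:sec@example.org")],  # no issue tags
    "strict.example.net": [(128, "futuretag", "x")],  # critical, unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(fqdn, zone):
    """Climb from fqdn towards the root; return the first non-empty CAA RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []  # no CAA anywhere on the path

def ca_may_issue(fqdn, ca_domain, zone):
    """True if the CA identified by ca_domain may issue a cert for fqdn."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, zone)
    # An unrecognised property with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS
           for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    # issuewild is ignored for non-wildcard names and wins for wildcard names.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # no CAA, or nothing restricting issuance: any CA may issue
    # Value is "<issuer-domain>[; parameters]"; an empty issuer matches no CA.
    allowed = {v.split(";", 1)[0].strip().lower() for v in applicable}
    return ca_domain.lower() in allowed

if __name__ == "__main__":
    for name in ("www.example.com", "locked.example.com", "nocaa.example.net",
                 "*.wild.example.com"):
        print(name, ca_may_issue(name, "letsencrypt.org", SAMPLE_ZONE))
```

This logic runs at the CA when a certificate is requested; nothing in it is evaluated by a browser when the certificate is later presented.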
