[dns-operations] Browser and CA enforcement of CAA records?
Robert Edmonds
edmonds at mycre.ws
Wed May 24 16:07:55 UTC 2017
Paul Hoffman wrote:
> On 24 May 2017, at 7:24, Daniel Stirnimann wrote:
>
> > Hi Andrew
> >
> > CAA record checks only apply for certificate issuance. Once it is issued,
> > this record has no effect. Web browsers are also not checking CAA
> > records. You might want to read:
> > https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
>
> I think Andrew's question was not what are browsers supposed to do with CAA,
> but what are they actually doing. I'm interested in that as well.
I checked Chromium using their code search tool.
https://cs.chromium.org/search/?q=DNS+CAA+package:%5Echromium$+case:yes&type=cs
The only relevant match appears to be this, from
src/tools/metrics/histograms/histograms.xml:
<histogram name="Net.SSLHostInfoDNSLookupDelayMs" units="ms">
  <obsolete>
    Removed in 2011.
  </obsolete>
  <owner>Please list the metric's owners. Add more owner tags as needed.</owner>
  <summary>
    Time that we would have wasted had we waited for a CAA lookup in order to
    validate a certificate.
  </summary>
</histogram>
--
Robert Edmonds
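The thread's point is that CAA is enforced by the issuing CA, not by the browser. The following is an added illustration of what that issuance-time check looks like, written for this archive page and not taken from the thread, Chromium, or any CA's code. It implements the RFC 8659 decision procedure in simplified form (climb to the closest CAA RRset, honour the critical flag, pick `issue` or `issuewild`, compare the CA's identifying domain) against a constructed in-memory zone; real implementations also follow CNAME/DNAME and validate with DNSSEC, which is omitted here. All names in `ZONE` are made up.

```python
"""CA-side CAA check (simplified RFC 8659 semantics).

Given a constructed zone and a CA identifying domain, decide whether that CA
may issue a certificate for a requested name. This is the check a CA runs at
issuance time; a browser validating an already-issued certificate never does it.
"""

from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)
CRITICAL = 0x80                   # "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample data (not real DNS): owner name -> CAA RRset
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [(0, "issue", "ca.example.net"),
                    (0, "iodef", "mailto:security@example.com")],
    "shop.example.com": [(0, "issue", ";")],            # ';' alone = nobody may issue
    "wild.example.com": [(0, "issue", "ca.example.net"),
                         (0, "issuewild", "wildca.example.org")],
    "locked.example.com": [(CRITICAL, "future-tag", "x")],  # unknown critical tag
}


def find_relevant_rrset(zone: Dict[str, List[CAARecord]], name: str) -> List[CAARecord]:
    """Return the CAA RRset at `name`, or at its closest ancestor that has one.

    A wildcard request '*.foo' is evaluated starting at 'foo'.
    """
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        candidate = ".".join(labels)
        if candidate in zone:
            return zone[candidate]
        labels = labels[1:]
    return []


def issuer_domain(value: str) -> str:
    """Extract the issuer domain from an issue/issuewild value.

    'ca.example.net; account=123' -> 'ca.example.net', and ';' -> '' (no issuer).
    """
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone: Dict[str, List[CAARecord]], fqdn: str, ca_domain: str) -> Tuple[bool, str]:
    """Return (permitted, reason) for CA `ca_domain` issuing for `fqdn`."""
    rrset = find_relevant_rrset(zone, fqdn)
    if not rrset:
        return True, "no CAA records in the tree: issuance unrestricted"

    # A critical property the CA does not understand forbids issuance outright.
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag '{tag}': must not issue"

    # Wildcard requests use 'issuewild' when present, otherwise fall back to 'issue'.
    wildcard = fqdn.startswith("*.")
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"

    authorised = {issuer_domain(v) for _, t, v in rrset if t.lower() == tag}
    if not authorised:
        return True, f"no '{tag}' property present: any CA may issue"
    if ca_domain.lower() in authorised:
        return True, f"'{tag}' names {ca_domain}"
    allowed = sorted(d for d in authorised if d) or "nobody"
    return False, f"'{tag}' permits only {allowed}"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca.example.net"),
                     ("www.example.com", "other-ca.example"),
                     ("shop.example.com", "ca.example.net"),
                     ("*.wild.example.com", "ca.example.net"),
                     ("*.wild.example.com", "wildca.example.org"),
                     ("locked.example.com", "ca.example.net"),
                     ("nothing.example.org", "ca.example.net")]:
        ok, why = caa_permits(ZONE, name, ca)
        print(f"{name:24} {ca:20} {'ISSUE' if ok else 'REFUSE':7} {why}")
```

Note that the result depends only on DNS state at the moment of the request; nothing in this procedure consults an existing certificate, which is why changing a CAA record later has no effect on certificates already in circulation.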