[dns-operations] Browser and CA enforcement of CAA records?

Robert Edmonds edmonds at mycre.ws
Wed May 24 16:07:55 UTC 2017

Paul Hoffman wrote:
> On 24 May 2017, at 7:24, Daniel Stirnimann wrote:
> > Hi Andrew
> > 
> > CAA record checks only apply for certificate issuance. Once it is issued
> > this record has no effect. Web browsers are also not checking CAA
> > records. You might want to read:
> > https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
> I think Andrew's question was not what are browsers supposed to do with CAA,
> but what are they actually doing. I'm interested in that as well.

I checked Chromium using their code search tool.


The only relevant match appears to be this, from

    <histogram name="Net.SSLHostInfoDNSLookupDelayMs" units="ms">
      <obsolete>
        Removed in 2011.
      </obsolete>
      <owner>Please list the metric's owners. Add more owner tags as needed.</owner>
      <summary>
        Time that we would have wasted had we waited for a CAA lookup in order to
        validate a certificate.
      </summary>
    </histogram>

Robert Edmonds
