[dns-operations] Browser and CA enforcement of CAA records?
edmonds at mycre.ws
Wed May 24 16:07:55 UTC 2017
Paul Hoffman wrote:
> On 24 May 2017, at 7:24, Daniel Stirnimann wrote:
> > Hi Andrew
> > CAA record checks only apply for certificate issuance. Once it is issued
> > this record has no effect. Web browsers are also not checking CAA
> > records. You might want to read:
> > https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
> I think Andrew's question was not what are browsers supposed to do with CAA,
> but what are they actually doing. I'm interested in that as well.
I checked Chromium using their code search tool.
The only relevant match appears to be this, from
<histogram name="Net.SSLHostInfoDNSLookupDelayMs" units="ms">
Removed in 2011.
<owner>Please list the metric's owners. Add more owner tags as needed.</owner>
Time that we would have wasted had we waited for a CAA lookup in order to
validate a certificate.
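
The issuance-time check mentioned in the quoted reply, as an added example that is not part of the original thread: a simplified CA-side CAA evaluation in the style of RFC 8659 (no CNAME or DNSSEC handling). The zone data, CA names and function names are constructed for illustration.

```python
# Constructed CAA data standing in for DNS answers: name -> [(flags, tag, value)].
ZONE = {
    "example.com": [(0, "issue", "ca-one.example"), (0, "iodef", "mailto:sec@example.com")],
    "locked.example.com": [(0, "issue", ";")],
    "wild.example.com": [(0, "issue", "ca-one.example"),
                         (0, "issuewild", "ca-two.example; policy=ev")],
    "odd.example.com": [(128, "futuretag", "x")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; the first non-empty CAA RRset wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":          # a wildcard request starts at the parent name
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(ca_domain, fqdn, zone):
    """Return True if the CA identified by ca_domain may issue for fqdn."""
    rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True               # no CAA anywhere in the tree: unrestricted
    # Critical bit (128) set on a tag this CA does not understand: refuse.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tags = [tag.lower() for _, tag, _ in rrset]
    # issuewild, when present, replaces issue for wildcard requests only.
    wanted = "issuewild" if fqdn.startswith("*.") and "issuewild" in tags else "issue"
    values = [value for _, tag, value in rrset if tag.lower() == wanted]
    if not values:
        return True               # e.g. iodef only: no issuer restriction
    # The issuer domain is the part before any ";"-separated parameters.
    issuers = {value.split(";", 1)[0].strip().lower() for value in values}
    return ca_domain.lower() in issuers
```

Nothing here runs on the relying-party side: the decision is made once, by the CA, before the certificate exists.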