[dns-operations] Browser and CA enforcement of CAA records?

Andrew White andrew at vivalibre.com
Wed May 24 19:31:27 UTC 2017


FWIW it does appear that SSL Labs is including a CAA DNS check as part of
its SSL scoring system since January.

https://blog.qualys.com/ssllabs/2017/01/13/whats-new-ssl-labs-1-26-5



On Wed, May 24, 2017 at 6:36 AM, Andrew White <andrew at vivalibre.com> wrote:

> Hi all,
>
> My google-fu is failing me. Does anyone have any information on the
> following?
>
> What browser enforcement will be done in Firefox/Chrome/Safari post-Sep
> 2017 for CAA records? Will the browser throw up a warning like is thrown up
> for invalid or self-signed certs if a CAA DNS entry indicates the cert
> presented by the site shouldn't have been issued?
>
> Do I understand correctly that the absence of CAA records will cause no
> harm; i.e. the absence of a CAA record for a given hostname (or parent
> domain) simply means that any CA can issue a cert to that FQDN, and no
> browser complaints will be generated?
>
> Are there any cases where lack of a CAA record will have impact other than
> being permissive on CA cert issuance?
>
> -Andrew
>
> P.S. FWIW I set up a null CAA record today and indeed LetsEncrypt refused
> to issue me a cert. Good job LetsEncrypt.
>
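The two observations in the quoted message, that a "null" CAA record makes Let's Encrypt refuse to issue and that a missing CAA record leaves issuance unrestricted, both fall out of the CAA lookup rules in RFC 6844 as updated by RFC 8659, which the issuing CA applies at issuance time. The following is an added example, not code from the thread, from Let's Encrypt or from any other CA: it evaluates those rules against a constructed in-memory zone (every name, record and the issuer domain `example-ca.test` are assumptions), climbing from the requested name to its parents, applying `issue` and `issuewild`, and honouring the issuer-critical flag.

```python
"""Check whether a CA is authorized to issue for a name under CAA (RFC 6844 / RFC 8659).

Added example for this thread, not code from the original post or from any CA.
The zone below is constructed: records are looked up in an in-memory dict
rather than live DNS so the example runs offline.
"""
from dataclasses import dataclass

CRITICAL = 128                  # issuer-critical flag bit in the CAA flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed sample zone: owner name -> CAA RRset (a name absent from the dict has no CAA records).
SAMPLE_ZONE = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "iodef", "mailto:security@example.com")],
    # The "null" record from the thread: "issue ;" authorizes no CA at all.
    "locked.example.com": [CAA(0, "issue", ";")],
    # Ordinary names may be issued by letsencrypt.org, wildcard names by nobody.
    "wild.example.com": [CAA(0, "issue", "letsencrypt.org"), CAA(0, "issuewild", ";")],
    # A critical record carrying a tag this checker does not understand (hypothetical tag).
    "strict.example.com": [CAA(CRITICAL, "futuretag", "whatever")],
}


def relevant_caa_set(name, zone):
    """Return (owner, records) for the closest CAA RRset at `name` or a parent.

    This is the RFC 8659 lookup: try the name itself, then each parent in turn,
    and stop at the first non-empty RRset.  (None, []) means no CAA anywhere.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = zone.get(candidate, [])
        if records:
            return candidate, list(records)
    return None, []


def issuer_domain(value):
    """Extract the issuer domain from an issue/issuewild value; "" means 'no one'."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(fqdn, ca_domain, zone):
    """Decide whether `ca_domain` may issue for `fqdn`; returns (allowed, reason)."""
    is_wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if is_wildcard else fqdn
    owner, records = relevant_caa_set(base, zone)

    if owner is None:
        return True, "no CAA RRset on the name or any parent: any CA may issue"

    # A critical record the CA does not understand forbids issuance outright.
    for rec in records:
        if rec.flags & CRITICAL and rec.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property '{rec.tag}' at {owner}"

    # Wildcard names are governed by issuewild when any issuewild record exists,
    # otherwise by the issue records (RFC 8659 section 4.3).
    tag = "issue"
    if is_wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"
    allowed = {issuer_domain(r.value) for r in records if r.tag.lower() == tag}

    if not allowed:
        return True, f"CAA RRset at {owner} has no {tag} records: issuance is not restricted"
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is listed in an {tag} record at {owner}"
    return False, f"{ca_domain} is not authorized by the {tag} records at {owner}"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "example-ca.test"),
                     ("locked.example.com", "letsencrypt.org"),
                     ("*.wild.example.com", "letsencrypt.org"),
                     ("no-caa.test", "letsencrypt.org")]:
        ok, why = ca_may_issue(name, ca, SAMPLE_ZONE)
        print(f"{name:22} {ca:18} {'ISSUE' if ok else 'REFUSE'}: {why}")
```

Running the script shows the climbing behaviour directly: `www.example.com` has no CAA of its own, so the RRset at `example.com` governs it; `deep.locked.example.com` would inherit the null record from `locked.example.com`; and a name with no CAA anywhere up the tree is unrestricted. Pointing the same logic at real answers from a resolver only changes where `zone` comes from, and the resolver should be a validating one so a forged empty answer cannot turn a restricted name into a permissive one.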