[dns-operations] Browser and CA enforcement of CAA records?
operations at dns.16bits.net
Wed May 24 22:34:18 UTC 2017
On 2017-05-24 at 08:04 -0700, Paul Hoffman wrote:
> I think Andrew's question was not what are browsers supposed to do with
> CAA, but what are they actually doing. I'm interested in that as well.
> --Paul Hoffman
Why would they be doing anything with them?
They would have needed to add code to query and check a DNS entry that
is unneeded for its use case and the specification clearly says they MUST
I find RFC 6844 is very clear on this:
> «it is possible
> that a certificate that is not conformant with the CAA records
> currently published was conformant with the CAA records published at
> the time that the certificate was issued. Relying Applications MUST
> NOT use CAA records as part of certificate validation.»
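
The situation the quoted RFC 6844 text describes, as an added example that is not part of the original post: the same CAA check gives different answers at issuance time and at a later validation time once the published records change. Zone contents and CA domain names are constructed, and the check is simplified (non-wildcard names only, no CNAME/DNAME alias handling, no `issuewild`).

```python
# Added illustration; zone data and CA names below are constructed.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# CAA RRsets as {owner name: [(flags, tag, value), ...]} at two points in time.
ZONE_AT_ISSUANCE = {"example.com": [(0, "issue", "ca-one.example")]}
ZONE_TODAY = {
    "example.com": [(0, "issue", "ca-two.example")],
    "locked.example.com": [(0, "issue", ";")],  # empty issuer: nobody may issue
}

def relevant_caa(zone, name):
    """Climb from name towards the root; return the first non-empty CAA RRset."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def ca_may_issue(zone, name, ca_domain):
    """Issuance-time check a CA performs for a non-wildcard name."""
    rrset = relevant_caa(zone, name)
    # An unrecognised property with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issuers = [value.split(";")[0].strip().lower()
               for _, tag, value in rrset if tag == "issue"]
    if not issuers:
        return True  # no "issue" property: issuance is not restricted
    return ca_domain.lower() in issuers

def demo():
    name, ca = "www.example.com", "ca-one.example"
    at_issuance = ca_may_issue(ZONE_AT_ISSUANCE, name, ca)
    # Same question asked later against today's records, as a relying
    # application re-checking CAA during validation would ask it.
    at_validation = ca_may_issue(ZONE_TODAY, name, ca)
    return at_issuance, at_validation

if __name__ == "__main__":
    print(demo())
```

A certificate that ca-one.example issued correctly would be rejected by a client that re-ran this check after the domain owner switched CAs, which is the false rejection the MUST NOT avoids.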