[dns-operations] Browser and CA enforcement of CAA records?

Ángel operations at dns.16bits.net
Wed May 24 22:34:18 UTC 2017

On 2017-05-24 at 08:04 -0700, Paul Hoffman wrote:
> I think Andrew's question was not what are browsers supposed to do with 
> CAA, but what are they actually doing. I'm interested in that as well.
> --Paul HOffman

Why would they be doing anything with them?
They would have needed to add code to query and check a DNS entry that
is unneeded for its usecase and the specification clearly says they MUST
NOT use.

I find rfc6844 is very clear on this:
>    «it is possible
>    that a certificate that is not conformant with the CAA records
>    currently published was conformant with the CAA records published at
>    the time that the certificate was issued.  Relying Applications MUST
>    NOT use CAA records as part of certificate validation.»
-- https://tools.ietf.org/html/rfc6844#section-1

More information about the dns-operations mailing list