[dns-operations] Browser and CA enforcement of CAA records?

Mark Andrews marka at isc.org
Thu May 25 02:24:58 UTC 2017


In message <1495665258.930.3.camel at 16bits.net>, Ángel writes:
> On 2017-05-24 at 08:04 -0700, Paul Hoffman wrote:
> > I think Andrew's question was not what are browsers supposed to do with
> > CAA, but what are they actually doing. I'm interested in that as well.
> >
> > --Paul Hoffman
>
> Why would they be doing anything with them?
> They would have needed to add code to query and check a DNS entry that
> is unneeded for its usecase and the specification clearly says they MUST
> NOT use.
>
> I find rfc6844 is very clear on this:
> >    it is possible
> >    that a certificate that is not conformant with the CAA records
> >    currently published was conformant with the CAA records published at
> >    the time that the certificate was issued.  Relying Applications MUST
> >    NOT use CAA records as part of certificate validation.
> >
> -- https://tools.ietf.org/html/rfc6844#section-1

Now, if they were to look up TLSA records that would be correct and
would be useful, but it is also off topic.

> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
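The thread's point is that CAA is an issuance-time control consulted by the CA, not a validation input for browsers. The following is an added example (not code from this thread or from ISC) of what that CA-side check looks like, following the record-set lookup of RFC 6844 section 4 and the issue/issuewild semantics of section 5: climb from the requested name toward the root, take the first non-empty CAA RRset, refuse on a critical flag with an unknown tag, and match the CA's identifying domain against the issue (or, for wildcard requests, issuewild) properties. The zone data is constructed inline so it runs offline; the CNAME/alias following that section 4 also specifies is deliberately omitted for brevity, which is an assumption of this example.

```python
"""Issuance-time CAA check in the style of RFC 6844 (added example, not from the thread)."""
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # flag bit 7: unknown tags with this bit set block issuance
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone data for the example; none of these names or CAs are real records.
SAMPLE_ZONE = {
    "example.com.": [CAA(0, "issue", "letsencrypt.org"),
                     CAA(0, "iodef", "mailto:security@example.com")],
    "restricted.example.com.": [CAA(0, "issue", ";")],        # ";" = no CA may issue
    "strict.example.com.": [CAA(ISSUER_CRITICAL, "futuretag", "x")],  # critical unknown tag
    "wild.example.com.": [CAA(0, "issue", "ca-a.example"),
                          CAA(0, "issuewild", "ca-b.example")],
}


def parse_caa_rdata(text):
    """Parse presentation form such as 0 issue "letsencrypt.org" into a CAA record."""
    flags, tag, value = text.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


def find_caa_set(name, zone):
    """Walk from the FQDN toward the root; return (owner, rrset) of the first non-empty CAA set."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = zone.get(owner)
        if rrset:
            return owner, rrset
    return None, []


def ca_may_issue(requested_name, ca_domain, zone):
    """Return (allowed, reason) for a CA identified by ca_domain, per RFC 6844 section 5."""
    wildcard = requested_name.startswith("*.")
    lookup = requested_name[2:] if wildcard else requested_name
    owner, rrset = find_caa_set(lookup, zone)
    if not rrset:
        return True, "no CAA records in the tree: issuance not restricted"
    # A critical flag on a tag the issuer does not understand means "do not issue".
    for rr in rrset:
        if rr.flags & ISSUER_CRITICAL and rr.tag not in KNOWN_TAGS:
            return False, f"critical unknown tag {rr.tag!r} at {owner}"
    issuewild = [rr for rr in rrset if rr.tag == "issuewild"]
    issue = [rr for rr in rrset if rr.tag == "issue"]
    # Wildcard requests are governed by issuewild when present, otherwise by issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, f"CAA at {owner} carries no issue/issuewild property: not restricted"
    # The value is "<domain>; <parameters>"; only the domain part identifies the CA.
    allowed = {rr.value.split(";")[0].strip().lower() for rr in relevant}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} authorised by CAA at {owner}"
    return False, f"{ca_domain} not listed in CAA at {owner} (allowed: {sorted(allowed)})"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("restricted.example.com", "letsencrypt.org"),
                     ("strict.example.com", "letsencrypt.org"),
                     ("*.wild.example.com", "ca-b.example"),
                     ("nothing.example.org", "anyca.example")]:
        print(name, ca, ca_may_issue(name, ca, SAMPLE_ZONE))
```

The asymmetry the RFC text in the thread describes is visible here: the answer depends on the zone contents at the moment of the query, so running the same check later against changed records says nothing about whether a certificate was validly issued, which is exactly why a relying application gets no signal from it.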
