[dns-operations] Browser and CA enforcement of CAA records?

Paul Hoffman phoffman at proper.com
Thu May 25 02:26:01 UTC 2017

On 24 May 2017, at 15:34, Ángel wrote:

> On 2017-05-24 at 08:04 -0700, Paul Hoffman wrote:
>> I think Andrew's question was not what are browsers supposed to do 
>> with
>> CAA, but what are they actually doing. I'm interested in that as 
>> well.
>> --Paul HOffman
> Why would they be doing anything with them?

Because they didn't read the spec.

> They would have needed to add code to query and check a DNS entry that
> is unneeded for its usecase and the specification clearly says they 
> NOT use.


> I find rfc6844 is very clear on this:
>>    «it is possible
>>    that a certificate that is not conformant with the CAA records
>>    currently published was conformant with the CAA records published 
>> at
>>    the time that the certificate was issued.  Relying Applications 
>>    NOT use CAA records as part of certificate validation.»
> -- https://tools.ietf.org/html/rfc6844#section-1

I know; I helped write that text during the development of the spec. 
That doesn't mean that everyone is following it.

--Paul Hoffman

More information about the dns-operations mailing list