<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class="">
<div><blockquote type="cite" class=""><div class="">On Sep 10, 2017, at 8:19 AM, Paul Hoffman via Public <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Greetings. I'm interested in how CAA is working out for both the names and CA communities.<br class=""><br class="">Is someone collecting anecdotal reports of certificate non-issuance due to CAA checking? I kind of imagine they fall into at least two buckets: "I really do own the name but don't know how that wrong CAA record got there" and "As a CA, we have seen X blocked attempts to use us to try to get certs that had CAA records from other vendors". I guess I'm also interested in "About X% of our renewals are names that have us correctly listed in a CAA record".</div></div></blockquote><br class=""></div>
<div>The major thing I’ve seen so far is related to DNSSEC implementations. There was a hope that DNSSEC could assist in confirming the lack of CAA records for a given QNAME, but it is turning out that many libraries don’t expose the level of detail needed to make this happen in a reliable manner.</div>
<div><br class=""></div>
<div>Details are on the mozilla.dev.security.policy group (<a href="https://groups.google.com/d/msg/mozilla.dev.security.policy/2WxCMEYEbrE/lv4yNj9gAQAJ" class="">https://groups.google.com/d/msg/mozilla.dev.security.policy/2WxCMEYEbrE/lv4yNj9gAQAJ</a>), but the high level is that differentiating between affirmatively unsigned (e.g. signed delegation without DS records) and a problem down the delegation is not possible in many cases.</div>
<div><br class=""></div>
<div>Additionally, the CNAME and presumably DNAME handling is known to be buggy, and there are errata for 6844 that change the processing. Given that these change the algorithm, they are held for update. This Forum didn’t get a ballot out that requires following these errata, but there is a clear intention that the revised version is correct, so some CAs are using the errata algorithm and some are using the original.</div>
<div><br class=""></div>
<div>I’m sure more data will be known over the next few weeks, as it was just two days ago that it became mandatory that CAs check for CAA.</div>
<div><br class=""></div>
<div>Thanks,</div>
<div>Peter</div></body></html>
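The two behaviours the message describes, as an added example that is not part of the list post or any CA's code: a small Python model of RFC 6844 tree climbing over a constructed in-memory zone, with the section 4 procedure as originally published beside the errata version (which consults only the CAA set at the end of a CNAME chain and then climbs from the queried name's own parent), and a lookup-failure rule that treats a failed query as "no records" only when the name has no DNSSEC validation chain to the root. All names, RRsets, failing queries and DS flags below are constructed; the transcription of the two climbing procedures and of the failure rule (failure outside the CA's infrastructure, retried at least once, no DNSSEC chain to the root) is my reading of the RFC, its errata and the Baseline Requirements text of the time, not something the post states.

```python
"""Model of RFC 6844 CAA processing over a constructed, in-memory zone.

Added example; not code from the list post.  The two R(X) procedures are my
transcription of RFC 6844 section 4 and its errata.
"""
from __future__ import annotations


class LookupFailure(Exception):
    """What a CA sees from its resolver (SERVFAIL, timeout).  A validating
    resolver reports a DNSSEC validation failure the same way, which is the
    ambiguity the post describes."""


# Constructed records, fully qualified: "caa" is the CAA RRset, "cname" an alias.
RECORDS: dict[str, dict] = {
    "example.com.":        {"caa": ['0 issue "ca-a.example"']},
    "www.example.com.":    {"cname": "cdn.hosted.example."},
    "hosted.example.":     {"caa": ['0 issue "ca-b.example"']},
    "cdn.hosted.example.": {},                      # alias target with no CAA
}
# Constructed: names whose CAA query returns SERVFAIL in this scenario.
FAILING = {"bad.example.com.", "down.hosted.example."}
# Constructed: whether each zone apex has a DS in its parent, i.e. whether a
# DNSSEC validation chain from the root reaches that zone.
DS = {"com.": True, "example.com.": True, "example.": True, "hosted.example.": False}


def parent(name: str) -> str:
    """P(X): drop the leftmost label ("www.example.com." -> "example.com.")."""
    return name.split(".", 1)[1]


def is_tld(name: str) -> bool:
    return name.count(".") == 1          # "com." is a single label


def caa(name: str) -> list[str]:
    """CAA(X): the RRset at exactly X; no climbing, no alias following."""
    if name in FAILING:
        raise LookupFailure(name)
    return list(RECORDS.get(name, {}).get("caa", []))


def alias(name: str) -> str | None:
    """A(X): the end of the CNAME chain starting at X, or None if X is no alias."""
    seen, cur = set(), name
    while "cname" in RECORDS.get(cur, {}):
        if cur in seen:
            raise LookupFailure(f"CNAME loop at {cur}")
        seen.add(cur)
        cur = RECORDS[cur]["cname"]
    return None if cur == name else cur


def r_original(x: str) -> list[str]:
    """R(X) as published: an alias recurses into R(A(X)), so the *target's*
    parents are climbed before X's own parent is ever consulted."""
    if rrset := caa(x):
        return rrset
    if (a := alias(x)) and (rrset := r_original(a)):
        return rrset
    return [] if is_tld(x) else r_original(parent(x))


def r_errata(x: str) -> list[str]:
    """R(X) with the erratum applied: only CAA(A(X)), the RRset at the end of
    the alias chain, is consulted; climbing continues from X's own parent."""
    if rrset := caa(x):
        return rrset
    if (a := alias(x)) and (rrset := caa(a)):
        return rrset
    return [] if is_tld(x) else r_errata(parent(x))


def has_dnssec_chain(name: str) -> bool:
    """True if every zone cut from the root down to the zone holding `name`
    publishes a DS.  This is the fact a CA needs in order to decide whether a
    lookup failure may be treated as an empty CAA set."""
    cuts = [z for z in DS if name == z or name.endswith("." + z)]
    return bool(cuts) and all(DS[z] for z in cuts)


def issuance_permitted(name: str, ca: str, climb=r_errata, retried: bool = True) -> bool:
    """Decide whether `ca` may issue for `name`.  A failed lookup counts as
    "no records" only if the query was retried and the name is not under a
    DNSSEC chain; under a chain the CA fails closed, since it cannot tell a
    validation failure (bogus) from an outage of an unsigned zone.
    Parsing is simplified: flags, issuewild and issue parameters are ignored."""
    try:
        rrset = climb(name)
    except LookupFailure:
        if has_dnssec_chain(name) or not retried:
            return False
        rrset = []
    issuers = [rr.split()[2].strip('"') for rr in rrset if rr.split()[1] == "issue"]
    return not issuers or ca in issuers
```

For `www.example.com.` the two procedures disagree: the original climbs from the CNAME target and lands on `hosted.example.` (ca-b), while the errata version climbs from `example.com.` (ca-a), so which CA a CNAME'd name "authorises" depends on which algorithm the CA implements. The failure rule shows why the DNSSEC distinction matters: a SERVFAIL under `example.com.` (signed chain) blocks issuance, while the same SERVFAIL under the unsigned `hosted.example.` is permitted after a retry.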