Gervase Markham gerv at mozilla.org
Mon Jun 24 10:28:38 UTC 2013

On 20/06/13 15:39, Adam Langley wrote:
> Our DNS setup is probably unique and so wouldn't apply in many other situations.
> But I imagine that most people are using tools that process BIND-like
> zone files and support the arbitrary record format output by dig,
> above. Thus they can probably add CAA records without waiting for any
> software updates.

If other organizations are anything like us, the issue is not in adding
the values to DNS, it's in working out what the correct values are.

My preliminary investigation suggests that while we may be able to add
"issue" records for specific foo.mozilla.org domains (e.g.
addons.mozilla.org), and an "issuewild" record for mozilla.org itself,
it will be very hard to have an "issue" record for mozilla.org because
we have subdomains which are managed by third parties (e.g. for our
mailshot infrastructure), and they could change their SSL provider at
any time without informing us.
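To make the concern concrete, here is an added example (not from the thread or from Mozilla) that evaluates CAA policy using the parent-walking lookup later standardised in RFC 8659: the CA checks the exact name, then each parent in turn, and the first name with any CAA records decides. The zone data, the CA identifiers and the hostname mailshot.mozilla.org are constructed; ZONE_PLANNED mirrors the plan above ("issue" on specific hosts, "issuewild" on the apex) and ZONE_APEX_ISSUE adds an apex "issue" record so the effect on a third-party-managed subdomain can be compared.

```python
from typing import Dict, List, Optional, Tuple

Record = Tuple[int, str, str]   # (flags, tag, value) as carried in a CAA RR
Zone = Dict[str, List[Record]]  # owner name -> CAA RRset (constructed stand-in for DNS)
CRITICAL = 0x80                 # issuer-critical flag bit

# Constructed data; CA identifiers are hypothetical. ZONE_PLANNED mirrors the plan
# in the post: "issue" only on specific hosts, "issuewild" on the apex.
ZONE_PLANNED: Zone = {
    "mozilla.org": [(0, "issuewild", "ca-a.example")],
    "addons.mozilla.org": [(0, "issue", "ca-a.example")],
}
# The same zone with an "issue" record added at the apex.
ZONE_APEX_ISSUE: Zone = {**ZONE_PLANNED,
    "mozilla.org": ZONE_PLANNED["mozilla.org"] + [(0, "issue", "ca-a.example")]}


def relevant_caa_set(name: str, zone: Zone) -> Tuple[Optional[str], List[Record]]:
    """RFC 8659 lookup: try the exact name, then each parent, stopping at the first
    non-empty RRset. Returns (owner name that decided, its records)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def issuance_allowed(name: str, ca: str, zone: Zone, wildcard: bool = False) -> bool:
    """May `ca` issue for `name` (or for `*.name` when wildcard=True)?
    For a wildcard the search starts at the name with the '*' label removed."""
    _, rrset = relevant_caa_set(name, zone)
    if any(f & CRITICAL and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False  # unknown property marked critical: the CA must not issue
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild takes precedence over issue for wildcard names
    grants = [v for _, t, v in rrset if t == tag]
    if not grants:
        return True  # no issue-type property applies to this request: no restriction
    # The issuer domain is the text before any ";" parameters; a bare ";" grants nobody.
    return ca in {g.split(";")[0].strip() for g in grants}
```

With ZONE_PLANNED a subdomain that publishes no CAA of its own (mailshot.mozilla.org here) inherits only the apex "issuewild" record, so a different CA can still issue its ordinary certificates; with ZONE_APEX_ISSUE the same lookup lands on the apex "issue" record and that CA is refused.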


