[cabfpub] Continuing the discussion on CAA

Gervase Markham gerv at mozilla.org
Mon Oct 24 04:37:33 MST 2016


Hi Eneli,

On 24/10/16 12:08, Eneli Kirme via Public wrote:
> But consider this scenario: a hypothetical CoolCA approaching a DNS
> service provider, be it an ISP, domain registrar or some kind of hosting
> provider, with a proposal to include a CAA record pointing to the CoolCA
> into their default configuration. 

I would expect the DNS service provider to refuse, because otherwise
they'll have a lot of angry customers ringing them up, saying "my CA
tells me I can't have a certificate, and it's your fault".

However, to address this, would it be reasonable to add a clause in the
CAA-related change which said something like: "CAs MUST NOT add (or
cause or request to be added) CAA records to the DNS without the
explicit permission of the domain owner."

Gerv
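
The refusal described in the message above, as an added example that is not part of the original e-mail: a simplified RFC 6844 check for non-wildcard names that ignores CNAME/DNAME aliases. The zone names, `otherca.example`, and the issuer domain `coolca.example` for the hypothetical CoolCA are constructed for illustration.

```python
# Constructed sample data: a DNS provider's default zone template that ships
# a CAA record naming the hypothetical CoolCA (assumed issuer domain).
ZONES = {
    "customer.example": ['0 issue "coolca.example"'],
    "unrestricted.example": [],  # no CAA records anywhere in the tree
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit


def parse_caa(rdata):
    """Split '<flags> <tag> "<value>"' into (flags, tag, issuer-domain)."""
    flags, tag, value = rdata.split(None, 2)
    value = value.strip().strip('"')
    issuer = value.split(";", 1)[0].strip()  # drop parameters after ';'
    return int(flags), tag.lower(), issuer.lower()


def relevant_rrset(fqdn, zones):
    """Climb from fqdn towards the root; the first non-empty CAA set applies."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zones.get(".".join(labels[i:]), [])
        if rrset:
            return [parse_caa(r) for r in rrset]
    return []


def may_issue(ca_domain, fqdn, zones=ZONES):
    """True if the CA identified by ca_domain may issue a non-wildcard cert."""
    rrset = relevant_rrset(fqdn, zones)
    # An unrecognised tag marked critical forces refusal.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue_values = [value for _, tag, value in rrset if tag == "issue"]
    if not issue_values:
        return True  # no issue property: CAA does not restrict issuance
    # 'issue ";"' parses to an empty issuer, which matches no CA.
    return ca_domain.lower() in issue_values


if __name__ == "__main__":
    for ca in ("coolca.example", "otherca.example"):
        print(ca, "may issue for www.customer.example:",
              may_issue(ca, "www.customer.example"))
```

A customer whose zone inherited the provider default gets a refusal from every CA other than the one named, which is the support call the message anticipates.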

