[cabfpub] Continuing the discussion on CAA
pzb at amzn.com
Mon Oct 24 06:58:16 MST 2016
> On Oct 24, 2016, at 4:37 AM, Gervase Markham via Public <public at cabforum.org> wrote:
> However, to address this, would it be reasonable to add a clause in the
> CAA-related change which said something like: "CAs MUST NOT add (or
> cause or request to be added) CAA records to the DNS without the
> explicit permission of the domain owner."
This could be very problematic for CAs that also do DNS hosting, as it could result in a situation where a user who has authorization to modify any DNS record in a zone could not modify CAA records because they are not the "domain owner”.
While this sounds similar to the argument against CAA, the key difference is that this rule would change permissions without any action. CAA leaves a default action as “allow”, while this would change a default action to “deny”.
More information about the Public