[cabfpub] Continuing the discussion on CAA

Gervase Markham gerv at mozilla.org
Mon Oct 24 11:37:33 UTC 2016

Hi Eneli,

On 24/10/16 12:08, Eneli Kirme via Public wrote:
> But consider this scenario: a hypothetical CoolCA approaching a DNS
> service provider, be it an ISP, domain registrar or some kind of hosting
> provider, with a proposal to include a CAA record pointing to the CoolCA
> into their default configuration. 

I would expect the DNS service provider to refuse, because otherwise
they'll have a lot of angry customers ringing them up, saying "my CA
tells me I can't have a certificate, and it's your fault".

However, to address this, would it be reasonable to add a clause in the
CAA-related change which said something like: "CAs MUST NOT add (or
cause or request to be added) CAA records to the DNS without the
explicit permission of the domain owner."

