[cabfpub] Continuing the discussion on CAA
gerv at mozilla.org
Mon Oct 24 11:37:33 UTC 2016
On 24/10/16 12:08, Eneli Kirme via Public wrote:
> But consider this scenario: a hypothetical CoolCA approaching a DNS
> service provider, be it an ISP, domain registrar or some kind of hosting
> provider, with a proposal to include a CAA record pointing to the CoolCA
> into their default configuration.
I would expect the DNS service provider to refuse, because otherwise
they'll have a lot of angry customers ringing them up, saying "my CA
tells me I can't have a certificate, and it's your fault".
However, to address this, would it be reasonable to add a clause in the
CAA-related change which said something like: "CAs MUST NOT add (or
cause or request to be added) CAA records to the DNS without the
explicit permission of the domain owner."
More information about the Public