[cabfpub] Continuing the discussion on CAA

Gervase Markham gerv at mozilla.org
Mon Oct 24 14:26:52 UTC 2016

On 24/10/16 14:58, Peter Bowen wrote:
> This could be very problematic for CAs that also do DNS hosting, as
> it could result in a situation where a user who has authorization to
> modify any DNS record in a zone could not modify CAA records because
> they are not the "domain owner".

Then we need a better definition of "domain owner". The intent is clear
- CAs should not be editing the DNS, or asking ISPs etc. to edit the
DNS, to add themselves to CAA. The only person they should suggest this
to is the _customer_ - the certificate purchaser. If they are the DNS
host, they can have a checkbox on the control panel or some other
affirmative method of gaining consent, but they can't simply add a CAA
record for themselves without asking the domain owner.

If you can think of better wording, shoot :-)
