New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
CAA records in DNS
Sertifitseerimiskeskus held their ground, but the CA/Browser Forum ultimately voted to require CAA checking starting September 2017:
https://cabforum.org/pipermail/public/2017-March/009988.html
Who currently supports CAA records in their products? Cloudflare and cPanel don't. Will this be a hard or soft deadline? Does anybody even listen to / accept the authority of the CA/Browser Forum?
For those unfamiliar: https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
DNS Certification Authority Authorization (CAA) uses the Internet's Domain Name System to allow the holder of a domain to specify which certificate authorities (CAs) are allowed to issue certificates for that domain.
Comments
As I understand it the mandatory bit applies to the checking not to the publishing. If you're a bank etc. nervous about certificate hijacking and choose to publish a CAA record for your chosen CA then this move will ensure it's checked and honoured by other CA's. I don't believe there's any planned requirement for all SSL requests to need to have a CAA record to check.
Kloxo-MR 7.0 already implementing 'CAA record'.
See 'https://www.ssllabs.com/ssltest/analyze.html?d=forum.mratwork.com' for example.
We do