Hacker News

aleksejs, yesterday at 11:35 PM

> This is imperfect, as CAA record validation is not mandatory yet. But by March 2027 all the CAs are supposed to have support.

Is that true? My read of Section 1.2.1 in [1] suggests CAA checking has been mandatory since 2017‐09‐08.

[1] https://cabforum.org/working-groups/server/baseline-requirem...


Replies

mcpherrinm, today at 12:03 AM

CAA checking is mandatory, so you can always restrict to a given CA.

To get complete control with DNSSEC, you also need the accounturi and validationmethod extensions (which you need to guarantee only your account can issue, and only with the DNS validation type).

Those aren't yet mandatory, but you can restrict to a CA today which implements them, like Let's Encrypt.

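As an added illustration of the restriction mcpherrinm describes (example code, not from any commenter or from Let's Encrypt), the check below applies CAA `issue` records that carry the RFC 8657 parameters, which the RFC spells `accounturi` and `validationmethods`. The account URI is a constructed placeholder in the shape of a Let's Encrypt ACME account URL.

```python
"""Policy check over a zone's CAA 'issue' records, honouring the RFC 8657
accounturi and validationmethods parameters. Added example; the account
id below is a constructed placeholder, not a real account."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CaaIssue:
    issuer: str                     # CA domain; "" means "no CA may issue"
    params: Dict[str, str] = field(default_factory=dict)


def parse_issue(value: str) -> CaaIssue:
    """Parse an 'issue' property value such as
    'letsencrypt.org; accounturi=...; validationmethods=dns-01'."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return CaaIssue(parts[0].lower(), params)


def issuance_permitted(records: List[str], ca: str,
                       account_uri: Optional[str], method: str) -> bool:
    """True if some 'issue' record names `ca` and, where present, its
    accounturi matches exactly and its validationmethods lists `method`.
    Callers pass the full record set; an empty CAA set is out of scope."""
    for raw in records:
        rec = parse_issue(raw)
        if rec.issuer != ca.lower():
            continue
        want_acct = rec.params.get("accounturi")
        if want_acct is not None and want_acct != account_uri:
            continue
        methods = rec.params.get("validationmethods")
        if methods is not None and method not in [
                m.strip() for m in methods.split(",")]:
            continue
        return True
    return False


# Constructed sample zone: pin issuance to one Let's Encrypt account and to
# DNS-based validation only, as the comment above recommends.
ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/000000"
SAMPLE_RECORDS = [
    f"letsencrypt.org; accounturi={ACCOUNT}; validationmethods=dns-01",
]
```

A request from the pinned account over dns-01 passes; any other CA, account or validation method (or a bare `issue ";"` record) is refused.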
8organicbits, today at 12:12 AM

I have it partially right. The extensions are not yet mandatory.

https://www.feistyduck.com/newsletter/issue_137_acme_caa__ex...