Hi,
In the security considerations, specifically 5.6, we omit the trivial
but most pertinent risk: the CAA record type must be implemented by all
CAs in order to be fully effective. Any CA that does not honor CAA can
potentially (mis-)issue a rogue cert for the domain in question.
I suspect that this is by far not the case today. In fact many managed
DNS servers still do not support this record type either.
Thanks,
Yaron
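The risk raised above is that CAA only constrains issuers that actually perform the check. The following is an added example, not part of Yaron's message or of the ACME draft it comments on: an offline model of the RFC 8659 CAA lookup (climb from the FQDN toward the root, use the first CAA RRset found, then match the issuer's domain against the issue/issuewild properties) beside a toy issuer that skips the check. The zone data, the issuer names (ca-one.example, ca-two.example) and the helper names are all constructed for illustration; a real issuer would resolve the RRsets with a validating resolver rather than read them from a dict.

```python
"""Added example: minimal CAA issuance check (RFC 8659 style) and a model of
why it only helps when every CA honors it. Zone data is constructed inline."""

from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (128) = issuer-critical
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str   # issuer domain, optionally followed by ";parameters"; ";" alone = nobody


# Constructed DNS tree: owner name -> CAA RRset (empty list = no CAA at that name).
ZONE = {
    "example.com.": [CAARecord(0, "issue", "ca-one.example")],
    "sub.example.com.": [],                                   # inherits via tree climb
    "locked.example.com.": [CAARecord(0, "issue", ";")],      # no issuer at all
    "wild.example.com.": [CAARecord(0, "issue", "ca-one.example"),
                          CAARecord(0, "issuewild", ";")],    # wildcard forbidden
    "nocaa.test.": [],                                        # nothing on the path
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn, zone=ZONE):
    """RFC 8659 section 3: return the CAA RRset of the query name or of its
    closest ancestor that has one; [] if no name on the path carries CAA."""
    name = fqdn if fqdn.endswith(".") else fqdn + "."
    labels = name.split(".")
    for i in range(len(labels) - 1):          # "a.b.c.", "b.c.", "c."
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def _issuer_domain(value):
    """The issuer identity is the part of the value before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(fqdn, ca_domain, wildcard=False, zone=ZONE):
    """True if the issuer identified by ca_domain is permitted to issue for fqdn."""
    rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True                             # no CAA anywhere: unrestricted
    if any(r.tag not in KNOWN_TAGS and r.flags & 128 for r in rrset):
        return False                            # unknown critical property: refuse
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in rrset if r.tag == tag]
    if wildcard and not relevant:               # no issuewild: issue governs wildcards
        relevant = [r for r in rrset if r.tag == "issue"]
    if not relevant:
        return True                             # only e.g. iodef present: no restriction
    return ca_domain.lower() in {_issuer_domain(r.value) for r in relevant}


def issuance_outcome(fqdn, ca_domain, honors_caa, zone=ZONE):
    """Model of the concern in the message: an issuer that never consults CAA
    issues regardless of what the domain owner published."""
    if not honors_caa:
        return "issued"
    return "issued" if ca_may_issue(fqdn, ca_domain, zone=zone) else "refused"


if __name__ == "__main__":
    for name in ("sub.example.com", "locked.example.com", "nocaa.test"):
        for ca in ("ca-one.example", "ca-two.example"):
            print(f"{name:20} {ca:16} honoring CA: {issuance_outcome(name, ca, True):8}"
                  f" ignoring CA: {issuance_outcome(name, ca, False)}")
```

Running the block prints one line per name and issuer; the "ignoring CA" column is "issued" in every row, which is the gap the message points at: the record restricts only the issuers that read it, so the domain owner's protection is bounded by the least diligent CA, not by the record.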
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme