> In the security considerations, specifically 5.6, we omit the trivial but
> most pertinent risk: the CAA record type must be implemented by all CAs in
> order to be fully effective. Any CA that does not honor CAA can potentially
> (mis-)issue a rogue cert for the domain in question.
>
> I suspect that this is by far not the case today. In fact many managed DNS
> servers still do not support this record type either.

I think it's implied that all security considerations applicable to CAA are inherited by ACME-CAA. But the specification could probably stand to be more clear about this.

Hugo Landau
