Yes, I thought there was an exemption for that also. The A-DNS operator could always just momentarily change the records to authorize anyway, so why bother with the check?

On Wed, Jul 25, 2018 at 4:21 PM, Quirin Scheitle via dev-security-policy <[email protected]> wrote:

> Hi Michel,
>
> > On 23. Jul 2018, at 22:36, michel.lebihan2000--- via dev-security-policy <[email protected]> wrote:
> >
> > I think my domain registrar just violated my CAA by issuing that
> > certificate. Were they allowed to issue this certificate?
>
> the name servers for lebihan.pl are ns[1-3].nazwa.pl. , which indicates
> that your hoster (nazwa.pl) also operates your name servers.
>
> The certificate is issued by nazwaSSL, which links to Certum's roots.
>
> Checking against current version 1.6.0 of BRs, Sec 3.2.2.8 reads:
>
> "CAA checking is optional if the CA or an Affiliate of the CA is the DNS
> Operator (as defined in RFC 7719) of the domain's DNS."
>
> So, if I am not mistaken at some step, this is probably OK per current CAB
> BRs.
>
> Kind regards
> Quirin
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

