Ryan Sleevi via dev-security-policy <[email protected]> wrote:
> I don't think we here will really be able to do anything for this; as you
> note, this is really a question about fundamental DNS specification, and
> whether or not other records can live alongside a CNAME. That seems like
> it'd be IETF's DNS group?
Fair. I was just wondering if this group had any concerns or opinions on the matter.

> If CDN wants to restrict what CAs its customers use (e.g. because the CDN
> provisions certificates), having the CDN set CAA seems fine. If the CDN
> does not want to restrict, it's not clear that having the "original" site
> restrict is necessarily good or desirable?

To me, the value in being able to do that is that I can allow one-offs for certain subdomains of a domain for which I already have CAA records set. I.e., I don't want to open the second-level domain entirely to whichever CA the 3rd-party app uses, but I do want the 3rd-party app to get their certs for that one subdomain.

It's alright if others don't see value in that; as you said (and I agree), it's ultimately a DNS question, so I can take it there.

-Jan

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
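The situation Jan describes can be seen concretely by running the CAA lookup a CA performs. The code below is an added example, not part of the thread and not any CA's or DNS vendor's code; it implements the RelevantCAASet algorithm from RFC 8659 section 3 (CAA(X) chases CNAME aliases as a resolver would, then the lookup climbs the parents of the originally queried name) and the issue/issuewild checks from section 4, over a small constructed zone. All names (example.com, app.example.com, edge.cdn.example, ca-a.example, ca-b.example and the rest) are made up for the illustration. Because a CNAME owner name cannot also carry a CAA record, a CNAMEd subdomain such as app.example.com takes its effective CAA set either from the alias target (if the CDN publishes one there) or, when the target has none, from the parent zone; a CA the parent's CAA does not list is then refused for that subdomain.

```python
"""RFC 8659 CAA lookup over a constructed toy zone (example code, not from the thread)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CAARecord:
    flags: int   # bit 0x80 is the issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "ca-a.example" or "ca-a.example; account=123"


@dataclass
class Node:
    cname: Optional[str] = None
    caa: List[CAARecord] = field(default_factory=list)


# Constructed toy DNS data; names are fully qualified without the trailing dot.
ZONE: Dict[str, Node] = {
    "example.com": Node(caa=[CAARecord(0, "issue", "ca-a.example"),
                             CAARecord(0, "issuewild", ";")]),   # no wildcard issuance at all
    "app.example.com": Node(cname="edge.cdn.example"),          # CNAME only: no CAA can live here
    "shop.example.com": Node(caa=[CAARecord(0, "issue", "ca-b.example")]),
    "edge.cdn.example": Node(),                                 # CDN that does not restrict
    "restricted.cdn.example": Node(caa=[CAARecord(0, "issue", "ca-b.example")]),
    "managed.example.com": Node(cname="restricted.cdn.example"),
}

MAX_ALIAS_DEPTH = 8


def caa(name: str, zone: Dict[str, Node] = ZONE) -> List[CAARecord]:
    """CAA(X) from RFC 8659 section 3: the CAA RRset at X after chasing CNAME
    aliases the way a resolver does. Returns [] when the RRset is empty."""
    seen = set()
    while True:
        node = zone.get(name)
        if node is None:
            return []
        if node.cname is None:
            return list(node.caa)
        if name in seen or len(seen) >= MAX_ALIAS_DEPTH:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = node.cname


def parent(name: str) -> str:
    """Parent(X): strip the leftmost label; the parent of a TLD is the root."""
    return name.partition(".")[2] or "."


def relevant_caa_set(name: str, zone: Dict[str, Node] = ZONE) -> List[CAARecord]:
    """RelevantCAASet(X): climb from X toward the root and return the first
    non-empty CAA(X). Only the parents of the queried name are climbed, not
    the parents of any CNAME target."""
    while name != ".":
        rrset = caa(name, zone)
        if rrset:
            return rrset
        name = parent(name)
    return []


def issuance_permitted(name: str, ca_id: str, wildcard: bool = False,
                       zone: Dict[str, Node] = ZONE) -> bool:
    """RFC 8659 section 4 decision for a CA identified by ca_id."""
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is not restricted
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 0x80 and r.tag.lower() not in known for r in rrset):
        return False  # critical property we do not understand: must not issue
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild governs wildcards only when present
    governing = [r for r in rrset if r.tag.lower() == tag]
    if not governing:
        return True  # RRset present (e.g. only iodef) but no restricting property
    # The issuer domain is the part before any ";"-separated parameters; ";" alone means "nobody".
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in governing}
    return ca_id.lower() in allowed


if __name__ == "__main__":
    for fqdn in ("app.example.com", "managed.example.com", "shop.example.com"):
        print(fqdn, "ca-a:", issuance_permitted(fqdn, "ca-a.example"),
              "ca-b:", issuance_permitted(fqdn, "ca-b.example"))
```

With the constructed zone, app.example.com (CNAME to a CDN name with no CAA) inherits example.com's set, so ca-b.example is refused there even though the CNAME itself cannot carry an override; managed.example.com, whose CDN target does publish CAA, takes the target's set instead, which is the arrangement the quoted reply suggests.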

