CAs that act as DNS operators will be required to check CAA records when issuing certificates
On closer review, the CA/Browser Forum found that section 3.2.2.8 of the current rules for issuing SSL/TLS certificates (the Baseline Requirements) contains a gap in CAA checking.
Currently, section 3.2.2.8 allows a CA to skip the CAA check for a domain if the CA (or an affiliate of the CA) is the DNS operator of that domain.
The exemption leans on the definition of a DNS operator in RFC 7719 (DNS Terminology), which describes the DNS operator only as the entity responsible for running a zone's authoritative servers; it says nothing about how a CA is supposed to demonstrate that it actually holds that role for a given domain. Under that definition the CA may skip the CAA lookup, but only for the domain it actually operates: every other name in each certificate it issues must still be checked.
This led to disagreement among the CAs, some of which claimed to be the DNS operator of a domain without any confirmation of that role, which the current rules do not actually permit.
To close the gap, from July 1, 2021 a CA will have to perform the CAA check even when it is the DNS operator. This removes the ambiguity in the issuance rules that CAs have to follow.
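For readers who want to see what the check a CA has to run actually looks like, here is an added example of an offline CAA authorization decision. It is not code from the CA/B Forum or from any CA; it follows the "relevant record set" walk from RFC 8659 section 3 and the issue/issuewild semantics of sections 4.2 and 4.3. The zone contents, the CA identifiers and the `zone_lookup` stand-in for a real DNS query are all constructed for this example.

```python
"""Offline CAA check: added example, not CA/B Forum or CA code.
Record walk per RFC 8659 s3; issue / issuewild / critical-flag handling
per s4.1-4.3.  All zone data below is constructed, not real DNS."""
from typing import Callable, Dict, List, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value) as carried in a CAA RR

# Constructed sample zone for this example (assumption; not real DNS data).
SAMPLE_ZONE: Dict[str, List[CaaRecord]] = {
    "example.com.": [(0, "issue", "ca-a.example"), (0, "issuewild", ";")],
    "sub.example.com.": [(0, "issue", "ca-b.example; accounturi=urn:example:1")],
    "locked.example.com.": [(128, "futuretag", "x")],  # critical flag, unknown tag
}


def zone_lookup(owner: str) -> List[CaaRecord]:
    """Stand-in for a real CAA query: the CAA RRset at `owner`, or [] if none."""
    return list(SAMPLE_ZONE.get(owner, []))


def parent(name: str) -> str:
    """Strip the leftmost label of an absolute name; the root is '.'."""
    rest = name[name.index(".") + 1:]
    return rest or "."


def relevant_caa_set(fqdn: str, lookup: Callable[[str], List[CaaRecord]]) -> List[CaaRecord]:
    """RFC 8659 s3: walk from the FQDN toward the root and return the first
    non-empty CAA RRset.  An empty list means no CAA policy applies."""
    name = fqdn.lower().rstrip(".") + "."
    while name != ".":
        rrset = lookup(name)
        if rrset:
            return rrset
        name = parent(name)
    return []


def issuer_domain(value: str) -> str:
    """issue/issuewild value is '<issuer-domain>[; param=value ...]'.
    An empty issuer domain (the value ';') authorizes no CA at all."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def ca_may_issue(fqdn: str, ca_identifiers, lookup=zone_lookup) -> bool:
    """True if a CA known by any of `ca_identifiers` may issue for `fqdn`."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn
    rrset = relevant_caa_set(base, lookup)
    if not rrset:
        return True  # no CAA RRset anywhere up the tree: issuance unrestricted
    # s4.1: a critical-flagged record with a tag we do not understand forbids
    # issuance no matter what the issue records say
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 0x80 and tag.lower() not in known for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # s4.3: issuewild governs a wildcard name only when present; else issue applies
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # e.g. an RRset holding only iodef records restricts nothing
    mine = {c.lower().rstrip(".") for c in ca_identifiers}
    return any(issuer_domain(v) in mine for v in governing)


if __name__ == "__main__":
    for name, ca in [("www.example.com.", "ca-a.example"),
                     ("*.example.com.", "ca-a.example"),
                     ("deep.sub.example.com.", "ca-a.example"),
                     ("*.sub.example.com.", "ca-b.example"),
                     ("locked.example.com.", "ca-a.example")]:
        print(f"{name:24} {ca:14} -> {ca_may_issue(name, {ca})}")
```

Two details matter in practice. The walk stops at the first non-empty RRset, so a record at `sub.example.com.` completely shadows the one at `example.com.` for names below it, and the parent's `issuewild ";"` never applies to `*.sub.example.com.`. And a CA's own identifier set is what gets matched against the issuer domain, so a CA that operates the zone gains nothing from that fact: the decision depends only on the records, which is exactly why skipping the lookup was a gap.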
Subscribe to our updates to stay up to date on SSL developments.