by jedisct1
3512 days ago
If the DNS zones have CAA records that don't include Let's Encrypt, clients should refuse to use the new certificates. That would be a problem (provided that CAA working as expected can be qualified as a problem) if the original certificates were still valid. But with expired certificates, there is nothing to lose.
Let's Encrypt obeys CAA: if you try to validate for a domain which has a CAA record saying e.g. "Only Symantec may issue for this domain", Let's Encrypt's software will reject the validation. Current Baseline Requirements don't require this of a CA (they're required to document what they do with CAA, but most picked "soft fail", i.e. they will issue but maybe do extra scrutiny) because they feared it would be used somehow in an anti-competitive way.
Client software like Firefox, or Internet Explorer, ignores CAA altogether, as described in the design of CAA.
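To make the CAA behaviour discussed in this thread concrete, here is an added example (my own code, not from any poster, Let's Encrypt, or any CA) that implements the issuer-side CAA check from RFC 6844/8659 over a constructed, in-memory zone instead of live DNS: climb from the name to the closest ancestor that has a CAA RRset, honour `issue` and `issuewild` tags (with `";"` meaning "nobody may issue"), refuse on an unrecognised tag marked critical, and treat the absence of any CAA data as "any CA may issue". The zone contents, the domain names and the CA identifiers are all constructed sample values; the wildcard handling (using the base name's relevant RRset) follows my reading of RFC 8659. Note that this is logic a CA runs before issuing; as the reply above says, browsers do not evaluate CAA at all.

```python
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # CAA flags bit: issuer must understand this tag or refuse
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed sample zone data (not real DNS records). Keys are FQDNs with a trailing dot.
ZONE = {
    "example.com.": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com.": [CAA(0, "issue", ";")],          # nobody may issue
    "wild.example.com.": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", "symantec.com"),                  # wildcards: a different CA
    ],
    "param.example.com.": [CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01")],
    "strict.example.com.": [
        CAA(ISSUER_CRITICAL, "futuretag", "x"),               # critical tag this code doesn't know
        CAA(0, "issue", "letsencrypt.org"),
    ],
}


def relevant_rrset(name: str, zone: dict) -> list:
    """Return the CAA RRset of the closest ancestor-or-self of `name` that has one.

    RFC 8659 section 3: start at the FQDN and walk towards the root, stopping at
    the first non-empty CAA RRset. No RRset anywhere means "no restriction".
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate, [])
        if rrset:
            return rrset
    return []


def ca_identifier(value: str) -> str:
    """Extract the issuer domain from an issue/issuewild value, dropping parameters.

    'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''.
    """
    return value.split(";", 1)[0].strip().lower()


def may_issue(name: str, ca: str, zone: dict = ZONE) -> bool:
    """Decide whether `ca` is permitted by CAA to issue a certificate for `name`."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    rrset = relevant_rrset(base, zone)
    if not rrset:
        return True  # no CAA data up the tree: any CA may issue

    # An unrecognised tag with the critical flag set forbids issuance outright.
    for rr in rrset:
        if rr.flags & ISSUER_CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False

    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    # Wildcard names are governed by issuewild when present, otherwise by issue.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # only non-restricting tags (e.g. iodef): no restriction
    return any(ca_identifier(rr.value) == ca.lower() for rr in governing)


if __name__ == "__main__":
    for fqdn, ca in [("www.example.com.", "letsencrypt.org"),
                     ("www.example.com.", "symantec.com"),
                     ("*.wild.example.com.", "symantec.com"),
                     ("locked.example.com.", "letsencrypt.org")]:
        print(f"{ca:16} -> {fqdn:22} {'permitted' if may_issue(fqdn, ca) else 'REFUSED'}")
```

The `locked.example.com.` entry shows how the `issue ";"` form blocks every CA, which is the setting a zone owner would use to stop issuance entirely; `strict.example.com.` shows why a CA whose CAA code is out of date must refuse rather than guess when it sees a critical tag it doesn't understand.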