this make me raise a question, if a ACME client given API for edit dns record for domain A and CAA currently not allow the CA it configured to ask certificate would it ethical to client insert that CA into CAA record of the domain A?
what if explicit --server option was given so user give intention to use that CA?
IIRC cloudflare does that for their "universal certificate" Certificate issued despite CAA record
6 Likes