Enabling ACME CAA Account and Method Binding

Today we are enabling ACME CAA Account and Method Binding in our production environment.

Certification Authority Authorization (CAA), specified by RFC 8659, is a feature that allows ACME clients to use a specific DNS record to limit which Certificate Authorities are allowed to issue for that domain name. Let's Encrypt has supported CAA for many years, and support for it is mandated by the Baseline Requirements for all CAs.

Account Binding and Validation Method Binding are two extensions to CAA specified by RFC 8657.

Subscribers who wish to limit the sets of domain control validation methods (i.e. DNS-01, HTTP-01, and/or TLS-ALPN-01) which can be used to demonstrate control over their domain name can include those methods in the "validationmethods" parameter of their CAA records.

Subscribers who wish to limit issuance to a specific ACME account can include that account's unique URL (as returned by the new-account endpoint with onlyReturnExisting set) in the "accounturi" parameter of their CAA records.

Please see the RFCs linked above for exact specifications of the proper format of a CAA record.

These features have been enabled in Staging for a significant amount of time (over a year). We do not expect to see any breakages as a result of enabling them in Production. If you observe any unexpected failures, please double-check your CAA records. If that does not resolve your issue, as always please post in the Help category of this forum.

25 Likes
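As an added example (not code from the announcement or from Let's Encrypt), the following Python checker parses CAA `issue` record values carrying the RFC 8657 `accounturi` and `validationmethods` parameters described above and decides whether a given CA, ACME account URI and validation method would be permitted; the record values and the account URI are constructed placeholders.

```python
# Added example: evaluate CAA issue records with RFC 8657 account and method binding.
# Sample record values and the account URI are constructed placeholders, not real data.
from dataclasses import dataclass, field


@dataclass
class CaaIssue:
    ca: str                              # issuer domain name, "" means "no CA may issue"
    params: dict = field(default_factory=dict)


def parse_issue_value(value: str) -> CaaIssue:
    """Parse a CAA issue/issuewild value of the form 'ca-domain; key=val; key=val'."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        params[key.strip().lower()] = val.strip()
    return CaaIssue(parts[0].lower(), params)


def issuance_permitted(records, ca: str, account_uri: str, method: str) -> bool:
    """True if at least one issue record permits this CA for this account and method.

    `records` is the list of CAA issue values found for the name. An empty list
    models "no CAA record present", which places no restriction on issuance.
    """
    if not records:
        return True
    for raw in records:
        rec = parse_issue_value(raw)
        if rec.ca != ca.lower():
            continue                      # record names a different CA
        acct = rec.params.get("accounturi")
        if acct is not None and acct != account_uri:
            continue                      # bound to another ACME account (exact string match)
        methods = rec.params.get("validationmethods")
        if methods is not None:
            allowed = {m.strip().lower() for m in methods.split(",")}
            if method.lower() not in allowed:
                continue                  # method not in the allow list
        return True
    return False


# Constructed sample zone: Let's Encrypt bound to one account and DNS-01 only,
# plus an unrestricted hypothetical CA. The account path is a placeholder.
SAMPLE_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER"
SAMPLE_RECORDS = [
    f"letsencrypt.org; validationmethods=dns-01; accounturi={SAMPLE_ACCOUNT}",
    "ca.example",
]
```

Run `issuance_permitted(SAMPLE_RECORDS, "letsencrypt.org", SAMPLE_ACCOUNT, "http-01")` to see the method binding reject an otherwise valid request, which is the kind of failure to look for when double-checking CAA records after this change.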

We are postponing this to tomorrow. Sorry about that, and happy holidays!

14 Likes

CAA account and method binding are now enabled in production.

13 Likes