RFC 8657 CAA extension in production

Let's Encrypt initially implemented partial support for what would eventually become a standard in RFC 8657 in May 2018 (ACME-CAA "validationmethods" support). This was deployed to staging, but deployment to production was halted as (multiple) problems were encountered.

Since then some years have passed and I believe that all issues originally blocking this have now been resolved? I would therefore like to ask if this is something that could be enabled in production in the near future. I really like the concept of being able to restrict issuance to certain challenges, so I'm really hoping that this is now ready to move into production.

[I just issued a test cert via HTTP-01 on a domain that has the new validationparameters set to dns-01 only. On staging I get "CAA record prevents issuance" as expected, but production issues the cert without complaining, so it's still not active there]

7 Likes
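The check the test above exercises, as an added example that is not Let's Encrypt's or Boulder's code: a minimal evaluator for RFC 8657 parameters on CAA `issue` records. It assumes the CAA record lookup (RFC 8659 tree climbing) has already been done and only the `issue` property values are passed in; the sample records, and the decision to treat unknown parameter tags as non-permitting, are this example's own.

```python
from dataclasses import dataclass, field

# Parameter tags defined by RFC 8657 for ACME CAs.
KNOWN_PARAMS = {"validationmethods", "accounturi"}

@dataclass
class IssueRecord:
    issuer: str                 # issuer-domain-name; "" means "no CA may issue"
    params: dict = field(default_factory=dict)

def parse_issue_value(value: str) -> IssueRecord:
    """Parse one CAA `issue` property value, e.g.
    'letsencrypt.org; validationmethods=dns-01,tls-alpn-01'."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        tag, val = p.split("=", 1)
        params[tag.strip().lower()] = val.strip()
    return IssueRecord(parts[0].lower(), params)

def record_permits(rec: IssueRecord, ca: str, method: str, account_uri=None) -> bool:
    """Does this single record permit `ca` to issue using ACME `method`?"""
    if rec.issuer != ca.lower():
        return False
    # Conservative choice for this example: a tag we do not understand
    # might be a restriction, so the record is treated as not permitting.
    if set(rec.params) - KNOWN_PARAMS:
        return False
    methods = rec.params.get("validationmethods")
    if methods is not None:
        allowed = {m.strip().lower() for m in methods.split(",") if m.strip()}
        if method.lower() not in allowed:
            return False
    uri = rec.params.get("accounturi")
    if uri is not None and uri != account_uri:
        return False
    return True

def caa_permits(issue_values, ca: str, method: str, account_uri=None) -> bool:
    """Issuance is allowed if at least one `issue` record permits it; an
    empty record set (no relevant CAA records found) imposes no restriction."""
    if not issue_values:
        return True
    return any(record_permits(parse_issue_value(v), ca, method, account_uri)
               for v in issue_values)
```

With the constructed record `letsencrypt.org; validationmethods=dns-01`, `caa_permits(..., "http-01")` returns False and `caa_permits(..., "dns-01")` returns True, which is the staging behaviour the post describes.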

Yes, I believe the blocking issues are all resolved. What's needed now is just some dedicated time from Boulder devs to go over the spec and implementation with a fine-toothed comb and make sure we're 100% correct there. Since CAA checking is part of our compliance duties, it's particularly important that we not get it wrong in any way. Apologies for letting the implementation drag out so long - it's something we'd still like to make happen.

11 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.