The BRs permit CAs to bypass CAA checking for a domain if "the CA or
an Affiliate of the CA is the DNS Operator (as defined in RFC 7719)
of the domain's DNS."
Much like the forbidden "any other method" of domain validation, the DNS
operator exception is perilously under-specified. It doesn't say
On Mon, Feb 8, 2021 at 1:40 PM Andrew Ayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> The BRs permit CAs to bypass CAA checking for a domain if "the CA or
> an Affiliate of the CA is the DNS Operator (as defined in RFC 7719)
> of the domain's DNS."
>
> Much like the
2 matches
Mail list logo
