CAs required to check DNS CAA RR
Interesting, finally some more security measures for issuing certificates.
DigiCert just sent this email out. Doing only this is not totally foolproof, but it is a small step that will hopefully make all the difference in the long term.
CAs Required to Abide by DNS CAA Resource Records Starting September 8, 2017
Starting September 8, 2017, Certificate Authorities (CAs) are required to check, process, and abide by a domain’s DNS Certification Authority Authorization (CAA) resource records (RRs) before a certificate can be issued to the requestor.
Note: If you are not using CAA resource records, this change does not directly affect you. We will continue to issue your certificates as before.
Prior to issuing a certificate, a CA will check the CAA RRs to establish whether they can issue a certificate for a domain. A CA can issue a certificate for a domain if a record for the domain doesn’t exist or if a record for the domain exists authorizing the CA to issue that type of certificate for the domain.
If you have or are planning to create CAA RRs for your domain(s), please see DNS CAA Resource Record Check.
CAA Resource Record Not Required
A CAA resource record is NOT REQUIRED for DigiCert to continue issuing certificates for your domains. The information provided concerning these records is only important if you already have CAA resource records set up for any of your domains or if you would like to add CAA resource records for your domains.
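The check the email describes, written out as an added example (not DigiCert's code or part of the email). It follows the CAA evaluation rules in RFC 8659 and generalizes slightly beyond the email by covering parent-domain lookup and critical flags. The zone data is constructed, and the issuer identifiers `digicert.com` and `other-ca.example` are assumptions made for illustration.

```python
# Constructed sample data: name -> list of (flags, tag, value) CAA records.
# The issuer identifiers used here are assumptions for illustration.
SAMPLE_ZONE = {
    "example.com": [(0, "issue", "digicert.com"), (0, "issuewild", ";")],
    "dev.example.com": [(0, "issue", "other-ca.example")],
    "example.org": [(0, "iodef", "mailto:sec@example.org")],
}

def relevant_rrset(zone, fqdn):
    """Climb from fqdn toward the root; return the first non-empty CAA RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def ca_may_issue(zone, name, ca_domain):
    """True if the CA identified by ca_domain may issue for name ('*.' = wildcard)."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(zone, name[2:] if wildcard else name)
    if not rrset:
        return True  # no CAA record at the name or any parent: unrestricted
    known = {"issue", "issuewild", "iodef"}
    # A critical (flag bit 0x80) property the CA does not understand blocks issuance.
    if any(flags & 0x80 and tag.lower() not in known for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # For wildcard names, issuewild takes precedence over issue when present.
    values = issuewild if (wildcard and issuewild) else issue
    if not values:
        return True  # RRset holds nothing that restricts this type of certificate
    # Value is "<issuer-domain>[; parameters]"; a bare ";" authorizes no CA.
    return any(v.split(";")[0].strip().lower() == ca_domain.lower() for v in values)

if __name__ == "__main__":
    for name in ("www.example.com", "*.example.com", "api.dev.example.com",
                 "www.example.org", "example.net"):
        print(name, ca_may_issue(SAMPLE_ZONE, name, "digicert.com"))
```

In the sample zone, `issuewild ";"` blocks every wildcard certificate for example.com while the `issue` record still permits non-wildcard ones, and the record on dev.example.com overrides the parent for everything beneath it.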