The Certification Authority Authorization (CAA) DNS Resource Record
allows a DNS domain name holder to specify one or more Certification
Authorities authorized to issue certificates for that domain. CAA
resource records allow a public Certification Authority to implement
additional controls to reduce the risk of unintended certificate mis-issue.
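
As an added illustration (not part of this writeup or of the authors' code), the sketch below shows the kind of check a CA could run before issuance. The property tags `issue`, `issuewild` and `iodef` and the critical flag bit come from the published CAA specification, not from this page. The zone data and CA names are constructed, and alias (CNAME) handling and DNSSEC validation are left out.

```python
# Added example: CAA authorization check over constructed zone data.
# Records are (flags, tag, value) tuples; every name below is made up.
ZONE = {
    "example.com": [(0, "issue", "ca-one.example"), (0, "issuewild", ";")],
    "critical.example.com": [(0, "issue", "ca-one.example"),
                             (128, "futuretag", "x")],
    "iodef-only.example.net": [(0, "iodef", "mailto:sec@example.net")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # high bit of the flags octet


def relevant_rrset(name):
    """Climb from the name toward the root; first non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """Drop parameters after ';'; a bare ';' yields the empty string."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca_domain, requested_name):
    """Return True if CAA does not forbid ca_domain issuing for the name."""
    wildcard = requested_name.startswith("*.")
    rrset = relevant_rrset(requested_name[2:] if wildcard else requested_name)
    # An unrecognized property marked critical blocks issuance outright.
    if any(f & CRITICAL and t.lower() not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise issue.
    policy = issuewild if (wildcard and issuewild) else issue
    if not policy:
        return True  # no restricting property: CAA does not limit issuance
    allowed = {issuer_domain(v) for v in policy} - {""}
    return ca_domain.lower() in allowed
```
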
Working Group Summary
This document might have been pursued in other WGs, specifically
DNSEXT, since it specifies a new DNS record type. It also might have
been pursued in DANE, but the focus of DANE is sufficiently different
that it is probably not a good fit there. Because the document specifies
a DNS record type for use with PKI technology, PKIX was a reasonable
choice for the authors. There was some controversy initially, but that
went away over time.
I am not aware of any existing implementations of the protocol, but
both authors work for a company that is represented by a trust anchor in
browsers and operating systems, and thus it is likely that their
organization will support this proposal via an implementation.
Steve Kent is the Document Shepherd.
Sean Turner is the Responsible Area Director.