kelunik/acme

Add verifier for CAA records

kelunik opened this issue · 2 comments

CAA records are now enforced and issue attempts which are blocked due to CAA give an unhelpful error message currently. A CAA validator should be added to catch such errors early and provide helpful error messages.

cpu commented

@kelunik The idea of validating CAA ahead of time is a good idea 👍 I also wanted to mention that when you POST an authorization's challenge and it fails because of a CAA record that doesn't allow issuance you should get back a problem document in the response that has a clear detail message that can be echoed to the user. Something like "CAA record for example.com prevents issuance".

Wasn't sure what ACME currently reports, but a self-verify like for challenges can be useful anyway.
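The pre-issuance CAA self-check proposed in the issue body, and the "self-verify like for challenges" mentioned in the last comment, can be shown as a small evaluator that applies the RFC 8659 lookup rules to an already-resolved set of CAA records. This is an added example, not code from kelunik/acme; the zone table below is constructed test data standing in for the answers a DNS resolver would return, and the function and record names (`caa_permits`, `CaaRecord`, `relevant_rrset`) are hypothetical. The evaluator climbs from the requested name to the closest ancestor that has CAA records, picks `issuewild` over `issue` for wildcard names, refuses on unknown critical tags, and returns a message in the style the second comment suggests ("CAA record for ... prevents issuance").

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 8659 flag bit 0 (value 128): the tag is critical and must be understood.
ISSUER_CRITICAL = 0x80
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CaaRecord:
    flags: int
    tag: str
    value: str


def relevant_rrset(name: str, zones: Dict[str, List[CaaRecord]]) -> Tuple[Optional[str], List[CaaRecord]]:
    """Climb from `name` toward the root; return the closest non-empty CAA RRset and its owner."""
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":  # a wildcard request is evaluated at its parent
        labels = labels[1:]
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = zones.get(owner, [])
        if rrset:
            return owner, rrset
    return None, []


def parse_issuer(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'ca.example; account=123' into the issuer domain and its parameters.
    An empty issuer (value ';') means no CA at all may issue."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip()] = v.strip()
    return parts[0].lower(), params


def caa_permits(name: str, ca_identifier: str, zones: Dict[str, List[CaaRecord]]) -> Tuple[bool, str]:
    """Decide whether `ca_identifier` may issue for `name`, with a human-readable reason."""
    is_wild = name.startswith("*.")
    owner, rrset = relevant_rrset(name, zones)
    if not rrset:
        return True, f"no CAA records found for {name} or any parent domain"

    # A CA that does not understand a critical tag must not issue.
    for r in rrset:
        if r.tag.lower() not in KNOWN_TAGS and r.flags & ISSUER_CRITICAL:
            return False, f"CAA record for {owner} has unknown critical tag '{r.tag}'"

    wanted = "issue"
    if is_wild and any(r.tag.lower() == "issuewild" for r in rrset):
        wanted = "issuewild"
    restricting = [r for r in rrset if r.tag.lower() == wanted]
    if not restricting:  # e.g. only iodef records: issuance is not restricted
        return True, f"CAA records for {owner} do not restrict {wanted}"

    for r in restricting:
        issuer, _params = parse_issuer(r.value)
        if issuer == ca_identifier.lower():
            return True, f"CAA record for {owner} permits issuance by {ca_identifier}"

    allowed = ", ".join(parse_issuer(r.value)[0] or "<nobody>" for r in restricting)
    return False, f"CAA record for {owner} prevents issuance by {ca_identifier} ({wanted} allows: {allowed})"


# Constructed zone data standing in for real DNS answers.
ZONES: Dict[str, List[CaaRecord]] = {
    "example.com": [
        CaaRecord(0, "issue", "letsencrypt.org"),
        CaaRecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CaaRecord(0, "issue", ";")],
    "wild.example.com": [
        CaaRecord(0, "issuewild", "ca.example.net"),
        CaaRecord(0, "issue", "letsencrypt.org"),
    ],
    "odd.example.com": [CaaRecord(ISSUER_CRITICAL, "futuretag", "x")],
}

if __name__ == "__main__":
    for host in ("www.example.com", "locked.example.com", "*.wild.example.com", "odd.example.com"):
        ok, why = caa_permits(host, "letsencrypt.org", ZONES)
        print(f"{host}: {'OK' if ok else 'BLOCKED'} - {why}")
```

Run before posting the challenge and surface the returned reason to the user; a real client would populate the zone table from CAA queries for the name and each of its parents and should treat a resolver failure as "unknown" rather than "allowed".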