trailofbits/twa

Should CAA check recurse?

AndyA opened this issue · 2 comments

AndyA commented

According to RFC 6844, a certificate authority should search up the DNS hierarchy for a CAA record:

https://tools.ietf.org/html/rfc6844#page-7

Currently twa only checks the actual domain name.

Yes, definitely! That's a bug.

I'll get around to it at some point, but a PR would be greatly appreciated 😄

AndyA commented

Fixed by cb42a3a. Thanks!
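
The parent-label climb this issue asks for, as an added shell example that is not twa's code or the fix in cb42a3a. `lookup_caa` reads constructed sample records in place of a live DNS query, and all function names are hypothetical; it covers only the climb toward the root, not RFC 6844's CNAME/DNAME alias handling.

```shell
#!/bin/sh
# Constructed sample data standing in for live DNS answers, one "name|CAA rdata"
# per line. A real check would query DNS here instead (assumption).
SAMPLE_CAA='example.com|0 issue "letsencrypt.org"
deep.example.org|0 issue ";"'

# lookup_caa NAME: print the CAA rdata published at exactly NAME, or nothing.
# This is the "only checks the actual domain name" behaviour on its own.
lookup_caa() {
    printf '%s\n' "$SAMPLE_CAA" | while IFS='|' read -r owner rdata; do
        if [ "$owner" = "$1" ]; then printf '%s\n' "$rdata"; fi
    done
    return 0
}

# normalize NAME: lowercase and drop a trailing root dot.
normalize() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# relevant_caa DOMAIN: check DOMAIN, then each parent in turn, and print
# "<owner name><TAB><rdata>" for the first name that has CAA records.
# The top-level domain is checked; the root is not. Returns 1 if nothing found.
relevant_caa() {
    name=$(normalize "$1")
    while [ -n "$name" ]; do
        records=$(lookup_caa "$name")
        if [ -n "$records" ]; then
            printf '%s\n' "$records" | while IFS= read -r r; do
                printf '%s\t%s\n' "$name" "$r"
            done
            return 0
        fi
        case "$name" in
            *.*) name=${name#*.} ;;  # drop the leftmost label: a.b.c -> b.c
            *)   name="" ;;          # single label already checked: stop
        esac
    done
    return 1
}

# www.example.com has no CAA of its own; the climb finds the parent's record.
relevant_caa www.example.com
```

A host with no CAA record of its own is still covered by a parent's record, which is why a check limited to the exact name under-reports.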