CAA Test Results

As promised, I’ve been testing Certification Authority Authorization (CAA) with some Certificate Authorities and here’s what I found so far:

Amazon Certificate Manager (ACM)

It does not appear they honor the IODEF since I didn’t receive an email.

Let’s Encrypt appears to also block issuance:

Let’s Encrypt (using lego)

2018/12/29 16:44:30 Could not obtain certificates acme: Error -> One or more domains had a problem:
[www.niem.es] acme: Error 403 - urn:ietf:params:acme:error:caa - Error finalizing order :: Rechecking CAA: While processing CAA for niem.es: CAA record for niem.es prevents issuance, While processing CAA for www.niem.es: CAA record for www.niem.es prevents issuance

Alas, no email received from them either.

If you own a domain, you should certainly configure CAA. It appears to work and is another preventive control against phishing.
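The check behind the "prevents issuance" errors above can be sketched as follows. This is an added example, not code from the original post or from any CA: it applies the RFC 8659 rules (climb from the requested name toward the root, then evaluate `issue`/`issuewild`) to a constructed zone. The `ZONE` records and the `ca.example` identifier are assumptions, and it does no DNS lookups or CNAME handling.

```python
# Added example: RFC 8659 CAA processing over a constructed zone (no DNS queries).
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed records: owner name -> list of (flags, tag, value).
ZONE = {
    "example.com": [
        (0, "issue", "ca.example; account=12345"),   # hypothetical CA identifier
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [(0, "issue", ";")],        # no CA may issue
}

def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; return (owner, records) of the first CAA RRset found."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":          # wildcard requests are checked at the name below '*'
        labels = labels[1:]
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def issuer_of(value):
    """Issuer domain name from an issue/issuewild value, ignoring parameters after ';'."""
    return value.split(";", 1)[0].strip().lower()

def check_issuance(fqdn, ca_id, zone=ZONE):
    """Return (allowed, owner_of_rrset, iodef_urls) for one CA identifier."""
    owner, records = relevant_rrset(fqdn, zone)
    iodef = [v for _, t, v in records if t.lower() == "iodef"]
    # A critical (flag bit 128) property the CA does not understand forbids issuance.
    if any(f & 128 and t.lower() not in KNOWN_TAGS for f, t, _ in records):
        return False, owner, iodef
    issue = [issuer_of(v) for _, t, v in records if t.lower() == "issue"]
    wild = [issuer_of(v) for _, t, v in records if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard names.
    allowed_cas = wild if fqdn.startswith("*.") and wild else issue
    if not allowed_cas:           # only iodef or unknown tags: CAA does not restrict
        return True, owner, iodef
    return ca_id.lower() in allowed_cas, owner, iodef
```

A record set containing only `iodef` does not restrict issuance, so a domain needs at least one `issue` record for the control to take effect.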