I would like to know how I can test if my devices, or browsers¹, check and apply DNS Certification Authority Authorization (CAA) correctly. And if they do not, how I can enable it and enforce CAA to be checked, and the certificate rejected or at least warned about.
I'm mainly interested in testing this on Windows, Linux and Android systems, but information about testing this in Apple macOS or iOS is also welcome. Or, if it's on the application level instead of the OS level, I'm wondering about Firefox and Chromium-based browsers such as Google Chrome, Brave and Microsoft Edge.
¹ If this still applies: https://security.stackexchange.com/questions/180903/why-dont-browsers-check-caa-records-to-help-ensure-a-certificate-is-valid.
>Solution :
There is no "correct checking of CAA by the device or browser". TLS clients like browsers are not in scope of CAA in the first place, it is only intended for certificate authorities. To cite from RFC 6844 about the purpose of CAA:
CAA Resource Records allow a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.
CAA records are also only checked at the time of certificate issuance. The CAA record might change after the certificate was issued but while it is still valid. This means it would be wrong to check the CAA at any time after certificate issuance, which means clients like browsers would not be able to do it properly anyway, since they cannot travel back to the time of issuance to check the CAA at that time.
This is also explained in the RFC itself, which therefore explicitly states
Relying Applications MUST NOT use CAA records as part of certificate validation
…
CAA records MAY be used by Certificate Evaluators as a possible indicator of a security policy violation. Such use SHOULD take account of the possibility that published CAA records changed between the time a certificate was issued and the time at which the certificate was observed by the Certificate Evaluator.
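Since the answer above says CAA is a control applied by the CA at issuance time, the following added example (not part of the original answer) shows what that CA-side decision looks like: climbing from the requested name towards the root to find the relevant CAA RRset, then applying the issue / issuewild / critical-flag rules of RFC 8659 (the successor of RFC 6844). All CAA records are constructed inline, nothing is resolved over the network, and CNAME chasing is assumed to have been done by the resolver; the names and CA domains are made up for illustration.

```python
"""Constructed example: how a CA evaluates CAA (RFC 8659) before issuing.

All records are made up; no DNS queries are made. This models the CA's
issuance-time check only, it is not certificate validation.
"""
from typing import Dict, List, Tuple

CRITICAL = 0x80  # issuer-critical flag bit (RFC 8659 section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

CaaRecord = Tuple[int, str, str]  # (flags, tag, value) as returned by DNS

# Constructed CAA data keyed by FQDN (lower case, trailing dot).
RECORDS: Dict[str, List[CaaRecord]] = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),          # empty issuer: no CA may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com.": [
        (0, "issue", ";"),              # nobody may issue for this name
    ],
    "strict.example.com.": [
        (CRITICAL, "futuretag", "x"),   # unknown tag with the critical flag set
    ],
    "open.example.net.": [
        (0, "iodef", "mailto:ops@example.net"),  # no issue tags: unrestricted
    ],
}


def normalize(name: str) -> str:
    """Lower-case the name and make sure it ends with a single dot."""
    return name.lower().rstrip(".") + "."


def relevant_rrset(records: Dict[str, List[CaaRecord]], fqdn: str) -> List[CaaRecord]:
    """RFC 8659 section 3: the first non-empty CAA RRset found when walking
    from the (wildcard-stripped) name towards the root. Empty list if none."""
    name = normalize(fqdn)
    if name.startswith("*."):
        name = name[2:]
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = records.get(candidate, [])
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """The issuer-domain-name is everything before the first ';'.
    An empty issuer-domain-name (value ';') means 'no CA at all'."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(records: Dict[str, List[CaaRecord]], fqdn: str, ca_domain: str) -> bool:
    """Return True if the CA identified by ca_domain may issue for fqdn."""
    rrset = relevant_rrset(records, fqdn)
    # An unknown property with the critical flag set forbids issuance outright.
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    is_wild = normalize(fqdn).startswith("*.")
    tags = [tag.lower() for _, tag, _ in rrset]
    # issuewild is ignored for non-wildcard names; for wildcard names it
    # replaces issue entirely if at least one issuewild record is present.
    relevant_tag = "issuewild" if (is_wild and "issuewild" in tags) else "issue"
    allowed = [issuer_domain(v) for _, t, v in rrset if t.lower() == relevant_tag]
    if not allowed:
        return True  # no restricting property in the relevant RRset: CAA does not restrict
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("locked.example.com", "letsencrypt.org"),
                     ("strict.example.com", "letsencrypt.org"),
                     ("host.open.example.net", "digicert.com")]:
        print(f"{ca:16} -> {name:24} permitted={caa_permits(RECORDS, name, ca)}")
```

Note what the walk up the tree gives you: `www.example.com` has no CAA records of its own, so the CA uses the set at `example.com`, and the wildcard request is refused even though the CA is listed in `issue`, because `issuewild ";"` takes precedence for wildcard names. Running the same logic in a browser against a certificate it already received would only tell you what the zone looks like now, which, as the answer explains, is exactly why the RFC forbids using it for validation; at most it is a hint worth investigating.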