Even if I think this is probably won't solve much of anything as it is based on "compliant CA", which means will and proper implementation from CAs which proved to do much wrong in the past.
A better way, but with some performance impact for the clients, would be to match the CA's CN with the issuer domain for example, but that's not the direction taken. Anyway let's give it a try.
#1 Updated by Marc Dequènes about 2 years ago
- Status changed from New to Blocked
- % Done changed from 0 to 30
The RRs are ready but commented, as we have 9.9.5 and CAA support is only in 9.9.6 (https://kb.isc.org/article/AA-01210/0/BIND-9.9.6-Release-Notes.html).