Hi,

On Saturday I was able to receive a certificate from Comodo despite the subdomain having a CAA record only allowing Let's Encrypt as the CA. Here's the cert: https://crt.sh/?id=207082245

I have by now heard from multiple other people that confirmed the same. Seems right now Comodo isn't checking CAA at all. There's also a bug in the Mozilla bug tracker: https://bugzilla.mozilla.org/show_bug.cgi?id=1398545

I was originally informed about the lack of CAA checking at Comodo by Michael Kliewe from the mail provider mail.de. However that was before CAA became mandatory. But even back then the Comodo webpage claimed that Comodo would check CAA since at least 12 months: https://support.comodo.com/index.php?/Knowledgebase/Article/View/1204/1/caa-record---certification-authority-authorization

I have covered this also today in a news article for Golem.de [1]

[1] https://www.golem.de/news/tls-zertifikate-zertifizierungsstellen-muessen-caa-records-pruefen-1709-129981.html
google translate: https://translate.google.de/translate?sl=de&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&edit-text=&act=url&u=https%3A%2F%2Fwww.golem.de%2Fnews%2Ftls-zertifikate-zertifizierungsstellen-muessen-caa-records-pruefen-1709-129981.html

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
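Added example, not part of the original message: a sketch of the check a CA is expected to make before issuing, namely finding the closest CAA record set by climbing from the requested name towards the root and comparing the `issue` properties with the CA's own issuer domain. The zone data and `example.*` names are constructed, the function names are hypothetical, and CNAME handling, `issuewild` and issuer parameters are left out.

```python
# Constructed sample zone (assumption, not data from the post):
# owner name -> list of CAA records as (flags, tag, value).
ZONE = {
    "example.com": [(0, "issue", "comodoca.com"),
                    (0, "iodef", "mailto:sec@example.com")],
    "caatest.example.com": [(0, "issue", "letsencrypt.org")],
    "locked.example.com": [(0, "issue", ";")],
    "example.org": [(0, "iodef", "mailto:sec@example.org")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(fqdn, zone):
    """Climb from fqdn towards the root; return (owner, rrset) of the closest CAA set."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def may_issue(fqdn, ca_domain, zone):
    """True if the CA identified by ca_domain may issue a non-wildcard cert for fqdn."""
    _, rrset = relevant_caa(fqdn, zone)
    # An unrecognised property with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # Keep only the issuer domain; anything after ';' is a parameter list.
    issuers = [value.split(";", 1)[0].strip().lower()
               for _, tag, value in rrset if tag.lower() == "issue"]
    if not issuers:  # no CAA set at all, or a set without any "issue" property
        return True
    # 'issue ";"' yields an empty issuer name, which matches no CA.
    return ca_domain.lower() in issuers


if __name__ == "__main__":
    for name in ("www.caatest.example.com", "shop.example.com", "locked.example.com"):
        for ca in ("letsencrypt.org", "comodoca.com"):
            print(f"{name:26} {ca:16} {may_issue(name, ca, ZONE)}")
```

A domain owner can run the same logic against their own records to see which CAs a given name authorises, then compare that with what shows up in Certificate Transparency logs such as crt.sh.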