Documentation of CAA issuance experiments

CAA Issuance Tests

We conduct controlled experiments to analyze whether CAs honor the CAA record, which came into effect on September 8, 2017.

We conduct one round of tests right when the CAA record became effective (around September 9), and a round of re-tests a month later (October 10th).

UPDATE 2017-11-23: We have identified issuance anomalies based on historic DNS records Link

UPDATE 2017-11-15: DigiCert has done an extensive review of our test case D2, and even identified 4 new certificates affected by the same problem. Bugzilla

Test Domain Setups

We set up several test domains to check various corner cases of CAA deployment.
This list has some overlap with the nice work at

Zone files can be found under zonefiles/.

| Domain | Setup | Expected CA Behavior | FQDNs | Zone |
|---|---|---|---|---|
| D1 | Zone signed, CAA: 0 issue ";" | Refuse | | |
| D2 [1] | Zone signed, Timeout on CAA record | Refuse | | |
| D3 | Not signed, issue permitted, but critical flag and nonexistent CAA record set | Refuse | | |
| D4 | Not signed, timeout on CAA record | Retry, then Refuse or Issue | | |
| D5 | www --> D1 | Refuse | | |
| D6 | www --> www.D1 | Refuse or Issue (informational test) | | |
| D7 | hash-ca, issue permissive | Issue (informational test) | | |
| D8 | hash-ca, issue denied | Reject (informational test) | | |

For case D4, the RFC and the CAB Ballot permit a CA to issue. However, CAs may (and maybe should) be more conservative and refuse to issue after a timeout on the CAA record.

[1] More explanation on D2: The zonefile contains an "issue ;" CAA record, and all CAA replies for that zone are dropped. As the zone is signed, even in case of a non-dropped reply, no CA would be authorized to issue.
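The expected behavior for D1 to D4 can be written down as a small CA-side decision function. This is an added example, not code from this repository; `CAALookup`, `decide`, the CA name `ca.example` and the tag `nonexistent` are constructed for illustration, and CNAME handling (D5/D6), hash-ca (D7/D8) and climbing to parent domains are not modelled.

```python
from dataclasses import dataclass, field

KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # property tags defined in RFC 6844

@dataclass
class CAALookup:
    """What the CA's resolver saw for one CAA query (constructed model)."""
    records: list = field(default_factory=list)  # e.g. '0 issue ";"'
    timed_out: bool = False
    zone_signed: bool = False  # DNSSEC-signed zone

def parse_caa(text):
    """Split '<flags> <tag> "<value>"' into (critical, tag, value)."""
    flags, tag, value = text.split(None, 2)
    return bool(int(flags) & 128), tag.lower(), value.strip().strip('"')

def decide(lookup, ca_domain, retries_left=0, conservative=False):
    """Return 'issue', 'refuse' or 'retry' for a non-wildcard request."""
    if lookup.timed_out:
        if lookup.zone_signed:
            return "refuse"   # D2: lookup failure in a signed zone
        if retries_left > 0:
            return "retry"    # D4: retry before deciding
        return "refuse" if conservative else "issue"  # D4: either is allowed
    parsed = [parse_caa(r) for r in lookup.records]
    # D3: a critical record with an unknown tag blocks issuance outright
    if any(crit and tag not in KNOWN_TAGS for crit, tag, _ in parsed):
        return "refuse"
    issue_values = [v for _, tag, v in parsed if tag == "issue"]
    if not issue_values:
        return "issue"        # no issue property: no restriction
    # D1: 'issue ";"' yields an empty issuer name, which matches no CA
    allowed = {v.split(";")[0].strip().lower() for v in issue_values}
    return "issue" if ca_domain.lower() in allowed else "refuse"

# Constructed lookups mirroring the setups D1 to D4
D1 = CAALookup(['0 issue ";"'], zone_signed=True)
D2 = CAALookup(timed_out=True, zone_signed=True)
D3 = CAALookup(['0 issue "ca.example"', '128 nonexistent "x"'])
D4 = CAALookup(timed_out=True)

if __name__ == "__main__":
    for name, lookup in [("D1", D1), ("D2", D2), ("D3", D3), ("D4", D4)]:
        print(name, decide(lookup, "ca.example"))
```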

CA Test Results

The table header contains the expected result.

The first result indicates the result of the first test in September 2017, the second result the re-test in October 2017.

For example (Refused/Issued) indicates that a CA refused to issue in the first test in September, but issued in the re-test in October.

| CA | D1 (R) | D2 (R) | D3 (R) | D4 (Any) | D5 (R) | D6 (Any) | D7 (I) / D8 (R) | Contact |
|---|---|---|---|---|---|---|---|---|
| RapidSSL [1] (Symantec) | Refused/Refused | Refused/Issued (Zone, Bug) | Refused/Refused | Refused/Issued | -/Refused | --/Issued | Issued | 13.10.17, 11:43 CEST |
| Comodo InstantSSL [5] | Issued/Refused | Issued/Issued (Zone)/Issued [4] | Issued/Refused | Issued/Issued (Zone) | -/Refused | -/Issued | -/Issued | 13.10.17, 11:47 CEST |
| LetsEncrypt | Refused/Refused | Refused/Refused | Refused/Refused | Refused/Refused | -/Refused | -/Issued | -/Issued | No need |
| GoDaddy | Refused/Refused | Refused/Refused | Refused/Refused | Issued/Issued | -/Refused | -/Issued | D8: Refused | No need |
| Startcom | Refused/Pending | Issued/Issued (Bug) | Refused/Refused | Refused/Issued | -/Issued (Zone, Bug) | -/Issued | -/Issued | 16.10.17, 15:15 CEST |
| Buypass [2] | Refused/Refused | Issued/Refused | Refused/Refused | Cancelled/Issued | -/Refused | -/Refused | D8: Refused | No need |
| Certum | Refused/Refused | Issued/Refused | Refused/Issued (Zone, Bug) | Issued/Issued | -/Issued (Zone, Bug) | -/Issued | -/Issued | 16.10.17, 14:16 CEST |
| Sum | 1/0 | 4/3 | 1/1 | 3/6 | -/2 | -/6 | informational | |
| Digicert | Refused/Refused | -/Refused | -/Refused | -/Issued | -/Refused | -/Issued | -/Issued | No need |
| Network Solution [3] | Pending/- | -- | -- | -- | | | | |
| AlphaSSL (GlobalSign) | -/Refused | -/Refused | -/Refused | Issued | -/Refused | -/Issued | -/D8: Refused | No need |
| [5] (Comodo Brand) | -/Issued (Zone, Bug) | -/Issued | -/Pending | -/Issued | -/Pending | -/Issued | -/Issued | |
| Thawte Trial (Symantec) | -/Refused | -/Issued | -/Refused | -/Issued | -/Refused | -/Issued | -/Issued | not CT compatible |
| Symantec | -/Refused | -/Refused | -/Refused | -/Issued | -/Refused | -/Issued | -/Issued | No need |
| GeoTrust (Symantec) | -/Refused | -/Issued | -/Pending | -/Issued | -/Refused | -/Issued | -/tested above | |
| Basic | -/Refused | -/Issued | -/ | -/ | -/ | -/ | -/ | Comodo reseller |

[1] Other Symantec brands with the same backend as RapidSSL were not tested individually. The first refusal might have been due to a missing locality in the CSR; we validated second-round CSRs using this checker

[2] First test for D4 cancelled after 2 days in pending, likely in wake of our bug report for D2.

[3] Due to the high cost of certificates and lengthy validation process, we only tested the basic case for DigiCert and Network Solutions.

[4] Comodo instantly reacted to our report and changed their system behaviour. An immediate re-test led to issuance 2 days later. Comodo then stated that they had to revert back to the old behavior for operational reasons.

[5] Though delivers Comodo certificates and uses the Comodo backend, its observable behaviour differed.

Discussion on D2

Comodo First Round Bug Report

We will update this page as more information becomes available. You are very welcome to contact us through email/phone as listed on

Further information and opt-out contacts are given under

Useful Links:

RapidSSL/GeoTrust/Symantec/Thawte Trial Certificates

Comodo 1 2


CSR checker

Mozilla NSS Mis-Issuance Bugtracker

Mozilla CA contacts revoke mechanism