
Add iodef property to opentelemetry.io CAA record

Open mx-psi opened this issue 3 months ago • 4 comments

CAA records allow setting an iodef property (see e.g. Wikipedia article or RFC section) where one can put a way to report attempts to issue a certificate that failed due to the CAA record. For example:

report.example.com         CAA 0 iodef "mailto:[email protected]"

means that [email protected] would get an email if a certificate authority attempted to issue a certificate for a domain and was prevented from doing so by the CAA record.

Note that support for this is not widespread, so it would not be a foolproof solution.

Motivated by open-telemetry/opentelemetry-go-vanityurls/issues/81.

mx-psi avatar Oct 07 '25 09:10 mx-psi

Netlify allows us to set such a CAA entry, do we know how this added entry interacts with the existing ones? Based on the following issue it seems not to be a good idea:

https://answers.netlify.com/t/cca-error-when-renewing-netlify-lets-encrypt-ssl-certificate/75052?utm_source=chatgpt.com

If opentelemetry-go-vanityurls runs as a Netlify deployment, I suspect this is going to be managed by them.

svrnm avatar Oct 07 '25 11:10 svrnm

@austinlparker and @jsuereth should know how this was set up. The current CAA record affects both opentelemetry.io and all its subdomains.

mx-psi avatar Oct 07 '25 12:10 mx-psi

If we make an iodef record for the apex domain, does it report failed issuances for all subdomains?

austinlparker avatar Oct 22 '25 15:10 austinlparker

That is my understanding from the RFC, yes (provided the certificate authority attempting to issue the certificate supports this)

mx-psi avatar Oct 22 '25 16:10 mx-psi