As promised, I’ve been testing Certification Authority Authorization (CAA) with some Certificate Authorities and here’s what I found so far:
Amazon Certificate Manager (ACM)
It does not appear they honor the IODEF since I didn’t receive an email.
Let’s Encrypt appears to also block issuance:
Let’s Encrypt (using lego)
2018/12/29 16:44:30 Could not obtain certificates acme: Error -> One or more domains had a problem:
[www.niem.es] acme: Error 403 - urn:ietf:params:acme:error:caa - Error finalizing order :: Rechecking CAA: While processing CAA for niem.es: CAA record for niem.es prevents issuance, While processing CAA for www.niem.es: CAA record for www.niem.es prevents issuance
Alas, no email received from them either.
If you own a domain, you should certainly configure CAA. It appears to work and is another preventive control against phishing.
security without obscurity 