SC-046 passed

Ballot SC046: Sunset the CAA exception for DNS Operator

Server Certificate Working Group

Key dates

  • Effective date: 01 Jul 2021
  • Voting opened: 26 May 2021
  • Voting closed: 02 Jun 2021
  • Discussion opened: 13 May 2021
  • Discussion closed: 26 May 2021

AI Summary

Generated 2026-06-23 21:22 UTC

Ballot overview

  • Ballot SC046, Sunset the CAA exception for DNS Operator, was a Server Certificate Working Group ballot.
  • The ballot addressed security issues in Baseline Requirements section 3.2.2.8 regarding CAA checking.
  • It removed the ability for a CA to skip CAA checking solely because the CA or an Affiliate is the DNS Operator.

What changed

  • The ballot modified the Baseline Requirements based on Version 1.7.4.
  • The redline changed section 3.2.2.8 so that CAA checking is no longer optional when the CA or an Affiliate of the CA is the DNS Operator.
  • The ballot text says this sunsets the CAA exception on 2021-07-01 for the DNS Operator.
  • The linked diff shows the exception as applying only to certificates issued prior to July 1, 2021; after that date, CAA checking is no longer optional in the DNS Operator case.

Voting and approval

  • Voting completed and the ballot passed.
  • Certificate Issuers: 17 yes, 0 no, 0 abstentions.
  • Certificate Consumers: 5 yes, 0 no, 0 abstentions.
  • The bylaws requirements for issuer votes, consumer votes, member support, and quorum were all met.
  • One issuer vote was not counted because it was received after the voting period ended.
  • The ballot entered the IP Rights Review Period after approval.

Compliance impact

  • CAs could treat CAA checking as optional for the DNS Operator exception only for certificates issued prior to 2021-07-01.
  • On and after 2021-07-01, CAA checking is no longer optional in that DNS Operator or Affiliate scenario.

Model: gpt-5.4-mini. Confidence: 0.98. Result: passed.

Applicability and conditions

  • 2021-07-01: CAA checking is no longer optional for this DNS Operator exception. Applies to: Certificates issued when the CA or an Affiliate of the CA is the DNS Operator.
  • 2021-07-01: The DNS Operator exception no longer applies; CAA checking must not be treated as optional in this case. Applies to: Certificates issued on or after this date.
  • 2021-07-01: CAA checking remained optional for the DNS Operator exception until this date. Applies to: Certificates issued prior to this date.

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Proposers

Proposed by Ryan Sleevi of Google and endorsed by Ben Wilson of Mozilla and Jacob Hoffman-Andrews of ISRG/Let’s Encrypt.

Excerpt

The voting on ballot SC46 has completed, and the ballot has passed.
