User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763
Steps to reproduce:
I requested a certificate for a domain with CAA records configured in DNS as follows:
critical.gm32888.pl. 1 IN CAA 128 issue "my.very.own.ca"
critical.gm32888.pl. 1 IN CAA 0 issue "comodoca.com"
I got my certificate issued.
As stated in the CA/B Forum Baseline Requirements (Section 3.2.2.8. CAA Records):
"CAs MUST respect the critical flag and not issue a certificate if they encounter an unrecognized property with this flag set."
In RFC-6844 (Section 2.2. Defined Terms) "property" is specified as:
"Property: The tag-value portion of a CAA Resource Record."
According to this, in my case "property" is "issue my.very.own.ca"
I believe that it's not a recognized property for Comodo CA.
It looks like a misissuance or a possible mistake in the CA/B BR, and instead of "property", there should be "property tag", like this:
"CAs MUST respect the critical flag and not issue a certificate if they encounter an unrecognized property tag with this flag set."
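
An added example, not part of the original report and not any CA's code: a minimal CAA check written under the "property tag" reading proposed at the end of the report, where the critical flag blocks issuance only when the tag itself is unknown. The function names, the recognized-tag set and the `futuretag` record are assumptions constructed for illustration.

```python
# Added example: CAA evaluation under the "property tag" reading.
RECOGNIZED_TAGS = {"issue", "issuewild", "iodef"}  # tags defined in RFC 6844
CRITICAL = 0x80  # Issuer Critical is the high bit of the flags octet (128)

def parse_caa(line):
    """Parse one zone-file style CAA line into (flags, tag, value)."""
    fields = line.split()
    idx = fields.index("CAA")
    flags = int(fields[idx + 1])
    tag = fields[idx + 2].lower()
    value = " ".join(fields[idx + 3:]).strip('"')
    return flags, tag, value

def may_issue(rrset, ca_domain, wildcard=False):
    """Return (allowed, reason) for the CA identified by ca_domain."""
    records = [parse_caa(line) for line in rrset]
    # The critical flag is compared against the tag only, never the value.
    for flags, tag, _ in records:
        if flags & CRITICAL and tag not in RECOGNIZED_TAGS:
            return False, f"unrecognized critical tag {tag!r}"
    issue = [v for _, t, v in records if t == "issue"]
    wild = [v for _, t, v in records if t == "issuewild"]
    relevant = wild if (wildcard and wild) else issue
    if not relevant:
        return True, "no issue/issuewild property restricts issuance"
    # The issuer domain name precedes any ';'-separated parameters.
    allowed = {v.split(";")[0].strip().lower() for v in relevant}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is authorized"
    return False, f"{ca_domain} is not listed in the relevant properties"

# The two records quoted in the report.
REPORT_RRSET = [
    'critical.gm32888.pl. 1 IN CAA 128 issue "my.very.own.ca"',
    'critical.gm32888.pl. 1 IN CAA 0 issue "comodoca.com"',
]
# Constructed record: a critical flag on a tag this checker does not know.
UNKNOWN_TAG_RRSET = [
    REPORT_RRSET[1],
    'critical.gm32888.pl. 1 IN CAA 128 futuretag "x"',
]

if __name__ == "__main__":
    print(may_issue(REPORT_RRSET, "comodoca.com"))
    print(may_issue(UNKNOWN_TAG_RRSET, "comodoca.com"))
```

Under this reading the report's record set permits issuance to `comodoca.com`, because `issue` is a known tag even though one of its values names another CA; the constructed `futuretag` record is the case the critical flag blocks.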