Recognize, but do not process, issuevmc CAA tags

BartG95 · BartG95 · commit 0a83a35cb16c · 2025-08-30T15:31:12.000+02:00
diff --git a/va/caa.go b/va/caa.go
@@ -208,6 +208,12 @@ func filterCAA(rrs []*dns.CAA) ([]*dns.CAA, []*dns.CAA, bool) {
 			// of course we do not do any further processing, as we do not issue
 			// S/MIME certificates.
 			continue
+		case "issuevmc":
+			// We support the issuevmc property tag insofar as we recognize it and
+			// therefore do not bail out if someone has a critical issuevmc tag. But
+			// of course we do not do any further processing, as we do not issue
+			// VMC certificates.
+			continue
 		default:
 			// The critical flag is the bit with significance 128. However, many CAA
 			// record users have misinterpreted the RFC and concluded that the bit
diff --git a/va/caa_test.go b/va/caa_test.go
@@ -1163,6 +1163,7 @@ func TestFilterCAA(t *testing.T) {
 				{Tag: "issuewild", Value: "b"},
 				{Tag: "iodef", Value: "c"},
 				{Tag: "issuemail", Value: "c"},
+				{Tag: "issuevmc", Value: "c"},
 			},
 			expectedIssueVals: []string{"a"},
 			expectedWildVals:  []string{"b"},
@@ -1174,6 +1175,7 @@ func TestFilterCAA(t *testing.T) {
 				{Tag: "issuewild", Value: "b", Flag: 128},
 				{Tag: "iodef", Value: "c", Flag: 128},
 				{Tag: "issuemail", Value: "c", Flag: 128},
+				{Tag: "issuevmc", Value: "c", Flag: 128},
 			},
 			expectedIssueVals: []string{"a"},
 			expectedWildVals:  []string{"b"},
