From 1d7ec9000dae38b10ddb3763bddc2d23e5317052 Mon Sep 17 00:00:00 2001
From: Aaron Gable
Date: Tue, 3 Feb 2026 16:51:47 -0800
Subject: [PATCH] Don't ignore unrecognized CAA parameters

---
 va/caa.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/va/caa.go b/va/caa.go
index 475aa57b6eb..90a3a2c8b33 100644
--- a/va/caa.go
+++ b/va/caa.go
@@ -369,6 +369,16 @@ func (va *ValidationAuthorityImpl) validateCAA(caaSet *caaResult, wildcard bool,
 			continue
 		}
 
+		for _, param := range parsedParams {
+			// The existence of any parameters other than the ones we recognize means
+			// that this user wants something we don't understand. Don't interpret
+			// this record as allowing issuance. We're case-sensitive here to be
+			// strict in what we accept.
+			if param.tag != "accounturi" && param.tag != "validationmethods" {
+				continue
+			}
+		}
+
 		if !caaAccountURIMatches(parsedParams, va.accountURIPrefixes, params.accountURIID) {
 			continue
 		}
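Review bot: The `continue` inside the new `for _, param := range parsedParams` loop only advances to the next parameter, so the loop is a no-op and a record carrying an unrecognized parameter tag still falls through to the `caaAccountURIMatches` check — the permissive behaviour the subject line says this patch removes. The rejection has to skip the enclosing record loop instead, either with a flag set in the inner loop (below) or with a labelled `continue` on the outer loop; that loop's header, and the rest of validateCAA, are outside this hunk, so I cannot see whether a label already exists. With the flag form the existing four-line comment about not interpreting the record as permitting issuance moves next to the `if hasUnknownParam` that actually enforces it. A test that feeds a record with one known and one unknown parameter and asserts issuance is refused would pin this down, since the current code passes no such test.
```go
		// … unchanged: earlier per-record checks …
		// Any parameter tag we don't recognize means the holder wants something
		// we don't understand; don't treat this record as permitting issuance.
		// Tag comparison is deliberately case-sensitive.
		hasUnknownParam := false
		for _, param := range parsedParams {
			if param.tag != "accounturi" && param.tag != "validationmethods" {
				hasUnknownParam = true
				break
			}
		}
		if hasUnknownParam {
			continue
		}
		// … unchanged: caaAccountURIMatches check …
```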