RFC 6844 – DNS Certification Authority Authorization (CAA) Resource Record

RFC 6844: DNS Certification Authority Authorization (CAA) Resource Record; IETF; P. Hallam-Baker (Comodo), R. Stradling (Comodo); 2013-01.

Example

$ORIGIN example.com
.       CAA 0 issue "ca.example.net; account=230123"
.       CAA 0 iodef "mailto:security@example.com"
.       CAA 0 iodef "http://iodef.example.com/"

$ORIGIN example.com
.       CAA 0 issue "ca.example.net; policy=ev"
.       CAA 128 tbs "Unknown"

Note that the Flags value 128 sets bit 0: the bits are numbered big-endian, so bit 0 is the most significant bit of the octet.

Flags

Issuer Critical
If set to '1', indicates that the corresponding property tag MUST be understood if the semantics of the CAA record are to be correctly interpreted by an issuer. Issuers MUST NOT issue certificates for a domain if the relevant CAA Resource Record set contains unknown property tags that have the Critical bit set.

Property Tags

issue <Issuer Domain Name> [; <name>=<value> ]*
The issue property entry authorizes the holder of the domain name <Issuer Domain Name>, or a party acting under the explicit authority of the holder of that domain name, to issue certificates for the domain in which the property is published.
issuewild <Issuer Domain Name> [; <name>=<value> ]*
The issuewild property entry authorizes the holder of the domain name <Issuer Domain Name>, or a party acting under the explicit authority of the holder of that domain name, to issue wildcard certificates for the domain in which the property is published.
iodef <URL>
Specifies a URL to which an issuer MAY report certificate issue requests that are inconsistent with the issuer's Certification Practices or Certificate Policy, or that a Certificate Evaluator may use to report observation of a possible policy violation. The Incident Object Description Exchange Format (IODEF) is used [RFC5070].

Notes

Note that according to the conventions set out in [RFC1035], bit 0 is the Most Significant Bit and bit 7 is the Least Significant Bit. Thus, the Flags value 1 means that bit 7 is set while a value of 128 means that bit 0 is set according to this convention.
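As an added example (not text or code from the RFC or from this page), the flag and property-tag rules summarised above applied in a small Python CAA evaluator: it parses presentation-format CAA lines, treats the Flags value 128 as the Issuer Critical bit, refuses issuance when an unknown tag is critical, and checks issue/issuewild authorization for a named CA. The record text mirrors the page's two examples; the rule that a record set with no issue or issuewild property leaves issuance unrestricted is an assumption of this example rather than something the page states.

```python
import re
from dataclasses import dataclass
ISSUER_CRITICAL = 0x80  # RFC 1035 "bit 0" is the most significant bit, i.e. flags value 128
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str
# One presentation-format line:  <owner>  CAA <flags> <tag> "<value>"
_LINE = re.compile(r'^\S+\s+CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')

def parse_caa_zone(text: str) -> list[CAARecord]:
    """Parse the CAA lines of a zone fragment, skipping $ORIGIN and blank lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("$ORIGIN"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"not a CAA record: {line!r}")
        records.append(CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records

def issuer_domain(value: str) -> str:
    """'<Issuer Domain Name> [; name=value]*' -> the issuer domain name alone."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(records: list[CAARecord], ca: str, wildcard: bool = False) -> bool:
    """Whether CA `ca` may issue for the zone these records describe."""
    # Flags rule: an unknown property tag with Issuer Critical set forbids issuance.
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    # issuewild governs wildcard requests when present; otherwise issue applies to both.
    relevant = [r for r in records if r.tag == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:
        return True  # assumption: no issue/issuewild property means CAA does not restrict
    return any(issuer_domain(r.value) == ca.lower() for r in relevant)

def report_urls(records: list[CAARecord]) -> list[str]:
    """iodef URLs to which an issuer may report an inconsistent request."""
    return [r.value for r in records if r.tag == "iodef"]
# Constructed inputs mirroring the two example record sets on this page.
EXAMPLE_1 = ('$ORIGIN example.com\n.  CAA 0 issue "ca.example.net; account=230123"\n'
             '.  CAA 0 iodef "mailto:security@example.com"\n.  CAA 0 iodef "http://iodef.example.com/"\n')
EXAMPLE_2 = '$ORIGIN example.com\n.  CAA 0 issue "ca.example.net; policy=ev"\n.  CAA 128 tbs "Unknown"\n'
```

For the second record set, `may_issue` returns False for every CA because the unknown `tbs` tag carries the critical flag, exactly the outcome the Flags section requires.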

Referenced

RFC 5070: The Incident Object Description Exchange Format (IODEF).
