Adding a CAA Record Set

Scenarios

If you want to specify CAs authorized to issue HTTPS certificates for your domain name, add CAA record sets for the domain name.

CAA record sets are used to prevent HTTPS certificates from being incorrectly issued.

For details about other record set types, see Record Set Types and Configuration Rules.

Constraints

CAA record sets can be added only to public zones.

Procedure

1. Log in to the management console.
2. In the service list, choose Network > Domain Name Service.

   The DNS console is displayed.

3. In the navigation pane on the left, choose Public Zones.

   The Public Zones page is displayed.

4. Click the domain name.
5. Click Add Record Set.

   The Add Record Set dialog box is displayed.

6. Configure the parameters based on Table 1.

   Table 1 Parameters for adding a CAA record set

   Parameter	Description	Example Value
   Name	Prefix of the domain name to be resolved. For example, if the domain name is example.com, the prefix can be as follows: www: The domain name is www.example.com, which is usually used for a website. Left blank: The domain name is example.com. The Name field cannot be set to an at sign (@). Just leave it blank. abc: The domain name is abc.example.com, a subdomain of example.com. mail: The domain name is mail.example.com, which is typically used for email servers. *: The domain name is *.example.com, which is a wildcard domain name, indicating all subdomains of example.com.	Left blank
   Type	Type of the record set A message may be displayed indicating that the record set you are trying to add conflicts with an existing record set.	CAA – Grant certificate issuing permissions to CAs
   TTL (s)	Cache duration of the record set on a local DNS server, in seconds. The value ranges from 1 to 2147483647, and the default is 300. If your service address changes frequently, set TTL to a smaller value.	300
   Value	CA to be authorized to issue certificates for a domain name or its subdomains You can enter a maximum of 50 record values, each on a separate line. The format is [flag] [tag] [value]. Configuration rules: flag: CA identifier, an unsigned character ranging from 0 to 255. Usually, the value is set to 0. tag: You can enter 1 to 15 characters, consisting of letters and digits from 0 to 9. The tag can be one of the following: issue: authorizes a CA to issue all types of certificates. issuewild: authorizes a CA to issue wildcard certificates. iodef: requests notifications once a CA receives invalid certificate requests. value: authorized CA or email address/URL required for notification once the CA receives invalid certificate requests. The value depends on the value of tag and must be enclosed in quotation marks (""). The value can contain a maximum of 255 characters, consisting of letters, digits, spaces, and special characters -#*?&_~=:;.@+^/!%	0 issue "ca.abc.com" 0 issuewild "ca.def.com" 0 iodef "mailto:admin@domain.com" 0 iodef "http:// domain.com/log/"
   Tag	(Optional) Identifier of a record set. Each tag contains a key and a value. You can add a maximum of 20 tags to a record set. For details about tag key and value requirements, see Table 2.	example_key1 example_value1
   Description	(Optional) Supplementary information about the record set. You can enter a maximum of 255 characters.	-

   Table 2 Tag key and value requirements

   Parameter	Requirements	Example Value
   Key	Cannot be left blank. Must be unique for each resource. Can contain a maximum of 36 characters. Can contain only letters, digits, hyphens (-), at signs (@), and underscores (_).	example_key1
   Value	Cannot be left blank. Can contain a maximum of 43 characters. Can contain only letters, digits, hyphens (-), at signs (@), and underscores (_).	example_value1

7. Switch back to the Record Sets tab.

   The added record set is in the Normal state.