vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/dns/umn/dns_faq_032.html
Qin Ying, Fan 97832252bc DNS UMN 0930 version 
Reviewed-by: Kucerak, Kristian <kristian.kucerak@t-systems.com>
Co-authored-by: Qin Ying, Fan <fanqinying@huawei.com>
Co-committed-by: Qin Ying, Fan <fanqinying@huawei.com>
2022-10-04 14:13:06 +00:00

79 lines
8.4 KiB
HTML
Raw Blame History

<a name="dns_faq_032"></a><a name="dns_faq_032"></a>
<h1 class="topictitle1">What Is CAA?</h1>
<div id="body1519870470780"><p id="dns_faq_032__p61745197150">Certification Authority Authorization (CAA) is a way to ensure that SSL certificates are issued by authorized certificate authorities (CAs). CAA complies with all RFC 6844 requirements. As of September 8, 2017, all CAs are required to check CAA records before they can issue certificates.</p>
<div class="section" id="dns_faq_032__section78537244532"><h4 class="sectiontitle">CAA Specifications</h4><p id="dns_faq_032__p16333165717483">Domain name owners can create CAA records to specify authorized CAs that can issue SSL certificates.</p>
<p id="dns_faq_032__p14564171123">For security reasons, only authorized CAs can issue SSL certificates for the domain names used by your website. Setting CAA records enhances security for your website.</p>
<p id="dns_faq_032__p1770902113565">CAs will perform a DNS lookup for CAA records when they issue certificates.</p>
<ul id="dns_faq_032__ul23651723135614"><li id="dns_faq_032__li899581619517">If a CA does not find a CAA record, it can issue a certificate for the domain name.<p id="dns_faq_032__p106161250711"><a name="dns_faq_032__li899581619517"></a><a name="li899581619517"></a>Any other CAs can also issue certificates for this domain name. Insecure certificates may be issued, and messages indicating that your website is insecure when users access your website.</p>
</li><li id="dns_faq_032__li1092914272586">If the CA finds a CAA record that authorizes it to issue certificates, it will issue a certificate for the domain name.</li><li id="dns_faq_032__li202122027165612">If the CA finds a CAA record but the record does not authorize it to issue certificates, the CA will not be able to issue SSL certificates for the domain name.</li></ul>
</div>
<div class="section" id="dns_faq_032__section167971597533"><h4 class="sectiontitle">CAA Record</h4><p id="dns_faq_032__p16909334125413">A CAA record consists of a flag byte <strong id="dns_faq_032__b842352706155045">[flag]</strong>, a property tag, and a property value <strong id="dns_faq_032__b842352706155051">[tag]-[value]</strong>. You can create multiple CAA records for a domain name.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dns_faq_032__table17725641112120" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Configuration of CAA records</caption><thead align="left"><tr id="dns_faq_032__row187268412211"><th align="left" class="cellrowborder" valign="top" width="24.242424242424242%" id="mcps1.3.3.3.2.4.1.1"><p id="dns_faq_032__p17260416215">Function</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="23.232323232323235%" id="mcps1.3.3.3.2.4.1.2"><p id="dns_faq_032__p107261741132119">Example</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="52.52525252525253%" id="mcps1.3.3.3.2.4.1.3"><p id="dns_faq_032__p6726104110214">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="dns_faq_032__row117262041172112"><td class="cellrowborder" rowspan="2" valign="top" width="24.242424242424242%" headers="mcps1.3.3.3.2.4.1.1 "><p id="dns_faq_032__p137261841172118">Configure a CAA record for one domain name.</p>
</td>
<td class="cellrowborder" valign="top" width="23.232323232323235%" headers="mcps1.3.3.3.2.4.1.2 "><p id="dns_faq_032__p19726184114218">0 issue "ca.example.com"</p>
</td>
<td class="cellrowborder" valign="top" width="52.52525252525253%" headers="mcps1.3.3.3.2.4.1.3 "><p id="dns_faq_032__p45933152818">Only the specified CA (<strong id="dns_faq_032__b193760717517189">ca.example.com</strong>) can issue certificates for a particular domain name (<strong id="dns_faq_032__b110240485517189">domain.com</strong>). Requests to issue certificates for the domain name by other CAs will be rejected.</p>
</td>
</tr>
<tr id="dns_faq_032__row127268411218"><td class="cellrowborder" valign="top" headers="mcps1.3.3.3.2.4.1.1 "><p id="dns_faq_032__p072612416211">0 issue ";"</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.3.2.4.1.2 "><p id="dns_faq_032__p14726134152119">No CA is allowed to issue certificates for the domain name <strong id="dns_faq_032__b84235270615569">domain.com</strong>.</p>
</td>
</tr>
<tr id="dns_faq_032__row5726341122120"><td class="cellrowborder" rowspan="2" valign="top" width="24.242424242424242%" headers="mcps1.3.3.3.2.4.1.1 "><p id="dns_faq_032__p149740122612">Configure the CA to report violations to the domain name holder.</p>
</td>
<td class="cellrowborder" valign="top" width="23.232323232323235%" headers="mcps1.3.3.3.2.4.1.2 "><p id="dns_faq_032__p1172624172110">0 iodef "mailto:admin@domain.com"</p>
</td>
<td class="cellrowborder" valign="top" width="52.52525252525253%" headers="mcps1.3.3.3.2.4.1.3 "><p id="dns_faq_032__p572613411210">If a certificate request violates the CAA record, the CA will notify the domain name holder of the violation.</p>
</td>
</tr>
<tr id="dns_faq_032__row6726114118217"><td class="cellrowborder" valign="top" headers="mcps1.3.3.3.2.4.1.1 "><p id="dns_faq_032__p1472634172117">0 iodef "http:// domain.com/log/"</p>
<p id="dns_faq_032__p15945133714424">0 iodef "https:// domain.com/log/"</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.3.2.4.1.2 "><p id="dns_faq_032__p177261419213">Requests to issue certificates by unauthorized CAs will be recorded.</p>
</td>
</tr>
<tr id="dns_faq_032__row1091554812514"><td class="cellrowborder" valign="top" width="24.242424242424242%" headers="mcps1.3.3.3.2.4.1.1 "><p id="dns_faq_032__p15915144822517">Authorize a CA to issue wildcard certificates.</p>
</td>
<td class="cellrowborder" valign="top" width="23.232323232323235%" headers="mcps1.3.3.3.2.4.1.2 "><p id="dns_faq_032__p591564812251">0 issuewild "ca.example.com"</p>
</td>
<td class="cellrowborder" valign="top" width="52.52525252525253%" headers="mcps1.3.3.3.2.4.1.3 "><p id="dns_faq_032__p69154484255">The specified CA (<strong id="dns_faq_032__b8423527061622">ca.example.com</strong>) can issue wildcard certificates for the domain name.</p>
</td>
</tr>
<tr id="dns_faq_032__row6815165112515"><td class="cellrowborder" valign="top" width="24.242424242424242%" headers="mcps1.3.3.3.2.4.1.1 "><p id="dns_faq_032__p08156512257">Configuration example</p>
</td>
<td class="cellrowborder" valign="top" width="23.232323232323235%" headers="mcps1.3.3.3.2.4.1.2 "><p id="dns_faq_032__p76671429277">0 issue "ca.abc.com"</p>
<p id="dns_faq_032__p3667742162717">0 issuewild "ca.def.com"</p>
<p id="dns_faq_032__p166794217275">0 iodef "mailto:admin@domain.com"</p>
</td>
<td class="cellrowborder" valign="top" width="52.52525252525253%" headers="mcps1.3.3.3.2.4.1.3 "><p id="dns_faq_032__p79761441164912">The example configures a CAA record for the domain name <strong id="dns_faq_032__b8423527061647">domain.com</strong>.</p>
<ul id="dns_faq_032__ul2285344104918"><li id="dns_faq_032__li20765750104917">Only CA <strong id="dns_faq_032__b84235270616425">ca.abc.com</strong> can issue certificates of all types.</li><li id="dns_faq_032__li6981012155212">Only CA <strong id="dns_faq_032__b84235270616454">ca.def.com</strong> can issue wildcard certificates.</li><li id="dns_faq_032__li12561158144911">Any other CAs are not allowed to issue certificates.</li><li id="dns_faq_032__li92852445491">When a violation occurs, the CA sends a notification to <strong id="dns_faq_032__b84235270616554">admin@domain.com</strong>.</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="dns_faq_032__section614411459319"><h4 class="sectiontitle">Checking Whether a CAA Record Has Taken Effect</h4><p id="dns_faq_032__p4344564452">Use Domain Information Groper (dig) to check whether the CAA record has taken effect. dig is a network administration command-line tool for querying the Domain Name System. If your OS does not support dig commands, install the dig tool.</p>
<p id="dns_faq_032__p4991101111475">Command format: <strong id="dns_faq_032__b1877112419248">dig</strong> [<em id="dns_faq_032__i1930613526455">Record set type</em>] [<em id="dns_faq_032__i7500656194520">Domain name</em>] <strong id="dns_faq_032__b6133449247">+trace</strong>.</p>
<p id="dns_faq_032__p2023713557484">Example command:</p>
<p id="dns_faq_032__p10698153811445"><strong id="dns_faq_032__b161441034155213">dig caa www.example.com +trace</strong></p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dns_faq_1402.html">DNS Overview</a></div>
</div>
</div>
View Git Blame Copy Permalink