Talk:DNS Certification Authority Authorization

Use by TLS clients
I think the idea that CAA is supposed to be used by TLS clients is mistaken:

https://tools.ietf.org/html/rfc6844#section-6 says:

The objective of the CAA record properties described in this document is to reduce the risk of certificate mis-issue rather than avoid reliance on a certificate that has been mis-issued. DANE [RFC6698] describes a mechanism for avoiding reliance on mis-issued certificates.

This came up because I was trying to give someone advice about using CAA to prevent misissuance by having a blanket-deny policy most of the time, except while actually requesting certs. Can we confirm this? Schoen (talk) 20:13, 14 November 2016 (UTC)


 * I can confirm that CAA is only implemented by CAs, and not by TLS clients. You should however, be using short certificate lifetimes and automating certificate issuance if at all possible, so this advice probably isn't useful. TheDragonFire (talk) 14:07, 14 October 2017 (UTC)

Examples
When using a subdomain, certificate authorities climb the DNS name tree looking for a CAA record until they find one or reach the second-level domain:

; The certificate authority will be permitted to issue certificates for example.com and certs.nocerts.example.com, but not nocerts.example.com
example.com.                IN CAA  0 issue "ca.example.net"
nocerts.example.com.        IN CAA  0 issue ";"
certs.nocerts.example.com.  IN CAA  0 issue "ca.example.net"

If a record is empty, any CNAME or DNAME aliases are checked for a CAA record before moving up to a higher subdomain:

; The certificate authority will be allowed to issue certificates for certs.example.com
example.net.        IN CAA  0 issue "ca.example.net"
example.com.        IN CAA  0 issue ";"
certs.example.com.  IN CNAME  example.net.

To authorise issuance for normal certificates, while restricting the issuance of wildcard certificates:

example.com.  IN CAA  0 issue "ca.example.net"
example.com.  IN CAA  0 issuewild ";"

To authorise issuance for example.com but not nocerts.example.com:

example.com.          IN CAA  0 issue "ca.example.net"
nocerts.example.com.  IN CAA  0 issue ";"

Moved from the article due to sourcing concerns. TheDragonFire (talk) 12:04, 12 July 2018 (UTC)
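The tree-climbing and alias-following behaviour described in the examples above is the "relevant CAA record set" algorithm of RFC 6844 section 4, and the issue / issuewild semantics are from section 5.2. The following script is an added illustration written for this talk page, not code from the article or from any CA; it runs the RFC 6844 lookup over two small in-memory zones constructed to match the examples (ZONE_A for the first, third and fourth examples, ZONE_B for the CNAME example) and then answers the question a CA would ask before issuing: is "ca.example.net" permitted for this name, as a normal or as a wildcard certificate? Only CNAME aliases are followed (DNAME synthesis is left out), and the zone dictionaries, function names and the alias-loop guard are this example's own assumptions.

```python
"""RFC 6844-style CAA lookup and issuance check over a constructed in-memory zone.
Added example for the talk-page discussion; not the article's own code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (128) is the "issuer critical" flag
    tag: str     # property tag: issue, issuewild, iodef, ...
    value: str   # property value, e.g. 'ca.example.net' or ';'


# Constructed zone data (assumption) mirroring the first, third and fourth examples.
ZONE_A = {
    "example.com.": {"CAA": [CAA(0, "issue", "ca.example.net"),
                             CAA(0, "issuewild", ";")]},
    "nocerts.example.com.": {"CAA": [CAA(0, "issue", ";")]},
    "certs.nocerts.example.com.": {"CAA": [CAA(0, "issue", "ca.example.net")]},
}

# Constructed zone data (assumption) mirroring the CNAME example.
ZONE_B = {
    "example.net.": {"CAA": [CAA(0, "issue", "ca.example.net")]},
    "example.com.": {"CAA": [CAA(0, "issue", ";")]},
    "certs.example.com.": {"CNAME": "example.net."},
}

# Property tags defined by RFC 6844; anything else flagged critical blocks issuance.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parent(name):
    """'a.b.c.' -> 'b.c.'; 'c.' -> '.'"""
    _, _, rest = name.partition(".")
    return rest if rest else "."


def is_tld(name):
    return name != "." and name.count(".") == 1


def relevant_caa(zone, name, _hops=0):
    """RFC 6844 section 4: R(X) = CAA(X) if non-empty, else R(alias(X)) if
    non-empty, else R(parent(X)) unless X is a top-level domain."""
    if _hops > 64:           # assumption: guard against CNAME loops
        return []
    rrs = zone.get(name, {})
    if rrs.get("CAA"):
        return list(rrs["CAA"])
    alias = rrs.get("CNAME")
    if alias:
        found = relevant_caa(zone, alias, _hops + 1)
        if found:
            return found
    if name == "." or is_tld(name):
        return []
    return relevant_caa(zone, parent(name), _hops + 1)


def _norm(name):
    return name.lower().rstrip(".")


def may_issue(zone, ca, name, wildcard=False):
    """Return True if CA `ca` may issue a certificate for `name`
    (or for '*.name' when wildcard=True) under RFC 6844 section 5.2."""
    fqdn = _norm(name) + "."
    rrset = relevant_caa(zone, fqdn)
    if not rrset:
        return True          # no CAA anywhere up the tree: issuance unrestricted
    # An unrecognised property marked critical means the CA MUST NOT issue.
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    # issuewild governs wildcard requests only when at least one is present;
    # otherwise the issue records apply to wildcard requests too.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    authorised = [r for r in rrset if r.tag == tag]
    if not authorised:
        return True          # relevant set restricts nothing for this request type
    for r in authorised:
        issuer = r.value.split(";", 1)[0].strip()   # drop parameters after ';'
        if issuer and _norm(issuer) == _norm(ca):   # ';' alone denies everyone
            return True
    return False


if __name__ == "__main__":
    for zone, label in ((ZONE_A, "ZONE_A"), (ZONE_B, "ZONE_B")):
        for n in ("example.com", "nocerts.example.com",
                  "certs.nocerts.example.com", "certs.example.com"):
            print(label, n, "issue:", may_issue(zone, "ca.example.net", n),
                  "wildcard:", may_issue(zone, "ca.example.net", n, wildcard=True))
```

Running it shows the four outcomes the examples describe: in ZONE_A, ca.example.net may issue for example.com and certs.nocerts.example.com but not for nocerts.example.com, and not a wildcard for example.com because the issuewild ";" record takes precedence; in ZONE_B, certs.example.com has no CAA of its own, so the CNAME target example.net is consulted before climbing to example.com, and issuance is allowed.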