Help Center> Domain Name Service> Best Practices> Setting CAA Records to Prevent Unauthorized HTTPS Certificate Issuing

Updated on 2022-09-16 GMT+08:00

View PDF

Setting CAA Records to Prevent Unauthorized HTTPS Certificate Issuing

Certification Authority Authorization (CAA) is a way to ensure that HTTPS certificates are issued by authorized certificate authorities (CAs). It is in compliance with IETF RFC 6844 standards. Since September 8, 2017, all CAs must check CAA records before issuing a certificate.

Using Huawei Cloud DNS, you can add CAA records for your public domain names on the web-based management console.

Background

There are hundreds of CAs in the world that can issue HTTPS certificates for websites. If a CA is blacklisted, the browser will no longer trust the HTTPS certificates issued by this CA. If users try to access websites that have those certificates, the browser will prompt that the websites are not secure.

Figure 1 Untrusted HTTPS certificate warning
Click to enlarge

According to the CAA standards, a compliant CA must check CAA records of a domain name before issuing certificates.

If the CA does not find any CAA records, it can issue a certificate for the domain name.
Any other CAs are also able to issue certificates for this domain name, bringing risks of certificate mis-issuing.
If the CA finds a CAA record that authorizes it to issue certificates, it will issue a certificate for the domain name.
If the CA finds a CAA record, but the record does not authorize it to issue certificates, the CA will not be able to issue HTTPS certificates for the domain name. In this case, HTTPS certificates will not be mis-issued.

Adding CAA records for website domain names enables you to configure a CA whitelist. Only authorized CAs can issue certificates for your website.

Configuration Rule

A CAA record consists of a flag byte and a tag-value pair in the format of [flag] [tag] [value].

The elements in a CAA record are described as follows:

flag: CA identifier, which is an unsigned character ranging from 0 to 255. Usually, it is specified to 0.
tag: Enter 1 to 15 characters, including letters and digits from 0 to 9. The tag can be the following:
- issue: authorizes CAs to issue all types of certificates.
- issuewild: authorizes CAs to issue wildcard certificates.
- iodef: requests notifications once CAs receive invalid certificate requests.

value: authorized CA or email address/URL for notifications once the CA receives invalid certificate requests, depending on the setting of the tag. The value must be enclosed in quotation marks (""). The value can be up to 255 characters, including letters, digits, spaces, and special characters -#*?&_~=:;.@+^/!%

You can set CAA records based on the following rules in different scenarios.

**Table 1** Configuration of CAA records
Function	Example	Description
Configure a CAA record for one domain name.	0 issue "ca.example.com"	Only the specified CA (ca.example.com) can issue certificates for a particular domain name (domain.com). Requests to issue certificates for the domain name by other CAs will be rejected.
Configure a CAA record for one domain name.	0 issue ";"	No CA is allowed to issue certificates for the domain name domain.com.
Configure the CA to report violations to the domain name holder.	0 iodef "mailto:admin@domain.com"	If a certificate request violates the CAA record, the CA will notify the domain name holder of the violation.
	0 iodef "http:// domain.com/log/" 0 iodef "https:// domain.com/log/"	Requests to issue certificates by unauthorized CAs will be recorded.
Authorize a CA to issue wildcard certificates.	0 issuewild "ca.example.com"	The specified CA (ca.example.com) can issue wildcard certificates for the domain name.
Configuration example	0 issue "ca.abc.com" 0 issuewild "ca.def.com" 0 iodef "mailto:admin@domain.com"	The example configures a CAA record for the domain name domain.com. Only CA ca.abc.com can issue certificates of all types. Only CA ca.def.com can issue wildcard certificates. Any other CAs are not allowed to issue certificates. When a violation occurs, the CA sends a notification to admin@domain.com.

Adding a CAA Record Set

Log in to the management console.
In the Network category, click Domain Name Service.
The DNS console is displayed.
In the navigation pane, choose .
The Public Zones page is displayed.
In the public zone list, click the zone name domain.com.
The record set page is displayed.
Click Add Record Set.
The Add Record Set dialog box is displayed.
Set CAA record set parameters.
- Type: CAA – Grant certificate issuing permissions to CAs
- Line: Default
- TTL: 300s (5 minutes)
- Value:
  0 issue "ca.abc.com"
  
  0 iodef "mailto:admin@domain.com"
Click OK.

Checking Whether a CAA Record Has Taken Effect

Use Domain Information Groper (dig) to check whether the CAA record has taken effect. dig is a network administration command-line tool for querying the Domain Name System. If your OS does not support dig commands, install the dig tool.

Command format: dig [Record set type] [Domain name] +trace.

Example command:

dig caa www.example.com +trace

Next topic: Configuring a Private Domain Name for an ECS

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel