Updated on 2022-09-16 GMT+08:00

Setting CAA Records to Prevent Unauthorized HTTPS Certificate Issuing

Certification Authority Authorization (CAA) is a way to ensure that HTTPS certificates for a domain name are issued only by the certificate authorities (CAs) you authorize. It is defined in IETF RFC 6844. Since September 8, 2017, all CAs must check CAA records before issuing a certificate.

Using Huawei Cloud DNS, you can add CAA records for your public domain names on the web-based management console.

Background

There are hundreds of CAs in the world that can issue HTTPS certificates for websites. If a CA is blacklisted, browsers no longer trust the HTTPS certificates it has issued. When users try to access websites that use those certificates, the browser warns that the websites are not secure.

Figure 1 Untrusted HTTPS certificate warning

According to the CAA standards, a compliant CA must check CAA records of a domain name before issuing certificates.

  • If the CA does not find any CAA records, it can issue a certificate for the domain name.

    Any other CA can also issue certificates for this domain name, which creates a risk of certificate mis-issuance.

  • If the CA finds a CAA record that authorizes it to issue certificates, it issues a certificate for the domain name.
  • If the CA finds a CAA record, but the record does not authorize it to issue certificates, the CA cannot issue HTTPS certificates for the domain name. In this case, HTTPS certificates are not mis-issued.

Adding CAA records for your website domain names lets you configure a CA whitelist: only the CAs you authorize can issue certificates for your website.

Configuration Rule

A CAA record consists of a flag byte and a tag-value pair, in the format [flag] [tag] [value].

The elements of a CAA record are as follows:

  • flag: a flag byte, an unsigned integer from 0 to 255. It is usually set to 0.
  • tag: 1 to 15 characters, consisting of letters and digits (0 to 9). The tag can be one of the following:
    • issue: authorizes CAs to issue all types of certificates.
    • issuewild: authorizes CAs to issue wildcard certificates.
    • iodef: requests that the CA report certificate requests that violate the CAA record.
  • value: depending on the tag, either the authorized CA, or the email address or URL to which the CA reports violating certificate requests. The value must be enclosed in double quotation marks (""). It can be up to 255 characters, including letters, digits, spaces, and the special characters -#*?&_~=:;.@+^/!%
Table 1 shows how to set CAA records in different scenarios.

Table 1 Configuration of CAA records

Function: Configure a CAA record for one domain name.

  Example: 0 issue "ca.example.com"
  Description: Only the specified CA (ca.example.com) can issue certificates for the domain name (domain.com). Certificate requests for the domain name at any other CA are rejected.

  Example: 0 issue ";"
  Description: No CA is allowed to issue certificates for the domain name domain.com.

Function: Configure the CA to report violations to the domain name holder.

  Example: 0 iodef "mailto:admin@domain.com"
  Description: If a certificate request violates the CAA record, the CA notifies the domain name holder of the violation by email.

  Example: 0 iodef "http://domain.com/log/"
           0 iodef "https://domain.com/log/"
  Description: Certificate requests by unauthorized CAs are reported to the specified URL, where they can be recorded.

Function: Authorize a CA to issue wildcard certificates.

  Example: 0 issuewild "ca.example.com"
  Description: The specified CA (ca.example.com) can issue wildcard certificates for the domain name.

Function: Configuration example

  Example: 0 issue "ca.abc.com"
           0 issuewild "ca.def.com"
           0 iodef "mailto:admin@domain.com"
  Description: The example configures CAA records for the domain name domain.com.
    • Only CA ca.abc.com can issue certificates of all types.
    • Only CA ca.def.com can issue wildcard certificates.
    • No other CA is allowed to issue certificates.
    • When a violation occurs, the CA sends a notification to admin@domain.com.

Adding a CAA Record Set

  1. Log in to the management console.
  2. In the Network category, click Domain Name Service.

    The DNS console is displayed.

  3. In the navigation pane, choose .

    The Public Zones page is displayed.

  4. In the public zone list, click the zone name domain.com.

    The record set page is displayed.

  5. Click Add Record Set.

    The Add Record Set dialog box is displayed.

  6. Set CAA record set parameters.
    • Type: CAA – Grant certificate issuing permissions to CAs
    • Line: Default
    • TTL: 300s (5 minutes)
    • Value:

      0 issue "ca.abc.com"

      0 iodef "mailto:admin@domain.com"

  7. Click OK.

Checking Whether a CAA Record Has Taken Effect

Use Domain Information Groper (dig) to check whether the CAA record has taken effect. dig is a command-line tool for querying the Domain Name System. If dig is not available on your OS, install it.

Command format: dig [Record set type] [Domain name] +trace

Example command:

dig caa www.example.com +trace
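The following Python script is an added example; it is not part of the Huawei Cloud documentation or the DNS service. It ties the two halves of this page together: it reads CAA answer lines in the presentation format that dig prints (the dig output below is a constructed sample, not a capture), and then applies the CA-side check described under Background: no records, any CA may issue; a record naming the CA, it may issue; records present but not naming it, it must refuse. It goes beyond the page in two respects that matter when you validate your own records: it walks up to parent names when the queried name has no CAA records, as RFC 6844 (now RFC 8659) requires, and it treats issuewild as overriding issue for wildcard requests, so in the Configuration example ca.abc.com is refused a wildcard certificate while ca.def.com is refused an ordinary one.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the answer lines printed by 'dig caa domain.com +trace'
# (not captured from a real server). Only lines of type CAA are used; the
# trace's NS lines and comments are skipped.
SAMPLE_DIG_OUTPUT = """
; <<>> DiG 9.16 <<>> caa domain.com +trace
com.                    172800  IN  NS   a.gtld-servers.net.
domain.com.             300     IN  CAA  0 issue "ca.abc.com"
domain.com.             300     IN  CAA  0 issuewild "ca.def.com"
domain.com.             300     IN  CAA  0 iodef "mailto:admin@domain.com"
locked.example.         300     IN  CAA  0 issue ";"
"""

# owner  ttl  IN  CAA  <rdata>  -- one CAA answer line in dig's output
DIG_CAA_RE = re.compile(r'^(\S+)\s+\d+\s+IN\s+CAA\s+(.+)$')
# [flag] [tag] "[value]"  -- the presentation format used in the console
CAA_RE = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]{1,15})\s+"([^"]*)"\s*$')

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # RFC 8659: bit 0 of the flags byte is "issuer critical"

Record = Tuple[int, str, str]  # (flag, tag, value)


def parse_caa(text: str) -> Record:
    """Parse one CAA record in '[flag] [tag] "[value]"' form."""
    m = CAA_RE.match(text)
    if not m:
        raise ValueError(f"malformed CAA record: {text!r}")
    flag = int(m.group(1))
    if flag > 255:
        raise ValueError(f"flag {flag} is out of range 0..255")
    return flag, m.group(2).lower(), m.group(3)


def zone_from_dig(output: str) -> Dict[str, List[Record]]:
    """Collect CAA answer lines from dig output into {owner: [records]}."""
    zone: Dict[str, List[Record]] = {}
    for line in output.splitlines():
        m = DIG_CAA_RE.match(line.strip())
        if not m:
            continue
        owner = m.group(1).rstrip(".").lower()
        zone.setdefault(owner, []).append(parse_caa(m.group(2)))
    return zone


def relevant_records(zone: Dict[str, List[Record]], name: str) -> List[Record]:
    """Return the CAA set of the closest owner at or above 'name' that has one.

    This is the RFC 8659 lookup: a name without CAA records inherits the
    records of its nearest ancestor; an empty list means no policy at all.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def issuer_authorized(zone: Dict[str, List[Record]], name: str, ca: str,
                      wildcard: bool = False) -> Tuple[bool, str, List[str]]:
    """Decide whether CA 'ca' may issue for 'name'.

    Returns (allowed, reason, iodef_targets); iodef_targets are the addresses
    a CA should report a refused request to.
    """
    records = relevant_records(zone, name)
    if not records:
        return True, "no CAA records found: any CA may issue", []
    iodef = [v for _, t, v in records if t == "iodef"]
    # A record with the critical bit set and a tag the CA does not
    # understand forbids issuance outright.
    if any(t not in KNOWN_TAGS and f & CRITICAL for f, t, _ in records):
        return False, "unrecognised issuer-critical tag: must not issue", iodef
    # For wildcard requests, issuewild takes precedence when present.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    allowed = set()
    for _, t, v in records:
        if t == tag:
            domain = v.split(";", 1)[0].strip().lower()  # drop ";..." parameters
            if domain:  # '0 issue ";"' yields no domain, so nobody is allowed
                allowed.add(domain)
    if ca.lower() in allowed:
        return True, f"{tag} record authorizes {ca}", iodef
    return False, f"{tag} records present but do not list {ca}", iodef


if __name__ == "__main__":
    zone = zone_from_dig(SAMPLE_DIG_OUTPUT)
    checks = [("www.domain.com", "ca.abc.com", False),
              ("domain.com", "ca.abc.com", True),
              ("domain.com", "ca.def.com", True),
              ("locked.example", "ca.abc.com", False),
              ("unknown.test", "ca.abc.com", False)]
    for name, ca, wild in checks:
        ok, why, report = issuer_authorized(zone, name, ca, wild)
        kind = "wildcard" if wild else "standard"
        print(f"{ca} -> {kind} cert for {name}: {'ALLOW' if ok else 'REFUSE'} ({why})")
```

To use it against your own zone, run the dig command shown above, paste the CAA lines from the final answer section of the trace into SAMPLE_DIG_OUTPUT, and check that the CA you intend to order from is allowed and every other name in the checks list is refused.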