- What's New
- Function Overview
- Service Overview
- Getting Started
-
User Guide
- Public Zones
- Private Zones
- Record Sets
- PTR Records
- Intelligent Resolution
- Permissions Management
- Using CTS to Collect DNS Key Operations
- Quota Adjustment
- Change History
-
API Reference
- Before You Start
- API Overview
- Calling APIs
- APIs
- Examples
- Permissions Policies and Supported Actions
- Appendix
- Best Practices
-
FAQs
-
DNS Overview
- Will I Be Billed for the DNS Service?
- How Many Zones, PTR Records, and Record Sets Can I Create?
- What Are Huawei Cloud DNS Servers?
- What Are Huawei Cloud Private DNS Server Addresses?
- What Are the Differences Between Public and Private Domain Names?
- Does DNS Support IPv6?
- Does DNS Support Explicit and Implicit URLs?
- Does DNS Support Dynamic Domain Name Resolution?
- Does DNS Support Wildcard Entries?
- What Is TTL?
- How Many Domain Name Levels Does DNS Support?
- How Are Zones Queried to Resolve a Domain Name?
- What Are the Priorities of Resolution Lines?
- Why Was the Email Address Format Changed in the SOA Record?
- What Is CAA?
- Why Should I Set Priority For an MX Record Set?
- Can DNS Point a Domain Name to a Specific Port?
- Invalid Domain Resolution
- Website Access Failures
-
Public Zones
- Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?
- How Do I Add Record Sets to Subdomains?
- Which IP Address Is Returned for the Domain Name If There Are Multiple IP Addresses in a Record Set?
- Can I Modify a Zone?
- Can DNS Translate a Domain Name to IP Addresses of On-premises Servers or Third-Party Servers?
- How Can Multiple Domain Names Be Linked to the Same Website?
- How Do I View and Change the DNS Servers of a Domain Name?
-
Private Zones
- Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?
- How Do I Change Default DNS Servers of an ECS to Huawei Cloud Private DNS Servers?
- How Can I Access an ECS Using Its Host Name?
- How Can I Map the Private IP Address of an ECS to a Domain Name?
- How Can I Use a Private Domain Name to Route Internet Traffic?
- Can I Use Private Domain Names Across Regions?
- Do I Need to Register Private Domain Names?
- Will a Deleted VPC Be Automatically Disassociated from the Private Zone?
- Are Private DNS Server Addresses the Same for All Users?
- What Are the Restrictions on Concurrent Private DNS Requests?
- Reverse Resolution
- Domain Transfer
-
DNS Overview
What Is CAA?
Certification Authority Authorization (CAA) is to ensure that HTTPS certificates are issued by authorized certificate authorities (CAs). CAA complies with all IETF RFC 6844 requirements. As of September 8, 2017, all CAs are required to check CAA record sets before they can issue certificates.
CAA Specifications
Domain name owners can create CAA record sets to specify authorized CAs that can issue SSL certificates.
Only authorized CAs can issue SSL certificates for the domain names used by your website. Setting CAA record sets enhances security for your website.
CAs will perform a DNS lookup for CAA record sets when they issue certificates.
- If a CA does not find a CAA record set, the CA can issue a certificate for the domain name.
Other CAs can also issue certificates for this domain name, but these certificates may be insecure, and there will be messages indicating that your website is insecure when end users access your website.
- If a CA finds a CAA record set that authorizes it to issue certificates, the CA will issue a certificate for the domain name.
- If a CA finds a CAA record set that does not authorize it to issue certificates, the CA will not be able to issue SSL certificates for the domain name.
CAA Record Set
A CAA record set consists of a flag byte [flag], a property tag, and a property value [tag]-[value]. You can create multiple CAA record sets for a domain name.
|
Function |
Example CAA Record Set |
Description |
|---|---|---|
|
Configure a CAA record set for one domain name. |
0 issue "ca.example.com" |
Only the specified CA (ca.example.com) can issue certificates for a particular domain name (domain.com). Requests to issue certificates for the domain name by other CAs will be rejected. |
|
0 issue ";" |
No CA is allowed to issue certificates for the domain name (domain.com). |
|
|
Enable a CA to report violations to the domain name holder. |
0 iodef "mailto:admin@domain.com" |
If a certificate request violates the CAA record set, the CA will notify the domain name holder of the violation. |
|
0 iodef "http:// domain.com/log/" 0 iodef "https:// domain.com/log/" |
Requests to issue certificates by unauthorized CAs will be recorded. |
|
|
Authorize a CA to issue wildcard certificates. |
0 issuewild "ca.example.com" |
The authorized CA (ca.example.com) can issue wildcard certificates for the domain name. |
|
Configuration example |
0 issue "ca.abc.com" 0 issuewild "ca.def.com" 0 iodef "mailto:admin@domain.com" |
A CAA record set is configured for domain.com.
|
Checking Whether a CAA Record Set Has Taken Effect
Use Domain Information Groper (dig) to check whether the CAA record set has taken effect. dig is a network administration command-line tool for querying the Domain Name System. If your OS does not support dig commands, install the dig tool.
Command format: dig [Record set type] [Domain name] +trace.
Example command:
dig caa www.example.com +trace
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
