Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Situation Awareness
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive
Help Center/ Domain Name Service/ Best Practices/ Setting CAA Records to Prevent CAs from Issuing Unauthorized HTTPS Certificate

Setting CAA Records to Prevent CAs from Issuing Unauthorized HTTPS Certificate

Updated on 2024-03-15 GMT+08:00

Overview

Scenario

Certification Authority Authorization (CAA) is a way to ensure that HTTPS certificates are issued by authorized certificate authorities (CAs). It complies with IETF RFC 6844 standards. Since September 8, 2017, all CAs must check CAA record sets before issuing a certificate.

There are hundreds of CAs in the world that can issue HTTPS certificates for websites. If a CA is blacklisted, the browser will no longer trust the HTTPS certificates issued by this CA. If you try to access websites that have those certificates, the browser will prompt that the websites are not secure.

Figure 1 Untrusted HTTPS certificate warning

According to the CAA standards, a compliant CA must check CAA record sets of a domain name before issuing certificates.

  • If a CA does not find any CAA records, the CA can issue a certificate for the domain name.

    Other CAs can also issue certificates for this domain name, but may issue unauthorized certificates.

  • If a CA finds a CAA record set that authorizes it to issue certificates, the CA will issue a certificate for the domain name.
  • If a CA finds a CAA record that does not authorize it to issue certificates, the CA will not issue HTTPS certificates for the domain name to avoid unauthorized HTTPS certificates.

Using Huawei Cloud DNS, you can add CAA record sets for your public domain names on the management console.

Advantage

Configuring CAA record sets for website domain names enables you to configure a CA whitelist. Only authorized CAs can issue certificates for your website.

Notes and Constraints

A CAA record set consists of a flag byte and a tag-value pair in the format of [flag] [tag] [value].

  • flag: CA identifier, an unsigned character ranging from 0 to 255. Usually, it is specified to 0.
  • tag: 1 to 15 characters, including letters and digits from 0 to 9. The tag can be one of the following:
    • issue: authorizes the CA to issue all types of certificates.
    • issuewild: authorizes the CA to issue wildcard certificates.
    • iodef: requests notifications once the CA receives invalid certificate requests.
  • value: authorized CA or email address/URL for notifications once the CA receives invalid certificate requests. The value depends on the setting of the tag and must be enclosed in quotation marks (""). The value can contain up to 255 characters, consisting of letters, digits, spaces, and special characters -#*?&_~=:;.@+^/!%
You can set CAA record sets based on the following rules to suit different scenarios.
Table 1 Configuration of CAA record sets

Function

Example CAA Record Set

Description

Configure a CAA record set for one domain name.

0 issue "ca.example.com"

Only the specified CA (ca.example.com) can issue certificates for a particular domain name (domain.com). Requests to issue certificates for the domain name by other CAs will be rejected.

0 issue ";"

No CA is allowed to issue certificates for the domain name (domain.com).

Enable a CA to report violations to the domain name holder.

0 iodef "mailto:admin@domain.com"

If a certificate request violates the CAA record set, the CA will notify the domain name holder of the violation.

0 iodef "http:// domain.com/log/"

0 iodef "https:// domain.com/log/"

Requests to issue certificates by unauthorized CAs will be recorded.

Authorize a CA to issue wildcard certificates.

0 issuewild "ca.example.com"

The authorized CA (ca.example.com) can issue wildcard certificates for the domain name.

Configuration example

0 issue "ca.abc.com"

0 issuewild "ca.def.com"

0 iodef "mailto:admin@domain.com"

A CAA record set is configured for domain.com.

  • Only CA ca.abc.com can issue certificates of all types.
  • Only CA ca.def.com can issue wildcard certificates.
  • Any other CAs are not allowed to issue certificates.
  • If a violation occurs, the CA sends a notification to admin@domain.com.

Resource Planning

The following tables list the planned public zone and record set.

Table 2 Domain name

Service

Public Zone

Record Set Type

DNS

domain.com

CAA

Table 3 Resources and costs

Service

Resource

Description

Quantity

Monthly Price

Domains

Domain name

Public domain name: domain.com

1

N/A

DNS

  • Public zone
  • Record set
  • Public zone: domain.com
  • Record set type: CAA

    Value:

    0 issue "ca.abc.com"

    0 iodef "mailto:admin@domain.com"

1

Free

Adding a CAA Record Set to a Public Zone

Figure 2 shows the process for adding a CAA record set to a public zone.

Figure 2 Adding a CAA record set to a public zone

Procedure

  1. Create a public zone.

    1. Go to the Public Zones page.
    2. Click Create Public Zone.
    3. Configure the parameters based on Table 4.
      Table 4 Parameters for creating a public zone

      Parameter

      Description

      Example Value

      Domain Name

      Name of the public zone, which is the domain name you registered

      The domain name can include two levels in addition to the top-level domain. The following are two examples:
      • Subdomain of domain.com: abc.domain.com
      • Subdomain of domain.com.cn: abc.domain.com.cn

      For details about the domain name format, see Domain Name Format and DNS Hierarchy.

      domain.com

      Email

      (Optional)

      Email address of the administrator managing the domain name. It is recommended that you set the email address to HOSTMASTER@Domain name.

      For details about the email address, see Why Was the Email Address Format Changed in the SOA Record?

      N/A

      Tag

      (Optional) Identifier of the domain name

      Each tag contains a key and a value. You can add a maximum of 10 tags to a zone.

      For details about tag key and value requirements, see Table 5.

      NOTE:

      If you have configured tag policies for DNS, you need to add tags to your zones based on the tag policies. If you add a tag that does not comply with the tag policies, zones may fail to be created. Contact the administrator to learn more about tag policies.

      example_key1

      example_value1

      Description

      (Optional)

      Supplementary information about the zone

      The value cannot exceed 255 characters.

      This is a zone example.

      Table 5 Tag naming rules

      Parameter

      Requirements

      Example Value

      Tag key

      • Cannot be left blank.
      • Must be unique for each resource.
      • Can contain a maximum of 36 characters.
      • Cannot start or end with a space nor contain special characters =*<>\,|/

      example_key1

      Value

      • Cannot be left blank.
      • Can contain a maximum of 43 characters.
      • Cannot start or end with a space nor contain special characters =*<>\,|/

      example_value1

    4. Click OK.

  1. Add a CAA record set.

    1. In the public zone list, click the domain name domain.com.

      The record set page is displayed.

    2. Click Add Record Set.

      The Add Record Set dialog box is displayed.

    3. Configure the parameters based on Table 6.
      Table 6 Parameters for adding a CAA record set

      Parameter

      Description

      Example Value

      Name

      Prefix of the domain name to be resolved.

      For example, if the domain name is domain.com, the domain name prefix can be any of the following:

      • www: The domain name to be resolved is www.domain.com, which is used for a website.
      • Left blank: The domain name is domain.com.

        The Name field cannot be set to an at sign (@). Just leave this field blank.

      • abc: The domain name to be resolved is abc.domain.com.
      • mail: The domain name to be resolved is mail.domain.com, which is used for email servers.
      • *: The domain name is *.domain.com, which is a wildcard domain name, covering all subdomains of domain.com.

      Leave this parameter blank.

      Type

      Type of the record set

      A message may be displayed indicating that the record set you are trying to add conflicts with an existing record set.

      For details, see Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?

      CAA – Grant certificate issuing permissions to CAs

      Line

      Resolution line.

      The DNS server will return the IP address of the specific line, depending on where the visitors come from.

      This parameter is only designated for public domain names.

      • Default: returns the default resolution result irrespective of where the visitors come from.
      • ISP: returns the resolution result based on visitors' carrier networks.
      • Region: returns the resolution result based on visitors' geographical locations.

      Default

      TTL (s)

      Cache duration of the record set on a local DNS server, in seconds.

      The value ranges from 1 to 2147483647, and the default is 300.

      If your service address changes frequently, set TTL to a smaller value.

      Learn more about TTL.

      300

      Value

      CA to be authorized to issue certificates for a domain name or its subdomains

      You can enter a maximum of 50 record values, each on a separate line.

      The format is [flag] [tag] [value].

      Configuration rules:

      • flag: CA identifier, an unsigned character ranging from 0 to 255. Usually, the value is set to 0.
      • tag: You can enter 1 to 15 characters, consisting of letters and digits from 0 to 9. The tag can be one of the following:
        • issue: authorizes a CA to issue all types of certificates.
        • issuewild: authorizes a CA to issue wildcard certificates.
        • iodef: requests notifications once a CA receives invalid certificate requests.
      • value: authorized CA or email address/URL required for notification once the CA receives invalid certificate requests. The value depends on the value of tag and must be enclosed in quotation marks (""). The value can contain a maximum of 255 characters, consisting of letters, digits, spaces, and special characters -#*?&_~=:;.@+^/!%

      0 issue "ca.abc.com"

      0 iodef "mailto:admin@domain.com"

      Weight

      (Optional) Weight of a record set. The value ranges from 0 to 1000, and the default value is 1.

      This parameter is only designated for public domain names.

      If a resolution line in a zone contains multiple record sets of the same type, you can set different weights to each record set.

      1

      Tag

      (Optional) Identifier of a record set. Each tag contains a key and a value. You can add a maximum of 10 tags to a record set.

      For details about tag key and value requirements, see Table 7.

      NOTE:

      If you have configured tag policies for DNS, you need to add tags to your record sets based on the tag policies. If you add a tag that does not comply with the tag policies, record sets may fail to be created. Contact the administrator to learn more about tag policies.

      example_key1

      example_value1

      Description

      (Optional) Supplementary information about the record set.

      You can enter a maximum of 255 characters.

      The description of the hostname.

      Table 7 Tag key and value requirements

      Parameter

      Requirements

      Example Value

      Key

      • Cannot be left blank.
      • Must be unique for each resource.
      • Can contain a maximum of 36 characters.
      • Cannot start or end with a space nor contain special characters =*<>\,|/

      example_key1

      Value

      • Cannot be left blank.
      • Can contain a maximum of 43 characters.
      • Cannot start or end with a space nor contain special characters =*<>\,|/

      example_value1

    4. Click OK.

Checking Whether the CAA Record Has Taken Effect

Use Domain Information Groper (dig) to check whether the CAA record has taken effect. dig is a network administration command-line tool for querying the Domain Name System. If your OS does not support dig commands, install the dig tool.

Command format: dig [Record set type] [Domain name] +trace

Example:

dig caa www.domain.com +trace

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback