Adding a CAA Record Set
Scenarios
If you want to specify CAs authorized to issue HTTPS certificates for your domain name, add CAA record sets for the domain name.
CAA record sets are used to prevent HTTPS certificates from being incorrectly issued.
For more information about each type of record sets, see Record Set Types and Configuration Rules.
Constraints
CAA record sets can be added only to public zones.
Procedure
- Go to the Public Zones page.
- Locate the zone and click Manage Record Set in the Operation column.
- Click Add Record Set.
The Add Record Set dialog box is displayed.
- Configure the parameters based on Table 1.
Table 1 Parameters for adding a CAA record set Parameter
Description
Example Value
Name
Prefix of the domain name to be resolved.
For example, if the domain name is example.com, the prefix can be as follows:
- www: The domain name is www.example.com, which is usually used for a website.
- Left blank: The domain name is example.com.
To use an at sign (@) as the domain name prefix, just leave this parameter blank.
- abc: The domain name is abc.example.com, a subdomain of example.com.
- mail: The domain name is mail.example.com, which is usually used for email servers.
- *: The domain name is *.example.com, which is a wildcard domain name, indicating all subdomains of example.com.
Left blank
Type
Type of the record set
A message may be displayed indicating that the record set you are trying to add conflicts with an existing record set.
For details, see Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?
CAA – Grant certificate issuing permissions to CAs
Line
Resolution line.
The DNS server will return the IP address of the specific line, depending on where the visitors come from.
This parameter is only configurable for public zone record sets.
- Default: returns the default resolution result irrespective of where the visitors come from.
- ISP: returns the resolution result based on visitors' carrier networks. For details, see Configuring ISP Lines.
- Region: returns the resolution result based on visitors' geographical locations. For details, see Configuring Region Lines.
Default
TTL (s)
Cache duration of the record set on a local DNS server, in seconds.
The value ranges from 1 to 2147483647, and the default value is 300.
If your service address changes frequently, set TTL to a smaller value.
Learn more about TTL.
300
Value
CA to be authorized to issue certificates for a domain name or its subdomains
You can enter up to 50 values, each on a separate line.
The format is [flag] [tag] [value].
Configuration rules:
- flag: CA identifier, an unsigned character ranging from 0 to 255. Usually, the value is set to 0.
- tag: You can enter 1 to 15 characters, consisting of letters and digits from 0 to 9. The tag can be one of the following:
- issue: authorizes a CA to issue all types of certificates.
- issuewild: authorizes a CA to issue wildcard certificates.
- iodef: requests notifications once a CA receives invalid certificate requests.
- value: authorized CA or email address/URL required for notification once the CA receives invalid certificate requests. The value depends on the value of tag and must be enclosed in quotation marks (""). The value can contain no more than 255 characters. Only letters, digits, spaces, and special characters -#*?&_~=:;.@+^/!% are allowed.
0 issue "ca.abc.com"
0 issuewild "ca.def.com"
0 iodef "mailto:admin@domain.com"
0 iodef "http:// domain.com/log/"
Weight
(Optional) Weight for the record set. The value ranges from 0 to 1000, and the default value is 1.
This parameter is only configurable for public zone record sets.
If a resolution line in a zone contains multiple record sets of the same type, you can set different weights to each record set. For details, see Configuring Weighted Routing.
1
Tag
(Optional) Identifier of the record set. Each tag contains a key and a value. You can add up to 20 tags to a record set.
For details about tag key and value requirements, see Table 2.
NOTE:If you have configured tag policies for DNS, you need to add tags to your record sets based on the tag policies. If you add a tag that does not comply with the tag policies, record sets may fail to be created. Contact the administrator to learn more about tag policies.
example_key1
example_value1
Description
(Optional) Supplementary information about the record set.
The description can contain no more than 255 characters.
-
Table 2 Tag key and value requirements Parameter
Requirements
Example Value
Key
- Cannot be left blank.
- Must be unique for each resource.
- Can contain no more than 36 characters.
- Cannot start or end with a space nor contain special characters =*<>\,|/
example_key1
Value
- Cannot be left blank.
- Can contain no more than 43 characters.
- Cannot start or end with a space nor contain special characters =*<>\,|/
example_value1
- Switch back to the Record Sets tab.
The added record set is in the Normal state.
Related Operations
For more information about CAA record sets, see Setting CAA Record Sets to Prevent Unauthorized HTTPS Certificate Issuing.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot