Esta página ainda não está disponível no idioma selecionado. Estamos trabalhando para adicionar mais opções de idiomas. Agradecemos sua compreensão.
Setting CAA Records to Prevent CAs from Issuing Unauthorized HTTPS Certificate
Overview
Scenarios
Certification Authority Authorization (CAA) is a way to ensure that HTTPS certificates are issued by authorized certificate authorities (CAs). CAA complies with IETF RFC 6844 requirements. Since September 8, 2017, all CAs must check CAA record sets before issuing a certificate.
There are hundreds of CAs in the world that can issue HTTPS certificates for websites. If a CA is blacklisted, the browser will no longer trust the HTTPS certificates issued by this CA. If you try to access websites that have those certificates, the browser will prompt that the websites are not secure.
According to the CAA standards, a compliant CA must check CAA record sets of a domain name before issuing certificates.
- If a CA does not find any CAA records, the CA can issue a certificate for the domain name.
Other CAs can also issue certificates for this domain name, but may issue unauthorized certificates.
- If a CA finds a CAA record set that authorizes it to issue certificates, the CA will issue a certificate for the domain name.
- If a CA finds a CAA record that does not authorize it to issue certificates, the CA will not issue HTTPS certificates for the domain name to avoid unauthorized HTTPS certificates.
Using Huawei Cloud DNS, you can configure CAA record sets for your public domain names on the DNS console.
Advantage
Configuring CAA record sets for website domain names enables you to configure a CA whitelist. Only authorized CAs can issue certificates for your website.
Notes and Constraints
A CAA record set consists of a flag byte and a tag-value pair in the format of [flag] [tag] [value].
- flag: CA identifier, an unsigned character ranging from 0 to 255. Usually, it is specified to 0.
- tag: You can enter 1 to 15 characters. Only letters and digits from 0 to 9 are allowed. The tag can be one of the following:
- issue: authorizes the CA to issue all types of certificates.
- issuewild: authorizes the CA to issue wildcard certificates.
- iodef: requests notifications once a CA receives invalid certificate requests.
- value: authorized CA or email address/URL required for notifications once the CA receives invalid certificate requests. The value depends on the setting of the tag and must be enclosed in quotation marks (""). The value can contain no more than 255 characters. Only letters, digits, spaces, and special characters -#*?&_~=:;.@+^/!% are allowed.
|
Function |
Example Value |
Description |
|---|---|---|
|
Configure a CAA record set for one domain name. |
0 issue "ca.example.com" |
Only the specified CA (ca.example.com) can issue certificates for a particular domain name (domain.com). The requests to issue certificates for the domain name by other CAs will be rejected. |
|
0 issue ";" |
No CA is allowed to issue certificates for the domain name (domain.com). |
|
|
Enable a CA to report violations to the domain name holder. |
0 iodef "mailto:admin@domain.com" |
If a certificate request violates the CAA record set, the CA will notify the domain name holder of the violation. |
|
0 iodef "http:// domain.com/log/" 0 iodef "https:// domain.com/log/" |
The requests to issue certificates by unauthorized CAs will be recorded. |
|
|
Authorize a CA to issue wildcard certificates. |
0 issuewild "ca.example.com" |
The authorized CA (ca.example.com) can issue wildcard certificates for the domain name. |
|
Configuration example |
0 issue "ca.abc.com" 0 issuewild "ca.def.com" 0 iodef "mailto:admin@domain.com" |
A CAA record set is configured for domain.com.
|
Resource and Cost Planning
The following tables list the planned public zone and record set.
|
Service |
Public Zone |
Record Set Type |
|---|---|---|
|
DNS |
domain.com |
CAA |
|
Service |
Resource |
Description |
Quantity |
Monthly Price |
|---|---|---|---|---|
|
Domains |
Domain name |
Public domain name: domain.com |
1 |
N/A |
|
DNS |
|
1 |
Free |
Adding a CAA Record Set to a Public Zone
Figure 2 shows the process for adding a CAA record set to a public zone.
Procedure
- Create a public zone.
- Go to the Public Zones page.
- Click Create Public Zone.
- Configure the parameters based on Table 4.
Table 4 Parameters for creating a public zone Parameter
Description
Example Value
Domain Name
Name of the public zone, which is the domain name you have registered with a domain name registrar
For details about the domain name format, see Domain Name Format and DNS Hierarchy.
domain.com
Email
(Optional)
Email address of the administrator managing the domain name. It is recommended that you set the email address to HOSTMASTER@Domain name.
For more information about the email address, see Why Was the Email Address Format Changed in the SOA Record?
N/A
Tag
(Optional)
Identifier of the zone. Each tag contains a key and a value. You can add up to 20 tags to a zone.
example_key1
example_value1
Description
(Optional)
Supplementary information about the zone
The description can contain no more than 255 characters.
This is a zone example.
- Click OK.
- Add a CAA record set.
- In the public zone list, click the domain name domain.com.
The Record Sets tab is displayed.
- Click Add Record Set.
The Add Record Set dialog box is displayed.
- Configure the parameters based on Table 5.
Table 5 Parameters for adding a CAA record set Parameter
Description
Example Value
Name
Prefix of the domain name to be resolved.
For example, if the domain name is domain.com, the domain name prefix can be any of the following:
- www: The domain name is www.domain.com, which is used for a website.
- Left blank: The domain name is domain.com.
To use an at sign (@) as the domain name prefix, just leave this parameter blank.
- abc: The domain name to be resolved is abc.domain.com.
- mail: The domain name to be resolved is mail.domain.com, which is used for email servers.
- *: The domain name is *.domain.com, which is a wildcard domain name, covering all subdomains of domain.com.
Left blank
Type
Type of the record set
A message may be displayed, indicating that the record set you are trying to add conflicts with an existing record set of the zone.
For details, see Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?
CAA – Grant certificate issuing permissions to CAs
Line
Resolution line. The DNS server uses information about end users' carrier networks or geographical locations to determine the most appropriate server IP address to return.
The default value is Default.
This parameter is only configurable for public zone record sets.
- Default: returns the default resolution result when no resolution line is set based on end users' carrier networks or geographical locations.
- ISP: returns the resolution result based on end users' carrier networks.
- Region: returns the resolution result based on end users' geographical locations.
Default
TTL (s)
Cache duration of the record set on a local DNS server, in seconds.
The value ranges from 1 to 2147483647, and the default value is 300.
If your service address changes frequently, set TTL to a smaller value.
Learn more about TTL.
300
Value
CA to be authorized to issue certificates for a domain name or its subdomains.
You can enter up to 50 different IP addresses, each on a separate line.
The format is [flag] [tag] [value].
Configuration rules:
- flag: CA identifier, an unsigned character ranging from 0 to 255. Usually, it is specified to 0.
- tag: You can enter 1 to 15 characters. Only letters and digits from 0 to 9 are allowed. The tag can be one of the following:
- issue: authorizes the CA to issue all types of certificates.
- issuewild: authorizes the CA to issue wildcard certificates.
- iodef: requests notifications once a CA receives invalid certificate requests.
- value: authorized CA or email address/URL required for notification once the CA receives invalid certificate requests. The value depends on the value of tag and must be enclosed in quotation marks (""). The value can contain no more than 255 characters. Only letters, digits, spaces, and special characters -#*?&_~=:;.@+^/!% are allowed.
0 issue "ca.abc.com"
0 iodef "mailto:admin@domain.com"
Weight
(Optional) Weight for the record set. The value ranges from 0 to 1000, and the default value is 1.
This parameter is only configurable for public zone record sets.
If a resolution line in a zone contains multiple record sets of the same type, you can set different weights to each record set.
1
Tag
(Optional) Identifier of the record set. Each tag contains a key and a value. You can add up to 20 tags to a record set.
example_key1
example_value1
Description
(Optional) Supplementary information about the record set.
The description can contain no more than 255 characters.
The description of the hostname.
- Click OK.
- In the public zone list, click the domain name domain.com.
Checking Whether the CAA Record Has Taken Effect
Use Domain Information Groper (dig) to check whether the CAA record has taken effect. dig is a network administration command-line tool for querying the Domain Name System. If your OS does not support dig commands, install the dig tool.
Command format: dig <record-set-type> <domain-name> +trace.
Example:
dig caa www.domain.com +trace
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
