Help Center/ Domain Name Service/ Best Practices/ Setting CAA Records to Prevent CAs from Issuing Unauthorized HTTPS Certificate
Updated on 2024-03-15 GMT+08:00
View PDF
Share

Setting CAA Records to Prevent CAs from Issuing Unauthorized HTTPS Certificate

Overview

Scenario

Certification Authority Authorization (CAA) is a way to ensure that HTTPS certificates are issued by authorized certificate authorities (CAs). It complies with IETF RFC 6844 standards. Since September 8, 2017, all CAs must check CAA record sets before issuing a certificate.

There are hundreds of CAs in the world that can issue HTTPS certificates for websites. If a CA is blacklisted, the browser will no longer trust the HTTPS certificates issued by this CA. If you try to access websites that have those certificates, the browser will prompt that the websites are not secure.

Figure 1 Untrusted HTTPS certificate warning

According to the CAA standards, a compliant CA must check CAA record sets of a domain name before issuing certificates.

  • If a CA does not find any CAA records, the CA can issue a certificate for the domain name.

    Other CAs can also issue certificates for this domain name, but may issue unauthorized certificates.

  • If a CA finds a CAA record set that authorizes it to issue certificates, the CA will issue a certificate for the domain name.
  • If a CA finds a CAA record that does not authorize it to issue certificates, the CA will not issue HTTPS certificates for the domain name to avoid unauthorized HTTPS certificates.

Using Huawei Cloud DNS, you can add CAA record sets for your public domain names on the management console.

Advantage

Configuring CAA record sets for website domain names enables you to configure a CA whitelist. Only authorized CAs can issue certificates for your website.

Notes and Constraints

A CAA record set consists of a flag byte and a tag-value pair in the format of [flag] [tag] [value].

  • flag: CA identifier, an unsigned character ranging from 0 to 255. Usually, it is specified to 0.
  • tag: 1 to 15 characters, including letters and digits from 0 to 9. The tag can be one of the following:
    • issue: authorizes the CA to issue all types of certificates.
    • issuewild: authorizes the CA to issue wildcard certificates.
    • iodef: requests notifications once the CA receives invalid certificate requests.
  • value: authorized CA or email address/URL for notifications once the CA receives invalid certificate requests. The value depends on the setting of the tag and must be enclosed in quotation marks (""). The value can contain up to 255 characters, consisting of letters, digits, spaces, and special characters -#*?&_~=:;.@+^/!%
You can set CAA record sets based on the following rules to suit different scenarios.
Table 1 Configuration of CAA record sets

Function

Example CAA Record Set

Description

Configure a CAA record set for one domain name.

0 issue "ca.example.com"

Only the specified CA (ca.example.com) can issue certificates for a particular domain name (domain.com). Requests to issue certificates for the domain name by other CAs will be rejected.

0 issue ";"

No CA is allowed to issue certificates for the domain name (domain.com).

Enable a CA to report violations to the domain name holder.

0 iodef "mailto:admin@domain.com"

If a certificate request violates the CAA record set, the CA will notify the domain name holder of the violation.

0 iodef "http:// domain.com/log/"

0 iodef "https:// domain.com/log/"

Requests to issue certificates by unauthorized CAs will be recorded.

Authorize a CA to issue wildcard certificates.

0 issuewild "ca.example.com"

The authorized CA (ca.example.com) can issue wildcard certificates for the domain name.

Configuration example

0 issue "ca.abc.com"

0 issuewild "ca.def.com"

0 iodef "mailto:admin@domain.com"

A CAA record set is configured for domain.com.

  • Only CA ca.abc.com can issue certificates of all types.
  • Only CA ca.def.com can issue wildcard certificates.
  • Any other CAs are not allowed to issue certificates.
  • If a violation occurs, the CA sends a notification to admin@domain.com.

Resource Planning

The following tables list the planned public zone and record set.

Table 2 Domain name

Service

Public Zone

Record Set Type

DNS

domain.com

CAA
Table 3 Resources and costs

Service

Resource

Description

Quantity

Monthly Price

Domains

Domain name

Public domain name: domain.com

1

N/A

DNS
  • Public zone
  • Record set
  • Public zone: domain.com
  • Record set type: CAA

    Value:

    0 issue "ca.abc.com"

    0 iodef "mailto:admin@domain.com"

1

Free

Adding a CAA Record Set to a Public Zone

Figure 2 shows the process for adding a CAA record set to a public zone.

Figure 2 Adding a CAA record set to a public zone

Procedure

  1. Create a public zone.

    1. Go to the Public Zones page.
    2. Click Create Public Zone.
    3. Configure the parameters based on Table 4.
      Table 4 Parameters for creating a public zone

      Parameter

      Description

      Example Value

      Domain Name

      Name of the public zone, which is the domain name you registered

      The domain name can include two levels in addition to the top-level domain. The following are two examples:
      • Subdomain of domain.com: abc.domain.com
      • Subdomain of domain.com.cn: abc.domain.com.cn

      For details about the domain name format, see Domain Name Format and DNS Hierarchy.

      domain.com

      Email

      (Optional)

      Email address of the administrator managing the domain name. It is recommended that you set the email address to HOSTMASTER@Domain name.

      For details about the email address, see Why Was the Email Address Format Changed in the SOA Record?

      N/A

      Tag

      (Optional) Identifier of the domain name

      Each tag contains a key and a value. You can add a maximum of 10 tags to a zone.

      For details about tag key and value requirements, see Table 5.

      NOTE:

      If you have configured tag policies for DNS, you need to add tags to your zones based on the tag policies. If you add a tag that does not comply with the tag policies, zones may fail to be created. Contact the administrator to learn more about tag policies.

      example_key1

      example_value1

      Description

      (Optional)

      Supplementary information about the zone

      The value cannot exceed 255 characters.

      This is a zone example.
      Table 5 Tag naming rules

      Parameter

      Requirements

      Example Value

      Tag key
      • Cannot be left blank.
      • Must be unique for each resource.
      • Can contain a maximum of 36 characters.

      • Cannot start or end with a space nor contain special characters =*<>\,|/

      example_key1

      Value
      • Cannot be left blank.
      • Can contain a maximum of 43 characters.
      • Cannot start or end with a space nor contain special characters =*<>\,|/

      example_value1
    4. Click OK.

  1. Add a CAA record set.

    1. In the public zone list, click the domain name domain.com.

      The record set page is displayed.

    2. Click Add Record Set.

      The Add Record Set dialog box is displayed.

    3. Configure the parameters based on Table 6.
      Table 6 Parameters for adding a CAA record set

      Parameter

      Description

      Example Value

      Name

      Prefix of the domain name to be resolved.

      For example, if the domain name is domain.com, the domain name prefix can be any of the following:

      • www: The domain name to be resolved is www.domain.com, which is used for a website.
      • Left blank: The domain name is domain.com.

        The Name field cannot be set to an at sign (@). Just leave this field blank.

      • abc: The domain name to be resolved is abc.domain.com.
      • mail: The domain name to be resolved is mail.domain.com, which is used for email servers.
      • *: The domain name is *.domain.com, which is a wildcard domain name, covering all subdomains of domain.com.

      Leave this parameter blank.

      Type

      Type of the record set

      A message may be displayed indicating that the record set you are trying to add conflicts with an existing record set.

      For details, see Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?

      CAA – Grant certificate issuing permissions to CAs

      Line

      Resolution line.

      The DNS server will return the IP address of the specific line, depending on where the visitors come from.

      This parameter is only designated for public domain names.

      • Default: returns the default resolution result irrespective of where the visitors come from.
      • ISP: returns the resolution result based on visitors' carrier networks.
      • Region: returns the resolution result based on visitors' geographical locations.

      Default

      TTL (s)

      Cache duration of the record set on a local DNS server, in seconds.

      The value ranges from 1 to 2147483647, and the default is 300.

      If your service address changes frequently, set TTL to a smaller value.

      Learn more about TTL.

      300

      Value

      CA to be authorized to issue certificates for a domain name or its subdomains

      You can enter a maximum of 50 record values, each on a separate line.

      The format is [flag] [tag] [value].

      Configuration rules:

      • flag: CA identifier, an unsigned character ranging from 0 to 255. Usually, the value is set to 0.
      • tag: You can enter 1 to 15 characters, consisting of letters and digits from 0 to 9. The tag can be one of the following:
        • issue: authorizes a CA to issue all types of certificates.
        • issuewild: authorizes a CA to issue wildcard certificates.
        • iodef: requests notifications once a CA receives invalid certificate requests.
      • value: authorized CA or email address/URL required for notification once the CA receives invalid certificate requests. The value depends on the value of tag and must be enclosed in quotation marks (""). The value can contain a maximum of 255 characters, consisting of letters, digits, spaces, and special characters -#*?&_~=:;.@+^/!%

      0 issue "ca.abc.com"

      0 iodef "mailto:admin@domain.com"

      Weight

      (Optional) Weight of a record set. The value ranges from 0 to 1000, and the default value is 1.

      This parameter is only designated for public domain names.

      If a resolution line in a zone contains multiple record sets of the same type, you can set different weights to each record set.

      1

      Tag

      (Optional) Identifier of a record set. Each tag contains a key and a value. You can add a maximum of 10 tags to a record set.

      For details about tag key and value requirements, see Table 7.

      NOTE:

      If you have configured tag policies for DNS, you need to add tags to your record sets based on the tag policies. If you add a tag that does not comply with the tag policies, record sets may fail to be created. Contact the administrator to learn more about tag policies.

      example_key1

      example_value1

      Description

      (Optional) Supplementary information about the record set.

      You can enter a maximum of 255 characters.

      The description of the hostname.
      Table 7 Tag key and value requirements

      Parameter

      Requirements

      Example Value

      Key
      • Cannot be left blank.
      • Must be unique for each resource.
      • Can contain a maximum of 36 characters.
      • Cannot start or end with a space nor contain special characters =*<>\,|/

      example_key1

      Value
      • Cannot be left blank.
      • Can contain a maximum of 43 characters.
      • Cannot start or end with a space nor contain special characters =*<>\,|/

      example_value1
    4. Click OK.

Checking Whether the CAA Record Has Taken Effect

Use Domain Information Groper (dig) to check whether the CAA record has taken effect. dig is a network administration command-line tool for querying the Domain Name System. If your OS does not support dig commands, install the dig tool.

Command format: dig [Record set type] [Domain name] +trace

Example:

dig caa www.domain.com +trace