Setting CAA Records to Prevent CAs from Issuing Unauthorized HTTPS Certificate
Overview
Scenarios
Certification Authority Authorization (CAA) is a way to ensure that HTTPS certificates are issued by authorized certificate authorities (CAs). CAA complies with IETF RFC 6844 requirements. As of September 8, 2017, all CAs are required to check CAA record sets before they can issue certificates.
There are hundreds of CAs in the world that can issue HTTPS certificates for websites. If a CA is blacklisted, the browser will no longer trust the HTTPS certificates issued by this CA. If you try to access websites that have those certificates, the browser will prompt that the websites are not secure, as shown in Figure 1.
According to the CAA standards, a compliant CA must check CAA record sets of a domain name before issuing certificates.
- If a CA does not find any CAA records, the CA can issue a certificate for the domain name.
Other CAs can also issue certificates for this domain name, but may issue unauthorized certificates.
- If a CA finds a CAA record set that authorizes it to issue certificates, the CA will issue a certificate for the domain name.
- If a CA finds a CAA record that does not authorize it to issue certificates, the CA will not issue HTTPS certificates for the domain name to avoid unauthorized HTTPS certificates.
Using Huawei Cloud DNS, you can configure CAA record sets for your public domain names on the DNS console.
Advantage
Configuring CAA record sets for website domain names enables you to configure a CA whitelist. Only authorized CAs can issue certificates for your website.
Notes and Constraints
A CAA record set consists of a flag byte and a tag-value pair in the format of [flag] [tag] [value].
- flag: CA identifier, an unsigned character ranging from 0 to 255. Usually, it is specified to 0.
- tag: You can enter 1 to 15 characters. Only letters and digits from 0 to 9 are allowed. The tag can be one of the following:
- issue: authorizes a CA to issue all types of certificates.
- issuewild: authorizes a CA to issue wildcard certificates.
- iodef: requests notifications once a CA receives invalid certificate requests.
- value: authorized CA or email address/URL required for notifications once the CA receives invalid certificate requests. The value depends on the setting of the tag and must be enclosed in quotation marks (""). The value can contain a maximum of 255 characters. Only letters, digits, spaces, and the following special characters are allowed: -#*?&_~=:;.@+^/!%
Scenario |
Description |
Example |
---|---|---|
Configure a CAA record set for one domain name. |
Only the specified CA (ca.example.com) can issue certificates for a particular domain name (domain.com). The requests to issue certificates for the domain name by other CAs will be rejected. |
0 issue "ca.example.com" |
No CA is allowed to issue certificates for the domain name (domain.com). |
0 issue ";" |
|
Enable a CA to report violations to the domain name holder. |
If a certificate request violates the CAA record set, the CA will notify the domain name holder of the violation. |
0 iodef "mailto:admin@domain.com" |
The requests to issue certificates by unauthorized CAs will be recorded. |
0 iodef "http://domain.com/log/" 0 iodef "https:// domain.com/log/" |
|
Authorize a CA to issue wildcard certificates. |
The authorized CA (ca.example.com) can issue wildcard certificates for the domain name. |
0 issuewild "ca.example.com" |
Configuration example |
A CAA record set is configured for domain.com.
|
0 issue "ca.abc.com" 0 issuewild "ca.def.com" 0 iodef "mailto:admin@domain.com" |
Resource and Cost Planning
The following tables list the planned public zone and record set.
Service |
Public Zone |
Record Set Type |
---|---|---|
DNS |
domain.com |
CAA |
Adding a CAA Record Set to a Public Zone
Figure 2 shows the process for adding a CAA record set to a public zone.
Procedure
- Create a public zone.
- Go to the Public Zones page.
- Click Create Public Zone.
- Configure the parameters based on Table 4.
Table 4 Parameters for creating a public zone Parameter
Description
Example
Domain Name
Domain name purchased from a domain name registrar.
For details about the domain name format, see Domain Name Format and DNS Hierarchy.
domain.com
Tag
Optional.
Identifier of the zone. Each tag contains a key and a value. You can add up to 20 tags to a zone.
example_key1
example_value1
Description
Optional.
Supplementary information about the zone.
The description can contain a maximum of 255 characters.
This is a zone example.
- Click OK.
- Add a CAA record set.
- In the public zone list, click the domain name domain.com.
The Record Sets tab is displayed.
- Click Add Record Set.
The Add Record Set dialog box is displayed.
- Configure the parameters based on Table 5.
Table 5 Parameters for adding a CAA record set Parameter
Description
Example
Type
Type of the record set
A message may be displayed, indicating that the record set you are trying to add conflicts with an existing record set of the zone.
For details, see Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?
CAA – Grant certificate issuing permissions to CAs
Name
Prefix of the domain name to be resolved.
For example, if the domain name is domain.com, the domain name prefix can be any of the following:
- www: The domain name is www.domain.com, which is used for a website.
- Left blank: The domain name is domain.com.
To use an at sign (@) as the domain name prefix, just leave this parameter blank.
- abc: The domain name to be resolved is abc.domain.com.
- mail: The domain name to be resolved is mail.domain.com, which is used for email servers.
- *: The domain name is *.domain.com, which is a wildcard domain name, covering all subdomains of domain.com.
Left blank
Line
Resolution line. The DNS server uses information about end users' carrier networks or geographical locations to determine the most appropriate server IP address to return.
The default value is Default.
This parameter is only configurable for public zone record sets.
- Default: returns the default resolution result irrespective of where the visitors come from.
- ISP: returns the resolution result based on end users' carrier networks.
- Region: returns the resolution result based on end users' geographical locations.
Default
TTL (s)
Cache duration of the record set on a local DNS server, in seconds.
Default value: 300
Value range: 1 to 2147483647
If your service address changes frequently, set TTL to a smaller value.
Learn more about TTL.
300
Value
CA to be authorized to issue certificates for a domain name or its subdomains.
You can enter up to 50 different IP addresses, each on a separate line.
The format is [flag] [tag] [value].
Configuration rules:
- flag: CA identifier, an unsigned character ranging from 0 to 255. Usually, it is specified to 0.
- tag: You can enter 1 to 15 characters. Only letters and digits from 0 to 9 are allowed. The tag can be one of the following:
- issue: authorizes a CA to issue all types of certificates.
- issuewild: authorizes a CA to issue wildcard certificates.
- iodef: requests notifications once a CA receives invalid certificate requests.
- value: authorized CA or email address/URL required for notification once the CA receives invalid certificate requests. The value depends on the value of tag and must be enclosed in quotation marks (""). The value can contain a maximum of 255 characters. Only letters, digits, spaces, and the following special characters are allowed: -#*?&_~=:;.@+^/!%
0 issue "ca.abc.com"
0 iodef "mailto:admin@domain.com"
Weight
(Optional) Weight for the record set. The value ranges from 0 to 1000, and the default value is 1.
This parameter is only configurable for public zone record sets.
If a resolution line in a zone contains multiple record sets of the same type, you can set different weights to each record set.
1
Tag
(Optional) Identifier of the record set. Each tag contains a key and a value. You can add up to 20 tags to a record set.
example_key1
example_value1
Description
(Optional) Supplementary information about the record set.
The description can contain a maximum of 255 characters.
The description of the hostname.
- Click OK.
- In the public zone list, click the domain name domain.com.
Checking Whether a CAA Record Set Has Taken Effect
Use Domain Information Groper (dig) to check whether the CAA record has taken effect. dig is a network administration command-line tool for querying the Domain Name System. If your OS does not support dig commands, install the dig tool.
Command format: dig <record-set-type> <domain-name> +trace.
Example:
dig caa www.domain.com +trace
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot