Setting CAA Records to Prevent CAs from Issuing Unauthorized HTTPS Certificate

Overview

Scenarios

Certification Authority Authorization (CAA) is a way to ensure that HTTPS certificates are issued by authorized certificate authorities (CAs). CAA complies with IETF RFC 6844 requirements. As of September 8, 2017, all CAs are required to check CAA record sets before they can issue certificates.

There are hundreds of CAs in the world that can issue HTTPS certificates for websites. If a CA is blacklisted, the browser will no longer trust the HTTPS certificates issued by this CA. If you try to access websites that have those certificates, the browser will prompt that the websites are not secure, as shown in Figure 1.

Resource and Cost Planning

The following tables list the planned public zone and record set.

Adding a CAA Record Set to a Public Zone

Figure 2 shows the process for adding a CAA record set for a public zone.

Figure 2 Adding a CAA record set for a public zone

Procedure

1. Create a public zone.
   1. Go to the Public Zones page.
   2. Click Create Public Zone.
   3. Configure the parameters based on Table 4.

      Table 4 Parameters for creating a public zone

      Parameter	Description	Example
      Domain Name	Domain name purchased from a domain name registrar. For details about the domain name format, see Domain Name Format and DNS Hierarchy.	domain.com
      Tag	Optional. Identifier of the zone. Each tag contains a key and a value. You can add up to 20 tags to a zone.	example_key1 example_value1
      Description	Optional. Supplementary information about the zone. The description can contain a maximum of 255 characters.	This is a zone example.

   4. Click OK.

2. Add a CAA record set.
   1. In the public zone list, click the domain name domain.com.

      The Record Sets tab is displayed.

   2. Click Add Record Set.

      The Add Record Set dialog box is displayed.

   3. Configure the parameters based on Table 5.

      Table 5 Parameters for adding a CAA record set

      Parameter	Description	Example
      Type	Type of the record set A message may be displayed, indicating that the record set you are trying to add conflicts with an existing record set of the zone. For details, see Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?	CAA – Grant certificate issuing permissions to CAs
      Name	Prefix of the domain name to be resolved. For example, if the domain name is domain.com, the domain name prefix can be any of the following: www: The domain name is www.domain.com, which is used for a website. Left blank: The domain name is domain.com. To use an at sign (@) as the domain name prefix, just leave this parameter blank. abc: The domain name to be resolved is abc.domain.com. mail: The domain name to be resolved is mail.domain.com, which is used for email servers. *: The domain name is *.domain.com, which is a wildcard domain name, covering all subdomains of domain.com.	Left blank
      Line	Resolution line. The DNS server uses information about end users' carrier networks or geographical locations to determine the most appropriate server IP address to return. The default value is Default. This parameter is only configurable for public zone record sets. Default: returns the default resolution result irrespective of where the visitors come from. ISP: returns the resolution result based on end users' carrier networks. Region: returns the resolution result based on end users' geographical locations.	Default
      TTL (s)	Cache duration of the record set on a local DNS server, in seconds. Default value: 300 Value range: 1 to 2147483647 If your service address changes frequently, set TTL to a smaller value. Learn more about TTL.	300
      Value	CA to be authorized to issue certificates for a domain name or its subdomains. You can enter up to 50 different IP addresses, each on a separate line. The format is [flag] [tag] [value]. Configuration rules: flag: CA identifier, an unsigned character ranging from 0 to 255. Usually, it is specified to 0. tag: You can enter 1 to 15 characters. Only letters and digits from 0 to 9 are allowed. The tag can be one of the following: issue: authorizes a CA to issue all types of certificates. issuewild: authorizes a CA to issue wildcard certificates. iodef: requests notifications once a CA receives invalid certificate requests. value: authorized CA or email address/URL required for notification once the CA receives invalid certificate requests. The value depends on the value of tag and must be enclosed in quotation marks (""). The value can contain a maximum of 255 characters. Only letters, digits, spaces, and the following special characters are allowed: -#*?&_~=:;.@+^/!%	0 issue "ca.abc.com" 0 iodef "mailto:admin@domain.com"
      Weight	(Optional) Weight for the record set. The value ranges from 0 to 1000, and the default value is 1. This parameter is only configurable for public zone record sets. If a resolution line in a zone contains multiple record sets of the same type, you can set different weights to each record set.	1
      Tag	(Optional) Identifier of the record set. Each tag contains a key and a value. You can add up to 20 tags to a record set.	example_key1 example_value1
      Description	(Optional) Supplementary information about the record set. The description can contain a maximum of 255 characters.	The description of the hostname.

   4. Click OK.

Checking Whether a CAA Record Set Has Taken Effect

Use Domain Information Groper (dig) to check whether the CAA record has taken effect. dig is a network administration command-line tool for querying the Domain Name System. If your OS does not support dig commands, install the dig tool.

Command format: dig <record-set-type> <domain-name> +trace.

Example:

dig caa www.domain.com +trace