DNS Certification Authority Authorization (CAA) Resource Record
RFC 8659
| Document | Type |
RFC - Proposed Standard
(November 2019; Errata)
Obsoletes RFC 6844
|
|
|---|---|---|---|
| Authors | Phillip Hallam-Baker , Rob Stradling , Jacob Hoffman-Andrews | ||
| Last updated | 2019-12-12 | ||
| Replaces | draft-hoffman-andrews-caa-simplification | ||
| Stream | IETF | ||
| Formats | plain text html xml pdf htmlized bibtex | ||
| Reviews | |||
| Stream | WG state | Submitted to IESG for Publication | |
| Document shepherd | Russ Housley | ||
| Shepherd write-up | Show (last changed 2018-11-04) | ||
| IESG | IESG state | RFC 8659 (Proposed Standard) | |
| Consensus Boilerplate | Yes | ||
| Telechat date | |||
| Responsible AD | Roman Danyliw | ||
| Send notices to | Russ Housley <housley@vigilsec.com> | ||
| IANA | IANA review state | IANA OK - Actions Needed | |
| IANA action state | RFC-Ed-Ack | ||
Internet Engineering Task Force (IETF) P. Hallam-Baker
Request for Comments: 8659 Venture Cryptography
Obsoletes: 6844 R. Stradling
Category: Standards Track Sectigo
ISSN: 2070-1721 J. Hoffman-Andrews
Let's Encrypt
November 2019
DNS Certification Authority Authorization (CAA) Resource Record
Abstract
The Certification Authority Authorization (CAA) DNS Resource Record
allows a DNS domain name holder to specify one or more Certification
Authorities (CAs) authorized to issue certificates for that domain
name. CAA Resource Records allow a public CA to implement additional
controls to reduce the risk of unintended certificate mis-issue.
This document defines the syntax of the CAA record and rules for
processing CAA records by CAs.
This document obsoletes RFC 6844.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8659.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction
2. Definitions
2.1. Requirements Language
2.2. Defined Terms
3. Relevant Resource Record Set
4. Mechanism
4.1. Syntax
4.1.1. Canonical Presentation Format
4.2. CAA issue Property
4.3. CAA issuewild Property
4.4. CAA iodef Property
4.5. Critical Flag
5. Security Considerations
5.1. Use of DNS Security
5.2. Non-compliance by Certification Authority
5.3. Mis-Issue by Authorized Certification Authority
5.4. Suppression or Spoofing of CAA Records
5.5. Denial of Service
5.6. Abuse of the Critical Flag
6. Deployment Considerations
6.1. Blocked Queries or Responses
6.2. Rejected Queries and Malformed Responses
6.3. Delegation to Private Nameservers
6.4. Bogus DNSSEC Responses
7. Differences from RFC 6844
8. IANA Considerations
9. References
9.1. Normative References
9.2. Informative References
Acknowledgements
Authors' Addresses
1. Introduction
The Certification Authority Authorization (CAA) DNS Resource Record
allows a DNS domain name holder to specify the Certification
Authorities (CAs) authorized to issue certificates for that domain
name. Publication of CAA Resource Records allows a public CA to
implement additional controls to reduce the risk of unintended
certificate mis-issue.
Like the TLSA record defined in DNS-Based Authentication of Named
Entities (DANE) [RFC6698], CAA records are used as a part of a
mechanism for checking PKIX [RFC6698] certificate data. The
distinction between CAA and TLSA is that CAA records specify an
authorization control to be performed by a CA before issuing a
certificate and TLSA records specify a verification control to be
performed by a Relying Party after the certificate is issued.
Conformance with a published CAA record is a necessary, but not
sufficient, condition for the issuance of a certificate.
Criteria for the inclusion of embedded trust anchor certificates in
applications are outside the scope of this document. Typically, such
criteria require the CA to publish a Certification Practices
Statement (CPS) that specifies how the requirements of the
Certificate Policy (CP) are achieved. It is also common for a CA to
engage an independent third-party auditor to prepare an annual audit
statement of its performance against its CPS.
A set of CAA records describes only current grants of authority to
issue certificates for the corresponding DNS domain name. Since
certificates are valid for a period of time, it is possible that a
Show full document text