DNS Certification Authority Authorization (CAA) Resource Record
RFC 8659
Document | Type |
RFC - Proposed Standard
(November 2019; Errata)
Obsoletes RFC 6844
|
|
---|---|---|---|
Authors | Phillip Hallam-Baker , Rob Stradling , Jacob Hoffman-Andrews | ||
Last updated | 2019-12-12 | ||
Replaces | draft-hoffman-andrews-caa-simplification | ||
Stream | IETF | ||
Formats | plain text html xml pdf htmlized bibtex | ||
Reviews | |||
Stream | WG state | Submitted to IESG for Publication | |
Document shepherd | Russ Housley | ||
Shepherd write-up | Show (last changed 2018-11-04) | ||
IESG | IESG state | RFC 8659 (Proposed Standard) | |
Consensus Boilerplate | Yes | ||
Telechat date | |||
Responsible AD | Roman Danyliw | ||
Send notices to | Russ Housley <housley@vigilsec.com> | ||
IANA | IANA review state | IANA OK - Actions Needed | |
IANA action state | RFC-Ed-Ack |
Internet Engineering Task Force (IETF) P. Hallam-Baker Request for Comments: 8659 Venture Cryptography Obsoletes: 6844 R. Stradling Category: Standards Track Sectigo ISSN: 2070-1721 J. Hoffman-Andrews Let's Encrypt November 2019 DNS Certification Authority Authorization (CAA) Resource Record Abstract The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain name. CAA Resource Records allow a public CA to implement additional controls to reduce the risk of unintended certificate mis-issue. This document defines the syntax of the CAA record and rules for processing CAA records by CAs. This document obsoletes RFC 6844. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8659. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction 2. Definitions 2.1. Requirements Language 2.2. Defined Terms 3. Relevant Resource Record Set 4. Mechanism 4.1. Syntax 4.1.1. Canonical Presentation Format 4.2. CAA issue Property 4.3. CAA issuewild Property 4.4. CAA iodef Property 4.5. Critical Flag 5. Security Considerations 5.1. Use of DNS Security 5.2. Non-compliance by Certification Authority 5.3. Mis-Issue by Authorized Certification Authority 5.4. Suppression or Spoofing of CAA Records 5.5. Denial of Service 5.6. Abuse of the Critical Flag 6. Deployment Considerations 6.1. Blocked Queries or Responses 6.2. Rejected Queries and Malformed Responses 6.3. Delegation to Private Nameservers 6.4. Bogus DNSSEC Responses 7. Differences from RFC 6844 8. IANA Considerations 9. References 9.1. Normative References 9.2. Informative References Acknowledgements Authors' Addresses 1. Introduction The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify the Certification Authorities (CAs) authorized to issue certificates for that domain name. Publication of CAA Resource Records allows a public CA to implement additional controls to reduce the risk of unintended certificate mis-issue. Like the TLSA record defined in DNS-Based Authentication of Named Entities (DANE) [RFC6698], CAA records are used as a part of a mechanism for checking PKIX [RFC6698] certificate data. The distinction between CAA and TLSA is that CAA records specify an authorization control to be performed by a CA before issuing a certificate and TLSA records specify a verification control to be performed by a Relying Party after the certificate is issued. Conformance with a published CAA record is a necessary, but not sufficient, condition for the issuance of a certificate. Criteria for the inclusion of embedded trust anchor certificates in applications are outside the scope of this document. Typically, such criteria require the CA to publish a Certification Practices Statement (CPS) that specifies how the requirements of the Certificate Policy (CP) are achieved. It is also common for a CA to engage an independent third-party auditor to prepare an annual audit statement of its performance against its CPS. A set of CAA records describes only current grants of authority to issue certificates for the corresponding DNS domain name. Since certificates are valid for a period of time, it is possible that aShow full document text