oyvindhagberg opened 1 year ago
Okay, so if I understand https://datatracker.ietf.org/doc/html/rfc6844#section-3, our CAA records need to support three fields:

issue <Issuer Domain Name> [; <name>=<value> ]* : The issue property entry authorizes the holder of the domain name <Issuer Domain Name>

issuewild <Issuer Domain Name> [; <name>=<value> ]* : The issuewild property entry authorizes the holder of the domain name

iodef <URL> : Specifies a URL to which an issuer MAY report certificate issue requests that are inconsistent with the issuer's Certification Practices or Certificate Policy, or that a Certificate Evaluator may use to report observation of a possible policy violation. The Incident Object Description Exchange Format (IODEF) format is used [RFC5070].

And in the zone file we are to output the CAA records as such:
$ORIGIN example.com
. CAA 0 issue "ca.example.net"
. CAA 0 iodef "mailto:security@example.com"
. CAA 0 iodef "http://iodef.example.com/"
It is worth noting that CAAs can be set for both domains and specific hosts.
Oh, and there would have to be a specific access control for the record type itself, rather than following the host. Typically a specific list of groups may have access.
Have I understood the request?
It would be nice to have support for CAA records, including a sensible form of access control:
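As an added illustration of the RFC 6844 format discussed in this issue (example code written here, not part of the original post or of the project), the following parses the `flags tag "value"` rdata shown above and applies the issue/issuewild/critical-flag semantics a CA uses to decide whether it may issue. The function names `parse_caa` and `ca_is_authorized` are hypothetical; the sample records are the RFC's own example values.

```python
import re
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
# Presentation format: <flags> <tag> <value>, value quoted or bare.
_CAA_RE = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+(?:"([^"]*)"|(\S+))\s*$')


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & 0x80)  # issuer-critical bit (RFC 6844 s5.1)


def parse_caa(rdata: str) -> CAA:
    """Parse and sanity-check one CAA rdata string such as 0 issue "ca.example.net"."""
    m = _CAA_RE.match(rdata)
    if not m or int(m.group(1)) > 255:
        raise ValueError(f"not a valid CAA rdata: {rdata!r}")
    tag = m.group(2).lower()  # property tags are case-insensitive
    value = m.group(3) if m.group(3) is not None else m.group(4)
    if tag in ("issue", "issuewild"):
        issuer, *params = [p.strip() for p in value.split(";")]
        if issuer and not re.fullmatch(r"[A-Za-z0-9.-]+", issuer):
            raise ValueError(f"bad issuer domain: {issuer!r}")
        if any(p and "=" not in p for p in params):
            raise ValueError(f"bad issue parameter list: {value!r}")
    elif tag == "iodef" and not re.match(r"^(mailto:|https?://)", value):
        raise ValueError("iodef value must be a mailto: or http(s):// URL")
    return CAA(int(m.group(1)), tag, value)


def ca_is_authorized(records, issuer_domain: str, wildcard: bool = False) -> bool:
    """RFC 6844 s5.2/5.3: may the CA named issuer_domain issue for this name?"""
    recs = [parse_caa(r) if isinstance(r, str) else r for r in records]
    # An unrecognised property with the critical bit set forbids issuance.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in recs):
        return False
    relevant = [r for r in recs if r.tag == "issuewild"] if wildcard else []
    if not relevant:  # no issuewild (or non-wildcard name): issue applies
        relevant = [r for r in recs if r.tag == "issue"]
    if not relevant:  # only iodef or nothing: issuance is not restricted
        return True
    # issue ";" (empty issuer domain) matches no CA, i.e. nobody may issue.
    return any(r.value.split(";")[0].strip().lower() == issuer_domain.lower()
               for r in relevant)
```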