terjekv
commented
1 year ago Okay, so if I understand https://datatracker.ietf.org/doc/html/rfc6844#section-3 our CAA records need to support three fields:
- flag: An integer 0-255.
- tag: On the form (from the RFC):
- issue
<Issuer Domain Name> [; <name>=<value> ]*: The issue property entry authorizes the holder of the domain nameor a party acting under the explicit authority of the holder of that domain name to issue certificates for the domain in which the property is published. - issuewild
<Issuer Domain Name> [; <name>=<value> ]*: The issuewild property entry authorizes the holder of the domain nameor a party acting under the explicit authority of the holder of that domain name to issue wildcard certificates for the domain in which the property is published. - iodef
<URL>: Specifies a URL to which an issuer MAY report certificate issue requests that are inconsistent with the issuer's Certification Practices or Certificate Policy, or that a Certificate Evaluator may use to report observation of a possible policy violation. The Incident Object Description Exchange Format (IODEF) format is used [RFC5070].
- issue
- value: A string field, cannot have spaces.
And in the zone file we are to output something the CAA records as such:
$ORIGIN example.com
. CAA 0 issue "ca.example.net"
. CAA 0 iodef "mailto:security@example.com"
. CAA 0 iodef "http://iodef.example.com/"It is worth noting that CAAs can be set for both domains and specific hosts.
Oh, and there would have to be a specific access control for the record type itself, rather than following the host. Typically a specific list of groups may have access.
Have I understood the request?
It would be nice to have support for CAA records, including a sensible form of access control: