As per the RFC: CAA records assert a security policy that the holder of a domain name wishes to be observed by certificate issuers. The effectiveness of CAA records as an access control mechanism is thus dependent on observance of CAA constraints by issuers.
This should not be confused with refusing to trust a certificate delivered by a specific CA. That is RFC 6698 (DANE), which, as far as I know, browsers do not enforce so far.
In theory, all Cert Authorities should do a DNS CAA lookup before generating a certificate.
A few play along, but quite a few CAs don’t.
Wiki definition: https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
RFC 6844: https://tools.ietf.org/html/rfc6844
A nice little web site to generate your CAA records: https://sslmate.com/caa/
Example:
dig +short CAA yahoo.com
0 issue "globalsign.com"
0 issue "digicert.com"
0 iodef "mailto:security@oath.com"
You can also use a setting for wildcard certificates:
0 issuewild "\;" (forbids every CA from issuing wildcard certificates for the domain).
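To see how an issuer is supposed to apply these records, here is an added example (not from the original post) that implements the RFC 6844 relevant-record climb and the issue/issuewild check over a constructed in-memory zone instead of a live DNS query; the ZONE table, the example.net entry and the function names are assumptions of this example.

```python
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value) as in a CAA RR

# Constructed sample data: the yahoo.com records shown in the dig output above,
# plus a hypothetical example.net zone whose issuewild value is a single ";",
# which forbids wildcard issuance by any CA.
ZONE: Dict[str, List[CAARecord]] = {
    "yahoo.com": [(0, "issue", "globalsign.com"),
                  (0, "issue", "digicert.com"),
                  (0, "iodef", "mailto:security@oath.com")],
    "example.net": [(0, "issue", "letsencrypt.org"),
                    (0, "issuewild", ";")],
}


def relevant_caa(name: str) -> Tuple[Optional[str], List[CAARecord]]:
    """Climb from the FQDN toward the root and return the first CAA RRset found
    (the 'relevant RRset' of RFC 6844 section 4). Returns (zone name, records)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONE:
            return candidate, ZONE[candidate]
    return None, []  # no CAA policy anywhere above this name


def issuance_permitted(name: str, ca: str, wildcard: bool = False) -> bool:
    """Decide whether the CA identified by `ca` may issue a (wildcard) certificate
    for `name` under the relevant CAA policy."""
    _, rrset = relevant_caa(name)
    if not rrset:
        return True  # no CAA records at all: no restriction
    # A record with the critical flag (bit 0x80) and an unknown tag must block issuance.
    if any(flags & 0x80 and tag not in ("issue", "issuewild", "iodef") for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild overrides issue for wildcard requests when present; otherwise issue applies.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # no applicable property: issuance is not restricted
    # The CA identifier is the value up to the first ';' (parameters follow it).
    allowed = {v.split(";")[0].strip().lower() for v in applicable}
    return ca.lower() in allowed  # an empty identifier (";") matches no CA


def iodef_contact(name: str) -> Optional[str]:
    """Return the iodef reporting address an issuer should use for a refused request, if any."""
    _, rrset = relevant_caa(name)
    return next((v for _, t, v in rrset if t == "iodef"), None)
```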