We currently support CAA record types as defined in RFC 6844.
CAA stands for Certification Authority Authorization and is used to specify which Certificate Authorities may issue certificates for a domain.
Example CAA-records
example.com. IN CAA 0 issue "ca.example.net"
To disallow any certificate issuance, one may allow issuance only to an empty issuer list:
example.com. IN CAA 0 issue ";"
To indicate that certificate authorities should report invalid certificate requests to an email address and a Real-time Inter-network Defense endpoint:
example.com. IN CAA 0 iodef "mailto:security@example.com"
example.com. IN CAA 0 iodef "http://iodef.example.com/"
To use a future extension of the protocol, for example one that defines a new property which must be understood by the certificate authority before it can safely proceed, set the issuer critical flag (128) on that record:
example.com. IN CAA 0 issue "ca.example.net"
example.com. IN CAA 128 future "value"
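The following is an added example, not part of this article or of the provider's own software, showing how a CA would evaluate the record sets above under RFC 6844: it parses records in the zone-file format shown, refuses to issue when a record carries the critical flag with a property it does not understand, treats an `issue ";"` record as "no issuer allowed", and collects the `iodef` reporting endpoints. It assumes the CA is identified by the domain named in the `issue` value and that the record set for a single name is already in hand (the RFC's walk up to parent names to find the nearest CAA set is not shown).

```python
"""Evaluate a CAA record set (RFC 6844) from the CA's point of view. Added example."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Presentation format used on this page: owner, class, type, flags, tag, quoted value.
CAA_LINE = re.compile(r'^(\S+)\s+IN\s+CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')
CRITICAL_FLAG = 128
# Property tags defined by RFC 6844; anything else is unknown to this evaluator.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    owner: str
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL_FLAG)


def parse_caa(zone_text: str) -> list[CAARecord]:
    """Parse one CAA record per line; blank lines are ignored."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        owner, flags, tag, value = m.groups()
        records.append(CAARecord(owner, int(flags), tag.lower(), value))
    return records


def may_issue(records: list[CAARecord], ca_domain: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a CA identified by ca_domain."""
    # A critical record the CA does not understand forbids issuance outright.
    for r in records:
        if r.critical and r.tag not in KNOWN_TAGS:
            return False, f"critical property '{r.tag}' not understood"
    issue = [r for r in records if r.tag == "issue"]
    if not issue:
        return True, "no issue property present; CAA does not restrict issuance"
    for r in issue:
        # Value is "<issuer-domain>[; parameters]"; a bare ";" names no issuer.
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True, f'authorized by issue "{r.value}"'
    return False, "no issue property names this CA"


def iodef_endpoints(records: list[CAARecord]) -> list[str]:
    """Where the domain asks CAs to report invalid certificate requests."""
    return [r.value for r in records if r.tag == "iodef"]


# Constructed sample sets mirroring the records shown in the article.
ZONE_ISSUE = 'example.com. IN CAA 0 issue "ca.example.net"'
ZONE_DENY_ALL = 'example.com. IN CAA 0 issue ";"'
ZONE_IODEF = """
example.com. IN CAA 0 iodef "mailto:security@example.com"
example.com. IN CAA 0 iodef "http://iodef.example.com/"
"""
ZONE_CRITICAL = """
example.com. IN CAA 0 issue "ca.example.net"
example.com. IN CAA 128 future "value"
"""

if __name__ == "__main__":
    for name, zone in [("issue", ZONE_ISSUE), ("deny", ZONE_DENY_ALL),
                       ("iodef", ZONE_IODEF), ("critical", ZONE_CRITICAL)]:
        recs = parse_caa(zone)
        print(name, may_issue(recs, "ca.example.net"), iodef_endpoints(recs))
```

A CA that understands the `future` property would add it to `KNOWN_TAGS` and act on its value; until then the critical flag is what stops an unaware CA from issuing, which is exactly the behaviour the last example relies on.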