Alternative DNS Certification Authority Authorization (CAA) Resource Record
draft-wicinski-lamps-caa-00
| Document | Type | Expired Internet-Draft (individual) | |
|---|---|---|---|
| Author | Tim Wicinski | ||
| Last updated | 2019-09-25 (Latest revision 2019-03-24) | ||
| Stream | (None) | ||
| Formats |
Expired & archived
plain text
xml
htmlized
pdfized
bibtex
|
||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | Expired | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
https://www.ietf.org/archive/id/draft-wicinski-lamps-caa-00.txt
Abstract
[RFC6844] defines the Certification Authority Authorization (CAA) DNS Resource Record type to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain name. With large domains covering multiple web properties, defining all possible certificate authorities for the domain has security implications. It would be beneficial to define a CAA for individual host names. This will allow CAA records that can be managed with fine grain control. This document provides an alternative CAA record using a _caa prefix label that will take precedent on a per Fully Qualified Domain Name (FQDN), if it exists. It will override any CAA record at the zone apex. This will not change current CAA record behavior, but will be an additional option.
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)