DNS Certification Authority Authorization (CAA) Resource Record
RFC 6844

Approval announcement
Draft of message to be sent after approval:


From: The IESG <>
To: IETF-Announce <>
Cc: RFC Editor <>,
    pkix mailing list <>,
    pkix chair <>
Subject: Protocol Action: 'DNS Certification Authority Authorization (CAA) Resource Record' to Proposed Standard (draft-ietf-pkix-caa-15.txt)

The IESG has approved the following document:
- 'DNS Certification Authority Authorization (CAA) Resource Record'
  (draft-ietf-pkix-caa-15.txt) as Proposed Standard

This document is the product of the Public-Key Infrastructure (X.509)
Working Group.

The IESG contact persons are Sean Turner and Stephen Farrell.

A URL of this Internet Draft is:

Ballot Text

Technical Summary

The Certification Authority Authorization (CAA) DNS Resource Record
allows a DNS domain name holder to specify one or more Certification
Authorities authorized to issue certificates for that domain. CAA
resource records allow a public Certification Authority to implement
additional controls to reduce the risk of unintended certificate mis-issue.

Working Group Summary

This document might have been pursued in other WGs, specifically
DNSEXT, since it specifies a new DNS record type. It also might have
been pursued in DANE, but the focus of DANE is sufficiently different
that it is probably not a good fit there. Because the document specifies
a DNS record type, for use with PKI technology, PKIX was a reasonable
choice for the authors. There was some controversy initially, but that
went away over time.

Document Quality

I am not aware of any existing implementations of the protocol, but
both authors work for a company that is represented by a trust anchor in
browsers and operating systems, and thus it is likely that their
organization will support this proposal via an implementation.


Steve Kent is the Document Shepherd.
Sean Turner is the Responsible Area Director.

RFC Editor Note