DNS Certification Authority Authorization (CAA) Resource Record
RFC 8659

Document Type: RFC - Proposed Standard (November 2019; No errata)
Obsoletes: RFC 6844
Last updated: 2019-11-19
Replaces: draft-hoffman-andrews-caa-simplification
Stream: IETF
Stream WG state: Submitted to IESG for Publication
Document shepherd: Russ Housley
Shepherd write-up: last changed 2018-11-04
IESG state: RFC 8659 (Proposed Standard)
Consensus Boilerplate: Yes
Responsible AD: Roman Danyliw
Send notices to: Russ Housley <housley@vigilsec.com>
IANA review state: IANA OK - Actions Needed
IANA action state: RFC-Ed-Ack


Internet Engineering Task Force (IETF)                   P. Hallam-Baker
Request for Comments: 8659                          Venture Cryptography
Obsoletes: 6844                                             R. Stradling
Category: Standards Track                                        Sectigo
ISSN: 2070-1721                                       J. Hoffman-Andrews
                                                           Let's Encrypt
                                                           November 2019

    DNS Certification Authority Authorization (CAA) Resource Record

Abstract

   The Certification Authority Authorization (CAA) DNS Resource Record
   allows a DNS domain name holder to specify one or more Certification
   Authorities (CAs) authorized to issue certificates for that domain
   name.  CAA Resource Records allow a public CA to implement additional
   controls to reduce the risk of unintended certificate mis-issue.
   This document defines the syntax of the CAA record and rules for
   processing CAA records by CAs.

   This document obsoletes RFC 6844.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8659.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Definitions
     2.1.  Requirements Language
     2.2.  Defined Terms
   3.  Relevant Resource Record Set
   4.  Mechanism
     4.1.  Syntax
       4.1.1.  Canonical Presentation Format
     4.2.  CAA issue Property
     4.3.  CAA issuewild Property
     4.4.  CAA iodef Property
     4.5.  Critical Flag
   5.  Security Considerations
     5.1.  Use of DNS Security
     5.2.  Non-compliance by Certification Authority
     5.3.  Mis-Issue by Authorized Certification Authority
     5.4.  Suppression or Spoofing of CAA Records
     5.5.  Denial of Service
     5.6.  Abuse of the Critical Flag
   6.  Deployment Considerations
     6.1.  Blocked Queries or Responses
     6.2.  Rejected Queries and Malformed Responses
     6.3.  Delegation to Private Nameservers
     6.4.  Bogus DNSSEC Responses
   7.  Differences from RFC 6844
   8.  IANA Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Acknowledgements
   Authors' Addresses

1.  Introduction

   The Certification Authority Authorization (CAA) DNS Resource Record
   allows a DNS domain name holder to specify the Certification
   Authorities (CAs) authorized to issue certificates for that domain
   name.  Publication of CAA Resource Records allows a public CA to
   implement additional controls to reduce the risk of unintended
   certificate mis-issue.

   Like the TLSA record defined in DNS-Based Authentication of Named
   Entities (DANE) [RFC6698], CAA records are used as a part of a
   mechanism for checking PKIX [RFC6698] certificate data.  The
   distinction between CAA and TLSA is that CAA records specify an
   authorization control to be performed by a CA before issuing a
   certificate and TLSA records specify a verification control to be
   performed by a Relying Party after the certificate is issued.

   Conformance with a published CAA record is a necessary, but not
   sufficient, condition for the issuance of a certificate.
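   Added example (not part of the RFC text): the authorization control a CA
   performs before issuing, shown as code.  It parses CAA RDATA using the
   wire format RFC 8659 defines later in Section 4 (one octet of flags, one
   octet of tag length, the tag, then the value) and applies the issue,
   issuewild and Issuer Critical semantics to a constructed RRset.  Function
   names and the sample records are ours, not from any real zone.

```python
from dataclasses import dataclass

KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # Bit 0 (most significant bit, value 0x80) is the Issuer Critical flag.
        return bool(self.flags & 0x80)


def parse_caa_rdata(rdata: bytes) -> CAARecord:
    """Parse CAA RDATA: flags (1 octet), tag length (1 octet), tag, value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("invalid CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()  # tags are case-insensitive
    value = rdata[2 + tag_len:].decode("utf-8")
    return CAARecord(flags, tag, value)


def issuer_domain(value: str) -> str:
    """Issuer domain name of an issue/issuewild value (text before any ';')."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(records, ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether ca_domain may issue for the name owning this RRset."""
    # A CA that does not understand a critical property MUST NOT issue.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in records):
        return False
    # issuewild governs wildcard requests only when present; otherwise issue does.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True  # no property of this kind: no restriction on issuers
    # An empty issuer domain (value ";") authorizes no CA at all.
    return any(issuer_domain(r.value) == ca_domain.lower() for r in relevant)


# Constructed sample RRset (wire RDATA); equivalent presentation form:
#   example.com. CAA 0 issue "ca.example.net"
#   example.com. CAA 0 issuewild ";"
SAMPLE_RRSET = [parse_caa_rdata(b"\x00\x05issueca.example.net"),
                parse_caa_rdata(b"\x00\x09issuewild;")]
```

   With SAMPLE_RRSET, ca.example.net may issue an ordinary certificate but
   not a wildcard one, and no other CA may issue at all.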

   Criteria for the inclusion of embedded trust anchor certificates in
   applications are outside the scope of this document.  Typically, such
   criteria require the CA to publish a Certification Practices
   Statement (CPS) that specifies how the requirements of the
   Certificate Policy (CP) are achieved.  It is also common for a CA to
   engage an independent third-party auditor to prepare an annual audit
   statement of its performance against its CPS.

   A set of CAA records describes only current grants of authority to
   issue certificates for the corresponding DNS domain name.  Since
   certificates are valid for a period of time, it is possible that a