pub struct CAA { /* private fields */ }
Expand description
The CAA RR Type
RFC 6844, DNS Certification Authority Authorization, January 2013
3. The CAA RR Type
A CAA RR consists of a flags byte and a tag-value pair referred to as
a property. Multiple properties MAY be associated with the same
domain name by publishing multiple CAA RRs at that domain name. The
following flag is defined:
Issuer Critical: If set to '1', indicates that the corresponding
property tag MUST be understood if the semantics of the CAA record
are to be correctly interpreted by an issuer.
Issuers MUST NOT issue certificates for a domain if the relevant
CAA Resource Record set contains unknown property tags that have
the Critical bit set.
The following property tags are defined:
issue <Issuer Domain Name> [; <name>=<value> ]* : The issue property
entry authorizes the holder of the domain name <Issuer Domain
Name> or a party acting under the explicit authority of the holder
of that domain name to issue certificates for the domain in which
the property is published.
issuewild <Issuer Domain Name> [; <name>=<value> ]* : The issuewild
property entry authorizes the holder of the domain name <Issuer
Domain Name> or a party acting under the explicit authority of the
holder of that domain name to issue wildcard certificates for the
domain in which the property is published.
iodef <URL> : Specifies a URL to which an issuer MAY report
certificate issue requests that are inconsistent with the issuer's
Certification Practices or Certificate Policy, or that a
Certificate Evaluator may use to report observation of a possible
policy violation. The Incident Object Description Exchange Format
(IODEF) format is used [RFC5070].
The following example is a DNS zone file (see [RFC1035]) that informs
CAs that certificates are not to be issued except by the holder of
the domain name 'ca.example.net' or an authorized agent thereof.
This policy applies to all subordinate domains under example.com.
$ORIGIN example.com
. CAA 0 issue "ca.example.net"
If the domain name holder specifies one or more iodef properties, a
certificate issuer MAY report invalid certificate requests to that
address. In the following example, the domain name holder specifies
that reports may be made by means of email with the IODEF data as an
attachment, a Web service [RFC6546], or both:
$ORIGIN example.com
. CAA 0 issue "ca.example.net"
. CAA 0 iodef "mailto:security@example.com"
. CAA 0 iodef "http://iodef.example.com/"
A certificate issuer MAY specify additional parameters that allow
customers to specify additional parameters governing certificate
issuance. This might be the Certificate Policy under which the
certificate is to be issued, the authentication process to be used
might be specified, or an account number specified by the CA to
enable these parameters to be retrieved.
For example, the CA 'ca.example.net' has requested its customer
'example.com' to specify the CA's account number '230123' in each of
the customer's CAA records.
$ORIGIN example.com
. CAA 0 issue "ca.example.net; account=230123"
The syntax of additional parameters is a sequence of name-value pairs
as defined in Section 5.2. The semantics of such parameters is left
to site policy and is outside the scope of this document.
The critical flag is intended to permit future versions CAA to
introduce new semantics that MUST be understood for correct
processing of the record, preventing conforming CAs that do not
recognize the new semantics from issuing certificates for the
indicated domains.
In the following example, the property 'tbs' is flagged as critical.
Neither the example.net CA nor any other issuer is authorized to
issue under either policy unless the processing rules for the 'tbs'
property tag are understood.
$ORIGIN example.com
. CAA 0 issue "ca.example.net; policy=ev"
. CAA 128 tbs "Unknown"
Note that the above restrictions only apply at certificate issue.
Since the validity of an end entity certificate is typically a year
or more, it is quite possible that the CAA records published at a
domain will change between the time a certificate was issued and
validation by a relying party.
Implementations§
source§impl CAA
impl CAA
sourcepub fn new_issue(
issuer_critical: bool,
name: Option<Name>,
options: Vec<KeyValue>
) -> Self
pub fn new_issue(
issuer_critical: bool,
name: Option<Name>,
options: Vec<KeyValue>
) -> Self
Creates a new CAA issue record data, the tag is issue
Arguments
issuer_critical
- indicates that the corresponding property tag MUST be understood if the semantics of the CAA record are to be correctly interpreted by an issuername
- authorized to issue certificates for the associated record labeloptions
- additional options for the issuer, e.g. ‘account’, etc.
sourcepub fn new_issuewild(
issuer_critical: bool,
name: Option<Name>,
options: Vec<KeyValue>
) -> Self
pub fn new_issuewild(
issuer_critical: bool,
name: Option<Name>,
options: Vec<KeyValue>
) -> Self
Creates a new CAA issue record data, the tag is issuewild
Arguments
issuer_critical
- indicates that the corresponding property tag MUST be understood if the semantics of the CAA record are to be correctly interpreted by an issuername
- authorized to issue certificates for the associated record labeloptions
- additional options for the issuer, e.g. ‘account’, etc.
sourcepub fn new_iodef(issuer_critical: bool, url: Url) -> Self
pub fn new_iodef(issuer_critical: bool, url: Url) -> Self
Creates a new CAA issue record data, the tag is iodef
Arguments
issuer_critical
- indicates that the corresponding property tag MUST be understood if the semantics of the CAA record are to be correctly interpreted by an issuerurl
- Url where issuer errors should be reported
Panics
If value
is not Value::Issuer
sourcepub fn issuer_critical(&self) -> bool
pub fn issuer_critical(&self) -> bool
Indicates that the corresponding property tag MUST be understood if the semantics of the CAA record are to be correctly interpreted by an issuer