
How domain names resolve CAA records

2025-04-11 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how CAA records work and how to add them to a domain's DNS. The content is short and easy to follow; read it along with the editor's notes to learn how to publish and verify a CAA record for your domain.

Background

By public counts, several hundred certification authorities (CAs) worldwide are able to issue HTTPS certificates that vouch for a website's identity. From time to time a CA is distrusted by the browser vendors, which announce publicly that its HTTPS certificates will no longer be accepted. When you then visit a site that deploys such a certificate, browsers such as Chrome and Firefox report that the certificate is not trusted, strike through the HTTPS indicator in the address bar, and block the page behind a warning, as shown in the following figure.

CAA (Certification Authority Authorization) is a DNS-based control intended to prevent the mis-issuance of HTTPS certificates. It was published by the Internet Engineering Task Force (IETF) in January 2013 as RFC 6844 (since replaced by RFC 8659, which clarifies the lookup rules). In March 2017 the CA/Browser Forum approved Ballot 187, which requires all publicly trusted CAs to perform a mandatory CAA check before issuance from September 8, 2017.

The CAA standard lets a domain owner state which CAs are permitted to issue certificates for that domain name, so that a compliant CA refuses a request from anyone else. Note that the check is performed by the CA at issuance time: CAA does not stop a CA that ignores the policy, and an attacker who controls your DNS can rewrite the records, so it complements rather than replaces DNSSEC and certificate transparency monitoring. Alibaba Cloud DNS, one of the largest authoritative DNS providers in China, already supports the CAA record type.

CAA record format

A CAA record has the format [flag] [tag] [value]: a one-byte flags field followed by a tag-value pair called a property. A domain may have several CAA records, one per property.

flag: an unsigned integer from 0 to 255. It does not identify a CA; its only defined bit is the "issuer critical" flag (value 128). Normally 0 is used, meaning a CA that does not understand the tag may ignore the record; with 128, a CA that does not understand the tag must refuse to issue. The supported tags are issue, issuewild and iodef.

issue: authorizes a single CA (identified by the domain name it publishes for CAA purposes) to issue certificates of any type for the domain name. A value of ";" on its own authorizes nobody.

issuewild: authorizes a single CA to issue wildcard certificates for the name. If no issuewild record exists, the issue records also govern wildcard requests.

iodef: a URL (mailto: or http/https) to which a CA may report certificate requests that violate the CAA policy.

value: the CA's domain name for issue and issuewild, or the reporting URL for iodef.

Add CAA record

Suppose you want to allow only comodoca.com to issue certificates for the domain name gworg.com and to have violation reports sent to admin@gworg.com. You can configure the CAA records as follows.

Log in to the Alibaba Cloud DNS console or the console of your domain provider (not every provider supports CAA records).

Click the resolution settings in the action column of the target domain.

Add the following two records.

Host record    Record type    Record value
@              CAA            0 issue "comodoca.com"
@              CAA            0 iodef "mailto:admin@gworg.com"

Detect CAA record

You can query the published CAA records with the command dig <domain name> <record type>. A test query and the beginning of its output are shown below (the answer section was cut off in the original).

sh-3.2# dig midengd.xyz caa

; <<>> DiG 9.10.5rc1 <<>> midengd.xyz caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER
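To make the record format and the CA-side check concrete, here is an added example (not code from the original article or from any DNS provider): a small CAA evaluator that parses records in the presentation format described above and applies the RFC 8659 decision rules, including the tree walk from the full name toward the root, the issuewild fallback to issue, the ";" deny-all value and the issuer-critical flag. The zone data is constructed for the demo: gworg.com and comodoca.com come from the article, the other names are invented.

```python
"""Added example: evaluate CAA records the way a CA must under RFC 8659.
The ZONE dictionary is constructed test data, not real DNS."""
import re
from typing import Dict, List, NamedTuple

class CAA(NamedTuple):
    flags: int   # 0..255; bit 7 (128) is the "issuer critical" flag
    tag: str     # issue | issuewild | iodef (tags are case-insensitive)
    value: str   # CA domain, or a report URL for iodef

# Presentation format: <flags> <tag> "<value>"
CAA_RE = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"$')

def parse_caa(text: str) -> CAA:
    """Parse one CAA record in presentation format."""
    m = CAA_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad CAA record: {text!r}")
    flags = int(m.group(1))
    if not 0 <= flags <= 255:
        raise ValueError("flags must be 0..255")
    return CAA(flags, m.group(2).lower(), m.group(3))

# Constructed zone: owner name -> CAA records (presentation format).
ZONE: Dict[str, List[str]] = {
    "gworg.com":        ['0 issue "comodoca.com"', '0 iodef "mailto:admin@gworg.com"'],
    "wild.example":     ['0 issue "a-ca.example"', '0 issuewild "b-ca.example"'],
    "strict.example":   ['128 futuretag "x"', '0 issue "a-ca.example"'],
    "nocerts.example":  ['0 issue ";"'],
}

def relevant_rrset(zone: Dict[str, List[str]], fqdn: str) -> List[CAA]:
    """RFC 8659 s3: walk from the FQDN toward the root; the first owner
    that has CAA records supplies the relevant set. (A real CA also
    follows CNAME/DNAME chains; omitted in this demo.)"""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return [parse_caa(r) for r in zone[owner]]
    return []

def ca_may_issue(zone: Dict[str, List[str]], fqdn: str, ca: str,
                 wildcard: bool = False) -> bool:
    """Return True if `ca` may issue for fqdn (or *.fqdn when wildcard)."""
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True  # no CAA anywhere in the tree: issuance is unrestricted
    # An issuer-critical record whose tag the CA does not understand
    # forbids issuance outright.
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag not in known for r in rrset):
        return False
    # Wildcard requests are governed by issuewild when present,
    # otherwise they fall back to the issue records.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    props = [r for r in rrset if r.tag == tag]
    if not props:
        return True  # CAA exists, but nothing restricts this request type
    for r in props:
        # Parameters after ";" (e.g. account binding) are ignored here;
        # a value of ";" alone yields an empty domain and matches nobody.
        domain = r.value.split(";", 1)[0].strip().lower()
        if domain and domain == ca.lower():
            return True
    return False

def iodef_targets(zone: Dict[str, List[str]], fqdn: str) -> List[str]:
    """Where a CA should report a request that violates the policy."""
    return [r.value for r in relevant_rrset(zone, fqdn) if r.tag == "iodef"]

if __name__ == "__main__":
    for name, ca, wild in [("www.gworg.com", "comodoca.com", False),
                           ("www.gworg.com", "a-ca.example", False),
                           ("wild.example", "b-ca.example", True),
                           ("strict.example", "a-ca.example", False)]:
        print(f"{ca:14} -> {'*.' if wild else ''}{name}: {ca_may_issue(ZONE, name, ca, wild)}")
```

Running the block stand-alone prints the decision for each constructed request; the same functions can be pointed at the output of dig by parsing each answer line into the presentation format shown above.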
