Support for CAA records #494

Open
oyvindhagberg opened this issue Apr 19, 2023 · 1 comment

oyvindhagberg (Contributor)

It would be nice to have support for CAA records, including a sensible form of access control:

As for the uio.no zone, there are primarily two things that live in the _extra
file:
2) About 140 CAA entries. These are things there will probably be more of
over time, and where it may be desirable to delegate access to
e.g. www-drift? So getting support for CAA records in mreg would, I think,
actually be a nice thing, if DIA has the capacity for it. I could ask
Frank how great the need is, if you want?

Anders

terjekv (Collaborator) commented May 30, 2023

Okay, so if I understand https://datatracker.ietf.org/doc/html/rfc6844#section-3 our CAA records need to support three fields:

  • flag: An integer 0-255.
  • tag: Of the form (from the RFC):
    • issue <Issuer Domain Name> [; <name>=<value> ]* : The issue property entry authorizes the holder of the domain name or a party acting under the explicit authority of the holder of that domain name to issue certificates for the domain in which the property is published.
    • issuewild <Issuer Domain Name> [; <name>=<value> ]* : The issuewild property entry authorizes the holder of the domain name or a party acting under the explicit authority of the holder of that domain name to issue wildcard certificates for the domain in which the property is published.
    • iodef <URL>: Specifies a URL to which an issuer MAY report certificate issue requests that are inconsistent with the issuer's Certification Practices or Certificate Policy, or that a Certificate Evaluator may use to report observation of a possible policy violation. The Incident Object Description Exchange Format (IODEF) format is used [RFC5070].
  • value: A string field, cannot have spaces.

And in the zone file we are to output the CAA records as such:

$ORIGIN example.com
   .       CAA 0 issue "ca.example.net"
   .       CAA 0 iodef "mailto:security@example.com"
   .       CAA 0 iodef "http://iodef.example.com/"

It is worth noting that CAAs can be set for both domains and specific hosts.

Oh, and there would have to be a specific access control for the record type itself, rather than following the host. Typically a specific list of groups may have access.

Have I understood the request?
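The three fields and the zone-file output described in the comment above, as an added example that is not mreg's own code: a small CAA record model that validates the flag (0-255, with the issuer-critical bit 128 from RFC 6844 section 3), the tag (alphanumeric; issue, issuewild and iodef get value checks following RFC 6844 sections 5.2 and 5.3), and the value, renders the presentation format quoted above, and parses it back. The names CAARecord, parse_caa_line, is_valid_caa and CAA_EDITOR_GROUPS, the group names, and the policy of rejecting an unknown tag with the critical bit set are assumptions made for this example.

```python
"""Added example, not mreg's implementation: CAA record validation and
zone-file rendering per RFC 6844. All names here are assumed for the example."""
from dataclasses import dataclass
from urllib.parse import urlparse
import re

ISSUER_CRITICAL = 128  # bit 0 of the flag octet (RFC 6844 section 3)
TAG_RE = re.compile(r"^[A-Za-z0-9]+$")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")
PARAM_RE = re.compile(r"^[A-Za-z0-9]+=[\x21-\x7E]*$")  # name=value, VCHAR only
LINE_RE = re.compile(
    r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"\s*$')


def validate_issue_value(value: str) -> None:
    """issue/issuewild value: [issuer domain] [; name=value ...] (RFC 6844 5.2).
    An empty issuer domain, e.g. the value ";", explicitly forbids every CA."""
    domain, sep, params = value.partition(";")
    domain = domain.strip()
    if domain and not DOMAIN_RE.match(domain):
        raise ValueError(f"bad issuer domain {domain!r}")
    if sep:
        for param in params.split(";"):
            param = param.strip()
            if param and not PARAM_RE.match(param):
                raise ValueError(f"bad parameter {param!r}")


def validate_iodef_value(value: str) -> None:
    """iodef value: a mailto:, http: or https: URL (RFC 6844 section 5.3)."""
    parsed = urlparse(value)
    if parsed.scheme == "mailto" and "@" in parsed.path:
        return
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return
    raise ValueError(f"iodef value must be a mailto/http/https URL: {value!r}")


@dataclass(frozen=True)
class CAARecord:
    owner: str   # name the record is published at: a zone apex or a specific host
    flag: int
    tag: str
    value: str

    def __post_init__(self) -> None:
        if not 0 <= self.flag <= 255:
            raise ValueError(f"flag must be 0-255, got {self.flag}")
        if not TAG_RE.match(self.tag):
            raise ValueError(f"tag must be alphanumeric, got {self.tag!r}")
        tag = self.tag.lower()
        if tag in ("issue", "issuewild"):
            validate_issue_value(self.value)
        elif tag == "iodef":
            validate_iodef_value(self.value)
        elif self.critical:
            # Assumed policy: an unknown tag with the critical bit set would make
            # a conforming CA refuse to issue at all, so reject it at entry time.
            raise ValueError(f"unknown tag {self.tag!r} with critical flag set")

    @property
    def critical(self) -> bool:
        return bool(self.flag & ISSUER_CRITICAL)

    def to_zone(self) -> str:
        """Presentation format as in the RFC example quoted in the comment."""
        return f'{self.owner}\tCAA {self.flag} {self.tag} "{self.value}"'


def parse_caa_line(line: str) -> CAARecord:
    """Parse one zone-file line such as: example.com. CAA 0 issue "ca.example.net" """
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record line: {line!r}")
    owner, flag, tag, value = m.groups()
    return CAARecord(owner, int(flag), tag, value)


def is_valid_caa(owner: str, flag: int, tag: str, value: str) -> bool:
    """True if the four fields form a record this model accepts."""
    try:
        CAARecord(owner, flag, tag, value)
        return True
    except ValueError:
        return False


# Access control on the record type itself, not on the host (the last point in
# the comment): a fixed list of groups may edit CAA. Group names are made up.
CAA_EDITOR_GROUPS = frozenset({"dns-admins", "www-drift"})


def can_edit_caa(user_groups) -> bool:
    return not CAA_EDITOR_GROUPS.isdisjoint(user_groups)


if __name__ == "__main__":
    # Constructed sample records: zone apex and a specific host.
    for rec in (CAARecord("example.com.", 0, "issue", "ca.example.net; account=123"),
                CAARecord("www.example.com.", 0, "issuewild", ";"),
                CAARecord("example.com.", 0, "iodef", "mailto:security@example.com")):
        print(rec.to_zone())
```

The owner name is kept on the record because, as the comment notes, CAA can be published both at the zone apex and on specific hosts; the group check is deliberately independent of the host so that delegating CAA editing does not require delegating the host.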
