From 620b1c9d90d0a59a0d892fef089ce4f5f6f61742 Mon Sep 17 00:00:00 2001

From: Tomas Hozza <thozza@redhat.com>

Date: Fri, 1 Apr 2016 15:20:27 +0200

Subject: [PATCH] Added support for CAA records

Signed-off-by: Tomas Hozza <thozza@redhat.com>

---

 bin/tests/rdata_test.c           |   17 +-

 doc/rfc/rfc6844.txt              | 1011 ++++++++++++++++++++++++++++++++++++++

 lib/dns/rdata.c                  |   95 ++--

 lib/dns/rdata/generic/caa_257.c  |  370 ++++++++++++++

 lib/dns/rdata/generic/caa_257.h  |   32 ++

 lib/dns/rdata/generic/gpos_27.c  |    2 +-

 lib/dns/rdata/generic/hinfo_13.c |    4 +-

 lib/dns/rdata/generic/isdn_20.c  |    4 +-

 lib/dns/rdata/generic/naptr_35.c |    6 +-

 lib/dns/rdata/generic/spf_99.c   |    2 +-

 lib/dns/rdata/generic/txt_16.c   |    2 +-

 lib/dns/rdata/generic/uri_256.c  |   23 +-

 lib/dns/rdata/generic/x25_19.c   |    2 +-

 13 files changed, 1478 insertions(+), 92 deletions(-)

 create mode 100644 doc/rfc/rfc6844.txt

 create mode 100644 lib/dns/rdata/generic/caa_257.c

 create mode 100644 lib/dns/rdata/generic/caa_257.h

diff --git a/bin/tests/rdata_test.c b/bin/tests/rdata_test.c

index 51cc406..0f25364 100644

--- a/bin/tests/rdata_test.c

+++ b/bin/tests/rdata_test.c

@@ -15,8 +15,6 @@

  * PERFORMANCE OF THIS SOFTWARE.

  */

-/* $Id: rdata_test.c,v 1.52 2011/08/28 09:10:41 marka Exp $ */

-

 #include <config.h>

 #include <stdlib.h>

@@ -284,6 +282,11 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,

 		result = dns_rdata_tostruct(rdata, sp = &uri, NULL);

 		break;

 	}

+	case dns_rdatatype_caa: {

+		static dns_rdata_caa_t caa;

+		result = dns_rdata_tostruct(rdata, sp = &caa, NULL);

+		break;

+	}

 	case dns_rdatatype_wks: {

 		static dns_rdata_in_wks_t in_wks;

 		result = dns_rdata_tostruct(rdata, sp = &in_wks, NULL);

@@ -551,6 +554,11 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,

 		result = dns_rdata_tostruct(rdata, sp = &uri, mctx);

 		break;

 	}

+	case dns_rdatatype_caa: {

+		static dns_rdata_caa_t caa;

+		result = dns_rdata_tostruct(rdata, sp = &caa, mctx);

+		break;

+	}

 	case dns_rdatatype_wks: {

 		static dns_rdata_in_wks_t in_wks;

 		result = dns_rdata_tostruct(rdata, sp = &in_wks, mctx);

@@ -848,6 +856,11 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,

 		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &uri, b);

 		break;

 	}

+	case dns_rdatatype_caa: {

+		dns_rdata_caa_t caa;

+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &caa, b);

+		break;

+	}

 	case dns_rdatatype_wks: {

 		dns_rdata_in_wks_t in_wks;

 		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &in_wks, b);

diff --git a/doc/rfc/rfc6844.txt b/doc/rfc/rfc6844.txt

new file mode 100644

index 0000000..d923649

--- /dev/null

+++ b/doc/rfc/rfc6844.txt

@@ -0,0 +1,1011 @@

+

+

+

+

+

+

+Internet Engineering Task Force (IETF)                   P. Hallam-Baker

+Request for Comments: 6844                            Comodo Group, Inc.

+Category: Standards Track                                   R. Stradling

+ISSN: 2070-1721                                          Comodo CA, Ltd.

+                                                            January 2013

+

+

+    DNS Certification Authority Authorization (CAA) Resource Record

+

+Abstract

+

+   The Certification Authority Authorization (CAA) DNS Resource Record

+   allows a DNS domain name holder to specify one or more Certification

+   Authorities (CAs) authorized to issue certificates for that domain.

+   CAA Resource Records allow a public Certification Authority to

+   implement additional controls to reduce the risk of unintended

+   certificate mis-issue.  This document defines the syntax of the CAA

+   record and rules for processing CAA records by certificate issuers.

+

+Status of This Memo

+

+   This is an Internet Standards Track document.

+

+   This document is a product of the Internet Engineering Task Force

+   (IETF).  It represents the consensus of the IETF community.  It has

+   received public review and has been approved for publication by the

+   Internet Engineering Steering Group (IESG).  Further information on

+   Internet Standards is available in Section 2 of RFC 5741.

+

+   Information about the current status of this document, any errata,

+   and how to provide feedback on it may be obtained at

+   http://www.rfc-editor.org/info/rfc6844.

+

+Copyright Notice

+

+   Copyright (c) 2013 IETF Trust and the persons identified as the

+   document authors.  All rights reserved.

+

+   This document is subject to BCP 78 and the IETF Trust's Legal

+   Provisions Relating to IETF Documents

+   (http://trustee.ietf.org/license-info) in effect on the date of

+   publication of this document.  Please review these documents

+   carefully, as they describe your rights and restrictions with respect

+   to this document.  Code Components extracted from this document must

+   include Simplified BSD License text as described in Section 4.e of

+   the Trust Legal Provisions and are provided without warranty as

+   described in the Simplified BSD License.

+

+

+

+

+Hallam-Baker & Stradling     Standards Track                    [Page 1]

+

+RFC 6844          Certification Authority Authorization     January 2013

+

+

+Table of Contents

+

+   1. Introduction ....................................................2

+   2. Definitions .....................................................3

+      2.1. Requirements Language ......................................3

+      2.2. Defined Terms ..............................................3

+   3. The CAA RR Type .................................................5

+   4. Certification Authority Processing ..............................7

+      4.1. Use of DNS Security ........................................8

+   5. Mechanism .......................................................8

+      5.1. Syntax .....................................................8

+           5.1.1. Canonical Presentation Format ......................10

+      5.2. CAA issue Property ........................................10

+      5.3. CAA issuewild Property ....................................12

+      5.4. CAA iodef Property ........................................12

+   6. Security Considerations ........................................13

+      6.1. Non-Compliance by Certification Authority .................13

+      6.2. Mis-Issue by Authorized Certification Authority ...........13

+      6.3. Suppression or Spoofing of CAA Records ....................13

+      6.4. Denial of Service .........................................14

+      6.5. Abuse of the Critical Flag ................................14

+   7. IANA Considerations ............................................14

+      7.1. Registration of the CAA Resource Record Type ..............14

+      7.2. Certification Authority Restriction Properties ............15

+      7.3. Certification Authority Restriction Flags .................15

+   8. Acknowledgements ...............................................16

+   9. References .....................................................16

+      9.1. Normative References ......................................16

+      9.2. Informative References ....................................17

+

+1.  Introduction

+

+   The Certification Authority Authorization (CAA) DNS Resource Record

+   allows a DNS domain name holder to specify the Certification

+   Authorities (CAs) authorized to issue certificates for that domain.

+   Publication of CAA Resource Records allows a public Certification

+   Authority to implement additional controls to reduce the risk of

+   unintended certificate mis-issue.

+

+   Like the TLSA record defined in DNS-Based Authentication of Named

+   Entities (DANE) [RFC6698], CAA records are used as a part of a

+   mechanism for checking PKIX certificate data.  The distinction

+   between the two specifications is that CAA records specify an

+   authorization control to be performed by a certificate issuer before

+   issue of a certificate and TLSA records specify a verification

+   control to be performed by a relying party after the certificate is

+   issued.

+

+

+

+

+Hallam-Baker & Stradling     Standards Track                    [Page 2]

+

+RFC 6844          Certification Authority Authorization     January 2013

+

+

+   Conformance with a published CAA record is a necessary but not

+   sufficient condition for issuance of a certificate.  Before issuing a

+   certificate, a PKIX CA is required to validate the request according

+   to the policies set out in its Certificate Policy.  In the case of a

+   public CA that validates certificate requests as a third party, the

+   certificate will typically be issued under a public trust anchor

+   certificate embedded in one or more relevant Relying Applications.

+

+   Criteria for inclusion of embedded trust anchor certificates in

+   applications are outside the scope of this document.  Typically, such

+   criteria require the CA to publish a Certificate Practices Statement

+   (CPS) that specifies how the requirements of the Certificate Policy

+   (CP) are achieved.  It is also common for a CA to engage an

+   independent third-party auditor to prepare an annual audit statement

+   of its performance against its CPS.

+

+   A set of CAA records describes only current grants of authority to

+   issue certificates for the corresponding DNS domain.  Since a

+   certificate is typically valid for at least a year, it is possible

+   that a certificate that is not conformant with the CAA records

+   currently published was conformant with the CAA records published at

+   the time that the certificate was issued.  Relying Applications MUST

+   NOT use CAA records as part of certificate validation.

+

+   CAA records MAY be used by Certificate Evaluators as a possible

+   indicator of a security policy violation.  Such use SHOULD take

+   account of the possibility that published CAA records changed between

+   the time a certificate was issued and the time at which the

+   certificate was observed by the Certificate Evaluator.

+

+2.  Definitions

+

+2.1.  Requirements Language

+

+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",

+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this

+   document are to be interpreted as described in [RFC2119].

+

+2.2.  Defined Terms

+

+   The following terms are used in this document:

+

+   Authorization Entry:  An authorization assertion that grants or

+      denies a specific set of permissions to a specific group of

+      entities.

+

+   Certificate:  An X.509 Certificate, as specified in [RFC5280].

+

+

+

+

+Hallam-Baker & Stradling     Standards Track                    [Page 3]

+

+RFC 6844          Certification Authority Authorization     January 2013

+

+

+   Certificate Evaluator:  A party other than a relying party that

+      evaluates the trustworthiness of certificates issued by

+      Certification Authorities.

+

+   Certification Authority (CA):  An issuer that issues certificates in

+      accordance with a specified Certificate Policy.

+

+   Certificate Policy (CP):  Specifies the criteria that a Certification

+      Authority undertakes to meet in its issue of certificates.  See

+      [RFC3647].

+

+   Certification Practices Statement (CPS):  Specifies the means by

+      which the criteria of the Certificate Policy are met.  In most

+      cases, this will be the document against which the operations of

+      the Certification Authority are audited.  See [RFC3647].

+

+   Domain:  A DNS Domain Name.

+

+   Domain Name:  A DNS Domain Name as specified in [STD13].

+

+   Domain Name System (DNS):  The Internet naming system specified in

+      [STD13].

+

+   DNS Security (DNSSEC):  Extensions to the DNS that provide

+      authentication services as specified in [RFC4033], [RFC4034],

+      [RFC4035], [RFC5155], and revisions.

+

+   Issuer:  An entity that issues certificates.  See [RFC5280].

+

+   Property:  The tag-value portion of a CAA Resource Record.

+

+   Property Tag:  The tag portion of a CAA Resource Record.

+

+   Property Value:  The value portion of a CAA Resource Record.

+

+   Public Key Infrastructure X.509 (PKIX):  Standards and specifications

+      issued by the IETF that apply the [X.509] certificate standards

+      specified by the ITU to Internet applications as specified in

+      [RFC5280] and related documents.

+

+   Resource Record (RR):  A particular entry in the DNS including the

+      owner name, class, type, time to live, and data, as defined in

+      [STD13] and [RFC2181].

+

+   Resource Record Set (RRSet):  A set of Resource Records or a

+      particular owner name, class, and type.  The time to live on all

+      RRs with an RRSet is always the same, but the data may be

+      different among RRs in the RRSet.

+

+

+

+Hallam-Baker & Stradling     Standards Track                    [Page 4]

+

+RFC 6844          Certification Authority Authorization     January 2013

+

+

+   Relying Party:  A party that makes use of an application whose

+      operation depends on use of a certificate for making a security

+      decision.  See [RFC5280].

+

+   Relying Application:  An application whose operation depends on use

+      of a certificate for making a security decision.

+

+3.  The CAA RR Type

+

+   A CAA RR consists of a flags byte and a tag-value pair referred to as

+   a property.  Multiple properties MAY be associated with the same

+   domain name by publishing multiple CAA RRs at that domain name.  The

+   following flag is defined:

+

+   Issuer Critical:  If set to '1', indicates that the corresponding

+      property tag MUST be understood if the semantics of the CAA record

+      are to be correctly interpreted by an issuer.

+

+      Issuers MUST NOT issue certificates for a domain if the relevant

+      CAA Resource Record set contains unknown property tags that have

+      the Critical bit set.

+

+   The following property tags are defined:

+

+   issue <Issuer Domain Name> [; <name>=<value> ]* :  The issue property

+      entry authorizes the holder of the domain name 

+      Name> or a party acting under the explicit authority of the holder

+      of that domain name to issue certificates for the domain in which

+      the property is published.

+

+   issuewild <Issuer Domain Name> [; <name>=<value> ]* :  The issuewild

+      property entry authorizes the holder of the domain name 

+      Domain Name> or a party acting under the explicit authority of the

+      holder of that domain name to issue wildcard certificates for the

+      domain in which the property is published.

+

+   iodef <URL> :  Specifies a URL to which an issuer MAY report

+      certificate issue requests that are inconsistent with the issuer's

+      Certification Practices or Certificate Policy, or that a

+      Certificate Evaluator may use to report observation of a possible

+      policy violation.  The Incident Object Description Exchange Format

+      (IODEF) format is used [RFC5070].

+

+   The following example is a DNS zone file (see [RFC1035]) that informs

+   CAs that certificates are not to be issued except by the holder of

+   the domain name 'ca.example.net' or an authorized agent thereof.

+   This policy applies to all subordinate domains under example.com.

+

+

+

+

+Hallam-Baker & Stradling     Standards Track                    [Page 5]

+

+RFC 6844          Certification Authority Authorization     January 2013

+

+

+   $ORIGIN example.com

+   .       CAA 0 issue "ca.example.net"

+

+   If the domain name holder specifies one or more iodef properties, a

+   certificate issuer MAY report invalid certificate requests to that

+   address.  In the following example, the domain name holder specifies

+   that reports may be made by means of email with the IODEF data as an

+   attachment, a Web service [RFC6546], or both:

+

+   $ORIGIN example.com

+   .       CAA 0 issue "ca.example.net"

+   .       CAA 0 iodef "mailto:security@example.com"

+   .       CAA 0 iodef "http://iodef.example.com/"

+

+   A certificate issuer MAY specify additional parameters that allow

+   customers to specify additional parameters governing certificate

+   issuance.  This might be the Certificate Policy under which the

+   certificate is to be issued, the authentication process to be used

+   might be specified, or an account number specified by the CA to

+   enable these parameters to be retrieved.

+

+   For example, the CA 'ca.example.net' has requested its customer

+   'example.com' to specify the CA's account number '230123' in each of

+   the customer's CAA records.

+

+   $ORIGIN example.com

+   .       CAA 0 issue "ca.example.net; account=230123"

+

+   The syntax of additional parameters is a sequence of name-value pairs

+   as defined in Section 5.2.  The semantics of such parameters is left

+   to site policy and is outside the scope of this document.

+

+   The critical flag is intended to permit future versions CAA to

+   introduce new semantics that MUST be understood for correct

+   processing of the record, preventing conforming CAs that do not

+   recognize the new semantics from issuing certificates for the

+   indicated domains.

+

+   In the following example, the property 'tbs' is flagged as critical.

+   Neither the example.net CA nor any other issuer is authorized to

+   issue under either policy unless the processing rules for the 'tbs'

+   property tag are understood.

+

+   $ORIGIN example.com

+   .       CAA 0 issue "ca.example.net; policy=ev"

+   .       CAA 128 tbs "Unknown"

+

+

+

+

+

+Hallam-Baker & Stradling     Standards Track                    [Page 6]

+

+RFC 6844          Certification Authority Authorization     January 2013

+

+

+   Note that the above restrictions only apply at certificate issue.

+   Since the validity of an end entity certificate is typically a year

+   or more, it is quite possible that the CAA records published at a

+   domain will change between the time a certificate was issued and

+   validation by a relying party.

+

+4.  Certification Authority Processing

+

+   Before issuing a certificate, a compliant CA MUST check for

+   publication of a relevant CAA Resource Record set.  If such a record

+   set exists, a CA MUST NOT issue a certificate unless the CA

+   determines that either (1) the certificate request is consistent with

+   the applicable CAA Resource Record set or (2) an exception specified

+   in the relevant Certificate Policy or Certification Practices

+   Statement applies.

+

+   A certificate request MAY specify more than one domain name and MAY

+   specify wildcard domains.  Issuers MUST verify authorization for all

+   the domains and wildcard domains specified in the request.

+

+   The search for a CAA record climbs the DNS name tree from the

+   specified label up to but not including the DNS root '.'.

+

+   Given a request for a specific domain X, or a request for a wildcard

+   domain *.X, the relevant record set R(X) is determined as follows:

+

+   Let CAA(X) be the record set returned in response to performing a CAA

+   record query on the label X, P(X) be the DNS label immediately above

+   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME

+   alias record specified at the label X.

+

+   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise

+

+   o  If A(X) is not null, and R(A(X)) is not empty, then R(X) =

+      R(A(X)), otherwise

+

+   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise

+

+   o  R(X) is empty.

+

+   For example, if a certificate is requested for X.Y.Z the issuer will

+   search for the relevant CAA record set in the following order:

+

+      X.Y.Z

+

+      Alias (X.Y.Z)

+

+      Y.Z

+

+

+

+Hallam-Baker & Stradling     Standards Track                    [Page 7]

+

+RFC 6844          Certification Authority Authorization     January 2013

+

+

+      Alias (Y.Z)

+

+      Z

+

+      Alias (Z)

+

+      Return Empty

+

+4.1.  Use of DNS Security

+

+   Use of DNSSEC to authenticate CAA RRs is strongly RECOMMENDED but not

+   required.  An issuer MUST NOT issue certificates if doing so would

+   conflict with the relevant CAA Resource Record set, irrespective of

+   whether the corresponding DNS records are signed.

+

+   DNSSEC provides a proof of non-existence for both DNS domains and RR

+   set within domains.  DNSSEC verification thus enables an issuer to

+   determine if the answer to a CAA record query is empty because the RR

+   set is empty or if it is non-empty but the response has been

+   suppressed.

+

+   Use of DNSSEC allows an issuer to acquire and archive a proof that

+   they were authorized to issue certificates for the domain.

+   Verification of such archives MAY be an audit requirement to verify

+   CAA record processing compliance.  Publication of such archives MAY

+   be a transparency requirement to verify CAA record processing

+   compliance.

+

+5.  Mechanism

+

+5.1.  Syntax

+

+   A CAA RR contains a single property entry consisting of a tag-value

+   pair.  Each tag represents a property of the CAA record.  The value

+   of a CAA property is that specified in the corresponding value field.

+

+   A domain name MAY have multiple CAA RRs associated with it and a

+   given property MAY be specified more than once.

+

+   The CAA data field contains one property entry.  A property entry

+   consists of the following data fields:

+

+

+

+

+

+

+

+

+

+

+Hallam-Baker & Stradling     Standards Track                    [Page 8]

+

+RFC 6844          Certification Authority Authorization     January 2013

+

+

+   +0-1-2-3-4-5-6-7-|0-1-2-3-4-5-6-7-|

+   | Flags          | Tag Length = n |

+   +----------------+----------------+...+---------------+

+   | Tag char 0     | Tag char 1     |...| Tag char n-1  |

+   +----------------+----------------+...+---------------+

+   +----------------+----------------+.....+----------------+

+   | Value byte 0   | Value byte 1   |.....| Value byte m-1 |

+   +----------------+----------------+.....+----------------+

+

+   Where n is the length specified in the Tag length field and m is the

+   remaining octets in the Value field (m = d - n - 2) where d is the

+   length of the RDATA section.

+

+   The data fields are defined as follows:

+

+   Flags:  One octet containing the following fields:

+

+      Bit 0, Issuer Critical Flag:  If the value is set to '1', the

+         critical flag is asserted and the property MUST be understood

+         if the CAA record is to be correctly processed by a certificate

+         issuer.

+

+         A Certification Authority MUST NOT issue certificates for any

+         Domain that contains a CAA critical property for an unknown or

+         unsupported property tag that for which the issuer critical

+         flag is set.

+

+      Note that according to the conventions set out in [RFC1035], bit 0

+      is the Most Significant Bit and bit 7 is the Least Significant

+      Bit. Thus, the Flags value 1 means that bit 7 is set while a value

+      of 128 means that bit 0 is set according to this convention.

+

+      All other bit positions are reserved for future use.

+

+      To ensure compatibility with future extensions to CAA, DNS records

+      compliant with this version of the CAA specification MUST clear

+      (set to "0") all reserved flags bits.  Applications that interpret

+      CAA records MUST ignore the value of all reserved flag bits.

+

+   Tag Length:  A single octet containing an unsigned integer specifying

+      the tag length in octets.  The tag length MUST be at least 1 and

+      SHOULD be no more than 15.

+

+

+

+

+

+

+

+

+

+Hallam-Baker & Stradling     Standards Track                    [Page 9]

+

+RFC 6844          Certification Authority Authorization     January 2013

+

+

+   Tag:  The property identifier, a sequence of US-ASCII characters.

+

+      Tag values MAY contain US-ASCII characters 'a' through 'z', 'A'

+      through 'Z', and the numbers 0 through 9.  Tag values SHOULD NOT

+      contain any other characters.  Matching of tag values is case

+      insensitive.

+

+      Tag values submitted for registration by IANA MUST NOT contain any

+      characters other than the (lowercase) US-ASCII characters 'a'

+      through 'z' and the numbers 0 through 9.

+

+   Value:  A sequence of octets representing the property value.

+      Property values are encoded as binary values and MAY employ sub-

+      formats.

+

+      The length of the value field is specified implicitly as the

+      remaining length of the enclosing Resource Record data field.

+

+5.1.1.  Canonical Presentation Format

+

+   The canonical presentation format of the CAA record is:

+

+   CAA <flags> <tag> <value>

+

+   Where:

+

+   Flags:  Is an unsigned integer between 0 and 255.

+

+   Tag:  Is a non-zero sequence of US-ASCII letters and numbers in lower

+      case.

+

+   Value:  Is the <character-string> encoding of the value field as

+      specified in [RFC1035], Section 5.1.

+

+5.2.  CAA issue Property

+

+   The issue property tag is used to request that certificate issuers

+   perform CAA issue restriction processing for the domain and to grant

+   authorization to specific certificate issuers.

+

+   The CAA issue property value has the following sub-syntax (specified

+   in ABNF as per [RFC5234]).

+

+

+

+

+

+

+

+

+

+Hallam-Baker & Stradling     Standards Track                   [Page 10]

+

+RFC 6844          Certification Authority Authorization     January 2013

+

+

+   issuevalue  = space [domain] space [";" *(space parameter) space]

+

+   domain = label *("." label)

+   label = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))

+

+   space = *(SP / HTAB)

+

+   parameter =  tag "=" value

+

+   tag = 1*(ALPHA / DIGIT)

+

+   value = *VCHAR

+

+   For consistency with other aspects of DNS administration, domain name

+   values are specified in letter-digit-hyphen Label (LDH-Label) form.

+

+   A CAA record with an issue parameter tag that does not specify a

+   domain name is a request that certificate issuers perform CAA issue

+   restriction processing for the corresponding domain without granting

+   authorization to any certificate issuer.

+

+   This form of issue restriction would be appropriate to specify that

+   no certificates are to be issued for the domain in question.

+

+   For example, the following CAA record set requests that no

+   certificates be issued for the domain 'nocerts.example.com' by any

+   certificate issuer.

+

+   nocerts.example.com       CAA 0 issue ";"

+

+   A CAA record with an issue parameter tag that specifies a domain name

+   is a request that certificate issuers perform CAA issue restriction

+   processing for the corresponding domain and grants authorization to

+   the certificate issuer specified by the domain name.

+

+   For example, the following CAA record set requests that no

+   certificates be issued for the domain 'certs.example.com' by any

+   certificate issuer other than the example.net certificate issuer.

+

+   certs.example.com       CAA 0 issue "example.net"

+

+   CAA authorizations are additive; thus, the result of specifying both

+   the empty issuer and a specified issuer is the same as specifying

+   just the specified issuer alone.

+

+

+

+

+

+

+

+Hallam-Baker & Stradling     Standards Track                   [Page 11]

+

+RFC 6844          Certification Authority Authorization     January 2013

+

+

+   An issuer MAY choose to specify issuer-parameters that further

+   constrain the issue of certificates by that issuer, for example,

+   specifying that certificates are to be subject to specific validation

+   polices, billed to certain accounts, or issued under specific trust

+   anchors.

+

+   The semantics of issuer-parameters are determined by the issuer

+   alone.

+

+5.3.  CAA issuewild Property

+

+   The issuewild property has the same syntax and semantics as the issue

+   property except that issuewild properties only grant authorization to

+   issue certificates that specify a wildcard domain and issuewild

+   properties take precedence over issue properties when specified.

+   Specifically:

+