
DNS Certification Authority Authorization (CAA) uses the Internet's Domain Name System to specify which certificate authorities may be regarded as authoritative for a domain. This is intended to support additional cross-checking at the client end of TLS connections, to attempt to prevent certificates issued by CAs other than the specified CAs from being used to spoof the identity of websites or to perform man-in-the-middle attacks on them.

DNS Certification Authority Authorization is specified by RFC 6844, which designated a new "CAA" DNS RR type to carry name-value pairs that can carry a wide range of information to be used as part of the CA authorization process. Use of CAA, where available, to validate certificates is recommended, but not mandatory.[1]
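The record layout described above, as an added example that is not from the original page or from any DNS server project: it decodes CAA RDATA in the RFC 6844 wire format (flags byte, tag length, tag, value) and applies a simplified issuance check. The sample records, the CA domain names and the helper names are constructed; the check assumes the relevant record set has already been located and treats a set with no `issue` property as unrestricted.

```python
from typing import NamedTuple

ISSUER_CRITICAL = 0x80  # high bit of the flags byte (RFC 6844)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # properties defined by RFC 6844

class CAA(NamedTuple):
    critical: bool
    tag: str
    value: str

def parse_caa_rdata(rdata: bytes) -> CAA:
    """Decode one CAA RDATA: flags(1) | tag length(1) | tag | value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA shorter than 2 bytes")
    flags, tag_len = rdata[0], rdata[1]
    tag = rdata[2:2 + tag_len]
    # Tags are non-empty ASCII letters/digits; a short slice means truncation.
    if tag_len == 0 or len(tag) != tag_len or not tag.isalnum():
        raise ValueError("malformed CAA tag")
    value = rdata[2 + tag_len:].decode("ascii")
    return CAA(bool(flags & ISSUER_CRITICAL), tag.decode("ascii").lower(), value)

def may_issue(records, ca_domain, wildcard=False):
    """Simplified CA-side check over an already-located CAA record set."""
    if any(r.critical and r.tag not in KNOWN_TAGS for r in records):
        return False  # unknown property marked critical: refuse to issue
    wild = [r for r in records if r.tag == "issuewild"]
    # issuewild, when present, takes precedence for wildcard requests.
    relevant = wild if (wildcard and wild) else [r for r in records if r.tag == "issue"]
    if not relevant:
        return True  # assumption of this example: no issue property, no restriction
    # Value is "<issuer domain>[; parameters]"; a bare ";" authorizes nobody.
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in relevant}
    allowed.discard("")
    return ca_domain.lower() in allowed

def build_rdata(flags: int, tag: str, value: str) -> bytes:
    """Hypothetical helper that builds constructed sample RDATA."""
    return bytes([flags, len(tag)]) + tag.encode("ascii") + value.encode("ascii")

# Constructed sample record set for a fictional domain.
SAMPLE = [parse_caa_rdata(build_rdata(f, t, v)) for f, t, v in [
    (0, "issue", "ca.example.net; policy=ev"),
    (0, "issuewild", ";"),
    (0, "iodef", "mailto:security@example.com"),
]]

if __name__ == "__main__":
    for name in ("ca.example.net", "other-ca.example.org"):
        print(name, may_issue(SAMPLE, name), may_issue(SAMPLE, name, wildcard=True))
```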

As of 2016, CAA records are supported in the BIND DNS server,[2] the NSD authoritative DNS server (as of version 4.0.1),[3] the Knot DNS server (since version 2.2.0),[4] and PowerDNS (since version 4.0.0).[5]

References

  1. P. Hallam-Baker and R. Stradling (January 2013). "RFC 6844: DNS Certification Authority Authorization (CAA) Resource Record". Internet Engineering Task Force.
  2. Vicky Risk (August 29, 2014). "Certificate Authority Authorization Records". Internet Systems Consortium.
  3. NLNet Labs (January 27, 2014). "NSD: Name Server Daemon Releases". NLNet Labs.
  4. Včelak, Jan. "[knot-dns-users] Knot DNS 2.2.0 release". Retrieved 2016-04-26.
  5. "Supported Record Types". PowerDNS.com.
