Cannabis Ruderalis

Content deleted Content added
2601:186:4401:9d15:59f8:cfa8:cfa1:944e (talk)
No edit summary
Typo fixing, typo(s) fixed: authorative → authoritative using AWB
Line 3: Line 3:
DNS Certification Authority Authorization is specified by RFC 6844, which designated a new "CAA" DNS RR type to carry name-value pairs that can carry a wide range of information to be used as part of the CA authorization process. Use of CAA, where available, to validate certificates is recommended, but not mandatory.<ref>{{cite web|url=https://tools.ietf.org/html/rfc6844|title=RFC 6844: DNS Certification Authority Authorization (CAA) Resource Record|publisher=Internet Engineering Task Force|author=P. Hallam-Baker and R. Stradling|date=January 2013}}</ref>
DNS Certification Authority Authorization is specified by RFC 6844, which designated a new "CAA" DNS RR type to carry name-value pairs that can carry a wide range of information to be used as part of the CA authorization process. Use of CAA, where available, to validate certificates is recommended, but not mandatory.<ref>{{cite web|url=https://tools.ietf.org/html/rfc6844|title=RFC 6844: DNS Certification Authority Authorization (CAA) Resource Record|publisher=Internet Engineering Task Force|author=P. Hallam-Baker and R. Stradling|date=January 2013}}</ref>


{{As of|2016}}, CAA records are supported in the [[BIND]] DNS server<ref>{{cite web|url=https://www.isc.org/blogs/certificate-authority-authorization-records/|title=Certificate Authority Authorization Records|publisher=Internet Systems Consortium|date=August 29, 2014|author=Vicky Risk}}</ref> and the NSD authorative DNS server (as of version 4.0.1).<ref>{{cite web|url=http://www.nlnetlabs.nl/projects/nsd/index.html#releases|title=NSD: Name Server Daemon Releases|publisher=NLNet Labs|date=January 27, 2014|author=NLNet Labs}}</ref>
{{As of|2016}}, CAA records are supported in the [[BIND]] DNS server<ref>{{cite web|url=https://www.isc.org/blogs/certificate-authority-authorization-records/|title=Certificate Authority Authorization Records|publisher=Internet Systems Consortium|date=August 29, 2014|author=Vicky Risk}}</ref> and the NSD authoritative DNS server (as of version 4.0.1).<ref>{{cite web|url=http://www.nlnetlabs.nl/projects/nsd/index.html#releases|title=NSD: Name Server Daemon Releases|publisher=NLNet Labs|date=January 27, 2014|author=NLNet Labs}}</ref>


== References ==
== References ==
Line 14: Line 14:


{{SSL/TLS}}
{{SSL/TLS}}

{{internet-stub}}


[[Category:Transport Layer Security]]
[[Category:Transport Layer Security]]
[[Category:Domain name system]]
[[Category:Domain name system]]


{{internet-stub}}
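Review bot: the edit summary lists only the authorative → authoritative typo fix, but this hunk also moves {{internet-stub}} from above the [[Category:...]] lines to below them. Mention the template move in the summary, or make it a separate edit, so the revision history matches what was actually altered.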

Revision as of 17:02, 16 January 2016

DNS Certification Authority Authorization (CAA) uses the Internet's Domain Name System to specify which Certificate Authorities may be regarded as authoritative for a domain. It is intended to support additional cross-checking at the client end of TLS connections, to help prevent certificates issued by CAs other than the specified ones from being used to spoof the identity of websites or to perform man-in-the-middle attacks on them.

DNS Certification Authority Authorization is specified by RFC 6844, which designated a new "CAA" DNS RR type to carry name-value pairs that can carry a wide range of information to be used as part of the CA authorization process. Use of CAA, where available, to validate certificates is recommended, but not mandatory.[1]

As of 2016, CAA records are supported in the BIND DNS server[2] and the NSD authoritative DNS server (as of version 4.0.1).[3]
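The name-value pairs carried by a CAA record can be decoded and checked as in the following added example, which is not part of the original article. It assumes the RFC 6844 RDATA layout (one flags octet, one tag-length octet, the tag, then the value) and covers only the "issue" restriction for a non-wildcard name; the function names and the sample records are constructed for illustration.

```python
# Added example: decode CAA RDATA (RFC 6844) and apply the "issue" restriction.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # property tags defined by RFC 6844


def parse_caa_rdata(rdata: bytes) -> dict:
    """Decode one CAA record's RDATA into its critical flag, tag and value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA shorter than the two header octets")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("tag length does not fit the RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    if not tag.isalnum():
        raise ValueError("tag must consist of ASCII letters and digits")
    value = rdata[2 + tag_len:].decode("ascii")
    # Bit 0 (0x80) is the Issuer Critical flag.
    return {"critical": bool(flags & 0x80), "tag": tag, "value": value}


def ca_may_issue(rrset: list, ca_domain: str) -> bool:
    """Return True if the record set lets ca_domain issue for a non-wildcard name.

    A malformed record raises ValueError, so the caller fails closed.
    """
    props = [parse_caa_rdata(r) for r in rrset]
    # A critical property the issuer does not understand forbids issuance.
    if any(p["critical"] and p["tag"] not in KNOWN_TAGS for p in props):
        return False
    # The issuer domain name precedes any ";"-separated parameters.
    issuers = [p["value"].split(";", 1)[0].strip().lower()
               for p in props if p["tag"] == "issue"]
    if not issuers:
        return True  # no "issue" property: no restriction is expressed
    return ca_domain.lower() in issuers  # 'issue ";"' yields "" and matches nobody


# Constructed sample records for a hypothetical zone.
SAMPLE_RRSET = [
    b"\x00\x05issueca.example.net; account=12345",
    b"\x00\x05iodefmailto:security@example.com",
]

if __name__ == "__main__":
    for ca in ("ca.example.net", "other-ca.example.org"):
        print(ca, ca_may_issue(SAMPLE_RRSET, ca))
```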

References

  1. P. Hallam-Baker and R. Stradling (January 2013). "RFC 6844: DNS Certification Authority Authorization (CAA) Resource Record". Internet Engineering Task Force.
  2. Vicky Risk (August 29, 2014). "Certificate Authority Authorization Records". Internet Systems Consortium.
  3. NLNet Labs (January 27, 2014). "NSD: Name Server Daemon Releases". NLNet Labs.
