CAA
E697169
CAA (Certification Authority Authorization) is a DNS record type used to specify which certificate authorities are permitted to issue SSL/TLS certificates for a domain.
Statements (49)
| Predicate | Object |
|---|---|
| instanceOf | Certification Authority Authorization mechanism; DNS resource record type |
| abbreviationOf | Certification Authority Authorization |
| appliesTo | domain names; subdomains |
| belongsToProtocol | Domain Name System |
| cannotRestrict | which specific end-entities receive certificates |
| canRestrict | which CAs may issue certificates |
| checkedDuring | certificate issuance |
| configurationInterface | DNS zone configuration |
| definedIn | RFC 6844 |
| deploymentLocation | authoritative DNS zone for the domain |
| enforcedBy | certificate authorities |
| flag | 0; 128 |
| flagMeaning | 128: critical flag indicating unknown tags must cause issuance failure |
| fullName | Certification Authority Authorization |
| inheritanceDescription | Subdomains inherit CAA policy from parent domains unless overridden |
| introducedYear | 2013 |
| madeMandatoryForCAsBy | CA/Browser Forum Baseline Requirements |
| policyScope | domain-level certificate issuance control |
| queryClass | IN |
| recordClass | resource record |
| recordExample | example.com. CAA 0 iodef "mailto:[email protected]"; example.com. CAA 0 issue "letsencrypt.org" |
| recordTypeCode | 257 |
| relatedTo | HTTPS; TLS certificates; X.509 public key infrastructure |
| securityProperty | enables domain owners to express CA issuance policy; reduces risk of mis-issuance of certificates |
| standardizedBy | Internet Engineering Task Force (surface form: IETF) |
| supportsInheritance | yes |
| syntaxElement | flag; tag; value |
| tag | iodef |
| tag | issue; issuewild |
| tagPurpose | iodef: specify contact or reporting URI for policy violations |
| tagPurpose | issue: authorize a CA to issue non-wildcard certificates; issuewild: authorize a CA to issue wildcard certificates |
| updatedBy | RFC 8659 |
| usedFor | controlling issuance of SSL/TLS certificates; improving PKI security; specifying which certificate authorities may issue certificates for a domain |
| valueType | URI; domain name; email address (via mailto URI) |
Referenced by (1)
Full triples — surface form annotated when it differs from this entity's canonical label.