I have a root domain I have control of and a set of subdomains, but other people are responsible for them. I want to add a `CAA` protection to my root domain, but I don't want to restrict the subdomain users from using certification authorities of their choice. Unfortunately, subdomains inherit the `issue` tag of a parent domain. Is there a technical possibility to allow any authority to issue a certificate to a specific subdomain? An empty string means "no one".
Based on just looking at the `CAA` spec, it appears that it should be technically possible to do what you are requesting. However, it's not a scenario that I have seen discussed elsewhere and it seems plausible that it may not have been considered by CAs when implementing their `CAA` validation.

The approach that looks possible in the spec boils down to this:

- The spec describes how issuers find the relevant `CAA` record set by starting at the name specified in the certificate request and using the first non-empty `CAA` RRSet that they encounter as they work themselves towards the root.
- It describes the `issue` property tag, which requests that certificate issuers perform CAA issue restriction processing for the domain and grants authorization to specific certificate issuers. (And section 5.3 describes how `issuewild` works with overall the same semantics but being specific to requests with wildcard names.)

This leads me to the conclusion that, if you were to publish `CAA` recordsets which contain no records with `issue` or `issuewild` as their tag in these subdomains, according to the spec it seems that these subdomains should be unrestricted. An example of such a `CAA` RRset would be only a record with the `iodef` tag.

YMMV, it may turn out to be more practical to either just publish actual `CAA` issuance policies for the subdomains or alternatively forego `CAA` entirely.
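An added illustration (not from the answer, and not any CA's real validation code) of the lookup and evaluation the answer describes, run over a constructed zone: the parent publishes an `issue` record, one subdomain publishes only an `iodef` record, a second subdomain publishes `issue ";"`, and any name without its own `CAA` RRset inherits the first non-empty RRset found while climbing toward the root. The zone contents and CA names are assumptions; wildcard handling (prefer `issuewild` when present, else fall back to `issue`) follows the spec.

```python
"""Model of CAA lookup and issue/issuewild evaluation over a constructed zone."""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed example zone (assumption, not real DNS data): name -> CAA RRset.
ZONE: Dict[str, List[CaaRecord]] = {
    "example.com": [(0, "issue", "ca-a.example"),
                    (0, "iodef", "mailto:security@example.com")],
    # Subdomain run by another team: iodef only, no issue/issuewild tag.
    "team.example.com": [(0, "iodef", "mailto:team@example.com")],
    # Subdomain that forbids issuance to anyone (";" names no issuer).
    "locked.example.com": [(0, "issue", ";")],
}


def find_caa_rrset(name: str) -> Tuple[Optional[str], List[CaaRecord]]:
    """Climb from `name` toward the root; return the owner and the first
    non-empty CAA RRset encountered (None, [] if nothing is found)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = ZONE.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def is_issuance_allowed(requested_name: str, ca_id: str) -> Tuple[bool, str]:
    """Decide whether issuer `ca_id` may issue for `requested_name`."""
    wildcard = requested_name.startswith("*.")
    base = requested_name[2:] if wildcard else requested_name
    owner, rrset = find_caa_rrset(base)
    if owner is None:
        return True, "no CAA RRset found on the path to the root"
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        # The iodef-only case from the answer: RRset stops the climb but restricts nobody.
        return True, f"RRset at {owner} carries no issue/issuewild tag"
    # Issuer domain is the value up to the first ';'; parameters follow it.
    allowed = {v.split(";")[0].strip() for v in relevant}
    allowed.discard("")  # a bare ';' authorizes no issuer at all
    if ca_id in allowed:
        return True, f"{ca_id} authorized by RRset at {owner}"
    return False, f"{ca_id} not among {sorted(allowed) or 'no issuer'} at {owner}"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca-b.example"),
                     ("host.team.example.com", "ca-b.example"),
                     ("locked.example.com", "ca-a.example")]:
        print(name, ca, is_issuance_allowed(name, ca))
```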