Home / server / Questions / 992735
Accepted
uav
Asked: 2019-11-22 04:19:06 +0800 CST

CAA issuewild multi-level sub-sub-domains

  • 772

CAA probably makes sure that issued certificates come from my CA and not from another one.

Given in the DNS:

example.com. 300 IN CAA 0 issue "ca.example.com"
example.com. 300 IN CAA 0 issuewild "ca.example.com"

Question 1: Can my CA use it to issue the following sub-subdomains?

a.b.c.example.com
d.e.f.example.com

Question 2: If this is not possible, what is the easiest way to do this in DNS? We have many sub-subdomains.

domain-name-system

1 Answers

  1. Best Answer

    The CAA specification includes DNS walking up the root.

    So first a DNS query for CAA record at a.b.c.example.com will be done, and if this fails, then same query for b.c.example.com, then c.example.com, etc. until a match is found or the root is reached.

    See RFC 8659 §3 that shows the algorithm to be used:

      RelevantCAASet(domain):
    while domain is not ".":
      if CAA(domain) is not Empty:
        return CAA(domain)
      domain = Parent(domain)
    return Empty

    with this explanation:

    The search for a CAA RRset climbs the DNS name tree from the specified label up to, but not including, the DNS root "." until a CAA RRset is found.

    So answer to your Question 1 is yes, and hence question 2 disappears.

    • 1