You are located in service: DNS (Domain Name Service)

CAA (EN)

CAA (EN)

Kurzinformation

As of the 23.2.2018 Domain Name Server (DNS) Certification Authority Authorization (CAA) Resource Records (RR) according to RFC6844 [1] will be introduced at the RWTH.

CAA Records provide domain owners with the ability to authorize defined Certificate Authorities (CAs) to issue X.509 certificates (also known as SSL certificates) to host(s) under the domain. CAA records are intended to prevent certificates from being issued to unauthorized persons. A precondition for this is that the certification authority checks the CAA records. Since September 2017, Certification Authorities participating in the CA/Browser Forum are obliged to check CAA records when issuing the certificate [2].
 

What does this mean practically for a server administrator?

  1. Set/check CAA records for the host name (FQDN) of his server in the DNS.
  2. Generate certificate request (CSR) and send it to a CA defined in the CAA record.
  3. Step 1 is particularly necessary if a certificate is requested outside the DFN-PKI.

The following rules apply to CAA records within the domains delegated to the RWTH name servers:

  • The DFN-PKI is allowed for all zones (domains) by default (i.e. the CAA records are already maintained by the RWTH hostmaster).
  • DNS administrators can set additional CAA records per host via the "noc-portal" tool "DNS-Admin" [3].
  • DNS administrators who do not have rights for the "DNS-Admin" tool can address the entry of CAA records for FQDNs in their zone(s) to the RWTH hostmaster (hostmaster@rwth-aachen.de) or the RWTH CA (ca@rwth-aachen.de) or to the IT-ServiceDesk ((servicedesk@itc.rwth-aachen.de) by e-mail.
  • The list of CAs available for selection is maintained by the RWTH CA. Currently, this list contains the selection of CAs that have currently issued certificates (digicert.com, globalsign.com, letsencrypt.org, pki.dfn.de, telesec.de). These CAs have been identified via Cert Spotter [4].
  • Already issued certificates are not affected, because CAA records are only taken into account when issuing a certificate.
  • CAA records with the property "issuewild" are only allowed for hosts and can be entered upon request to the RWTH CA (ca@rwth-aachen.de).
  • Because of the hierarchical structure, a specific host entry takes effect before the zone entry.

A query is made, for example, via

  dig caa +noall +answer $DOMAIN.rwth-aachen.de

or if a specific entry exists

  dig caa +noall +answer $HOSTNAME.DOMAIN.rwth-aachen.de

Zusatzinformationen

Questions and suggestions can be addressed to "ca@rwth-aachen.de" or "hostmaster@rwth-aachen.de".

[1]          https://tools.ietf.org/html/rfc6844

[2]          https://blog.pki.dfn.de/2017/03/rfc-6844-certification-authority-authorization-caa/

[3]          https://noc-portal.rz.rwth-aachen.de/dns-admin/

[4]          https://sslmate.com/certspotter/

 
 

Abkürzungen

CACertification Authority
CAACertification Authority Authorization
CSRCertificate Signing Request
DNSDomain Name Server
FQDNFully Qualified Domain Name
RRResource Record (im DNS)
SSLSecure Socket Layer

last changed on 29.01.2021

How did this content help you?