
CAA probably makes sure that issued certificates come from my CA and not from another one.

Given in the DNS:

example.com. 300 IN CAA 0 issue "ca.example.com"
example.com. 300 IN CAA 0 issuewild "ca.example.com"

Question 1: Can my CA use it to issue the following sub-subdomains?

a.b.c.example.com
d.e.f.example.com

Question 2: If this is not possible, what is the easiest way to do this in DNS? We have many sub-subdomains.

uav

1 Answer


The CAA specification includes walking up the DNS tree toward the root.

So first a DNS query for a CAA record at a.b.c.example.com will be done, and if this fails, then the same query for b.c.example.com, then c.example.com, etc., until a match is found or the root is reached.

See RFC 8659 §3 that shows the algorithm to be used:

  RelevantCAASet(domain):
    while domain is not ".":
      if CAA(domain) is not Empty:
        return CAA(domain)
      domain = Parent(domain)
    return Empty

with this explanation:

The search for a CAA RRset climbs the DNS name tree from the specified label up to, but not including, the DNS root "." until a CAA RRset is found.

So the answer to your Question 1 is yes, and hence Question 2 disappears.

Patrick Mevzek
  • With reservation: It looks as if my CA is not RFC compliant. By the way: With wildcard certificates you can only assign one subdomain level (right?) and with CAA you can "assign" many sub-subdomains. – uav Nov 23 '19 at 13:12
    "With wildcard certificates you can only assign one subdomain level (right?) " Correct. – Patrick Mevzek Nov 23 '19 at 16:43
  • It looks like I need to convert dots to hyphens. I don't know what this is supposed to do. Where can you complain? Sure, my CA should first become RFC-compliant. But why are there no wildcard certificates that allow multiple deeply nested subdomains? – uav Nov 23 '19 at 16:55
  • I didn't follow you on "It looks as if my CA is not RFC compliant." as I do not know what you mean. If you have other questions please open a new separate post on the site. – Patrick Mevzek Nov 23 '19 at 17:46
  • "But why are there no wildcard certificates that allow multiple deeply nested subdomains? " Same problems as cookies in the web. One can not know when an administrative boundary is crossed (it is not automatically a dot). – Patrick Mevzek Nov 23 '19 at 17:46
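The tree walk quoted from RFC 8659 §3, together with the §4 rule for choosing between the issue and issuewild properties, as an added example that is not part of the original question, answer or comments. It runs the lookup against a constructed in-memory zone instead of live DNS; the two records at example.com are the ones from the question, while the records at f.example.com, g.example.com and h.example.com (and the CA name other-ca.example.net) are assumptions added to exercise the edge cases: a more specific CAA RRset overriding the apex, a subtree that forbids wildcards with issuewild ";", and an unknown property carrying the critical flag.

```python
# Added example: model of the RFC 8659 CAA lookup (RelevantCAASet, section 3)
# and the issue/issuewild decision (section 4), over a constructed zone.
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 128 = "issuer critical" flag set (high-order bit of the flags octet)
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # for issue/issuewild: a CA domain name, or ";" to permit no CA


# Constructed zone data (not real DNS): owner name -> CAA RRset.
# Names with no entry have an empty CAA RRset, exactly like most subdomains.
ZONE = {
    # the two records from the question
    "example.com.": [
        CAARecord(0, "issue", "ca.example.com"),
        CAARecord(0, "issuewild", "ca.example.com"),
    ],
    # assumed: a subtree that allows non-wildcard issuance but forbids wildcards
    "f.example.com.": [
        CAARecord(0, "issue", "ca.example.com"),
        CAARecord(0, "issuewild", ";"),
    ],
    # assumed: a subtree delegated to a different (hypothetical) CA
    "g.example.com.": [CAARecord(0, "issue", "other-ca.example.net")],
    # assumed: an unknown property marked critical, which must block issuance
    "h.example.com.": [CAARecord(128, "futureprop", "whatever")],
}


def caa(domain):
    """CAA(domain) from the RFC pseudocode: the RRset at exactly this name."""
    return ZONE.get(domain, [])


def parent(domain):
    """Parent(domain): strip the leftmost label; the parent of a TLD is the root "."."""
    labels = domain.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def relevant_caa_set(domain):
    """RFC 8659 section 3: climb toward (but not including) the root and stop at
    the first non-empty CAA RRset. Returns (owner name it was found at, rrset)."""
    if not domain.endswith("."):
        domain += "."
    while domain != ".":
        rrset = caa(domain)
        if rrset:
            return domain, rrset
        domain = parent(domain)
    return None, []


def issuance_permitted(requested_name, ca_identifier):
    """RFC 8659 section 4: may ca_identifier issue for requested_name?
    requested_name may be a wildcard such as "*.b.c.example.com".
    Returns (permitted: bool, reason: str)."""
    wildcard = requested_name.startswith("*.")
    lookup_name = requested_name[2:] if wildcard else requested_name
    found_at, rrset = relevant_caa_set(lookup_name)
    if not rrset:
        return True, "no CAA RRset on the path to the root; any CA may issue"
    # An unrecognised property with the critical flag set means: do not issue.
    for rr in rrset:
        if rr.flags & 128 and rr.tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown property '{rr.tag}' at {found_at}"
    # Wildcard request: issuewild takes precedence if the RRset has one,
    # otherwise issue applies. Non-wildcard request: only issue applies.
    tag = "issue"
    if wildcard and any(rr.tag == "issuewild" for rr in rrset):
        tag = "issuewild"
    relevant = [rr for rr in rrset if rr.tag == tag]
    if not relevant:
        return True, f"no {tag} property at {found_at}; any CA may issue"
    # The value is "<ca-domain>[; param=value ...]"; ";" alone yields "" (no CA).
    allowed = {rr.value.split(";")[0].strip().lower() for rr in relevant}
    if ca_identifier.lower() in allowed:
        return True, f"{tag} at {found_at} names {ca_identifier}"
    return False, f"{tag} at {found_at} permits only {sorted(allowed - {''})}"


if __name__ == "__main__":
    for name in ("a.b.c.example.com", "d.e.f.example.com", "*.b.c.example.com",
                 "*.e.f.example.com", "x.g.example.com", "x.h.example.com",
                 "www.example.org"):
        ok, why = issuance_permitted(name, "ca.example.com")
        print(f"{name:22s} -> {'ISSUE' if ok else 'REFUSE'}: {why}")
```

The sub-subdomains from the question walk up three levels and land on the apex RRset, so ca.example.com is permitted for both; the wildcard at f.example.com is refused because the nearer RRset's issuewild ";" wins over the apex records, and the walk never looks further up once a non-empty RRset is found. Note that this check is performed by the CA at issuance time, not by browsers at connection time, so a CA that does not implement the walk is not stopped by anything on the client side; `dig CAA a.b.c.example.com` returning no answer is expected and is not by itself a misconfiguration.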