8/29/2017
Hello everyone!
We have added support for a new type of DNS record, the CAA.
A CAA (Certification Authority Authorization) record is used to specify the certification authorities that are allowed to issue SSL/TLS certificates for a certain domain name or sub-domain.
Beginning on September 8, 2017, every certification authority will be required to check and strictly obey the CAA records of the domain name or sub-domain for which a certificate is requested.
Publishing CAA records raises the security of your domain and reduces the chance that a certificate for a domain name you control is issued to an unauthorized party.
For your convenience, we have launched an on-line CAA record generator that will help correctly format the CAA records needed for your domain name — caa.zilore.com.
We have prepared detailed instructions explaining the CAA record options and the format for using them.
The value of the CAA record consists of three elements separated by a space:
CAA <flags> <tag> <value>
The flags element is an 8-bit number whose most significant bit (the Issuer Critical flag) tells the certification authority whether it must understand the record. At this time, the following values are permitted:
0
If the tag element is not supported or recognized by the certification authority, the certification authority is authorized to issue a certificate for a domain name or sub-domain as it deems fit.
128
If the tag element is not supported or recognized by the certification authority, the certification authority should not issue a certificate for the domain name or sub-domain.
The tag element can take one of the following values:
issue
Identifies the certification authority authorized to issue a certificate for the domain name or sub-domain at which the record is published.
issuewild
Identifies the certification authority authorized to issue a wildcard certificate for the domain name or sub-domain at which the record is published. Such a certificate applies to the domain name or sub-domain itself and to all of its sub-domains.
iodef
Specifies the e-mail address or URL (in the format defined by RFC 5070, IODEF) to which the certification authority must send a report when it receives a certificate request that violates the rules set by the domain name's CAA records.
The value element depends on the tag and should be included in quotation marks ("").
Some certification authorities allow the use of additional parameters for the value element. In that case, the parameters must be separated by a semicolon (;).
Example: 0 issue "comodoca.com; account=12345"
Where tag = issue
The domain name of the certification authority authorized to issue a certificate for the domain name or sub-domain at which the record is published.
Example: example.com. CAA 0 issue "comodoca.com"
To forbid every certification authority from issuing a certificate for the domain name or sub-domain at which the record is published, use a semicolon (;) in place of the certification authority's domain name.
Example: example.com. CAA 0 issue ";"
Where tag = issuewild
Same as when tag = issue, except that the rule applies to wildcard certificates.
Example: example.com. CAA 0 issuewild "comodoca.com"
Example: example.com. CAA 0 issuewild ";"
Where tag = iodef
The e-mail address ("mailto:abuse@example.com") or URL ("http(s)://URL") that the certification authority must use to report an unauthorized request for a certificate for the domain name or sub-domain at which the record is published.
Example: example.com. CAA 0 iodef "mailto:abuse@example.com"
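As an added illustration (example code written for this post, not Zilore's own or a CA's implementation), the following Python evaluates the rules described above from a CA's point of view: a critical flag on an unknown tag forbids issuance, issuewild governs wildcard requests when present and issue otherwise, ";" authorizes nobody, and additional "key=value" parameters after the semicolon are ignored when matching the CA domain. Where the post is silent (no issue or issuewild property present at all), it assumes the RFC 6844 behaviour that issuance is unrestricted; the record texts are constructed sample data.

```python
"""Evaluate whether a CA may issue under a set of CAA records (constructed example)."""
import re
from dataclasses import dataclass

# Accepts both the zone-file form 'example.com. CAA 0 issue "comodoca.com"'
# and the bare rdata form '0 issue "comodoca.com"'.
CAA_RE = re.compile(r'^(?:\S+\s+CAA\s+)?(\d{1,3})\s+(\S+)\s+"([^"]*)"\s*$')

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # Most significant bit of the 8-bit flags field (128) is Issuer Critical.
        return bool(self.flags & 0x80)

    @property
    def issuer(self) -> str:
        # The CA domain is the text before the first ';'; anything after it is
        # CA-specific parameters such as "account=12345". ";" alone yields "".
        return self.value.split(";", 1)[0].strip().lower()


def parse_caa(text: str) -> CAARecord:
    m = CAA_RE.match(text.strip())
    if not m or int(m.group(1)) > 255:
        raise ValueError(f"malformed CAA record: {text!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))


def may_issue(records, ca_domain: str, wildcard: bool = False) -> bool:
    """Return True if ca_domain is permitted to issue for the owner of these records."""
    recs = [r if isinstance(r, CAARecord) else parse_caa(r) for r in records]
    # An unrecognized tag with the critical flag set means: do not issue.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in recs):
        return False
    # issuewild applies only to wildcard requests and only when present;
    # otherwise the issue property governs both kinds of request.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in recs) else "issue"
    relevant = [r for r in recs if r.tag == tag]
    if not relevant:
        return True  # assumption beyond the post: no property present, no restriction
    # A value of ";" has an empty issuer and therefore authorizes no CA.
    return ca_domain.lower() in {r.issuer for r in relevant if r.issuer}
```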
You can view the CAA records published for a domain name with dig, for example: dig zilore.com caa
Zilore Team.