Certification Authority Authorization (CAA) Validation for IP AddressesISRGroland@letsencrypt.org
General
The Certification Authority Authorization (CAA) RFC specifies a method for users
to restrict which Certificate Authorities (CAs) are authorized to issue certificates
for their DNS domain names. This document extends that specification to provide
a method for holders of IP addresses to do the same.This document describes an extension to RFC 6844 which allows for
the use of Certification Authority Authorization DNS Records to be used to
restrict issuance of certificates to IP addresses instead of just DNS names.
This is done by defining a new lookup mechanism for IPv4 and IPv6 addresses
as previously a mechanism only existed for DNS names.In this document, the key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL
NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” are to be
interpreted as described in BCP 14, RFC 2119 .Before issuing a certificate containing a IP address a compliant CA MUST check
for the relevant CAA Resource Record set. If such a record set exists a CA MUST
NOT issue a certificate unless the records in the set are consistent with the
request and the policies of the CA.A certificate request MAY specify more than one IP address in which case CAs
MUST verify the CA Resource Record set for all the IP addresses specified in
the request.As defined in RFC 2818 IP addresses in certificates must match
exactly with the requested URI so CAs MUST NOT consider CAA records with the
“issuewild” tag to be part of the relevant Resource Record set for a IP
address.Unlike the mechanism defined in RFC 6844 this mechanism doesn’t
involve climbing the DNS tree and only requires querying a single DNS name. The
relevant Resource Record set for a given IP address is found by querying the
reverse mapping zone for the IP for CAA records.Given a certificate request containing the IPv6 address “2001:db8::1” the relevant
query for the reverse mapping within the IP6.ARPA zone would be:And for a request containing the IPv4 address “192.0.2.1” the relevant query for
the reverse mapping within the IN-ADDR.ARPA zone would be:When doing queries CAs SHOULD either use a resolver that chases CNAME records or
manually chase CNAMEs themselves in order to allow for zone delegations .Change the contents of the Meaning column for the “issue” Tag to say
“Authorization Entry by Domain or IP address” and add “draft-shoemaker-caa-ip” to the
References column.Domain names - concepts and facilitiesThis RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them.Key words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Classless IN-ADDR.ARPA delegationThis document describes a way to do IN-ADDR.ARPA delegation on non-octet boundaries for address spaces covering fewer than 256 addresses. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.HTTP Over TLSThis memo describes how to use Transport Layer Security (TLS) to secure Hypertext Transfer Protocol (HTTP) connections over the Internet. This memo provides information for the Internet community.DNS Extensions to Support IP Version 6This document defines the changes that need to be made to the Domain Name System (DNS) to support hosts running IP version 6 (IPv6). The changes include a resource record type to store an IPv6 address, a domain to support lookups based on an IPv6 address, and updated definitions of existing query types that return Internet addresses as part of additional section processing. The extensions are designed to be compatible with existing applications and, in particular, DNS implementations themselves. [STANDARDS-TRACK]DNS Certification Authority Authorization (CAA) Resource RecordThe Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain. CAA Resource Records allow a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue. This document defines the syntax of the CAA record and rules for processing CAA records by certificate issuers. [STANDARDS-TRACK]