Function trust_dns_proto::rr::rdata::caa::read_issuer
Reads the issuer field according to the spec
RFC 6844, DNS Certification Authority Authorization, January 2013
5.2. CAA issue Property
The issue property tag is used to request that certificate issuers
perform CAA issue restriction processing for the domain and to grant
authorization to specific certificate issuers.
The CAA issue property value has the following sub-syntax (specified
in ABNF as per [RFC5234]).
issuevalue = space [domain] space [";" *(space parameter) space]
domain = label *("." label)
label = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))
space = *(SP / HTAB)
parameter = tag "=" value
tag = 1*(ALPHA / DIGIT)
value = *VCHAR
For consistency with other aspects of DNS administration, domain name
values are specified in letter-digit-hyphen Label (LDH-Label) form.
A CAA record with an issue parameter tag that does not specify a
domain name is a request that certificate issuers perform CAA issue
restriction processing for the corresponding domain without granting
authorization to any certificate issuer.
This form of issue restriction would be appropriate to specify that
no certificates are to be issued for the domain in question.
For example, the following CAA record set requests that no
certificates be issued for the domain 'nocerts.example.com' by any
certificate issuer.
nocerts.example.com CAA 0 issue ";"
A CAA record with an issue parameter tag that specifies a domain name
is a request that certificate issuers perform CAA issue restriction
processing for the corresponding domain and grants authorization to
the certificate issuer specified by the domain name.
For example, the following CAA record set requests that no
certificates be issued for the domain 'certs.example.com' by any
certificate issuer other than the example.net certificate issuer.
certs.example.com CAA 0 issue "example.net"
CAA authorizations are additive; thus, the result of specifying both
the empty issuer and a specified issuer is the same as specifying
just the specified issuer alone.
An issuer MAY choose to specify issuer-parameters that further
constrain the issue of certificates by that issuer, for example,
specifying that certificates are to be subject to specific validation
policies, billed to certain accounts, or issued under specific trust
anchors.
The semantics of issuer-parameters are determined by the issuer
alone.
Updated parsing rules:
RFC 6844bis, CAA Resource Record, May 2018
RFC 6844, CAA Record Extensions, May 2018
This explicitly allows `-` in key names, diverging from the original RFC. To support this, key names will
allow `-` as a non-starting character. Additionally, this significantly relaxes the characters allowed in the value
to allow URL-like characters (it does not validate URL syntax).