Function trust_dns_proto::rr::rdata::caa::read_issuer

source · [−]

pub fn read_issuer(bytes: &[u8]) -> ProtoResult<(Option<Name>, Vec<KeyValue>)>

Expand description

Reads the issuer field according to the spec

RFC 6844, DNS Certification Authority Authorization, January 2013

5.2.  CAA issue Property

   The issue property tag is used to request that certificate issuers
   perform CAA issue restriction processing for the domain and to grant
   authorization to specific certificate issuers.

   The CAA issue property value has the following sub-syntax (specified
   in ABNF as per [RFC5234]).

   issuevalue  = space [domain] space [";" *(space parameter) space]

   domain = label *("." label)
   label = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))

   space = *(SP / HTAB)

   parameter =  tag "=" value

   tag = 1*(ALPHA / DIGIT)

   value = *VCHAR

   For consistency with other aspects of DNS administration, domain name
   values are specified in letter-digit-hyphen Label (LDH-Label) form.

   A CAA record with an issue parameter tag that does not specify a
   domain name is a request that certificate issuers perform CAA issue
   restriction processing for the corresponding domain without granting
   authorization to any certificate issuer.

   This form of issue restriction would be appropriate to specify that
   no certificates are to be issued for the domain in question.

   For example, the following CAA record set requests that no
   certificates be issued for the domain 'nocerts.example.com' by any
   certificate issuer.

   nocerts.example.com       CAA 0 issue ";"

   A CAA record with an issue parameter tag that specifies a domain name
   is a request that certificate issuers perform CAA issue restriction
   processing for the corresponding domain and grants authorization to
   the certificate issuer specified by the domain name.

   For example, the following CAA record set requests that no
   certificates be issued for the domain 'certs.example.com' by any
   certificate issuer other than the example.net certificate issuer.

   certs.example.com       CAA 0 issue "example.net"

   CAA authorizations are additive; thus, the result of specifying both
   the empty issuer and a specified issuer is the same as specifying
   just the specified issuer alone.

   An issuer MAY choose to specify issuer-parameters that further
   constrain the issue of certificates by that issuer, for example,
   specifying that certificates are to be subject to specific validation
   polices, billed to certain accounts, or issued under specific trust
   anchors.

   The semantics of issuer-parameters are determined by the issuer
   alone.

Updated parsing rules:

RFC 6844bis, CAA Resource Record, May 2018 RFC 6844, CAA Record Extensions, May 2018

This explicitly allows - in key names, diverging from the original RFC. To support this, key names will allow - as non-starting characters. Additionally, this significantly relaxes the characters allowed in the value to allow URL like characters (it does not validate URL syntax).