pub fn read_issuer(bytes: &[u8]) -> Result<(Option<Name>, Vec<KeyValue>), ProtoError>
Reads the issuer field according to the spec: RFC 8659, DNS Certification Authority Authorization, November 2019, and errata 7139.
4.2. CAA issue Property
If the issue Property Tag is present in the Relevant RRset for an
FQDN, it is a request that Issuers:
1. Perform CAA issue restriction processing for the FQDN, and
2. Grant authorization to issue certificates containing that FQDN to
the holder of the issuer-domain-name or a party acting under the
explicit authority of the holder of the issuer-domain-name.
The CAA issue Property Value has the following sub-syntax (specified
in ABNF as per [RFC5234]).
issue-value = *WSP [issuer-domain-name *WSP]
[";" *WSP [parameters *WSP]]
issuer-domain-name = label *("." label)
label = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))
parameters = (parameter *WSP ";" *WSP parameters) / parameter
parameter = parameter-tag *WSP "=" *WSP parameter-value
parameter-tag = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))
parameter-value = *(%x21-3A / %x3C-7E)
For consistency with other aspects of DNS administration, FQDN values
are specified in letter-digit-hyphen Label (LDH-Label) form.
The following CAA RRset requests that no certificates be issued for
the FQDN "certs.example.com" by any Issuer other than ca1.example.net
or ca2.example.org.
certs.example.com CAA 0 issue "ca1.example.net"
certs.example.com CAA 0 issue "ca2.example.org"
Because the presence of an issue Property Tag in the Relevant RRset
for an FQDN restricts issuance, FQDN owners can use an issue Property
Tag with no issuer-domain-name to request no issuance.
For example, the following RRset requests that no certificates be
issued for the FQDN "nocerts.example.com" by any Issuer.
nocerts.example.com CAA 0 issue ";"
An issue Property Tag where the issue-value does not match the ABNF
grammar MUST be treated the same as one specifying an empty
issuer-domain-name. For example, the following malformed CAA RRset
forbids issuance:
malformed.example.com CAA 0 issue "%%%%%"
CAA authorizations are additive; thus, the result of specifying both
an empty issuer-domain-name and a non-empty issuer-domain-name is the
same as specifying just the non-empty issuer-domain-name.
An Issuer MAY choose to specify parameters that further constrain the
issue of certificates by that Issuer -- for example, specifying that
certificates are to be subject to specific validation policies,
billed to certain accounts, or issued under specific trust anchors.
For example, if ca1.example.net has requested that its customer
account.example.com specify their account number "230123" in each of
the customer's CAA records using the (CA-defined) "account"
parameter, it would look like this:
account.example.com CAA 0 issue "ca1.example.net; account=230123"
The semantics of parameters to the issue Property Tag are determined
by the Issuer alone.
Updated parsing rules:
RFC8659 Canonical presentation form and ABNF
This explicitly allows `-` in property tags, diverging from the original RFC. To support this, property tags will allow `-` as non-starting characters. Additionally, this significantly relaxes the characters allowed in the value to allow URL-like characters (it does not validate URL syntax).
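As an added example, not hickory-proto's read_issuer and not code from the page or the RFC: a stand-alone parser for the issue-value sub-syntax quoted above, applying the rule that a value which does not match the grammar is treated as an empty issuer-domain-name, plus the additive authorization check across an RRset. It follows the RFC 8659 ABNF strictly rather than the relaxed value rules described for read_issuer; the case-insensitive comparison of issuer-domain-names is an assumption.

```rust
/// Parsed form of a CAA `issue` property value (RFC 8659 section 4.2).
#[derive(Debug, PartialEq)]
pub struct IssueValue {
    pub issuer: Option<String>,        // None when the issuer-domain-name is empty
    pub params: Vec<(String, String)>, // (parameter-tag, parameter-value) pairs
}
const WSP: &[char] = &[' ', '\t']; // ABNF WSP = SP / HTAB

/// label / parameter-tag = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))
fn is_ldh_label(s: &str) -> bool {
    let alnum = |c: char| c.is_ascii_alphanumeric();
    !s.is_empty() && s.starts_with(alnum) && s.ends_with(alnum) && s.chars().all(|c| alnum(c) || c == '-')
}
/// parameter-value = *(%x21-3A / %x3C-7E): printable ASCII without SP or ";"
fn is_parameter_value(s: &str) -> bool {
    s.bytes().all(|b| (0x21..=0x3a).contains(&b) || (0x3c..=0x7e).contains(&b))
}
/// Returns None when `raw` does not match the issue-value grammar.
pub fn parse_issue_value(raw: &str) -> Option<IssueValue> {
    // issue-value = *WSP [issuer-domain-name *WSP] [";" *WSP [parameters *WSP]]
    let (issuer_part, params_part) = match raw.split_once(';') {
        Some((i, p)) => (i.trim_matches(WSP), Some(p.trim_matches(WSP))),
        None => (raw.trim_matches(WSP), None),
    };
    let issuer = match issuer_part {
        "" => None,
        name if name.split('.').all(is_ldh_label) => Some(name.to_string()),
        _ => return None,
    };
    let mut params = Vec::new();
    // parameters = (parameter *WSP ";" *WSP parameters) / parameter: empty items are invalid
    for item in params_part.filter(|p| !p.is_empty()).into_iter().flat_map(|p| p.split(';')) {
        // parameter = parameter-tag *WSP "=" *WSP parameter-value
        let (tag, value) = item.trim_matches(WSP).split_once('=')?;
        let (tag, value) = (tag.trim_matches(WSP), value.trim_matches(WSP));
        if !is_ldh_label(tag) || !is_parameter_value(value) { return None; }
        params.push((tag.to_string(), value.to_string()));
    }
    Some(IssueValue { issuer, params })
}

/// RFC 8659: a value not matching the grammar MUST be treated like an empty issuer-domain-name.
pub fn effective_issuer(raw: &str) -> Option<String> {
    parse_issue_value(raw).and_then(|v| v.issuer)
}
/// Authorizations are additive: `ca` may issue if any record of the Relevant RRset names it.
/// Case-insensitive comparison of the issuer-domain-name is an assumption of this example.
pub fn issuer_authorized(issue_values: &[&str], ca: &str) -> bool {
    issue_values.iter().filter_map(|v| effective_issuer(v)).any(|d| d.eq_ignore_ascii_case(ca))
}
```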