[−][src]Struct trust_dns_proto::rr::rdata::caa::CAA
The CAA RR Type
RFC 6844, DNS Certification Authority Authorization, January 2013
3. The CAA RR Type
A CAA RR consists of a flags byte and a tag-value pair referred to as
a property. Multiple properties MAY be associated with the same
domain name by publishing multiple CAA RRs at that domain name. The
following flag is defined:
Issuer Critical: If set to '1', indicates that the corresponding
property tag MUST be understood if the semantics of the CAA record
are to be correctly interpreted by an issuer.
Issuers MUST NOT issue certificates for a domain if the relevant
CAA Resource Record set contains unknown property tags that have
the Critical bit set.
The following property tags are defined:
issue <Issuer Domain Name> [; <name>=<value> ]* : The issue property
entry authorizes the holder of the domain name <Issuer Domain
Name> or a party acting under the explicit authority of the holder
of that domain name to issue certificates for the domain in which
the property is published.
issuewild <Issuer Domain Name> [; <name>=<value> ]* : The issuewild
property entry authorizes the holder of the domain name <Issuer
Domain Name> or a party acting under the explicit authority of the
holder of that domain name to issue wildcard certificates for the
domain in which the property is published.
iodef <URL> : Specifies a URL to which an issuer MAY report
certificate issue requests that are inconsistent with the issuer's
Certification Practices or Certificate Policy, or that a
Certificate Evaluator may use to report observation of a possible
policy violation. The Incident Object Description Exchange Format
(IODEF) format is used [RFC5070].
The following example is a DNS zone file (see [RFC1035]) that informs
CAs that certificates are not to be issued except by the holder of
the domain name 'ca.example.net' or an authorized agent thereof.
This policy applies to all subordinate domains under example.com.
$ORIGIN example.com
. CAA 0 issue "ca.example.net"
If the domain name holder specifies one or more iodef properties, a
certificate issuer MAY report invalid certificate requests to that
address. In the following example, the domain name holder specifies
that reports may be made by means of email with the IODEF data as an
attachment, a Web service [RFC6546], or both:
$ORIGIN example.com
. CAA 0 issue "ca.example.net"
. CAA 0 iodef "mailto:security@example.com"
. CAA 0 iodef "http://iodef.example.com/"
A certificate issuer MAY specify additional parameters that allow
customers to specify additional parameters governing certificate
issuance. This might be the Certificate Policy under which the
certificate is to be issued, the authentication process to be used
might be specified, or an account number specified by the CA to
enable these parameters to be retrieved.
For example, the CA 'ca.example.net' has requested its customer
'example.com' to specify the CA's account number '230123' in each of
the customer's CAA records.
$ORIGIN example.com
. CAA 0 issue "ca.example.net; account=230123"
The syntax of additional parameters is a sequence of name-value pairs
as defined in Section 5.2. The semantics of such parameters is left
to site policy and is outside the scope of this document.
The critical flag is intended to permit future versions CAA to
introduce new semantics that MUST be understood for correct
processing of the record, preventing conforming CAs that do not
recognize the new semantics from issuing certificates for the
indicated domains.
In the following example, the property 'tbs' is flagged as critical.
Neither the example.net CA nor any other issuer is authorized to
issue under either policy unless the processing rules for the 'tbs'
property tag are understood.
$ORIGIN example.com
. CAA 0 issue "ca.example.net; policy=ev"
. CAA 128 tbs "Unknown"
Note that the above restrictions only apply at certificate issue.
Since the validity of an end entity certificate is typically a year
or more, it is quite possible that the CAA records published at a
domain will change between the time a certificate was issued and
validation by a relying party.
Methods
impl CAA
[src]
pub fn new_issue(
issuer_critical: bool,
name: Option<Name>,
options: Vec<KeyValue>
) -> Self
[src]
issuer_critical: bool,
name: Option<Name>,
options: Vec<KeyValue>
) -> Self
Creates a new CAA issue record data, the tag is issue
Arguments
issuer_critical
- indicates that the corresponding property tag MUST be understood if the semantics of the CAA record are to be correctly interpreted by an issuername
- authorized to issue certificates for the associated record labeloptions
- additional options for the issuer, e.g. 'account', etc.
pub fn new_issuewild(
issuer_critical: bool,
name: Option<Name>,
options: Vec<KeyValue>
) -> Self
[src]
issuer_critical: bool,
name: Option<Name>,
options: Vec<KeyValue>
) -> Self
Creates a new CAA issue record data, the tag is issuewild
Arguments
issuer_critical
- indicates that the corresponding property tag MUST be understood if the semantics of the CAA record are to be correctly interpreted by an issuername
- authorized to issue certificates for the associated record labeloptions
- additional options for the issuer, e.g. 'account', etc.
pub fn new_iodef(issuer_critical: bool, url: Url) -> Self
[src]
Creates a new CAA issue record data, the tag is iodef
Arguments
issuer_critical
- indicates that the corresponding property tag MUST be understood if the semantics of the CAA record are to be correctly interpreted by an issuerurl
- Url where issuer errors should be reported
Panics
If value
is not Value::Issuer
pub fn issuer_critical(&self) -> bool
[src]
Indicates that the corresponding property tag MUST be understood if the semantics of the CAA record are to be correctly interpreted by an issuer
pub fn tag(&self) -> &Property
[src]
The property tag, see struct documentation
pub fn value(&self) -> &Value
[src]
a potentially associated value with the property tag, see struct documentation
Trait Implementations
impl PartialEq<CAA> for CAA
[src]
impl Clone for CAA
[src]
fn clone(&self) -> CAA
[src]
fn clone_from(&mut self, source: &Self)
1.0.0[src]
Performs copy-assignment from source
. Read more
impl Eq for CAA
[src]
impl Debug for CAA
[src]
impl Hash for CAA
[src]
Auto Trait Implementations
Blanket Implementations
impl<T> From<T> for T
[src]
impl<T> ToOwned for T where
T: Clone,
[src]
T: Clone,
type Owned = T
The resulting type after obtaining ownership.
fn to_owned(&self) -> T
[src]
fn clone_into(&self, target: &mut T)
[src]
impl<T, U> Into<U> for T where
U: From<T>,
[src]
U: From<T>,
impl<T, U> TryFrom<U> for T where
U: Into<T>,
[src]
U: Into<T>,
type Error = Infallible
The type returned in the event of a conversion error.
fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>
[src]
impl<T, U> TryInto<U> for T where
U: TryFrom<T>,
[src]
U: TryFrom<T>,
type Error = <U as TryFrom<T>>::Error
The type returned in the event of a conversion error.
fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>
[src]
impl<T> Borrow<T> for T where
T: ?Sized,
[src]
T: ?Sized,
impl<T> BorrowMut<T> for T where
T: ?Sized,
[src]
T: ?Sized,
fn borrow_mut(&mut self) -> &mut T
[src]
impl<T> Any for T where
T: 'static + ?Sized,
[src]
T: 'static + ?Sized,