RRPproxy Homepage

Example: Using KeyDNS as Primary and a own Nameserver as Secondary

CAA records

KeyDNS can now manage CAA records, both via the API and in the RRPproxy web interface.

The purpose of the CAA (Certification Authority Authorization) record is to let domain owners specify which certificate authorities (CAs) are allowed to issue an SSL certificate for a domain. If no CAA record is present, any CA is allowed to issue a certificate for the domain. If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that host name. Setting a CAA record is therefore optional for customers, but checking it is mandatory for certificate authorities.

For reference: RFC 6844 for CAA records

API Command Examples

Allow the Certificate Authority Symantec to issue SSL certificates for example.com:

Command

command = adddnszone
dnszone = example.com
rr0 = @ IN CAA 0 issue symantec.com

Allow the Certificate Authority Symantec to issue SSL wildcard certificates for example.com:

Command

command = modifydnszone
dnszone = example.com
rr0 = @ IN CAA 0 issuewild symantec.com

Allow the Certificate Authority Symantec to issue SSL wildcard certificates for example.com, but disallow single domain SSL certificates:

Command

command = modifydnszone
dnszone = example.com
rr0 = @ IN CAA 0 issue ";"
rr1 = @ IN CAA 0 issuewild symantec.com
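
How a CA's check treats the `issue` and `issuewild` records from the commands above, as an added Python example (not RRPproxy code) following the CAA processing rules in the RFC referenced earlier. It assumes the list passed in is already the complete CAA record set for the host name (no DNS lookup or parent-domain search); the function names and `other-ca.example` are hypothetical.

```python
import shlex

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit

def parse_rr(line):
    """Parse '@ IN CAA <flags> <tag> <value>' as written in an rrN parameter."""
    fields = shlex.split(line)  # also strips the quotes around ";"
    if len(fields) != 6 or [f.upper() for f in fields[1:3]] != ["IN", "CAA"]:
        raise ValueError(f"not a CAA record: {line!r}")
    return int(fields[3]), fields[4].lower(), fields[5]

def issuer_domain(value):
    """'ca.example; param=x' -> 'ca.example'; a bare ';' -> '' (matches no CA)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(rrset, ca_domain, wildcard=False):
    """Hypothetical helper: may the CA identified by ca_domain issue?"""
    records = [parse_rr(r) for r in rrset]
    # An unrecognised tag with the critical bit set forbids issuance.
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [issuer_domain(v) for _, t, v in records if t == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in records if t == "issuewild"]
    # issuewild only applies to wildcard requests, where it overrides issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # nothing restricts this kind of request
    return ca_domain.lower() in relevant

# Constructed sample: the issue ";" + issuewild zone from the command above.
PAGE_POLICY = ['@ IN CAA 0 issue ";"', "@ IN CAA 0 issuewild symantec.com"]

if __name__ == "__main__":
    for ca, wild in [("symantec.com", True), ("symantec.com", False),
                     ("other-ca.example", True)]:
        print(ca, "wildcard" if wild else "single", may_issue(PAGE_POLICY, ca, wild))
```

A zone that carries only an `issuewild` record places no restriction on non-wildcard certificates, which is why the command above pairs it with `issue ";"`.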

Define email address to send incident reports to:

Command

command = modifydnszone
dnszone = example.com
rr0 = @ IN CAA 0 iodef mailto:info@example.com

Define URL to send incident reports to:

Command

command = modifydnszone
dnszone = example.com
rr0 = @ IN CAA 0 iodef http://www.example.com/script.php

Note

There is currently no standard format for receiving incident reports, and reporting might not be supported by all Certificate Authorities.

Certificate Authorities offered at RRPproxy

Certificate Authority used by our RRPproxy hosting (HOMER)
