| Internet-Draft | CATALOG: CAA DNS RR CT Log URI Binding | June 2025 |
| Weidner | Expires 5 December 2025 | [Page] |
This document proposes an extension to the Certification Authority Authorization (CAA) DNS Resource Record (RR) that enables the mandatory or optional binding of Certificate Transparency (CT) Log URIs directly within DNS. By embedding CT-Log endpoints in CAA RR, Certification Authorities (CAs) gain a standardized, discoverable mechanism for retrieving preferred and permitted CT-Log endpoint information, thereby enhancing the security and auditability of X.509 TLS certificate issuance. The extension defines the syntax and semantics for a new CAA property tag, "issuect", and introduces a parameter set consisting of "desc", "critical", "validfrom", "validtill", "cturi", "logid", and "pubkey". It outlines validation and processing rules, discusses deployment considerations, privacy implications, and interoperability with existing DNS, CA, and CT infrastructures. Additionally, the draft proposes an MTA-STS-like hardening mechanism, called CAA-CT-STS, for the new property to further strengthen the PKI ecosystem. Finally, it introduces the recursive acronym CATALOG (CATALOG Authorization Transparency And Log Overlay for Graph-based DNS) as a mnemonic for the overall extension framework.¶
TO BE REMOVED: This document is being collaborated on in Gitea at: https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git [1] The most recent working version of this document, open issues, and related resources are available there. The author gratefully accepts pull requests. The author's PGP key is available at: 7A83 41E5 F157 0319 D80F 4418 A11E 8851 9A3D 8CF6 [2].¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 5 December 2025.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Certification Authority Authorization (CAA) [RFC8659] RRs empower domain owners to specify, via DNS [RFC1035], which Certificate Authorities (CAs) in a Public Key Infrastructure [RFC5280] may or may not issue Certificates for their domains.¶
Similarly, the CAA RR Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding [RFC8657] extend the CAA grammar to introduce additional parameters for CAA RRs. These extensions enable or disable specified validation methods and bind a domain to specific accounts authorized to submit Certificate Signing Requests (CSRs) and retrieve end-entity Certificates.¶
Additionally, the Certification Authority Authorization (CAA) processing for Email Addresses [RFC9495] extends the established CAA RR mechanism by introducing a new property, "issuemail", to apply CAA controls to the issuance of S/MIME [RFC8551] Certificates.¶
Furthermore, Certificate Transparency (CT) Version 1 [RFC6962] (still in use), and Certificate Transparency (CT) Version 2 [RFC9162] (which obsoletes RFC6962), provide public, append-only ledgers of issued certificates, enabling domain owners and relying parties to detect misissuance.¶
Currently, there is no standardized, discoverable mechanism in DNS for a domain owner to declare, which Certificate Transparency (CT) Logs must or may record its Certificates. As a result, CAs rely on out-of-band configurations or hard-coded lists, increasing operational complexity and expanding the attack surface.¶
This extension introduces a new CAA Property Tag, "issuect", Section 3, with the following parameters: "critical", "desc", "validfrom", "validtill", "cturi", "logid", and "pubkey". Domain owners can embed as many CT-Log endpoints directly in their DNS zones. Each CAA "issuect" RR names a single URI for log submission and retrieval, specifies the time window during which whitelisted CAs may or must submit entries, and enumerates the authorized CT-Logs Public Keys. Because "issuect" lives alongside existing CAA tags in a DNSSEC [RFC9364] protected zone CAs can discover, validate, and enforce CT-Log policies without additional out-of-band trust anchors. To enforce secure-by-default behavior, "issuect" supports explicit whitelisting combined with default-deny semantics. Domain owners list only approved CT-Logs; any CT-Log not so listed is implicitly excluded. Furthermore, a special blacklist flag can be set, preventing all CT-Log operations unless explicitly permitted. An optional critical flag (when true) mandates that no Certificate may be issued without being logged to the specified CT-Log endpoint. These dual mechanisms guard against accidental use of unvetted logs, and mitigate risks from CT-Log Operator compromise, preventing downgrade or surprise attacks.¶
Google, for instance, maintains a publicly available "List of Trustworthy CT-Log Operators", CT-Truststore, including its Known CT-Logs [3], and a JSON list of Logs compliant with Chrome's CT Policy [4]. Apple similarly publishes its own CT-Truststore, detailed in its Certificate Transparency Policy [5], and a JSON list of Logs meeting Apple's CT requirements [6].¶
By republishing and allowlisting selected entries from these audited CT-Log lists, and any future community-maintained CT-Truststore, within the same DNS zone that hosts a domain's CAA RRs, domain owners gain a single, authoritative repository for:¶
Embedding curated CT-Log trust anchors directly in DNS consolidates trust management, reduces external dependencies for CAs, minimizes lookup latency, preserves privacy by limiting out-of-band queries, and surfaces misconfigurations or tampering at DNSSEC validation time.¶
CAA-CT-STS, Section 4, is a policy framework that combines the mechanisms of CAA, CT, and MTA-STS by which a domain holder can publish Certificate-Transparency enforcement requirements alongside CA Authorization (CAA) over a second secured channel. It mirrors the approach of SMTP MTA-STS [RFC8461], using DNS TXT RR, a specific subdomain and an HTTPS only served policy file. A special DNS TXT record "_caa-ct-sts" Section 4.1.1 lets clients discover the existence and version of the policy, and a policy file, retrieved from "https://caa-ct-sts.<domain>/.well-known/caa-ct-sts.txt", contains structured rules in a canonical key:value format. The before mentioned section defines the discovery mechanism, DNS TXT RR and policy format (with ABNF), and procedures for fetching, validating, and applying CAA-CT-STS policies.¶
Lastly, practical aspects such as a CA Processing Checklist, Appendix A, caching behavior Appendix E, and fallback, Section 6.1.1, strategies for non-DNSSEC zones are addressed. Throughout this document, the framework is referred to by the recursive acronym CATALOG (CATALOG Authorization Transparency And Log Overlay for Graph-based DNS).¶
The following sections specify the complete syntax and semantics of both of the CAA "issuect" Property Tag, Section 3, and CAA-CT-STS framework, Section 4, detail processing rules for CAs and resolvers for both of the CAA "issuect" Property Tag, Section 3.2, and CAA-CT-STS, Section 4.2, framework.¶
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119], [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
| CA | Certification Authority | An Issuer that issues Certificates in accordance with a specified Certificate Policy (CP). |
| CAA | Certification Authority Authorization | Allows a DNS domain name holder to specify one or more CAs authorized to issue Certificates for that domain name. See: [RFC8657], [RFC8659]. |
| CAA-CT-STS | CAA Certificate Transparency Strict Transport Security | CAA-CT-STS is a policy framework, by which a domain holder can publish Certificate-Transparency enforcement requirements alongside CA authorization (CAA). See: Section 4. |
| CAA-CT-STS Policy | CAA-CT-STS Policy File | The set of rules fetched via HTTPS from the Policy Domains "/.well-known/caa-ct-sts.txt". See: Section 4.1.3. |
| CATALOG | CATALOG Authorization Transparency And Log Overlay for Graph-based DNS | A Proposal to enrich DNS-based CAA RRs with Certificate Transparency URI bindings. This document: [URI1]. |
| CA-TS | Certification Authority Truststore | A CA-TS is the set of root certificates from Certificate Authorities that a platform (e.g., Mozilla, Apple, Microsoft, or the Java runtime) pre-loads and implicitly trusts when TLS Certificates are validated. It defines, which CAs are accepted by default and is maintained through regular audits and policy checks to remove or distrust any CA that fails to meet security or operational requirements. |
| CP | Certificate Policy | Specifies the criteria that a CA undertakes to meet in its issue of Certificates. See: [RFC3647]. |
| CPS | Certification Practices Statement | Specifies the means by which the criteria of the CP are met. In most cases, this will be the document against which the operations of the CA are audited. See: [RFC3647]. |
| CT | Certification Transparency | Certificate Transparency aims to mitigate the problem of misissued Certificates by providing append-only logs of issued Certificates. See: [RFC6962], [RFC9162]. |
| CT-TS | Certificate Transparency Truststore | A Certificate Transparency Truststore is a curated whitelist of public Certificate Transparency Logs, maintained primarily by Apple and Google, that are accepted as valid append-only repositories for issued TLS certificates. By requiring certificates to be submitted to one of these approved logs, the CT-TS ensures how could be verified that a Certificate has been publicly recorded, making misissuance or hidden Certificates easier to detect. |
| DANE | DNS-Based Authentication of Named Entities | TLSA RRs associate a Certificate or a public key of an end-entity or a trusted issuing authority with the corresponding Transport Layer Security (TLS) [RFC5246] or Datagram Transport Layer Security (DTLS) [RFC6347] transport endpoint. See: [RFC6698], [RFC7671]. |
| DNS | Domain Name System | The Internet naming system specified in [RFC1034], [RFC1035], [RFC9499], and any revisions to these specifications. |
| DNSSEC | DNS Security Extensions | Extensions to the DNS that provide authentication services as specified in [RFC4033], [RFC4034], [RFC4035], [RFC5155], [RFC9364], and any revisions to these specifications. |
| DT | DNSSEC DS RR Transparency | DNSSEC Transparency applies the Certificate Transparency model to DNSSEC by logging every Delegation Signer (DS) RR in an append-only Merkle tree, enabling cryptographic proofs of inclusion and consistent auditing of DNSSEC key delegations. This ensures that any unauthorized or missing DS updates become publicly detectable, strengthening trust in the DNS delegation chain. (This is still in the early stages of development before a first I-D is released.) |
| MTA-STS | SMTP MTA Strict Transport Security | SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections [RFC8461]. |
| RR | DNS Resource Record | A particular entry in the DNS, including the owner name, class, type, time to live, and data, as defined in [RFC1034], [RFC2181]. |
All syntax introduced in this draft is strictly in accordance with the CAA RR framework defined in [RFC8659], and [RFC8657] when and only when NOT stated otherwise.¶
This document defines the CAA "issuect" Property Tag.¶
The presence of one or more CAA "issuect" Properties in the relevant CAA Resource Record Set (RRSet) indicates that the domain is requesting that Certification Authorities restrict the submission of Certificates to specified Certification Transparency Logs only.¶
The CAA "issuect" Property Tag has the following sub-syntax (specified in ABNF as per [RFC5234]).¶
The production rules for¶
are defined in Appendix B.1 of [RFC5234].¶
In addition, absolute-URI is defined in Section 4.3 of [RFC3986].¶
ALPHA = %x41-5A / %x61-7A ; A-Z / a-z
DIGIT = %x30-39 ; 0-9
SP = %x20 ; SPACE
DQUOTE = %x22 ; "
HEXDIG = DIGIT / %x41-46 / %x61-66 ; 0-9 / A-F / a-f
issuect-property = "issuect" SP DQUOTE issuect-value DQUOTE
issuect-value = issuer-domain-name ";" SP
critical-param ";" SP
desc-param ";" SP
validfrom-param ";" SP
validtill-param ";" SP
cturi-param ";" SP
logid-param ";" SP
pubkey-param ";"
issuer-domain-name = label *("." label)
label = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT) )
critical-param = "critical" "=" ( "true" / "false" )
desc-param = "desc" "=" "'" desc-text "'"
desc-text = *( %x20-26 / %x28-7E ) ; printable ASCII without: '
validfrom-param = "validfrom" "=" date-time
validtill-param = "validtill" "=" date-time
date-time = date "T" time "Z"
date = 4DIGIT "-" 2DIGIT "-" 2DIGIT
time = 2DIGIT ":" 2DIGIT ":" 2DIGIT
cturi-param = "cturi" "=" uri
uri = absolute-URI
logid-param = "logid" "=" "'" b64-string "'"
pubkey-param = "pubkey" "=" "'" b64-string "'"
b64-char = ALPHA / DIGIT / "+" / "/"
b64-string = 1*( b64-char / "=" )
The meanings of each production rule within the issuect-value grammar are as follows:¶
The canonical presentation format of the CAA "issuect" Property Tag is:¶
issuect "<issuer-domain>; <critical>; <description>; <validfrom>; <validtill>; <uri>; <logid>; <pubkey>;"
Whereas¶
The CAA "issuect" Property Tag contains exactly eight elements, which MUST appear in the order listed below. Each element MUST be terminated by a semicolon (;) and a single space, except where noted.¶
Issuer Domain Name¶
The authorized Certification Authority's domain name, in LDH notation (ASCII letters, digits, hyphens), as defined in Section 3.1.¶
critical¶
A boolean flag enforcing mandatory logging.¶
desc¶
A human-readable description of the CT-Log.¶
validfrom¶
The start of the CT-Log acceptance window.¶
validtill¶
The end of the CT-Log acceptance window.¶
cturi¶
The absolute URI for CT-Log submissions and queries.¶
logid¶
The CT-Log's identifier.¶
key¶
The CT-Log's public key.¶
A CAA "issuect" RR containing only the terminating semicolon (;) and no parameters MUST be interpreted as a prohibition on all CT-Log submissions for the specified domain. In other words:¶
issuect ";"
indicates that no CT-Logs may be used. Because CAA authorizations are additive, if multiple CAA "issuect" RRs exist, any non-empty CAA "issuect" RR (with actual parameters) MUST take precedence over an empty one. Thus, the effective set of permitted CT-Logs is the union of all non-empty CAA "issuect" RRs, and an empty CAA "issuect" RR contributes no additional authorizations.¶
Prior to issuing a Certificate, a Certification Authority MUST obtain at least n + 1 unique CAA "issuect" RRs for each CA account, where n is the minimum number of Signed Certificate Timestamps (SCTs) Section 3.2 as per [RFC6962]. The value of n MAY vary based on the requested Certificate's validity period, CT-Log Operator Policies, the CA's CP/CPS, and the CA/Browser Forum Baseline Requirements. The additional "n + 1" RR provides redundancy to tolerate one CT-Log failure or unavailability.¶
Before issuing a Certificate that certifies a domain, the Certification Authority MUST check for the publication of a relevant RRSet. Discovery of the relevant RRSet MUST be performed according to the algorithm specified in Section 3 of [RFC8659]. If the relevant RRSet is empty or does not contain any "issuect" Properties, it is interpreted that the domain owner has not requested any restrictions regarding the submission to specific CT-Logs. If the Certificate certifies multiple domains (for example, in the Subject Alternative Name extension), the Certification Authority MUST perform the above procedure separately for each domain being certified. The presence of an "issuect" Property MUST NOT replace or supersede the required validation of the domain name as specified by the "issue" or "issuewild" Properties in the CAA RRSet, as outlined in the CAA specification [RFC8659]. Certification Authorities MUST still validate authorization according to the CAA "issue" and / or "issuewild" policies. For example, if a CAA issue Property authorizes "CA A" to issue Certificates, but the "issuect" Property references a CT-Log belonging to "CA B", this results in an unsatisfiable configuration. In such cases, issuance MUST NOT proceed. Furthermore, if the "issuect" Parameter Set is incorrectly formatted or contains invalid values, it MUST be treated as non-existent.¶
The internal handling of "issuect" parameters is left to each Certification Authority's implementation and is outside the scope of this document.¶
However, the following requirements MUST be met:¶
ABNF Conformance¶
Malformed RRs¶
CT-Log Policy Enforcement¶
The DNS "_caa-ct-sts" TXT RR is a DNS TXT RR named "_caa-ct-sts" at the Policy domain.¶
It must be encoded in US-ASCII and consists of semicolon-separated key/value pairs. The following fields are defined:¶
The record must begin with the "v="-field. The "id="-field is used by clients to detect policy updates (similar to MTA-STS).¶
If DNS returns multiple "_caa-ct-sts" TXT RR, or if none of them starts with "v=CAACTSTSv1", or if parsing fails, clients MUST assume no CAA-CT-STS policy is available. DNS CNAME RR are allowed: if "_caa-ct-sts" is a CNAME to another "_caa-ct-sts" RR, clients follow the alias (as in MTA-STS).¶
The DNS "_caa-ct-sts" TXT RR content has the following sub-syntax (specified in ABNF as per [RFC7405]):¶
issuect-text-record = issuect-version 1*(issuect-field-delim issuect-field) \
[issuect-field-delim]
issuect-field = issuect-id / issuect-extension
issuect-field-delim = *WSP ";" *WSP
issuect-version = %s"v=CAACTSTSv1"
issuect-id = %s"id=" 1*32(ALPHA / DIGIT)
issuect-extension = issuect-ext-name "=" issuect-ext-value
issuect-ext-name = (ALPHA / DIGIT) *31(ALPHA / DIGIT / "_" / "-" / ".")
issuect-ext-value = 1*(%x21-3A / %x3C / %x3E-7E)
; printable chars excluding "=" ";" and space
This mirrors the MTA-STS TXT ABNF. Clients accept a single TXT string (concatenating fragments if needed) and ignore extra semicolons. The id string has no semantics beyond change detection; it imposes no ordering.¶
Once a "_caa-ct-sts" RR indicates support, the "CAA-CT-STS" policy is fetched via HTTPS contains newline-separated "key:value"-pairs, similar to MTA-STS. The canonical policy fields are:¶
All fields appear as <key>:[space]*<value> on separate lines.¶
The "/.well-known/caa-ct-sts.txt" Policy File has the following sub-syntax (specified in ABNF as per [RFC7405]):¶
ALPHA = %x41-5A / %x61-7A ; A-Z / a-z
DIGIT = %x30-39 ; 0-9
SP = %x20 ; SPACE
DQUOTE = %x22 ; "
SEMICOLON = %x3B ; ";"
LPAREN = %x28 ; "("
RPAREN = %x29 ; ")"
CRLF = %x0D.0A / %x0A ; CRLF or LF
b64-char = ALPHA / DIGIT / "+" / "/"
b64-string = 1*( b64-char / "=" )
date = 4DIGIT "-" 2DIGIT "-" 2DIGIT
time = 2DIGIT ":" 2DIGIT ":" 2DIGIT
date-time = date "T" time "Z"
uri = absolute-URI
issuect-value = issuer-domain-name ";" SP
"critical" "=" ( "true" / "false" ) ";" SP
"desc" "=" "'" desc-text "'" ";" SP
"validfrom" "=" date-time ";" SP
"validtill" "=" date-time ";" SP
"cturi" "=" uri ";" SP
"logid" "=" "'" b64-string "'" ";" SP
"pubkey" "=" "'" b64-string "'" ";"
issuer-domain-name = label *("." label)
label = (ALPHA / DIGIT) *( *( "-" ) (ALPHA / DIGIT) )
desc-text = *( %x20-26 / %x28-7E )
; printable ASCII except apostrophe
;----------------------------------------------------------------------------
; CAA-CT-STS Policy File Grammar
;----------------------------------------------------------------------------
caa-ct-sts-file = *WSP
version-line CRLF
mode-line CRLF
max-age-line CRLF
1*ct-policy-line
*WSP
version-line = "version:" SP "CAACTSTSv1"
max-age-line = "max_age:" SP 1*DIGIT
ct-policy-line = "ct_policy:" SP
LPAREN SP
DQUOTE issuect-value DQUOTE
SP RPAREN
WSP = *( SP / HTAB )
In the above, each policy field occupies an entire line and policy fields may appear in any order. Parsers MUST accept policies that are syntactically valid; unknown fields are treated as extensions and ignored. A policy with no "ct_log" entries (and "mode" not explicitly set to "none") is invalid. See Section TODO for policy validation.¶
The CAA-CT-STS Policy File is fetched via "HTTPS GET" via TLS1.3 [RFC8446], only, from¶
https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
where <domain> is the Policy Domain (e.g., example.com). This follows the well-known URI convention. The Policy Server MUST present a Certificate, that is valid for the "caa-ct-sts" DNS-ID (e.g., "caa-ct-sts.example.com"), chain to a Root CA that is trusted by the Certification Authority, which is asked to issue a new Certificate, as the Certification Authority rely on TLS security for policy integrity. Certification Authorities SHOULD verify that the HTTP Content-Type is "text/plain" (ignoring any parameters); other content types indicate an invalid policy file. Line separators must be either LF or CRLF; the file MUST be US-ASCII or UTF-8 without a byte-order mark. No authentication is performed beyond standard TLS trust. After fetching, Certification Authorities parse the file as above. If the HTTP request fails for whatever reason, (network error, invalid cert, status ≠ 200, or parse error), the policy is considered unavailable or invalid, and Certification Authorities fall back to "no policy". HTTP 3xx redirects MUST NOT be followed, and HTTP caching [RFC7234] MUST NOT be used. A new or updated Policy is identified when its content differs (e.g., a new "id" in DNS or new "version" in the Policy File); while the "max_age" field controls how long a policy may be cached. As in MTA-STS, Certification Authorities SHOULD check for updated policy via DNS before permanently acting on failures.¶
Before use, a retrieved Policy File by a Certification Authority MUST be checked for correct syntax and semantics:¶
If the policy file is malformed or has invalid values, it is rejected (treated as if no policy were present), as with MTA-STS.¶
Lastly the Runtime Processing as described in Section 3.2.3 is applicable, too.¶
The following IANA registration is requested.¶
According to [RFC8126] these information are provided:¶
IANA is asked to assign the property tag "issuect" to this subregistry, documenting its name, ABNF syntax, and reference to this specification.¶
| Tag | Meaning | Reference |
|---|---|---|
| issuect | Authorized CT-Log submission URI | (This document) |
The following IANA registration is requested.¶
According to [RFC8126] these information are provided:¶
IANA is asked to assign the "well-known" URI Suffix "caa-ct-sts.txt" to this registry, whose Change Controller is: IETF¶
| URI Suffix | Reference | Change Controller |
|---|---|---|
| caa-ct-sts.txt | (This document) | IETF |
The following IANA "Registry" registration is requested.¶
According to [RFC8126] these information are provided:¶
IANA is asked to create the before mentioned Registry.¶
| Field name | Description | Reference |
|---|---|---|
| v | Record version | This document |
| id | Policy instance ID | This document |
| Field name | Description | Reference |
|---|---|---|
| version | Policy version | This document |
| mode | Enforcement behavior | This document |
| max_age | Policy lifetime | This document |
| ct_policy | Unique CT-Log property string | This document |
This extension inherits and adapts security considerations from:¶
As an extension of the DNS-based CAA framework, this proposal generally falls within the Internet threat model defined by [RFC3552].¶
This specification augments the CAA RR framework by introducing finer-grained controls over both Certificate issuance and CT-Log submission. Domain owners can now explicitly authorize which CAs may issue Certificates and which CT-Log operators must or may record those Certificates. When used in tandem with compliant CAs and CT-Log operators, "issuect" significantly strengthens the issuance security posture for domains that opt in.¶
Using "critical=true" ensures that no Certificate is ever issued without logging to the specified CT-Log endpoints, preventing accidental or malicious bypass of transparency requirements.¶
By co-locating CT-Log authorization data within DNSSEC-protected CAA RRs, this extension also reduces reliance on out-of-band lists and third-party dependencies, thereby minimizing attack surface and improving resilience against CT-Log Operator compromise.¶
To further harden CAA "issuect" Policy discovery and protect against DNS manipulation, CAs SHOULD implement a CAA-CT-STS HTTPS fallback mechanism. This provides a second, TLS-authenticated channel for retrieving CAA "issuect" Policies directly from the domain owner.¶
The RECOMMENDED multi-stage retrieval process is:¶
By layering these channels, DNSSEC, well-known HTTPS, IP-only HTTPS, and finally ODoH-protected DNS, the CA dramatically reduces the attack surface for policy tampering, while still providing robust fallback when certain transports are unavailable.¶
Advantages: The HTTPS source prevents a DNS attacker from simply replacing or deleting the DNS CAA RR Extension "issuect", they would also have to manipulate the HTTPS connection. If the DNS (CA side) fails, for example, the CA can use this defined backup channel to determine which Logs to use. Since web servers are usually TLS-enabled anyway, the hurdle for domain owners would be relatively low.¶
Disadvantages: The domain owner needs a valid web certificate, which can initially be a "chicken and egg" problem (how does one provide "/.well-known/caa-ct-sts.txt" before one has a Certificate?). In addition, the CA must be configured to perform HTTPS retrieval in the first place, this is not provided for in the current CA/ACME implementations. Another point is that an attacker who is already performing MITM at the network level could manipulate both DNS and HTTPS, (e.g., via a fake Root Certificate), so that even the "/.well-known/caa-ct-sts.txt" approach only provides limited protection. MTA-STS solves this through HSTS and policy caching, among other things. Overall, HTTPS "/.well-known/caa-ct-sts.txt" would therefore be a useful additional measure that could serve as a secondary source of trust, especially in the absence of DNSSEC.¶
Let c be the number of critical CT-Logs and w be the number of whitelisted (non-critical) CT-Logs, then the following expression is strongly RECOMMENDED: |c| ≥ n + 1 ∧ |w| ≤ 2¶
While the "critical=true" flag in the CAA "issuect" Parameter enforces that every Certificate issuance must be logged to all specified CT-Logs, this strict requirement can introduce availability risks: if any one of those CT-Log endpoints becomes temporarily unreachable (maintenance, network partition, DDoS, etc.), the CA, per specification, must reject the Certificate Signing Request. To balance tamper-resistance against operational resilience, it is therefore strongly RECOMMENDED the following guardrails:¶
By embedding n + 1 redundancy and a + 2 non-critical whitelist, this framework simultaneously enforces strong, mandatory CT logging (protecting against malicious or erroneous omission) and maintains the operational flexibility necessary to keep issuance flowing even during intermittent CT-Log outages.¶
This extension empowers domain owners, who already maintain relationships with compliant CAs and CT-Log operators, to impose additional constraints on both Certificate issuance and log submission, provided those parties implement the "issuect" mechanism. It does not strengthen guarantees for any CA or CT-Log operator that does not support this extension: non-conforming entities retain their existing ability to issue Certificates or submit log entries regardless of "issuect" policy. Consequently, domains that authorize only participating CAs and CT-Log operators remain vulnerable to unauthorized issuance or logging by entities that ignore or merely advise upon CAA RRs. Even in DNSSEC-protected zones, the risk of misissuance persists if a CA or CT-Log operator fails to validate CAA RRs via a trusted, DNSSEC-validating resolver.¶
When a domain owner already employs DNSSEC, it is RECOMMENDED, that the HTTPS endpoint serving the CAA-CT-STS Policy be further bound via DANE/TLSA records. By publishing TLSA RR for both leaf and intermediate certificates, CAs retrieving "/.well-known/caa-ct-sts.txt" gain an additional multipath validation and out-of-band binding to the X.509 chain:¶
TLSA Usage¶
Here, TLSA-usage 3 (DANE-EE) and 2 (DANE-TA), selector 1 (SPKI), and matching types 1 (SHA-256) and 2 (SHA-512) ensure that CAs validate the exact certificates used by the policy host, preventing MITM.¶
SVCB / HTTPS Record¶
One can define a SVCB (or HTTPS) DNS RR for "caa-ct-sts.<domain>", advertising support for HTTP/3 (QUIC) and pointing to the same IP addresses as the A/AAAA records. This allows CAs to connect over the most modern, UDP-based transport with built-in encryption and connection resilience.¶
Strict TLS Configuration¶
The policy server should only accept TLS1.3 with strong cipher suites (e.g., AES_256_GCM) and elliptic-curve key exchange using X448, P-521, or P-384 (in this order). This ensures forward secrecy and resistance to known TLS attacks.¶
Optional DANE-Style Binding in the Policy File (NOT implemented in this draft)¶
For maximum end-to-end integrity, the "/.well-known/caa-ct-sts.txt" file itself may include DANE-like fields to bind a specific DNSSEC KZK. For example:¶
version: CAACTSTSv1 max_age: 60 kzk_id: 32768 kzk_hash: 'MII(...)' ct_policy: ( "example.ca; \ critical=true; \ desc='Example Log FunnyNameNet 2025'; \ validfrom=2025-01-01T00:00:00Z; \ validtill=2026-01-01T00:00:00Z; \ cturi=https://ct.example.net/logs/eu/funnynamenet2025; \ logid='sh4(...)'; \ pubkey='MFk(...)';" )
Whereas "kzk_id" would be an integer identifier of the Key-Id of the KZK of the domain, and "kzk_hash" would be a Base64-encoded hash of the KZK of the domain. By combining DNSSEC-protected TLSA and in-CAA-CT-STS-Policy kzk_hash and kzk_id values, CAs gain cryptographic assurance of both the CAA-CT-STS Policy files authenticity and the CT-Log endpoints identity, further reducing the risk of policy-fetch or logging interception attacks.¶
CAA allows a Certification Authority to pre-authorize an account, to request Certificates for a domain well before the actual issuance event. As a result, the CAA policy in effect at authorization time may differ from the policy published at issuance time. To mitigate this risk, CAs SHOULD adopt one or more of the following practices:¶
By limiting the window during which stale authorizations remain valid and by re-checking CAA RRs at issuance time, CAs reduce the likelihood of complying with outdated or revoked policy statements.¶
The standard domain-validation model does not protect against an adversary capable of intercepting all traffic to a domain (a "global man-in-the-middle" [MITM] attack). Such an attacker can hijack validation requests from any CA and thus impersonate domain control. When a domain is DNSSEC-signed, and the CA resolves DNS exclusively via a trusted DNSSEC-validating resolver, however, the authenticity and integrity of DNS data are assured.¶
To leverage this protection, a CA's validation process SHOULD either:¶
DNSSEC-secured¶
Not DNSSEC-secured¶
CAA RRs are discovered during validation by traversing up the DNS hierarchy until one or more RRs are located. Because of this lookup behavior, CAA RRs cannot reliably restrict or control Certificate issuance for subdomains whose DNS management has been delegated to another party (for example, via NS delegation or by granting limited DNS-editing rights for a subdomain).¶
Discover Relevant RRSet¶
Check for "issuect" Presence¶
Repeat for Each Domain¶
Validate issue / issuewild Authorization¶
Parse and Validate issuect Parameters¶
Enforce Whitelist and Default-Deny Semantics¶
Determine Required SCT Count¶
Proceed with Certificate Issuance¶
The following examples are provided for informational purposes only and are supplied "as is", without a warranty of any kind or liability. They illustrate relevant RRSets, and their expected processing semantics. Their BIND file notation format is defined in [RFC1035]. Parentheses are used to ignore a line break in DNS zone-file presentation format, as per Section 5.1 of [RFC1035].¶
The following shows a comprehensive and proper example DNS zone-file fragment of the "example.com" zone that nominates six distinguished CT-Log URIs for the "example.ca" Certification Authority, which must (n + 1) and could (+ 2) [redundancy rule Section 6.3], log any Certificates requested to the specified CT-Log, as authorized to log >180-day valid Certificates for the "sub.example.com" domain. The submission is limited to the critical CT-Logs "ct.example.net", "ct.example.org", "ct.example.sh", and "ct.example.xyz" and to the non-critical CT-Logs "ct.non-critical.net" and "ct.non-critical.org".¶
sub.example.com. 60 IN CAA 0 issuect ( "example.ca; \ critical=true; \ desc='Example Log FunnyNameNet 2025'; \ validfrom=2025-01-01T00:00:00Z; \ validtill=2026-01-01T00:00:00Z; \ cturi=https://ct.example.net/logs/eu/funnynamenet2025; \ logid='sh4(...)'; \ pubkey='MFk(...)';" ) sub.example.com. 60 IN CAA 0 issuect ( "example.ca; \ critical=true; \ desc='Example Log FunnyNameOrg 2025'; \ validfrom=2025-01-01T00:00:00Z; \ validtill=2026-01-01T00:00:00Z; \ cturi=https://ct.example.org/logs/eu/funnynameorg2025"; \ logid='sh4(...)'; \ pubkey='MFk(...)';" ) sub.example.com. 60 IN CAA 0 issuect ( "example.ca; \ critical=true; \ desc='Example Log FunnyNameSh 2025'; \ validfrom=2025-01-01T00:00:00Z; \ validtill=2026-01-01T00:00:00Z; \ cturi=https://ct.example.sh/logs/eu/funnynamesh2025; \ logid='sh4(...)'; \ pubkey='MFk(...)';" ) sub.example.com. 60 IN CAA 0 issuect ( "example.ca; \ critical=true; \ desc='Example Log FunnyNameXyz 2025'; \ validfrom=2025-01-01T00:00:00Z; \ validtill=2026-01-01T00:00:00Z; \ cturi=https://ct.example.xyz/logs/eu/funnynamexyz2025; \ logid='sh4(...)'; \ pubkey='MFk(...)';" ) sub.example.com. 60 IN CAA 0 issuect ( "example.ca; \ critical=false; \ desc='Example Log NonCriticalNet 2025'; \ validfrom=2025-01-01T00:00:00Z; \ validtill=2026-01-01T00:00:00Z; \ cturi=https://ct.non-critical.net/logs/eu/noncriticalnet2025; \ logid='sh4(...)'; \ pubkey='MFk(...)';" ) sub.example.com. 60 IN CAA 0 issuect ( "example.ca; \ critical=false; \ desc='Example Log NonCriticalOrg 2025'; \ validfrom=2025-01-01T00:00:00Z; \ validtill=2026-01-01T00:00:00Z; \ cturi=https://ct.non-critical.org/logs/eu/noncriticalorg2025; \ logid='sh4(...)'; \ pubkey='MFk(...)';" )
The following shows a no CT-Log submission at all example DNS zone-file fragments of the "example.com" zone that wishes to not submit their Certificates to any CT-Log.¶
sub.example.com. 60 IN CAA 0 issuect ";"
The following shows an erroneous example DNS zone-file fragment of the "example.com" zone that falsely set the Parameter Set, so that according to the Processing definitions, the erroneous Property will be treated as non-existent.¶
sub.example.com. 60 IN CAA 0 issuect ( "example.ca; \ critical=true; \ desc='Example Log FunnyNameXyz 2025'; \ validfrom=; \ validtill=; \ cturi=https://ct.example.xyz/logs/eu/funnynamexyz2025; \ logid='sh4(...)'; \ pubkey='MFk(...)';" )
_caa-ct-sts.example.com. 60 IN TXT "v=CAACTSTSv1; id=20250427121212Z;"
The following example indicates that Certificates for the domain must be logged in:¶
version: CAACTSTSv1 max_age: 60 ct_policy: ( "example.ca; \ critical=true; \ desc='Example Log FunnyNameNet 2025'; \ validfrom=2025-01-01T00:00:00Z; \ validtill=2026-01-01T00:00:00Z; \ cturi=https://ct.example.net/logs/eu/funnynamenet2025; \ logid='sh4(...)'; \ pubkey='MFk(...)';" ) ct_policy: ( "example.ca; \ critical=true; \ desc='Example Log FunnyNameOrg 2025'; \ validfrom=2025-01-01T00:00:00Z; \ validtill=2026-01-01T00:00:00Z; \ cturi=https://ct.example.org/logs/eu/funnynameorg2025"; \ logid='sh4(...)'; \ pubkey='MFk(...)';" ) ct_policy: ( "example.ca; \ critical=true; \ desc='Example Log FunnyNameSh 2025'; \ validfrom=2025-01-01T00:00:00Z; \ validtill=2026-01-01T00:00:00Z; \ cturi=https://ct.example.sh/logs/eu/funnynamesh2025; \ logid='sh4(...)'; \ pubkey='MFk(...)';" ) ct_policy: ( "example.ca; \ critical=true; \ desc='Example Log FunnyNameXyz 2025'; \ validfrom=2025-01-01T00:00:00Z; \ validtill=2026-01-01T00:00:00Z; \ cturi=https://ct.example.xyz/logs/eu/funnynamexyz2025; \ logid='sh4(...)'; \ pubkey='MFk(...)';" )
The following Shell scripts are provided for informational purposes only and are supplied "as is", without a warranty of any kind or liability.¶
The following POSIX [POSIX]-compliant shell script retrieves information from the regularly updated Google curated CT-Log-Operators file JSON List of CT-Logs that are currently compliant with Chromes CT policy [4] and generates zone-file compliant DNS RRs.¶
#!/bin/sh
set -eu
readonly OWN_DOMAIN="$1"
readonly CAA_DOMAIN="$2"
readonly CRIT__FLAG="$3"
readonly ZONE__FILE="zone_${OWN_DOMAIN}_CAA.txt"
case "${CRIT__FLAG}" in
true|false) ;;
*) echo "Error: CRIT_FLAG MUST be either 'true' or 'false'." >&2
exit 1
;;
esac
:> "${ZONE__FILE}"
JSON=$(curl -fsSL https://www.gstatic.com/ct/log_list/v3/log_list.json)
readonly JSON
echo "${JSON}" | awk -v OWN="${OWN_DOMAIN}" -v CA="${CAA_DOMAIN}" -v CRIT="${CRIT__FLAG}" -v OUT="${ZONE__FILE}" '
BEGIN { FS="\""; }
/{[[:space:]]*"description"/ {
desc=""; url=""; start=""; endt=""; logid=""; key="";
}
/"description":/ {
desc = $4
gsub(/\047/, "", desc)
}
/"url":/ {
url = $4
}
/"start_inclusive":/ {
start = $4
}
/"end_exclusive":/ {
endt = $4
}
/"log_id":/ {
logid = $4
}
/"key":/ {
key = $4
gsub(/\047/, "", key)
}
/"end_exclusive":/ {
if (desc != "" && url != "" && start != "" && logid != "" && key != "") {
printf "%s. 60 IN CAA 0 issuect ( \"%s; critical=%s; desc='\''%s'\''; validfrom=%s; validtill=%s; cturi=%s; logid='\''%s'\''; pubkey='\''%s'\'';\" )\n", \
OWN, CA, CRIT, desc, start, endt, url, logid, key \
>> OUT
}
}
'
The following POSIX [POSIX]-compliant shell script retrieves information from the regularly updated Google curated CT-Log-Operators file JSON List of CT-Logs that are currently compliant with Chromes CT policy [4] and generates a "caa-ct-sts.txt"-Policy file.¶
#!/bin/sh
set -eu
readonly OWN_DOMAIN="$1"
readonly CAA_DOMAIN="$2"
readonly CRIT__FLAG="$3"
readonly CAA_CTS_TS="caa-ct-sts.${OWN_DOMAIN}.txt"
case "${CRIT__FLAG}" in
true|false) ;;
*) echo "Error: CRIT_FLAG MUST be either 'true' or 'false'." >&2
exit 1 ;;
esac
:> "${CAA_CTS_TS}"
{ echo "version: CAACTSTSv1"
echo "max_age: 60"
} > "${CAA_CTS_TS}"
JSON=$(curl -fsSL https://www.gstatic.com/ct/log_list/v3/log_list.json)
readonly JSON
echo "${JSON}" | awk -v OWN="${OWN_DOMAIN}" -v CA="${CAA_DOMAIN}" -v CRIT="${CRIT__FLAG}" -v OUT="${CAA_CTS_TS}" '
BEGIN { FS="\""; }
/{[[:space:]]*"description"/ {
desc=""; url=""; start=""; endt=""; logid=""; key="";
}
/"description":/ {
desc = $4
gsub(/\047/, "", desc)
}
/"url":/ {
url = $4
}
/"start_inclusive":/ {
start = $4
}
/"end_exclusive":/ {
endt = $4
}
/"log_id":/ {
logid = $4
}
/"key":/ {
key = $4
gsub(/\047/, "", key)
}
/"end_exclusive":/ {
if (desc != "" && url != "" && start != "" && logid != "" && key != "") {
printf "ct_policy: ( \"%s; critical=%s; desc='\''%s'\''; validfrom=%s; validtill=%s; cturi=%s; logid='\''%s'\''; pubkey='\''%s'\'';\" )\n", \
CA, CRIT, desc, start, endt, url, logid, key \
>> OUT
}
}
'
It is RECOMMENDED to prefer very low TTL (60-300 s). In case of compromise or mistakes a real time reaction is still possible.¶
It is RECOMMENDED to prefer high TTL (86 400 s+) to minimize DNS-load and reduce resolver queries.¶
It is RECOMMENDED to use a medium TTL (e.g., 3 600 s / 1 h). It limits exposure to cache-poisoning and CA mis-issuance to an hour, while keeping query volume manageable.¶
Initial Version¶
This Draft uses extracts from templates written by Pekka Savola, Elwyn Davies, and Henrik Levkowetz.¶
The author gratefully acknowledges the contributors rigorous and professional critique, which materially improved the technical clarity and robustness of this draft. Their objective and insightful feedback has been invaluable in refining the specification.¶