CAA Checking for S/MIME Certificates
May 21, 2024
Introduction
CAA Checking is carried out to strengthen the PKI ecosystem with a control that restricts which CAs can issue certificates for a particular domain name. Certificate Authorities are obligated to check for DNS CAA records and honor those preferences. If no DNS CAA record is present, any CA is allowed to issue a certificate for the domain. If a DNS CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname. When processing DNS CAA records for S/MIME certificates, GlobalSign evaluates the "issuemail" property tag as specified in RFC 9495, Certification Authority Authorization (CAA) Processing for Email Addresses (rfc-editor.org).
Common Errors
Error Message | Reason | Solution
--- | --- | ---
issuer = other CA | Our system has detected that your DNS CAA records contain entries, and "globalsign.com" is not one of them. | Add "globalsign.com" to your CAA entries under the "issuemail" property tag and try again. Please note that this may take up to an hour to propagate, so that the DNS CAA record cache has been cleared.
servfail | This issue stems from a DNSSEC validation chain failure: your domain zone may be unsigned or incorrectly signed. | You can use a DNSSEC Debugger to locate the problem. If you have multiple nameservers, or master and slave nameservers, make sure that all nameservers have the correct DNSKEY and RRSIG records. Contact your DNS provider to verify what causes the error and work with them to resolve it. Once your DNS is properly set up, you can verify your order again. Please note that CAA check responses are cached for a maximum of one (1) hour. Note: the DNSSEC Debugger is not managed by GlobalSign; if you have issues using the tool, contact them directly.
i/o timeout (non-responsive) | The timeout error implies that your nameservers are down. This error can only happen for DNSSEC-enabled domains with non-responsive nameservers. | Make sure that your nameservers are up, running and externally reachable. Contact your DNS provider to verify what causes the failed response from the DNS server and work with them to resolve it. If a firewall is in place, make sure that these IP addresses are allowed access to your DNS records: 133.88.7.1 and/or 133.88.7.2. Once your DNS server is properly set up, you can verify your order again. Please note that CAA check responses are cached for a maximum of one (1) hour.
What is CAA Checking?
CAA (Certificate Authority Authorization) Checking is a control to restrict which CAs can issue certificates for a particular domain name. By configuring the DNS CAA record, domain owners can specify which Certification Authorities are authorized to issue certificates to that domain name.
Note: If you have any issues or questions about whether CAA is supported with your setup, contact your DNS manager for further details.
How does it work?
Domain owners create DNS CAA records that list the CAs they permit to issue certificates to the domain. If a domain has a DNS CAA record, only the CAs listed in the record(s) are allowed to issue certificates for that domain. If no DNS CAA record is present, any CA is allowed to issue certificates for that domain name.
What happens to the S/MIME certificates I already have?
This change doesn't affect existing S/MIME certificates. However, for new certificates, reissues and renewals, if a domain has one or more DNS CAA records with the "issuemail" property tag, and none of those records lists globalsign.com as a permitted issuer, then GlobalSign is prohibited from issuing a certificate for that domain (or subdomain).
Your DNS CAA record should contain "globalsign.com" as shown below (straight double quotes around the value, as in a zone file):
globalsign.com 299 IN CAA 0 issuemail "globalsign.com"
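The processing described above, as an added example that is not GlobalSign's own code: it climbs the DNS tree as in RFC 8659 to find the relevant CAA RRset for the mailbox's domain, then applies the RFC 9495 "issuemail" rule, including the explicit ";" deny-all value and the refusal required when a critical property tag is not understood. The zone data is constructed in memory for the example rather than resolved from real DNS.

```python
# Added example: CAA evaluation for S/MIME per RFC 8659 (tree climbing) and
# RFC 9495 ("issuemail"). Uses a constructed in-memory zone, not real DNS.
from typing import Dict, List, Tuple

CAA = Tuple[int, str, str]   # (flags, tag, value), the fields of a CAA RR
CRITICAL = 128               # issuer-critical flag bit (RFC 8659 section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail"}

# Constructed sample records, not real DNS answers.
ZONE: Dict[str, List[CAA]] = {
    "example.com":       [(0, "issuemail", "globalsign.com")],
    "other.example.net": [(0, "issuemail", "other-ca.example")],
    "deny.example.org":  [(0, "issuemail", ";")],                # nobody may issue
    "odd.example.org":   [(128, "futuretag", "x"),               # unknown critical tag
                          (0, "issuemail", "globalsign.com")],
}

def relevant_caa_set(domain: str, zone: Dict[str, List[CAA]]) -> List[CAA]:
    """Climb from the domain towards the TLD; the first RRset found is the
    relevant one (RFC 8659 section 3). The root is never consulted."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue_smime(email: str, ca_id: str, zone: Dict[str, List[CAA]] = ZONE) -> bool:
    """True if the CA identified by ca_id may issue an S/MIME cert for email."""
    mail_domain = email.rpartition("@")[2]  # RFC 9495 checks the domain part only
    rrset = relevant_caa_set(mail_domain, zone)
    # A critical property the CA does not understand forbids issuance (RFC 8659 s.4.5).
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issuemail = [v for _, tag, v in rrset if tag.lower() == "issuemail"]
    if not issuemail:
        return True  # no issuemail property in the relevant set: not restricted
    for value in issuemail:
        issuer = value.split(";", 1)[0].strip().lower()  # drop any parameters
        if issuer and issuer == ca_id.lower():
            return True
    return False  # covers the explicit "issuemail ;" deny-all case as well
```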
Guidelines
DNS Services all have their own management interfaces and ways to add DNS CAA records. As such, you have to contact your DNS manager for details. However, we have listed the available guidelines below for your reference.
How to add, update and remove a DNS CAA Record
Please refer to this external article for more information: use the "issuemail" property tag and set globalsign.com as its value.