This is a test suite which checks a CA's CAA processing for compliance with version 1.4.8 of the CA/Browser Forum Baseline Requirements. Effective September 8, 2017, a CA which issues a certificate in violation of a domain's CAA policy is in violation of the Baseline Requirements. CAs are encouraged to use this test suite to ensure that they are in compliance.
The zone files for caatestsuite.com are on GitHub. If you have any questions, please open an issue.
No CA is allowed to issue for any of the following FQDNs:
FQDN | Test Description |
---|---|
empty.basic.caatestsuite.com | Tests proper processing of 0 issue ";" |
deny.basic.caatestsuite.com | Tests proper processing of 0 issue "caatestsuite.com" |
uppercase-deny.basic.caatestsuite.com | Tests proper processing when issue tag is uppercase (0 ISSUE "caatestsuite.com") |
mixedcase-deny.basic.caatestsuite.com | Tests proper processing when issue tag is mixed case (0 IsSuE "caatestsuite.com") |
big.basic.caatestsuite.com | Tests proper processing of gigantic CAA record set (1001 records) containing 0 issue "caatestsuite.com" |
critical1.basic.caatestsuite.com | Tests proper processing of an unknown critical property: 128 caatestsuitedummyproperty "test" |
critical2.basic.caatestsuite.com | Tests proper processing of an unknown critical property when another flag is set: 130 caatestsuitedummyproperty "test" |
sub1.deny.basic.caatestsuite.com | Tests basic tree climbing, when CAA record exists at parent |
sub2.sub1.deny.basic.caatestsuite.com | Tests basic tree climbing, when CAA record exists at grandparent |
*.deny.basic.caatestsuite.com | Tests proper application of issue property to a wildcard FQDN |
*.deny-wild.basic.caatestsuite.com | Tests proper application of issuewild property to a wildcard FQDN |
cname-deny.basic.caatestsuite.com | Tests proper processing of a CNAME, when CAA record exists at CNAME target |
cname-cname-deny.basic.caatestsuite.com | Tests proper processing of a CNAME-to-a-CNAME, when CAA record exists at ultimate CNAME target |
sub1.cname-deny.basic.caatestsuite.com | Tests proper processing of a CNAME, when parent is a CNAME and CAA record exists at CNAME target |
deny.permit.basic.caatestsuite.com | Tests proper rejection when parent name (permit.basic.caatestsuite.com) contains a permissible CAA record set |
ipv6only.caatestsuite.com | Tests proper processing of CAA record at an IPv6-only authoritative name server |
expired.caatestsuite-dnssec.com | Tests rejection when there is no CAA record but the DNSSEC signatures are expired |
missing.caatestsuite-dnssec.com | Tests rejection when there is no CAA record but the DNSSEC signatures are missing |
blackhole.caatestsuite-dnssec.com | Tests rejection when there is a DNSSEC validation chain to a nonresponsive name server |
servfail.caatestsuite-dnssec.com | Tests rejection when there is a DNSSEC validation chain to a name server returning SERVFAIL |
refused.caatestsuite-dnssec.com | Tests rejection when there is a DNSSEC validation chain to a name server returning REFUSED |
xss.caatestsuite.com | Tests rejection when the issue property contains HTML and JavaScript. Makes sure there are no XSS vulnerabilities in the CA's website. |
These tests only apply to some CAs. Check the description for details.
FQDN | Test Description |
---|---|
auto-www-san.caatestsuite.com | All CAs are allowed to issue for auto-www-san.caatestsuite.com, but only the CA caatestsuite.com is allowed to issue for www.auto-www-san.caatestsuite.com. This test makes sure CAA is checked for a SAN that is automatically added for the www sub-domain. |
www.auto-base-san.caatestsuite.com | All CAs are allowed to issue for www.auto-base-san.caatestsuite.com, but only the CA caatestsuite.com is allowed to issue for auto-base-san.caatestsuite.com. This test makes sure CAA is checked for a SAN that is automatically added for the base domain. |
Issuing for these FQDNs would technically be a misissuance by a strict reading of RFC 6844, but that may change in the near future (see test description for details):
FQDN | Test Description |
---|---|
dname-deny.basic.caatestsuite.com | Tests proper processing of a DNAME, when CAA record exists at DNAME target (note: this test would be modified by erratum 5097 to RFC 6844) |
cname-deny-sub.basic.caatestsuite.com | Tests proper processing of a CNAME, when CAA record exists at parent of CNAME target (note: this test would be modified by erratum 5065 to RFC 6844) |
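The tables above describe the behaviours a CA's checker must get right (tree climbing, CNAME following, case-insensitive tags, unknown critical properties, issue versus issuewild, fail-closed on DNSSEC failure, and per-SAN checks). The following is an added example, not code from the test suite, of a CAA policy check that exercises those cases. It implements the RFC 6844 algorithm as amended by erratum 5065 (the same algorithm RFC 8659 later standardised): the parents of the queried name are climbed, CNAMEs are followed per lookup, and the CNAME target's parents are never climbed. The zone data is constructed from the test descriptions (the record contents, the CNAME targets and the checking CA's identity `example-ca.test` are assumptions); `lookup_caa` stands in for a DNSSEC-validating resolver.

```python
"""CAA policy check exercising the caatestsuite.com cases (added example).
Algorithm: RFC 6844 with erratum 5065 / RFC 8659 tree climbing."""
from dataclasses import dataclass

CRITICAL_FLAG = 0x80                     # issuer-critical bit, RFC 6844 section 5.1
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
MAX_CNAME_DEPTH = 8                      # guard for cname-loop style chains


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


class DnsFailure(Exception):
    """SERVFAIL, REFUSED, timeout or bogus DNSSEC: the checker must fail closed."""


# Constructed zone data (assumption: record contents are reconstructed from the
# test descriptions, not copied from the real zone files). A value is a list of
# CAA records, a ("CNAME", target) tuple, or a DnsFailure to simulate a broken
# DNSSEC chain. Names absent from ZONE have no CAA records.
ZONE = {
    "deny.basic.caatestsuite.com": [CAA(0, "issue", "caatestsuite.com")],
    "empty.basic.caatestsuite.com": [CAA(0, "issue", ";")],
    "uppercase-deny.basic.caatestsuite.com": [CAA(0, "ISSUE", "caatestsuite.com")],
    "critical1.basic.caatestsuite.com": [CAA(128, "caatestsuitedummyproperty", "test")],
    "critical2.basic.caatestsuite.com": [CAA(130, "caatestsuitedummyproperty", "test")],
    "deny-wild.basic.caatestsuite.com": [CAA(0, "issuewild", "caatestsuite.com")],
    "cname-deny.basic.caatestsuite.com": ("CNAME", "deny.basic.caatestsuite.com"),
    "cname-cname-deny.basic.caatestsuite.com": ("CNAME", "cname-deny.basic.caatestsuite.com"),
    "cname-deny-sub.basic.caatestsuite.com": ("CNAME", "target.deny.basic.caatestsuite.com"),
    "cname-loop.basic.caatestsuite.com": ("CNAME", "cname-loop.basic.caatestsuite.com"),
    "permit.basic.caatestsuite.com": [CAA(0, "issue", "example-ca.test")],
    "deny.permit.basic.caatestsuite.com": [CAA(0, "issue", "caatestsuite.com")],
    "www.auto-www-san.caatestsuite.com": [CAA(0, "issue", "caatestsuite.com")],
    "servfail.caatestsuite-dnssec.com": DnsFailure("SERVFAIL behind a DNSSEC chain"),
}


def lookup_caa(name, depth=0):
    """CAA RRset at `name`, following CNAMEs like a resolver; [] on NODATA/NXDOMAIN."""
    entry = ZONE.get(name.lower().rstrip("."))
    if entry is None:
        return []
    if isinstance(entry, DnsFailure):
        raise entry
    if isinstance(entry, tuple):                      # ("CNAME", target)
        if depth >= MAX_CNAME_DEPTH:
            raise DnsFailure(f"CNAME chain too long at {name}")
        return lookup_caa(entry[1], depth + 1)
    return entry


def relevant_caa_set(fqdn):
    """Climb the parents of the queried name (wildcard label dropped first) and
    return the first non-empty CAA RRset. CNAME targets are followed by
    lookup_caa but their parents are never climbed (erratum 5065 / RFC 8659)."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def check_caa(fqdn, ca_domain):
    """Decide whether `ca_domain` may issue for `fqdn`. Returns (allowed, reason)."""
    try:
        rrset = relevant_caa_set(fqdn)
    except DnsFailure as e:
        return False, f"CAA lookup failed, refusing to issue: {e}"
    # An unknown property with the critical bit set forbids issuance, whatever
    # other flag bits are set (130 = critical plus a reserved bit).
    for r in rrset:
        if r.flags & CRITICAL_FLAG and r.tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical property {r.tag!r}"
    is_wildcard = fqdn.startswith("*.")
    issue = [r for r in rrset if r.tag.lower() == "issue"]          # tags are case-insensitive
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    applicable = issuewild if (is_wildcard and issuewild) else issue # issuewild overrides for wildcards
    if not applicable:
        return True, "no applicable issue/issuewild records"
    for r in applicable:
        # Value is "<issuer-domain>[; parameters]"; an empty issuer-domain (";")
        # authorises nobody. Parameters are not evaluated in this example.
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True, f"authorised by {r.tag} {r.value!r}"
    return False, "no issue/issuewild record names this CA"


def check_request(sans, ca_domain):
    """Every SAN, including ones the CA adds itself (www or base-domain forms),
    gets its own CAA check; one denial blocks the whole certificate."""
    results = {name: check_caa(name, ca_domain) for name in sans}
    return all(ok for ok, _ in results.values()), results


if __name__ == "__main__":
    for name in ("sub2.sub1.deny.basic.caatestsuite.com", "*.deny-wild.basic.caatestsuite.com",
                 "cname-deny-sub.basic.caatestsuite.com", "servfail.caatestsuite-dnssec.com"):
        ok, why = check_caa(name, "example-ca.test")
        print(f"{'ALLOW' if ok else 'DENY':5} {name}: {why}")
```

Two results are worth noting. `cname-deny-sub.basic.caatestsuite.com` is permitted by this checker because the CNAME target's parent is not climbed; a strict reading of RFC 6844 climbs from the target and would deny, which is why the suite lists that name as informational. A lookup failure is treated as a denial here; Baseline Requirements 1.4.8 only allow a failed lookup to be treated as permission when the failure is outside the CA's infrastructure, the lookup has been retried, and the zone has no DNSSEC validation chain to the ICANN root, which is the condition the caatestsuite-dnssec.com tests exercise. DNAME handling is not modelled.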
Changelog:
- servfail.caatestsuite-dnssec.com and refused.caatestsuite-dnssec.com
- cname-loop.basic.caatestsuite.com
- auto-www-san.caatestsuite.com, www.auto-base-san.caatestsuite.com, and xss.caatestsuite.com
- deny.permit.basic.caatestsuite.com
- dname-deny.basic.caatestsuite.com and cname-deny-sub.basic.caatestsuite.com moved to the Informational section, since they are affected by errata
- uppercase-deny.basic.caatestsuite.com and mixedcase-deny.basic.caatestsuite.com