CAA Test Suite

This is a test suite which checks compliance with CAA checking as defined in version 1.4.8 of the CA/Browser Forum Baseline Requirements. Effective September 8, 2017, a CA which issues a certificate in violation of a domain's CAA policy is in violation of the Baseline Requirements. CAs are encouraged to use this test suite to ensure that they are in compliance.

The zone files for caatestsuite.com are on GitHub. If you have any questions, please open an issue.

Deny Tests

No CA is allowed to issue for any of the following FQDNs:

FQDN | Test Description
empty.basic.caatestsuite.com | Tests proper processing of 0 issue ";"
deny.basic.caatestsuite.com | Tests proper processing of 0 issue "caatestsuite.com"
big.basic.caatestsuite.com | Tests proper processing of a gigantic CAA record set (1001 records) containing 0 issue "caatestsuite.com"
critical1.basic.caatestsuite.com | Tests proper processing of an unknown critical property: 128 caatestsuitedummyproperty "test"
critical2.basic.caatestsuite.com | Tests proper processing of an unknown critical property when another flag is also set: 130 caatestsuitedummyproperty "test"
sub1.deny.basic.caatestsuite.com | Tests basic tree climbing, when the CAA record exists at the parent
sub2.sub1.deny.basic.caatestsuite.com | Tests basic tree climbing, when the CAA record exists at the grandparent
*.deny.basic.caatestsuite.com | Tests proper application of the issue property to a wildcard FQDN
*.deny-wild.basic.caatestsuite.com | Tests proper application of the issuewild property to a wildcard FQDN
cname-deny.basic.caatestsuite.com | Tests proper processing of a CNAME, when the CAA record exists at the CNAME target
cname-cname-deny.basic.caatestsuite.com | Tests proper processing of a CNAME-to-a-CNAME, when the CAA record exists at the ultimate CNAME target
sub1.cname-deny.basic.caatestsuite.com | Tests proper processing of a CNAME, when the parent is a CNAME and the CAA record exists at the CNAME target
deny.permit.basic.caatestsuite.com | Tests proper rejection when the parent name (permit.basic.caatestsuite.com) contains a permissible CAA record set
ipv6only.caatestsuite.com | Tests proper processing of a CAA record served by an IPv6-only authoritative name server
expired.caatestsuite-dnssec.com | Tests rejection when there is no CAA record but the DNSSEC signatures are expired
missing.caatestsuite-dnssec.com | Tests rejection when there is no CAA record but the DNSSEC signatures are missing
blackhole.caatestsuite-dnssec.com | Tests rejection when there is a DNSSEC validation chain to a nonresponsive name server
servfail.caatestsuite-dnssec.com | Tests rejection when there is a DNSSEC validation chain to a name server returning SERVFAIL
refused.caatestsuite-dnssec.com | Tests rejection when there is a DNSSEC validation chain to a name server returning REFUSED
xss.caatestsuite.com | Tests rejection when the issue property contains HTML and JavaScript. Makes sure there are no XSS vulnerabilities in the CA's website.

Special Tests

These tests only apply to some CAs. Check the description for details.

FQDN | Test Description
auto-www-san.caatestsuite.com | All CAs are allowed to issue for auto-www-san.caatestsuite.com, but only the CA caatestsuite.com is allowed to issue for www.auto-www-san.caatestsuite.com. This test makes sure CAA is checked for a SAN that is automatically added for the www sub-domain.
www.auto-base-san.caatestsuite.com | All CAs are allowed to issue for www.auto-base-san.caatestsuite.com, but only the CA caatestsuite.com is allowed to issue for auto-base-san.caatestsuite.com. This test makes sure CAA is checked for a SAN that is automatically added for the base domain.
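The Deny Tests and Special Tests tables above describe what a compliant CAA checker must do: find the relevant CAA record set by following CNAMEs and climbing the tree (RFC 6844 section 4), refuse on an unknown critical property, apply issuewild to wildcard names, fail closed on a lookup failure inside a DNSSEC-signed chain, and run the check for every SAN, including ones the CA adds itself. The following Python is an added example written for this page; it is not code from the test suite or its zone files. It does no live DNS: the zone data, the CNAMEs, the set of names whose lookup is treated as a DNSSEC failure, the iodef address and the CA identity "other-ca.example" are all constructed stand-ins for the test names, and the ipv6only and xss tests (transport and web UI concerns) and the informational DNAME/CNAME-parent tests are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRITICAL_FLAG = 0x80                      # RFC 6844 "issuer critical" bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


class DnssecFailure(Exception):
    """A lookup that failed inside a DNSSEC-signed chain; never treated as permission to issue."""


# Constructed, offline stand-in for the test suite's zones (not the real zone files).
# Names missing from both maps have no CAA records of their own.
IODEF = CAARecord(0, "iodef", "mailto:caa@example.invalid")        # placeholder contact
ZONE: Dict[str, List[CAARecord]] = {
    "empty.basic.caatestsuite.com": [CAARecord(0, "issue", ";")],
    "deny.basic.caatestsuite.com": [CAARecord(0, "issue", "caatestsuite.com")],
    "big.basic.caatestsuite.com": [IODEF] * 1000 + [CAARecord(0, "issue", "caatestsuite.com")],
    "critical1.basic.caatestsuite.com": [CAARecord(128, "caatestsuitedummyproperty", "test")],
    "critical2.basic.caatestsuite.com": [CAARecord(130, "caatestsuitedummyproperty", "test")],
    "deny-wild.basic.caatestsuite.com": [CAARecord(0, "issuewild", "caatestsuite.com")],
    "permit.basic.caatestsuite.com": [CAARecord(0, "issue", "other-ca.example")],
    "deny.permit.basic.caatestsuite.com": [CAARecord(0, "issue", "caatestsuite.com")],
    "www.auto-www-san.caatestsuite.com": [CAARecord(0, "issue", "caatestsuite.com")],
    "auto-base-san.caatestsuite.com": [CAARecord(0, "issue", "caatestsuite.com")],
    # A non-empty set with no issue property permits everyone, so the www label is not
    # blocked by its parent's policy (constructed; the real zone may do this differently).
    "www.auto-base-san.caatestsuite.com": [IODEF],
}
CNAME: Dict[str, str] = {
    "cname-deny.basic.caatestsuite.com": "deny.basic.caatestsuite.com",
    "cname-cname-deny.basic.caatestsuite.com": "cname-deny.basic.caatestsuite.com",
}
# Names whose lookup fails somewhere inside a DNSSEC validation chain (constructed model).
DNSSEC_BROKEN = {f"{n}.caatestsuite-dnssec.com"
                 for n in ("expired", "missing", "blackhole", "servfail", "refused")}


def parent(name: str) -> Optional[str]:
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None   # climbing stops at the TLD


def relevant_caa_set(name: str, depth: int = 0) -> List[CAARecord]:
    """RFC 6844 section 4: CAA at X; else the relevant set of X's alias target; else X's parent."""
    if depth > 32:
        raise LookupError(f"alias loop near {name}")
    if name in DNSSEC_BROKEN:
        raise DnssecFailure(name)
    if ZONE.get(name):
        return ZONE[name]
    target = CNAME.get(name)
    if target:
        inherited = relevant_caa_set(target, depth + 1)
        if inherited:
            return inherited
    up = parent(name)
    return relevant_caa_set(up, depth + 1) if up else []


def names_ca(value: str, ca: str) -> bool:
    """An issue/issuewild value is '<domain>[; params]'; an empty domain (';') names nobody."""
    domain = value.split(";", 1)[0].strip().lower()
    return domain != "" and domain == ca.lower()


def may_issue(ca: str, fqdn: str) -> Tuple[bool, str]:
    """Decide whether the CA identified by `ca` may issue for one FQDN; fails closed on errors."""
    wildcard = fqdn.startswith("*.")
    lookup_name = fqdn[2:] if wildcard else fqdn
    try:
        rrset = relevant_caa_set(lookup_name)
    except (DnssecFailure, LookupError) as exc:
        return False, f"lookup failed: {exc}"
    for rr in rrset:                       # unknown critical property => refuse
        if rr.flags & CRITICAL_FLAG and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical property {rr.tag!r}"
    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    applicable = issuewild if wildcard and issuewild else issue   # issuewild only for *.names
    if not applicable:
        return True, "no applicable issue property"
    if any(names_ca(rr.value, ca) for rr in applicable):
        return True, "CA named in policy"
    return False, "CA not named in policy"


def may_issue_certificate(ca: str, sans: List[str]) -> Tuple[bool, Dict[str, Tuple[bool, str]]]:
    """Every SAN in the request, including ones the CA adds automatically, must pass."""
    per_name = {san: may_issue(ca, san) for san in sans}
    return all(ok for ok, _ in per_name.values()), per_name


DENY_TESTS = [f"{n}.basic.caatestsuite.com" for n in (
    "empty", "deny", "big", "critical1", "critical2", "sub1.deny", "sub2.sub1.deny", "*.deny",
    "*.deny-wild", "cname-deny", "cname-cname-deny", "sub1.cname-deny", "deny.permit")
] + sorted(DNSSEC_BROKEN)


def run_deny_tests(ca: str = "other-ca.example") -> Dict[str, bool]:
    """A compliant checker returns False for every name in the Deny Tests table."""
    return {name: may_issue(ca, name)[0] for name in DENY_TESTS}


if __name__ == "__main__":
    for name, allowed in run_deny_tests().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
    print(may_issue_certificate("other-ca.example",
                                ["auto-www-san.caatestsuite.com", "www.auto-www-san.caatestsuite.com"]))
```

The checker is general rather than tied to the listed names: any CA identifier and any FQDN can be fed through may_issue, and may_issue_certificate shows why the Special Tests matter, since a request for auto-www-san.caatestsuite.com passes on its own but fails once the www SAN the CA adds is checked too.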

Informational Tests

Issuing for these FQDNs would technically be a misissuance by a strict reading of RFC 6844, but that may change in the near future (see test description for details):

FQDN | Test Description
dname-deny.basic.caatestsuite.com | Tests proper processing of a DNAME, when the CAA record exists at the DNAME target (note: this test would be modified by erratum 5097 to RFC 6844)
cname-deny-sub.basic.caatestsuite.com | Tests proper processing of a CNAME, when the CAA record exists at the parent of the CNAME target (note: this test would be modified by erratum 5065 to RFC 6844)

Change Log