3. Relevant Resource Record Set

Before issuing a certificate, a compliant CA MUST check for publication of a Relevant RRset. If such an RRset exists, the CA MUST NOT issue a certificate unless it determines that either (1) the certificate request is consistent with the applicable CAA RRset or (2) an exception specified in the relevant CP or CPS applies. If the Relevant RRset for an FQDN or wildcard domain name contains no Property Tags that restrict issuance (for example, it contains only iodef Property Tags, or only Property Tags the CA does not recognize), CAA does not restrict issuance.

A certificate request MAY specify more than one FQDN and MAY specify wildcard domain names. Issuers MUST verify authorization for all the FQDNs and wildcard domain names specified in the request.

The search for a CAA RRset climbs the DNS name tree from the specified label up to, but not including, the DNS root ".", until a CAA RRset is found.

Given a request for a specific FQDN X, or a request for a wildcard domain name *.X, the Relevant RRset RelevantCAASet(X) is determined as follows (pseudocode):

Let CAA(X) be the RRset returned by performing a CAA record query
for the FQDN X, according to the lookup algorithm specified in
Section 4.3.2 of [RFC1034] (in particular, chasing aliases). Let
Parent(X) be the FQDN produced by removing the leftmost label of
X.

RelevantCAASet(domain):
  while domain is not ".":
    if CAA(domain) is not Empty:
      return CAA(domain)
    domain = Parent(domain)
  return Empty

For example, processing CAA for the FQDN "X.Y.Z" where there are
no CAA records at any level in the tree, RelevantCAASet would have
the following steps:

CAA("X.Y.Z.") = Empty; domain = Parent("X.Y.Z.") = "Y.Z."
CAA("Y.Z.") = Empty; domain = Parent("Y.Z.") = "Z."
CAA("Z.") = Empty; domain = Parent("Z.") = "."
return Empty

Processing CAA for the FQDN "A.B.C" where there is a CAA record
"issue example.com" at "B.C" would terminate early upon finding
the CAA record:

CAA("A.B.C.") = Empty; domain = Parent("A.B.C.") = "B.C."
CAA("B.C.") = "issue example.com"
return "issue example.com"
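The tree climb above, plus the Section 3 rule that only restricting Property Tags (issue/issuewild) constrain an issuer, as an added Python example that is not part of this document. The zone contents, CA names and the `issuance_permitted` helper are constructed for illustration; a real CA queries DNS (chasing CNAME/DNAME aliases) rather than a dictionary.

```python
# Constructed sample zone: FQDN -> list of (flags, tag, value) CAA records.
ZONE = {
    "b.c.": [(0, "issue", "example.com")],
    "ops.example.net.": [(0, "iodef", "mailto:security@example.net")],
    "example.org.": [(0, "issue", "ca-a.example"), (0, "issuewild", "ca-b.example")],
}


def caa(fqdn):
    """Stand-in for a CAA query (RFC 1034 Section 4.3.2 lookup); [] means Empty."""
    return ZONE.get(fqdn.lower(), [])


def parent(fqdn):
    """Remove the leftmost label: 'x.y.z.' -> 'y.z.', 'z.' -> '.'."""
    rest = fqdn.split(".", 1)[1]
    return rest if rest else "."


def relevant_caa_set(domain):
    """RelevantCAASet(domain): climb from `domain` up to (not including) the root."""
    if not domain.endswith("."):
        domain += "."
    while domain != ".":
        rrset = caa(domain)
        if rrset:
            return rrset
        domain = parent(domain)
    return []


def issuance_permitted(requested, issuer_domain, wildcard=False):
    """True unless the Relevant RRset restricts issuance to other CAs.

    For a wildcard request *.X the caller passes X with wildcard=True;
    issuewild then governs when present, otherwise issue does.
    iodef-only or unrecognized tags impose no restriction."""
    rrset = relevant_caa_set(requested)
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    restricting = [v for _, t, v in rrset if t == tag]
    if not restricting:
        return True  # no restricting Property Tags: CAA does not restrict
    # Compare only the issuer-domain-name portion, before any ';' parameters;
    # an empty name (e.g. value ";") matches no CA and so forbids issuance.
    return any(v.split(";")[0].strip().lower() == issuer_domain.lower()
               for v in restricting)
```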