{"id":3001,"date":"2018-07-30T20:00:22","date_gmt":"2018-07-30T18:00:22","guid":{"rendered":"http:\/\/www.unicoda.com\/?p=3001"},"modified":"2018-07-19T14:00:58","modified_gmt":"2018-07-19T12:00:58","slug":"ajout-du-champ-certification-authority-authorization-caa-a-la-zone-dns","status":"publish","type":"post","link":"https:\/\/www.unicoda.com\/?p=3001","title":{"rendered":"Adding a Certification Authority Authorization (CAA) record to the DNS zone"},
"content":{"rendered":"<p>A few weeks ago I took an interest in the HTTP security headers and, while I was at it, had a look at the DNS zone as well. So I added a CAA record, for <a href=\"https:\/\/blog.qualys.com\/ssllabs\/2017\/03\/13\/caa-mandated-by-cabrowser-forum\" target=\"_blank\" rel=\"noopener\">Certification Authority Authorization<\/a>, to the DNS zone of my domain.<\/p>\n<p>A few words about the record in question. Its purpose is to state publicly which certificate authorities may issue a certificate for the domain concerned (none, one or several). If another authority were asked to issue a certificate, the request should fail, since that authority is not listed as authorized. This only holds if the certificate authority looks up the CAA record and honours it; since 8 September 2017 the CA\/Browser Forum Baseline Requirements require publicly trusted CAs to do so (the Qualys post linked above covers that decision). The goal is to reduce the risk of someone requesting, and obtaining, a certificate for your domain without being entitled to one. Note that the check happens at issuance time only: browsers do not consult CAA, so the record does nothing against a certificate a CA has already mis-issued, and it complements rather than replaces monitoring of Certificate Transparency logs.<\/p>\n<p>For the setup on unicoda.com, this gives the following configuration:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-3035 size-large\" src=\"http:\/\/www.unicoda.com\/wp-content\/uploads\/2018\/03\/unicoda-CAA-1024x165.png\" alt=\"\" width=\"840\" height=\"135\" srcset=\"https:\/\/www.unicoda.com\/wp-content\/uploads\/2018\/03\/unicoda-CAA-1024x165.png 1024w, https:\/\/www.unicoda.com\/wp-content\/uploads\/2018\/03\/unicoda-CAA-300x48.png 300w, https:\/\/www.unicoda.com\/wp-content\/uploads\/2018\/03\/unicoda-CAA-768x124.png 768w, https:\/\/www.unicoda.com\/wp-content\/uploads\/2018\/03\/unicoda-CAA.png 1176w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/p>\n<p>Three property tags are possible: <em>issue<\/em>, <em>issuewild<\/em> and <em>iodef<\/em>. In order: <em>issue<\/em> restricts which authorities may issue certificates for the domain; <em>issuewild<\/em> restricts the issuance of wildcard certificates and, when present, takes precedence over <em>issue<\/em> for wildcard requests (<em>issue<\/em> still governs non-wildcard names, and when no <em>issuewild<\/em> record exists it governs wildcards too). An <em>issue<\/em> or <em>issuewild<\/em> record whose value is just \";\" authorizes nobody. Finally, <em>iodef<\/em> specifies a contact (a <em>mailto<\/em>, <em>http<\/em> or <em>https<\/em> URL) to which a CA can report a request that violated the CAA policy. A name without CAA records of its own inherits the records of the closest parent that has some, so one record set at the zone apex covers the subdomains.<\/p>\n<p>For more details, nothing beats reading the RFC itself: <a href=\"https:\/\/tools.ietf.org\/html\/rfc6844\" target=\"_blank\" rel=\"noopener\">RFC 6844<\/a> (obsoleted in 2019 by RFC 8659, which keeps the same record format and tags). The <a href=\"https:\/\/letsencrypt.org\/docs\/caa\/\" target=\"_blank\" rel=\"noopener\">Let&rsquo;s Encrypt documentation<\/a> is also worth a look.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>A few weeks ago I took an interest in the HTTP security headers and, while I was at it, had a look at the DNS zone as well. So I added a CAA record, for Certification Authority Authorization, to the DNS zone of my domain. A few words about the record in &hellip; <a href=\"https:\/\/www.unicoda.com\/?p=3001\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &laquo;&nbsp;Adding a Certification Authority Authorization (CAA) record to the DNS zone&nbsp;&raquo;<\/span><\/a><\/p>\n","protected":false},
"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[316],"tags":[373,372],"class_list":["post-3001","post","type-post","status-publish","format-standard","hentry","category-configuration","tag-caa","tag-dns"],"_links":{"self":[{"href":"https:\/\/www.unicoda.com\/index.php?rest_route=\/wp\/v2\/posts\/3001","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.unicoda.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.unicoda.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.unicoda.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.unicoda.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3001"}],"version-history":[{"count":3,"href":"https:\/\/www.unicoda.com\/index.php?rest_route=\/wp\/v2\/posts\/3001\/revisions"}],"predecessor-version":[{"id":3129,"href":"https:\/\/www.unicoda.com\/index.php?rest_route=\/wp\/v2\/posts\/3001\/revisions\/3129"}],"wp:attachment":[{"href":"https:\/\/www.unicoda.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3001"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.unicoda.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3001"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.unicoda.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3001"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
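To make the issue / issuewild / iodef rules of the post concrete, here is an added example that is not code from the original post and does not reproduce the unicoda.com configuration shown in the screenshot. It is a small Python evaluator that applies the CAA issuance processing of RFC 6844 / RFC 8659 to a constructed in-memory zone: the climb to the parent domain for names that have no CAA records of their own, the precedence of issuewild over issue for wildcard requests, the ";" deny-all value, and the critical flag. The domain names (example.com and its subdomains), the CA identifiers and the mailto address are assumptions made for illustration only.

```python
"""Evaluate a CAA policy the way an issuing CA does (RFC 6844 / RFC 8659).

Added example: the zone below is constructed for illustration and is not the
configuration of unicoda.com or of any real domain. No DNS query is made; the
zone is an in-memory dict so the script runs offline.
"""
import shlex
from dataclasses import dataclass

CRITICAL = 0x80  # "issuer critical" flag bit of the CAA flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(presentation: str) -> CAARecord:
    """Parse CAA RDATA in zone-file form, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = shlex.split(presentation)
    return CAARecord(int(flags), tag.lower(), value)


# Constructed sample zone: owner name -> CAA records (assumed data, not real DNS).
ZONE = {
    "example.com": [
        parse_caa('0 issue "letsencrypt.org"'),         # only Let's Encrypt may issue
        parse_caa('0 issuewild ";"'),                   # nobody may issue wildcards
        parse_caa('0 iodef "mailto:caa@example.com"'),  # where violations are reported
    ],
    "legacy.example.com": [
        parse_caa('0 issue "digicert.com"'),            # child name overrides the parent policy
    ],
    "locked.example.com": [
        parse_caa('128 futuretag "x"'),                 # critical tag no CA understands yet
    ],
}


def relevant_rrset(zone, name):
    """Tree climbing: the first non-empty CAA RRset from `name` up towards the root."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        owner = ".".join(labels)
        if zone.get(owner):
            return owner, zone[owner]
        labels = labels[1:]
    return None, []


def issuer_of(record):
    """Issuer domain of an issue/issuewild value, dropping parameters after ';'.

    An empty issuer (value ';') means that no CA is authorized.
    """
    return record.value.split(";", 1)[0].strip().lower()


def may_issue(zone, name, ca_domain):
    """Return (allowed, reason) for CA `ca_domain` issuing a certificate for `name`.

    A leading '*.' marks a wildcard request, which is evaluated against the
    name the wildcard covers.
    """
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    owner, rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no CAA record found up to the root: any CA may issue"

    # A tag the CA does not recognise, with the critical bit set, forbids issuance.
    for rec in rrset:
        if rec.tag not in KNOWN_TAGS and rec.flags & CRITICAL:
            return False, f"{owner}: critical tag '{rec.tag}' not understood"

    # issuewild, when present, governs wildcard requests; otherwise issue does.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    policy = [r for r in rrset if r.tag == tag]
    if not policy:
        # e.g. an RRset holding only iodef: it does not restrict issuance.
        return True, f"{owner}: no '{tag}' property, issuance not restricted"

    issuers = {issuer_of(r) for r in policy}
    if ca_domain.lower() in issuers:
        return True, f"{owner}: '{tag}' authorizes {ca_domain}"
    allowed = sorted(i for i in issuers if i) or "nobody"
    return False, f"{owner}: '{tag}' allows only {allowed}"


if __name__ == "__main__":
    for req, ca in [("blog.example.com", "letsencrypt.org"),
                    ("*.example.com", "letsencrypt.org"),
                    ("legacy.example.com", "letsencrypt.org"),
                    ("*.legacy.example.com", "digicert.com"),
                    ("locked.example.com", "letsencrypt.org"),
                    ("example.org", "anyca.example")]:
        ok, why = may_issue(ZONE, req, ca)
        print(f"{'ALLOW' if ok else 'DENY ':5} {ca:16} -> {req:24} ({why})")
```

To run it against a real zone instead of the constructed one, replace the entries of ZONE with the lines printed by `dig +short CAA <name>`, which are in exactly the presentation form parse_caa accepts.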