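/*
 * 背景与价值
 * CAA记录可限制允许颁发证书的CA并配置报告地址。正确配置能防止未经授权的证书签发并提升可审计性。
 *
 * 统一规范
 * issue:允许特定CA为该域颁发证书。
 * issuewild:允许特定CA为通配证书颁发(默认不建议)。
 * iodef:配置违规报告端点(mailto/https)。
 *
 * 核心实现 解析与校验(示意)
 *
 * (Background: CAA records restrict which CAs may issue for a domain and name a
 * violation-report endpoint. The helpers below parse CAA lines in presentation
 * format and audit them against a CA allow-list. Illustrative, not a full RFC 8659
 * implementation.)
 */

/** Property tags this audit understands; other tags are ignored by the parser. */
type CaaTag = 'issue' | 'issuewild' | 'iodef'

/** One parsed CAA property: its (lower-cased) tag and the quoted value verbatim. */
type CaaRecord = { tag: CaaTag; value: string }

/** CAs permitted to issue for the audited domain (compared case-insensitively). */
const allowCa = new Set(['letsencrypt.org', 'digicert.com'])

/**
 * Presentation-format CAA line: an optional flags byte (e.g. `0` or `128`),
 * a tag and a double-quoted value. Tags are matched case-insensitively because
 * CAA tag names are not case-sensitive.
 */
const CAA_LINE = /^(?:\d{1,3}\s+)?(issue|issuewild|iodef)\s+"([^"]+)"$/i

/** Type guard narrowing an arbitrary string to one of the supported tags. */
function isCaaTag(s: string): s is CaaTag {
  return s === 'issue' || s === 'issuewild' || s === 'iodef'
}

/**
 * Parses newline-separated CAA lines into records.
 *
 * Lines that do not match `CAA_LINE` — including unknown tags and their flags —
 * are dropped silently, so a critical (128) flag on an unrecognised tag is not
 * surfaced by this audit.
 *
 * @param txt raw text, one CAA property per line (CRLF or LF)
 * @returns records in input order
 */
function parseCaa(txt: string): CaaRecord[] {
  const out: CaaRecord[] = []
  for (const raw of txt.split(/\r?\n/)) {
    const m = CAA_LINE.exec(raw.trim())
    if (m === null) continue
    const tag = (m[1] ?? '').toLowerCase()
    const value = m[2] ?? ''
    if (isCaaTag(tag)) out.push({ tag, value })
  }
  return out
}

/**
 * Checks an `issue`/`issuewild` value against the CA allow-list.
 *
 * Only the issuer-domain-name (text before the first `;`) is compared; any
 * `key=value` parameters after it are ignored. An empty issuer-domain-name
 * (the conventional `issue ";"`) forbids issuance by every CA — the most
 * restrictive setting — and is therefore accepted rather than reported.
 *
 * @param value the quoted CAA value, e.g. `letsencrypt.org; validationmethods=dns-01`
 */
function validIssue(value: string): boolean {
  const domain = (value.split(';')[0] ?? '').trim().toLowerCase()
  if (domain === '') return true
  return allowCa.has(domain)
}

/**
 * Checks an `iodef` value: a `mailto:` address or an `https://` URL with a host.
 *
 * @param value the quoted CAA value
 */
function validIodef(value: string): boolean {
  const isMailto = /^mailto:[^\s@]+@[^\s@]+\.[^\s]+$/.test(value)
  const isHttps = /^https:\/\/[^\s/]+/.test(value)
  return isMailto || isHttps
}

/**
 * Audits parsed records and collects those that fail their tag's check.
 *
 * Note that an empty record list yields `ok: true` even though, with no CAA
 * records published, no CA is restricted — callers wanting to enforce the
 * presence of an `issue` record must check `records.length` themselves.
 *
 * @param records output of `parseCaa`
 * @returns `ok` when no record failed, plus the failing records
 */
function auditCaa(records: CaaRecord[]): { ok: boolean; problems: CaaRecord[] } {
  const check: Record<CaaTag, (value: string) => boolean> = {
    issue: validIssue,
    issuewild: validIssue,
    iodef: validIodef,
  }
  const problems = records.filter((r) => !check[r.tag](r.value))
  return { ok: problems.length === 0, problems }
}

/*
 * 落地建议
 * 将允许颁发的CA收敛到白名单;慎用issuewild,默认不启用通配证书。
 * 配置iodef为mailto或https端点,启用违规报告与审计。
 *
 * 验证清单
 * CA是否命中白名单;报告端点格式是否有效;是否避免启用通配证书颁发。
 */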
