Feature request: More granular CAA record check

[thorsheim]

CAA record check now says "Your domain has a valid, sufficiently protective CAA.", as long as you have a valid CAA with a list of 1 or more CAs to issue certificates for a given domain. The test explanation also mentions issuemail (S/MIME) & issuevmc (BIMI), but lack of these doesn't change the scoring.

I would suggest to make this a bit granular like this in the scoring, not just in test explanation:

red: no CAA
orange (?): CAA record exist, but (probably) only has issue records, with/out mailto:, no DNSSEC
yellow: CAA record exist, with issue + mailto configured, but missing issuemail & issuevmc, DNSSEC enabled for domain
green: CAA with issue, issuemail & issuevmc + mailto configured, and any iodef contains https (secure) link, and dnssec is enabled for domain.

CA/Browser Forum also successfully voted for contactemail & contactphone as additional entries into CAA records as alternatives to missing WHOIS information, but I cannot find precise info on this in any RFC. However the wikipedia article on CAA mentions these options https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization, and Hetzner has it in their documentation: https://docs.hetzner.com/networking/dns/record-types/caa-record/

[WKobes]

CA/Browser Forum also successfully voted for contactemail & contactphone as additional entries into CAA records as alternatives to missing WHOIS information, but I cannot find precise info on this in any RFC.

These are records submitted to the IANA registry, see: https://www.iana.org/assignments/pkix-parameters/pkix-parameters.xhtml. Adding records to the registry does not specifically require a RFC.

[bwbroersma]

@thorsheim: currently what is included in the scoring is based on what is required by Dutch regulations. CAA is not a required standard, and therefore not included in the scoring. Red would mean it's included in the scoring. And currently there is only ⚠️ warning, no orange/yellow difference.

There were some CAA parsing ideas, regarding testing for a common CAA identifier. It's however a valid point to also take into account to cover all certificate types, and include best practices.

Note: the current CAA implementation already parses contactemail, contactphone and checks if iodef contains a https or mailto link, see:

• Internet.nl/checks/caa/parser.py

  Lines 146 to 147 in ae9bc4d

  	def validate_property_iodef(value: str):
  	"""Validate iodef value per RFC8659 4.4"""

• Internet.nl/checks/caa/parser.py

  Lines 170 to 172 in ae9bc4d

  	class PhoneNumberRule(_Rule):
  	"""
  	Grammar for phone numbers per RFC3966.

Related:

• Fix #194 - Add CAA test #1624 (comment)
• Test domains for CAA record [website test] #194 (comment)

[thorsheim]

@bwbroersma yeah, and this is the nagging part for expanding features/configuration/reporting in such a way that results can be seen in regard to different recommendations / laws in different countries. Yes, I know that is asking a lot. But hey, just changing the output to specifically list the additional CAA as part of the result but not scoring them is still an improvement imho.