octodns.zone.caa

Classes

CaaZoneValidator(id[, presence, sets])

Comprehensive best-practice validator for CAA records.

class octodns.zone.caa.CaaZoneValidator(id, presence='optional', sets=None)

Bases: ZoneValidator

Comprehensive best-practice validator for CAA records.

Checks:

  1. Presence of ``issue`` or ``issuewild`` — At least one CAA record must contain an issue or issuewild tag to explicitly authorize which Certificate Authorities may issue certificates.

  2. Explicit wildcard policy — If an issue tag is present but no issuewild tag exists, wildcard certificate issuance falls back to the issue policy. This validator recommends adding an explicit issuewild record to make the wildcard-issuance policy clear.

Can operate in two modes: ‘optional’ (default) and ‘required’. In ‘optional’ mode, the validator only runs if CAA records are present. In ‘required’ mode, a CAA record MUST be present at the zone apex.

Regardless of mode, if CAA records are found (at the apex or at sub-domains) they will be validated against best practices.

Enabled as part of the best-practice validator set:

manager:
  enabled:
    - best-practice

Examples:

Common configuration for Let’s Encrypt:

- flags: 0
  tag: issue
  value: letsencrypt.org
- flags: 0
  tag: issuewild
  value: letsencrypt.org

Configuration for non-issuance (restricting all issuance):

- flags: 0
  tag: issue
  value: ";"
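The two checks and the two presence modes described above, carried through as a stand-alone added example. This is illustration code written for this page, not octoDNS's own CaaZoneValidator: it uses a minimal dataclass zone model instead of octodns.zone.Zone and octodns.record.Record, and every name in it (CaaValue, Record, caa_record, is_active, check_caa) and the sample values at the bottom are assumptions constructed to mirror the YAML examples above.

```python
"""Added illustration of the CAA checks and presence modes described above.

Example code written for this page, not octoDNS's implementation: the
zone model, function names and sample values are all assumptions.
"""
from dataclasses import dataclass


@dataclass
class CaaValue:
    flags: int
    tag: str      # 'issue', 'issuewild' or 'iodef'
    value: str


@dataclass
class Record:
    name: str     # '' denotes the zone apex
    type: str
    values: list


def caa_record(name, values):
    """Build a CAA Record from dicts shaped like the YAML examples above."""
    return Record(name, 'CAA',
                  [CaaValue(v['flags'], v['tag'], v['value']) for v in values])


def is_active(sets, enabled):
    """Mirror the ``sets`` parameter: None activates the validator always,
    otherwise it runs only when one of its set names is enabled (for
    example when ``manager.enabled`` lists ``best-practice``)."""
    return sets is None or bool(set(sets) & set(enabled))


def check_caa(records, presence='optional'):
    """Return a list of reason strings; empty when the zone passes.

    presence='optional': the checks run only if CAA records exist.
    presence='required': additionally, a CAA record must exist at the apex.
    """
    if presence not in ('optional', 'required'):
        raise ValueError(f'unknown presence mode {presence!r}')
    reasons = []
    caa = [r for r in records if r.type == 'CAA']
    if presence == 'required' and not any(r.name == '' for r in caa):
        reasons.append('zone apex has no CAA record (presence=required)')
    # Regardless of mode, every CAA record found (apex or sub-domain) is
    # checked against the two best practices.
    for record in caa:
        label = record.name or '@'
        tags = {v.tag for v in record.values}
        if not tags & {'issue', 'issuewild'}:
            # Check 1: no tag explicitly authorises (or denies) any CA.
            reasons.append(f'{label}: no issue or issuewild tag; no CA is '
                           'explicitly authorised')
        elif 'issue' in tags and 'issuewild' not in tags:
            # Check 2: wildcard issuance silently falls back to the issue
            # policy; recommend an explicit issuewild record.
            reasons.append(f'{label}: issue present without issuewild; '
                           'wildcard issuance falls back to the issue policy')
    return reasons


# Constructed sample values, in the shape of the YAML examples on this page.
LETSENCRYPT = [
    {'flags': 0, 'tag': 'issue', 'value': 'letsencrypt.org'},
    {'flags': 0, 'tag': 'issuewild', 'value': 'letsencrypt.org'},
]
NO_ISSUANCE = [{'flags': 0, 'tag': 'issue', 'value': ';'}]
IODEF_ONLY = [  # constructed: a reporting address only, no issue/issuewild
    {'flags': 0, 'tag': 'iodef', 'value': 'mailto:security@example.com'},
]


if __name__ == '__main__':
    print(check_caa([caa_record('', LETSENCRYPT)]))      # []
    print(check_caa([], presence='required'))            # one reason: apex missing
    print(check_caa([caa_record('www', NO_ISSUANCE)]))   # one reason: no issuewild
    print(check_caa([caa_record('', IODEF_ONLY)]))       # one reason: no issue tag
```

In 'optional' mode an empty record list yields no reasons at all, because the validator only runs when CAA records are present; in 'required' mode the same input yields the apex reason. Because the second check is applied exactly as stated above, the single-record non-issuance example (issue only, value ";") also receives the issuewild recommendation in this illustration; adding an explicit issuewild value makes the wildcard policy unambiguous either way.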

References:

__init__(id, presence='optional', sets=None)
Parameters:
  • id – Non-empty identifier for this validator instance.

  • presence – 'optional' (default) or 'required'; see the mode description above.

  • sets – Iterable of set names, or None to always activate.

validate(zone)

Validate a fully populated zone.

Parameters:

zone – The Zone to validate.

Returns:

list[ValidationReason] of reason objects; empty when valid.