1. DNS/CAA
について、ここに記述してください。
DNSを用いたサーバー証明書の発行制御 https://jprs.jp/related-info/guide/024.pdf
DNS検索における注意点 CAがCAAリソースレコードをDNS検索する場合、 DNSの階層構造をさかのぼる形でTLDまで順に検索し、 最初に見つかったCAAリソースレコードを設定結果として用います。
https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
1.1. DNS Certification Authority Authorization
This is not intended to support additional cross-checking at the client end of Transport Layer Security (TLS) connections (rather, DNS-based Authentication of Named Entities – DANE – is intended to be used for that purpose),
but as a check for CAs to carry out as part of their issuance procedures. CAA records are intended to allow CAs to avoid mis-issuing certificates in some circumstances, while DANE records are intended to allow relying applications (TLS clients) to avoid relying on mis-issued certificates in some circumstances.[1]
DNS Certification Authority Authorization is specified by RFC 6844.
It defines a new "CAA" DNS resource record type for name-value pairs that can carry a wide range of information to be used as part of the CA authorization process.
It may also be possible for certificate evaluators to use CAA records to detect possible mis-issued certificates.
However, the certificate evaluator should consider that the CAA records may have changed between the time the certificate was issued and the time the certificate is observed by the evaluator.[1]
1.2. what
https://help.dnsmadeeasy.com/managed-dns/dns-record-types/caa-records/
DNS CAA Resource Record Check