From 41c7dd0c1eb7ea41a7c92b1876a38549749d70bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Charaoui?= <jerome@riseup.net>
Date: Thu, 30 Nov 2023 20:33:27 -0500
Subject: [PATCH] howto/tls: document caa records

---
 howto/tls.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/howto/tls.md b/howto/tls.md
index 635c5c9d..16153b57 100644
--- a/howto/tls.md
+++ b/howto/tls.md
@@ -297,6 +297,17 @@ time of writing (2020-04-15):
 
 See also the [alternative certificate authorities we could consider](#other-certificate-authorities).
 
+### Certificate Authority Authorization (CAA)
+
+`torproject.org` and `torproject.net` implement CAA records in DNS to restrict
+which certificate authorities are allowed to issue certificates for these
+domains and under what restrictions.
+
+For Let's Encrypt domains, the CAA record also specifies which account is
+allowed to request certificates. This is represented by an "account uri", and
+is found among `certbot` and `dehydrated` configuration files. Typically, the
+file is named `account_id.json`.
+
 ### Internal auto-ca
 
 The internal "auto-ca" is a standalone certificate authority running
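Review bot: the last added paragraph sends readers to a file named `account_id.json`, but that name is dehydrated's layout only; certbot keeps the account URI in `regr.json` under its accounts directory, so the sentence should give the path per tool rather than "typically". The paragraph also never shows the record it describes: one example line such as `torproject.org. CAA 0 issue "letsencrypt.org; accounturi=<account uri>"` would let a reader compare the DNS record against the URI in the client's account file and against what `dig CAA torproject.org` returns. Finally, "and under what restrictions" in the first paragraph is vague; name the restrictions the records actually impose (issuing account, and validation method if used) so an operator knows which fields to update when an account is rotated.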
-- 
GitLab