Domain Name Service. FAQs. Issue 07 Date HUAWEI TECHNOLOGIES CO., LTD.


Issue 07 Date 2019-03-05 HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2019. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Contents

1 What Are the Private DNS Server Addresses Provided by the DNS Service?
2 Why Does My Record Set Not Take Effect?
3 How Many Domain Name Levels Does the DNS Service Support?
4 How Do I Switch to a Private DNS Server?
5 Is the DNS Service Charged?
6 How Many Zones/Record Set/PTR Records Can I Create?
7 Why Is the Email Address Format Changed in the SOA Record?
8 Are Wildcard DNS Record Sets Supported?
9 How Zones Are Queried to Resolve a Domain Name?
10 What Are the DNS Servers Provided by HUAWEI CLOUD DNS?
11 What Is TTL?
12 What Is the Priority in an MX Record Used for?
13 How Do I Test Whether a Record Set Is Working?
14 Why Does the System Prompt Me That My Record Set Is in Conflict with an Existing One?
15 When Will a Record Set Take Effect After I Create It?
16 When Will a Record Set Modification Take Effect?
17 If a VPC Associated with a Private Zone Is Deleted, Will It Be Automatically Disassociated from the Zone?
18 Do I Need to Register Private Domain Names?
19 Are the Private DNS Server Addresses for All Users the Same or Different?
20 Can I Modify a Created DNS Zone?
21 How Is a Domain Name Resolved When a Record Set Has Multiple Values?
22 How Can I Access an ECS Using Its Host Name?
23 How Can I Configure a PTR Record for an ECS Private IP Address?
24 What Is CAA?
25 What Are the Restrictions on Private DNS Request Traffic?
26 Change History

1 What Are the Private DNS Server Addresses Provided by the DNS Service?

Private DNS servers are used in VPCs to:
- Resolve private domain names and internal domain names of other cloud services, such as OBS and Workspace.
- Forward domain name requests to public DNS servers.

Compared with the public DNS server 114.114.114.114, private DNS servers provided by the DNS service have the following advantages:
- Resolve private domain names created within VPCs.
- Access internal addresses of cloud services like OBS and SFS.
- Allow ECSs not assigned with EIPs to access the public network.

Table 1-1 lists private DNS server addresses provided by the DNS service in different regions.

Table 1-1 Private DNS server addresses

| Region | Private DNS Server |
|---|---|
| CN North-Beijing1 | 100.125.1.250, 100.125.21.250 |
| CN North-Beijing4 | 100.125.1.250, 100.125.129.250 |
| CN Southwest-Guiyang1 | 100.125.1.250, 100.125.129.250 |
| CN South-Guangzhou | 100.125.1.250, 100.125.136.29 |
| CN East-Shanghai2 | 100.125.17.29, 100.125.135.29 |
| AP-Hong Kong | 100.125.1.250, 100.125.3.250 |
| AP-Bangkok | 100.125.1.250 |

2 Why Does My Record Set Not Take Effect?

If an IP address cannot be returned when you ping a domain name, the record set is not working. The possible reasons are the following:
- The network is faulty.
- The record set is abnormal.
- The record set is modified or cached by the DNS server.

You can perform the following operations to locate the fault for your domain name, for example, example.com:

1. Check the local network.
   Check whether you can successfully ping another domain name.
   - If yes, the network is well connected. Go to step 2.
   - If no, the local network is faulty. Contact the broadband carrier to rectify the fault.
2. Check whether the record set takes effect.
   a. Run the dig example.com @ns1.hwclouds-dns.com or dig example.com @ns1.hwclouds-dns.net command.
      If the command output shows that the record set does not take effect, go to step 2.b. Otherwise, the DNS server is normal. In this case, go to step 3.
   b. Log in to the DNS console and check whether the record set is available and in normal status.
      - If the record set is not available, add it and perform step 2.a again.
      - If the record set is not in normal status, delete the record set and re-create it. Then, perform step 2.a again.
      - If the record set is available and normal, submit a service ticket to get service support.
3. Check whether the record set is modified or cached.
   a. Check whether the DNS server has been changed. Changing the DNS server will take effect in 24 to 48 hours.
   b. Check whether the record set is cached by the local computer.
      - For a Windows OS, run the ipconfig /flushdns command to refresh the DNS cache.
      - A Linux or Unix OS does not cache DNS records. However, if the NSCD service is installed, run the service nscd restart command to refresh the DNS cache.
   c. Check whether the record set is cached by the local DNS server provided by the carrier.
      DNS records are usually cached for less than an hour. Therefore, you can run the ping command an hour later to check whether the record set takes effect.
   d. Check whether the local DNS server has been spoofed. (If so, the DNS record set may have been changed.)
      Change your local DNS server to a public DNS server, for example, 8.8.8.8 or 114.114.114.114, and run the dig example.com @8.8.8.8 or dig example.com @114.114.114.114 command to check whether the record set takes effect.

3 How Many Domain Name Levels Does the DNS Service Support?

The DNS service supports the following levels for domain names suffixed with .com:
- Second level, such as example.com
- Third level, such as www.example.com

The DNS service supports the following levels for domain names suffixed with .com.cn:
- Third level, such as example.com.cn
- Fourth level, such as www.example.com.cn

4 How Do I Switch to a Private DNS Server?

The public DNS server 114.114.114.114 is configured for ECSs by default. Switching to a private DNS server not only allows you to access domain names on the public network from ECSs, but also enables you to access internal cloud service addresses, such as OBS and SMN. Therefore, we recommend that you use the private DNS server for your ECSs.

For detailed addresses of the private DNS servers, see section 1 What Are the Private DNS Server Addresses Provided by the DNS Service?

Changing the DNS Server for VPC Subnets

1. Log in to the management console.
2. In the Network category, click Virtual Private Cloud. The VPC console is displayed.
3. In the navigation pane on the left, choose Virtual Private Cloud. The Virtual Private Cloud page is displayed.
4. Click the name of the VPC for which the subnet is to be modified.
5. On the Subnets tab, locate the required subnet and click Modify to change the DNS server addresses.
   For example, in the South China region, you need to change the DNS server addresses of a VPC subnet to 100.125.1.250 and 100.125.136.29.

   Figure 4-1 Modify Subnet

Updating DNS Server Addresses for ECSs

After you change the DNS server addresses of a VPC subnet, the DNS server addresses of ECSs in the subnet are not updated immediately. You can use either of the following methods to update the DNS server addresses for an ECS:

- Restart the OS. The ECS will then obtain the new DNS server addresses from the DHCP server.
  Restarting the OS will interrupt services on the ECS. You are advised to do it during off-peak hours. After the DHCP lease time (12 hours by default) ends, the ECS will update the IP address and DNS server address with the DHCP server.
- Manually change DNS configurations of the ECS.
  If the DHCP function is disabled on the ECS, you need to manually update DNS configurations. For example, in a Linux OS, change DNS configurations in the /etc/resolv.conf file. The method varies for different OSs.

5 Is the DNS Service Charged?

No.

6 How Many Zones/Record Set/PTR Records Can I Create?

By default, you can create a maximum of 50 public zones, 50 private zones, 50 PTR records, and 500 record sets. If the quotas do not meet your service requirements, you can contact service support to apply for more resources.

7 Why Is the Email Address Format Changed in the SOA Record?

The email address you entered when creating a zone is used to receive error or problem reports about the zone. You can specify an email address you frequently use as the zone administrator's mailbox. However, in line with RFC 2142, we strongly recommend that you use HOSTMASTER@Domain name as the email address.

After the zone is created, the email address you specified is displayed in the SOA record set of the zone. Note that the "@" sign has another meaning in the SOA record set. Therefore, the system replaces @ in the email address with a dot (.). If there is already a dot before @, the system escapes that dot with a backslash (\). However, emails are still sent to the email address you specified. For more details, see RFC 1035.

Take test.hostmaster@example.com as an example. If you have specified test.hostmaster@example.com when creating the zone, the email address displayed in the SOA record set is test\.hostmaster.example.com.
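The conversion described above, in both directions, as an added example that is not part of the original FAQ or of the DNS service's code. The function names are hypothetical; the sample address is the one used in this section.

```python
"""Convert between an administrator e-mail address and its SOA (RNAME) form."""


def email_to_rname(email: str) -> str:
    """Return the SOA mailbox form: '@' becomes '.', dots before '@' are escaped."""
    local, at, domain = email.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    # Escape backslashes first so the escaping stays reversible.
    escaped = local.replace("\\", "\\\\").replace(".", "\\.")
    return f"{escaped}.{domain.rstrip('.')}"


def rname_to_email(rname: str) -> str:
    """Recover the e-mail address: the first unescaped dot is the '@'."""
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])  # escaped character belongs to the local part
            i += 2
        elif ch == ".":
            domain = rname[i + 1:].rstrip(".")
            if not local or not domain:
                raise ValueError(f"malformed SOA mailbox: {rname!r}")
            return "".join(local) + "@" + domain
        else:
            local.append(ch)
            i += 1
    raise ValueError(f"no unescaped dot in SOA mailbox: {rname!r}")


def naive_rname_to_email(rname: str) -> str:
    """What a tool gets if it ignores the escape and swaps the first dot."""
    return rname.replace(".", "@", 1)


if __name__ == "__main__":
    shown = email_to_rname("test.hostmaster@example.com")
    print(shown)                        # form displayed in the SOA record set
    print(rname_to_email(shown))        # correct contact address
    print(naive_rname_to_email(shown))  # wrong contact address
```

Monitoring or reporting tools that read the SOA mailbox need the escape-aware parse; the naive one produces an address that does not exist.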

8 Are Wildcard DNS Record Sets Supported?

Yes. You can use an asterisk (*) as the host name in a domain name to create a wildcard record set. For more details, see RFC 4592.

Currently, you can create a wildcard DNS record set of the A, AAAA, MX, CNAME, TXT, and SRV types.

9 How Zones Are Queried to Resolve a Domain Name?

When a domain name resolution request is initiated, the domain name is first queried in the zone of a subdomain, if there is one. If that zone has been created, the system returns the result from its zone configuration file. Otherwise, the system queries the domain name in the zone configuration file of a higher-level domain name.

For example, you have created a zone for example.com and added an A record set for www.example.com, and you have also created a zone for www.example.com but have not added an A record set to it. In this case, if a visitor tries to access www.example.com, the name is first queried in the configuration file of the www.example.com zone. However, because you have not added an A record set to that zone, no result will be returned.
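The lookup order described above, modelled as an added example that is not part of the original FAQ or of the DNS service's code. It assumes the most specific zone always wins with no fallback to the parent zone, which is what the www.example.com case shows; the zone data, addresses and function names are constructed for illustration. The audit function lists parent-zone records that can never be served because a child zone takes precedence.

```python
"""Model of zone selection: the most specific zone answers, even when empty."""


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def select_zone(qname: str, zones: dict):
    """Return the zone whose name is the longest label-wise suffix of qname."""
    q = _norm(qname).split(".")
    best, best_len = None, 0
    for zone in zones:
        z = _norm(zone).split(".")
        if len(z) <= len(q) and q[-len(z):] == z and len(z) > best_len:
            best, best_len = zone, len(z)
    return best


def resolve(qname: str, rtype: str, zones: dict):
    """Return (zone consulted, values). An empty list means no result."""
    zone = select_zone(qname, zones)
    if zone is None:
        return None, []
    return zone, zones[zone].get((_norm(qname), rtype), [])


def shadowed_records(zones: dict):
    """List records stored in a zone that a more specific zone hides."""
    findings = []
    for zone, records in zones.items():
        for name, rtype in records:
            owner = select_zone(name, zones)
            if owner is not None and _norm(owner) != _norm(zone):
                findings.append((zone, name, rtype, owner))
    return sorted(findings)


# Constructed sample data mirroring the example in this section.
ZONES = {
    "example.com": {
        ("www.example.com", "A"): ["192.0.2.10"],
        ("api.example.com", "A"): ["192.0.2.20"],
    },
    "www.example.com": {},  # zone exists but has no A record set
}

if __name__ == "__main__":
    print(resolve("www.example.com", "A", ZONES))  # child zone consulted, no values
    print(resolve("api.example.com", "A", ZONES))  # parent zone answers
    for finding in shadowed_records(ZONES):
        print("shadowed:", finding)
```

Running such an audit over an exported zone list before creating a subdomain zone shows which existing names would stop resolving.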

10 What Are the DNS Servers Provided by HUAWEI CLOUD DNS?

The DNS servers provided by the DNS service are ns1.hwclouds-dns.com and ns1.hwclouds-dns.net.

11 What Is TTL?

TTL is short for time to live, which specifies the cache period of resource records on a local DNS server.

The local DNS server is connected with the client computer. By default, its address is assigned by the broadband carrier. You can also choose a public DNS server, for example, 114.114.114.114 and 8.8.8.8, as your local DNS server.

When the local DNS server receives a resolution request of a domain name, it asks the authoritative DNS server of the domain name for the required resource record, and then caches the record for a period of time. During this period, if the local DNS server receives resolution requests of this domain name again, it does not request the record from the authoritative DNS server, but directly returns a result from the record in its cache. The time period during which resource records are cached on the local DNS server is specified by the TTL value.

You can set it when adding record sets in public or private zones. For details, see Managing Record Sets.

12 What Is the Priority in an MX Record Used for?

The priority in an MX record specifies the sequence for an email server to receive emails. A smaller value indicates a higher priority.

If there is only one MX record on the DNS server, the priority does not work. If multiple MX records have been created, the DNS server of the email sender preferentially sends emails to the email server with the highest priority. Once this email server becomes faulty, the DNS server of the sender automatically sends emails to the email server with the second highest priority.

You can set the priority when creating MX record sets in public or private zones. For details, see Managing Record Sets.

13 How Do I Test Whether a Record Set Is Working?

You can run the following commands in the DOS window on a PC connected to the Internet:

ping Domain name
nslookup [-qt=Type] Target domain name Authoritative DNS server
dig Type Target domain name @Authoritative DNS server

NOTE
- Set Type in the nslookup and dig commands to the record type, for example, A, CNAME, TXT, or MX, to check whether the record of that type works. If you do not specify a type, the system queries the A record by default.
- If the PC does not support the dig command, you need to manually install it first.

14 Why Does the System Prompt Me That My Record Set Is in Conflict with an Existing One?

The record set you are trying to create is in conflict with or the same as an existing record set.

Table 14-1 lists the restrictions on two types of record sets when their names and resolution lines are the same.

Table 14-1 Whether there is a conflict between two record types

| | NS | CNAME | A | AAAA | MX | TXT | PTR | SRV | CAA |
|---|---|---|---|---|---|---|---|---|---|
| NS | No repeat | Yes | No | No | No | No | No | No | No |
| CNAME | Yes | No repeat | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| A | No | Yes | No repeat | No | No | No | No | No | No |
| AAAA | No | Yes | No | No repeat | No | No | No | No | No |
| MX | No | Yes | No | No | No repeat | No | No | No | No |
| TXT | No | Yes | No | No | No | No repeat | No | No | No |
| PTR | No | Yes | No | No | No | No | No repeat | No | No |
| SRV | No | Yes | No | No | No | No | No | No repeat | No |
| CAA | No | Yes | No | No | No | No | No | No | No repeat |

The rules are as follows:
- Yes: The two types of record sets cannot be created at the same time.
- No repeat: A record set cannot be added repeatedly.
- No: The two types of record sets can coexist without restrictions.

For example, if you have added an NS record set in the China Telecom line for the domain name www.example.com, the rules take effect as follows:
- You cannot add an NS record set of the same name in the China Telecom line.
- You cannot create a CNAME record set of the same name in the China Telecom line.
- You can add A, AAAA, MX, TXT, PTR, SRV, and CAA record sets without any restrictions.

15 When Will a Record Set Take Effect After I Create It?

If the record set is created for the first time, it takes effect immediately.

If you delete a record set and add it again, it takes effect after the time period specified in the TTL of the previous record set. In some cases, however, the carrier may prolong the cache period of a domain name.

16 When Will a Record Set Modification Take Effect?

After you modify a record set, the modification takes effect after the cache period specified in the TTL of the record set. In some cases, however, the carrier may prolong the cache period of a domain name.

17 If a VPC Associated with a Private Zone Is Deleted, Will It Be Automatically Disassociated from the Zone?

No. If a VPC is deleted, you need to manually disassociate it from the private zone.

18 Do I Need to Register Private Domain Names?

Private domain names you created in HUAWEI CLOUD DNS take effect only in associated VPCs. Therefore, you do not need to register them or submit them for an ICP license.

You can customize any private domain names (except com) as long as they comply with domain name specifications. All private domain names are free of charge.

19 Are the Private DNS Server Addresses for All Users the Same or Different?

Private DNS server addresses are the same for all tenants in the same AZ, and private domain names of different tenants are logically isolated.

20 Can I Modify a Created DNS Zone?

After a zone is created, you cannot change its name, but can update its email address and description.

21 How Is a Domain Name Resolved When a Record Set Has Multiple Values?

When a record set has multiple values, an IP address is randomly returned for each query. According to statistics, the probability for returning each IP address is technically the same.

Currently, the DNS service does not support polling query based on weights.

22 How Can I Access an ECS Using Its Host Name?

The DNS service allows you to create private zones for any top-level domain names except com in private networks. When you buy an ECS, you set a host name for it, for example, ecs01. Then, you can create a private zone ecs01 in the DNS service and add an A record to map the domain name ecs01 to the private IP address of the ECS so that the ECS can be accessed using its host name.

Procedure

1. Log in to the management console.
2. In the Network category, click. The DNS console is displayed.
3. In the navigation pane, choose DNS Resolution > Private Zones. The Private Zones page is displayed.
4. Click on the upper left and select the desired region and project.
5. Click Create Private Zone.
   Set the zone name to the ECS host name, ecs01.
6. Click OK.
   You can query information about the private zone you created on the Private Zones page.
7. In the zone list on the Private Zones page, click the name of the private zone you created. The record set page is displayed.
8. Click Add Record Set.
   Add an A record set in the ecs01 zone.
   - Set Type to A Map domains to IPv4 addresses.
   - Leave the Name field blank.
   - Set Value to the private IP address of the ECS, for example, 192.168.1.10.
9. Click OK.

After the record set is created, you can use the domain name ecs01 to access the ECS whose private IP address is 192.168.1.10 from the associated VPC.

23 How Can I Configure a PTR Record for an ECS Private IP Address? 23 How Can I Configure a PTR Record for an ECS Private IP Address? PTR records enable visitors to query domain names based on IP addresses. On the PTR Records page on the console, you can configure PTR records for EIPs. If you want to add PTR records for ECS private IP addresses, create a private zone and create PTR records in the zone. The domain name in a PTR record is specified in the x.x.x.x.in-addr.arpa format. NOTE Creating a Private Zone in-addr.arpa is the domain name suffix for reverse resolution. For example, if the private IP address is 192.168.1.10, its domain name in the PTR record is 10.1.168.192.in-addr.arpa. In this case, you need to create a private zone 192.in-addr.arpa and add a PTR record 10.1.168.192.inaddr.arpa. 1. Log in to the management console. 2. In the Network category, click. The DNS console is displayed. 3. In the navigation pane, choose DNS Resolution > Private Zones. The Private Zones page is displayed. 4. Click on the upper left and select the desired region and project. 5. Click Create Private Zone. Issue 07 (2019-03-05) Copyright Huawei Technologies Co., Ltd. 28

23 How Can I Configure a PTR Record for an ECS Private IP Address? Figure 23-1 Create Private Zone 6. Configure the parameters according to Table 23-1. Table 23-1 Parameters required for creating a private zone Parameter Description Example Value Name VPC Email Domain name Set the domain name suffix to in-addr.arpa. VPC to be associated with the private zone (Optional) Email address of the administrator managing the private zone It is recommended that you set the email address to HOSTMASTER@Domai n name. For more details about the email address, see 7 Why Is the Email Address Format Changed in the SOA Record? 192.in-addr.arpa - HOSTMASTER@exampl e.com Issue 07 (2019-03-05) Copyright Huawei Technologies Co., Ltd. 29

23 How Can I Configure a PTR Record for an ECS Private IP Address? Parameter Description Example Value Tag Description (Optional) Identifier of a resource. Each tag contains a key and a value. You can add 10 tags at most to a zone. For details about tag key and value requirements, see Table 23-2. (Optional) Description of the domain name, which cannot exceed 255 characters example_key1 example_value1 This is a private zone. Table 23-2 Tag key and value requirements Parameter Requirement Example Value Key Value Cannot be left blank. Must be unique for each resource. Consists of at most 36 characters. Cannot start or end with a space or contain =*<>\, / and Unicode characters. Cannot be left blank. Consists of at most 43 characters. Cannot start or end with a space or contain =*<>\, / and Unicode characters. example_key1 example_value1 7. Click OK. Adding a PTR Record You can query information about the private zone you created on the Private Zones page. NOTE Click the zone name to query detailed zone information. The system has created record sets of the SOA type and NS type in the zone. The SOA record set determines the DNS server that is the authoritative information source for a particular domain name. The NS record set defines authoritative DNS servers for a zone. 1. In the zone list on the Private Zones page, click the name of the private zone you created. The record set page is displayed. Issue 07 (2019-03-05) Copyright Huawei Technologies Co., Ltd. 30

2. Click Add Record Set. The Add Record Set box is displayed.

Figure 23-2 Add Record Set

3. Configure the parameters according to Table 23-3.

Table 23-3 Parameters required for adding a record set of the PTR type

| Parameter | Description | Example Value |
|---|---|---|
| Name | IP address in the PTR record (typed in reverse order). For example, if the IP address is 192.168.1.10, the name of the PTR record is 10.1.168.192.in-addr.arpa. If the private zone name is 192.in-addr.arpa, enter 10.1.168 in the box. If the private zone name is 1.168.192.in-addr.arpa, enter 10 in the box. | 10.1.168 |
| Type | Type of the record set | PTR - Map IP addresses to domains |
| TTL (s) | Caching period of the record set (in seconds) | The default value is 300s, that is, 5 min. |
| Value | Domain name mapped to the IP address. You can enter only one name at a time. | mail.example.com |
| Tag | (Optional) Identifier of a resource. Each tag contains a key and a value. You can add 10 tags at most to a record set. This item is displayed when you switch on Other Settings. For details about tag key and value requirements, see Table 23-2. | example_key1 example_value1 |
| Description | (Optional) Description of the PTR record. This item is displayed when you switch on Other Settings. | The PTR record is for reverse resolution. |

4. Click OK.
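The naming rule in Table 23-3, as an added Python example (not part of the Huawei documentation): it derives the text to type in the Name box from the ECS private IP address and the private zone name, and rejects an address that does not fall inside the zone. The function name ptr_record_name is illustrative.

```python
import ipaddress


def ptr_record_name(ip, zone):
    """Return the Name-box value for `ip` inside the reverse zone `zone`."""
    addr = ipaddress.IPv4Address(ip)      # raises ValueError on a bad address
    full = addr.reverse_pointer           # e.g. 10.1.168.192.in-addr.arpa
    zone = zone.rstrip(".").lower()
    if not zone.endswith("in-addr.arpa"):
        raise ValueError("private zone name must end with in-addr.arpa")
    labels = full.split(".")
    zone_labels = zone.split(".")
    # Compare whole labels, so zone 92.in-addr.arpa never matches 192.x.x.x.
    if labels[-len(zone_labels):] != zone_labels:
        raise ValueError(f"{ip} does not belong to zone {zone}")
    relative = labels[:-len(zone_labels)]
    if not relative:
        raise ValueError("zone name already covers the whole address")
    return ".".join(relative)


if __name__ == "__main__":
    # The two cases given in Table 23-3.
    print(ptr_record_name("192.168.1.10", "192.in-addr.arpa"))
    print(ptr_record_name("192.168.1.10", "1.168.192.in-addr.arpa"))
```
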

24 What Is CAA?

Certification Authority Authorization (CAA) is a way to ensure that HTTPS certificates are issued only by authorized certificate authorities (CAs). It complies with IETF RFC 6844. Since September 8, 2017, all CAs are required to check CAA records before issuing certificates. Domain name owners can create CAA records to specify which CAs are authorized to issue certificates for their domain names.

Hundreds of CAs worldwide have the right to issue HTTPS certificates that verify the identity of a website. CAA allows you to specify the CAs that are authorized to issue HTTPS certificates for particular website domain names, which helps prevent fraudulent certificates. Setting CAA records is a way to enhance security for your websites.

CAA Specifications

CAs perform a DNS lookup for CAA records when they issue certificates.

- If a CA does not find any CAA record, it can issue a certificate for the domain name. Any other CA is also able to issue certificates for this domain name, which brings a risk of certificate mis-issuance.
- If the CA finds a CAA record that authorizes it to issue certificates, it will issue a certificate for the domain name.
- If the CA finds a CAA record but the record does not authorize it to issue certificates, the CA will not be able to issue HTTPS certificates for the domain name. In this case, HTTPS certificates will not be mis-issued.

CAA Record

A CAA record consists of a flag byte [flag], a property tag, and a property value [tag]-[value]. You can create multiple CAA records for a domain name.

Table 24-1 Configuration of CAA records

| Function | Example | Description |
|---|---|---|
| Configure a CAA record for one domain name. | domain.com. CAA 0 issue "ca.example.com" | Only the specified CA (ca.example.com) can issue certificates for a particular domain name (domain.com). Requests to issue certificates for the domain name by other CAs will be rejected. |
| | domain.com. CAA 0 issue ";" | No CA is allowed to issue certificates for the domain name domain.com. |
| Configure that the CA reports to the domain name holder. | domain.com. CAA 0 iodef "mailto:admin@domain.com" | When a certificate is requested that violates the CAA record, the CA will notify the domain name holder of the violation. |
| | domain.com. CAA 0 iodef "http://domain.com/log/" | Requests to issue certificates by unauthorized CAs will be recorded. |
| | domain.com. CAA 0 iodef "https://domain.com/log/" | |
| Authorize a CA to issue wildcard certificates. | domain.com. CAA 0 issuewild "ca.example.com" | The specified CA (ca.example.com) can issue wildcard certificates for the domain name. |
| Configuration example | domain.com. CAA 0 issue "ca.abc.com" | The example configures a CAA record for the domain name domain.com. Only CA ca.abc.com can issue certificates of all types. Only CA ca.def.com can issue wildcard certificates. Any other CAs are not allowed to issue certificates. When a violation occurs, the CA sends a notification to admin@domain.com. |
| | domain.com. CAA 0 issuewild "ca.def.com" | |
| | domain.com. CAA 0 iodef "mailto:admin@domain.com" | |

Checking Whether a CAA Record Takes Effect

You can run the dig command to check whether the CAA record has taken effect. The command format is: dig [Type] [Domain name] +trace.

For example:

    dig caa www.example.com +trace

NOTE
If the OS does not support the dig command, you need to manually install it first.
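The decision a CA makes from a domain's CAA record set, as an added Python example (not Huawei's code). It follows RFC 6844, including the rule that issuewild, when present, takes precedence over issue for wildcard requests, and the issuer-critical bit of the flag byte. The record tuples are constructed from Table 24-1, and the function names are illustrative.

```python
"""CAA issuance check following the rules in RFC 6844 (added example)."""

# Constructed record sets mirroring Table 24-1: (flags, tag, value)
SINGLE_CA = [(0, "issue", "ca.example.com")]
NO_CA = [(0, "issue", ";")]
SPLIT = [
    (0, "issue", "ca.abc.com"),
    (0, "issuewild", "ca.def.com"),
    (0, "iodef", "mailto:admin@domain.com"),
]

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical bit of the flag byte


def issuer_domain(value):
    """Return the CA domain from an issue/issuewild value ('' for ';')."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(records, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue, given the relevant CAA record set."""
    if not records:
        return True  # no CAA record: any CA may issue
    # An unrecognised tag with the critical bit set forbids issuance.
    for flags, tag, _ in records:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False
    issue = [issuer_domain(v) for _, t, v in records if t.lower() == "issue"]
    wild = [issuer_domain(v) for _, t, v in records if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests.
    relevant = wild if (wildcard and wild) else issue
    if not relevant:
        # Only iodef, or only issuewild on a non-wildcard request:
        # nothing in the record set restricts this request.
        return True
    return ca_domain.lower() in relevant


def iodef_targets(records):
    """Return the URLs a CA may report violating requests to."""
    return [v for _, t, v in records if t.lower() == "iodef"]
```
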

25 What Are the Restrictions on Private DNS Request Traffic?

To ensure lookup efficiency of private domain names, the private DNS servers limit traffic from source IP addresses.

If a server initiates DNS query requests at a frequency far above normal service demands, for example, with the QPS reaching 2000, the private DNS servers will suspend processing of DNS queries from that IP address.

If your services do generate a very large number of concurrent requests, we suggest that you enable DNS caching to improve lookup efficiency.

26 Change History

| Released On | Description |
|---|---|
| 2019-03-05 | This issue is the seventh official release, which incorporates the following changes: Updated the screenshots. Added DNS server addresses in different regions in section 1 What Are the Private DNS Server Addresses Provided by the DNS Service? |
| 2018-11-15 | This issue is the sixth official release, which incorporates the following changes: Updated the screenshots. |
| 2018-09-15 | This issue is the fifth official release, which incorporates the following changes: Added the following section: 25 What Are the Restrictions on Private DNS Request Traffic? Updated the screenshots. |
| 2018-08-15 | This issue is the fourth official release, which incorporates the following changes: Updated the screenshots. Modified description of parameter Type for adding a record set. Added private DNS servers for the Hong Kong region in section 1 What Are the Private DNS Server Addresses Provided by the DNS Service? |
| 2018-06-30 | This issue is the third official release, which incorporates the following changes: Updated the screenshots. Changed the tag character set range. |
| 2018-05-15 | This issue is the second official release, which incorporates the following changes: Modified description of parameter Type for adding a record set in section 22 How Can I Access an ECS Using Its Host Name? |
| 2018-04-10 | This issue is the first official release. |