Back to Home

DNS CAA record. Why is it needed and how to use it?

dns · caa · ssl · tls · dig · rfc6844 · rfc5070

DNS CAA record. Why is it needed and how to use it?

  • Tutorial
CAA (Certification Authority Authorization) is a new type of DNS record designed to identify certification authorities that are allowed to issue SSL / TLS certificates for a specific domain name or subdomain.

The largest and most popular certificate authorities agreed that starting from September 8, 2017, it is mandatory to strictly follow the instructions specified in the CAA records of the domain name or subdomain for which certificate issuance is requested.

Using a CAA record will increase the level of security on the Internet and reduce the occurrence of unauthorized obtaining certificates for third-party domain names.

I prepared a detailed instruction that explains the capabilities of the CAA record and the format of its use.

Recording Format:

CAA

CAA-value record consists of three parts, separated by spaces:

flag

value flag is an 8-bit number whose MSB indicates the criticality of understanding recording certification authority. The following values ​​are currently valid:

  • 0 - If the tag value is not supported or not recognized by the certification authority, then the certification authority is allowed to issue a certificate for the domain name or subdomain at its discretion.
  • 128 - If the tag value is not supported or is not recognized by the certification authority, then the certification authority should not issue a certificate for a domain name or subdomain.

tag

value tag may take one of the following values:

  • issue - Defines the certification authority that is allowed to issue the certificate for the domain name or subdomain record used in the name.
  • issuewild - Defines a certification authority that is allowed to issue a wildcard certificate for the domain name or subdomain record used in the name. The certificate applies to the domain name or subdomain directly and to all its subdomains.
  • iodef - Defines the email address or URL (complying with RFC 5070 ) that a certification authority should use for notifications if it receives a request to issue a certificate in violation of the rules for the domain name specified by the CAA record.

value

The value value depends on the tag value and must be enclosed in double quotation marks ( "" ).

Some certificate authorities allow you to use additional parameters for the value value . In this case, the parameters must be separated by a semicolon ( ; ).

Example: 0 issue "comodoca.com; account = 12345"

  • In case tag = issue - Domain name of the certification authority that is allowed to issue a certificate for the domain name or subdomain specified in the name of the entry. To prohibit the issuance of a certificate for all certificate authorities for the domain name or subdomain specified in the name of the record, you must use a semicolon (;) instead of the certificate authority's domain name.
    Example: example.com. CAA 0 issue "comodoca.com"
    Example: example.com. CAA 0 issue ";"
  • In case tag = issuewild - Similar to the case when tag = issue , except that the rule applies to wildcard certificates.
    Example: example.com. CAA 0 issuewild "comodoca.com"
    Example: example.com. CAA 0 issuewild ";"
  • In case tag = iodef - Email address ("mailto: [email protected]") or URL ("http (s): // URL"), which the certification authority should use in case of receiving an unauthorized request for issuing a certificate for the domain name or subdomain used in the name of the entry.
    Example: example.com. CAA 0 iodef "mailto: [email protected]"

Features:

  • The record value for a domain name or subdomain is inherited to all its subdomains, unless explicitly specified otherwise.
  • To define two or more certificate authorities for a single domain name or subdomain, you must use several CAA records.
  • The absence of a CAA record will be interpreted by any certificate authority as permission to issue a certificate.
  • The full CAA record specification is available in RFC 6844 .

How to check?
dig example.com caa

Who is supporting?

Not all DNS providers support the CAA record. Current listing as of August 30, 2017 in alphabetical order:

Afraid.org Free DNS
Amazon Route 53
BuddyNS
Cloudflare
ClouDNS
Constellix DNS
DNSimple
DNS Made Easy
Dyn Managed DNS
Domeneshop
Google Cloud DNS
Gandi
Hurricane Electric Free DNS
Neustar UltraDNS
NS1
Zilore

Online Generators?

You can use this or this online generator to correctly and quickly create the necessary CAA records.

Read Next