CAA Record

A DNS Certification Authority Authorization (CAA) record is a type of DNS resource record that allows domain owners to explicitly declare which Certificate Authorities (CAs) are authorized to issue SSL/TLS certificates for their domain or specific hostnames. It acts as a security policy mechanism that provides an additional layer of protection against unauthorized certificate issuance.

How it works

By default, every public Certificate Authority is allowed to issue certificates for any domain name in the public DNS, provided they validate control of that domain name. CAA records change this by allowing domain owners to create a whitelist of authorized CAs, preventing mis-issuance of certificates which could otherwise be exploited for malicious activities like phishing or man-in-the-middle attacks.

When a Certificate Authority receives a request to issue a certificate, it must perform a DNS lookup for CAA resource records. If any CAA records are found, the CA must ensure that it is listed as an authorized party in at least one of those records before proceeding with certificate issuance. The process works as follows:

  1. Someone requests an SSL/TLS certificate for your domain from a CA
  2. The CA performs a DNS lookup for CAA records on your domain
  3. If no CAA record is found for a subdomain, the CA checks the parent domain hierarchically
  4. If a CAA record exists, the CA checks if it is listed as authorized
  5. If authorized, the CA proceeds with certificate issuance; otherwise, it must refuse

CAA records include a flag, a tag, and a value. The flag (typically 0) indicates how critical the property is. The tag-value pair forms a property that specifies authorization rules.

Key Points

  • CAA records prevent unauthorized CAs from issuing certificates for your domain
  • Certificate Authorities are required by industry standards to check CAA records before issuing certificates
  • CAA records are checked hierarchically - if not found on a subdomain, the parent domain is checked
  • The record format is: flags tag "value" (e.g., 0 issue "letsencrypt.org")
  • CAA was standardized in 2019 by RFC 8659 and RFC 8657, making it a relatively modern security mechanism

Common Use Cases

  • Certificate Authority Whitelisting: Explicitly authorize only specific CAs (like Let's Encrypt or DigiCert) to issue certificates for your domain, blocking all others
  • Wildcard Certificate Control: Use the issuewild tag to specify different authorization rules for wildcard certificates versus regular certificates
  • Security Incident Reporting: Use the iodef tag to specify a URL where CAs can report security policy violations concerning unauthorized certificate requests
  • Subdomain-Specific Authorization: Set different CAA policies for different subdomains, allowing tighter control over certificate issuance across your infrastructure

Example Configuration

Type   Host / Name   Value / Points to                     TTL
CAA    @             0 issue "letsencrypt.org"             3600
CAA    @             0 issuewild "digicert.com"            3600
CAA    @             0 iodef "mailto:security@example.com" 3600
CAA    no-ssl        0 issue ";"                           3600

* CAA records specify which Certificate Authorities can issue certificates. The flag is typically 0, and common tags are 'issue', 'issuewild', and 'iodef'.
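The lookup and authorization decision described under "How it works", worked through as an added Python example (not code from the original page): it climbs from the requested name toward the root as in step 3, lets issuewild govern wildcard requests, honours the issuer-critical flag (128) and treats the empty ";" value as authorizing nobody. The in-memory ZONE is a constructed copy of the example configuration above, so no DNS queries are made; the CA names are the ones from the table.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int  # bit 0x80 set = issuer-critical (the "128" flag)
    tag: str    # "issue", "issuewild", "iodef", ...
    value: str  # CA domain, optionally followed by ";params"; ";" alone = nobody

# Constructed in-memory zone mirroring the example configuration above (no network lookups).
ZONE = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "issuewild", "digicert.com"),
                    CAA(0, "iodef", "mailto:security@example.com")],
    "no-ssl.example.com": [CAA(0, "issue", ";")],
}

def relevant_record_set(name: str, zone: dict) -> list:
    """Climb from the name toward the root; the first CAA RRset found is the policy."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)            # nothing here: try the parent domain next
    return []

def ca_may_issue(ca: str, name: str, zone: dict = ZONE,
                 known_tags=("issue", "issuewild", "iodef")) -> bool:
    """Decide, as a CA would, whether `ca` may issue a certificate for `name`."""
    wildcard = name.startswith("*.")
    rrset = relevant_record_set(name[2:] if wildcard else name, zone)
    if not rrset:
        return True              # no CAA anywhere up the tree: issuance is unrestricted
    # An issuer-critical record whose tag the CA does not understand forbids issuance.
    if any(r.flags & 0x80 and r.tag not in known_tags for r in rrset):
        return False
    # Wildcard requests are governed by issuewild when present, otherwise by issue.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    policy = [r for r in rrset if r.tag == tag]
    if not policy:
        return True              # RRset exists (e.g. only iodef) but restricts nothing
    # Value is "<ca-domain>[; params]"; an empty domain (";") authorizes nobody.
    allowed = {r.value.split(";")[0].strip().lower() for r in policy}
    return ca.lower() in allowed

if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.com"), ("digicert.com", "www.example.com"),
                     ("digicert.com", "*.example.com"), ("letsencrypt.org", "no-ssl.example.com")]:
        print(f"{ca:16} -> {name:22} {'ISSUE' if ca_may_issue(ca, name) else 'REFUSE'}")
```

Running it shows Let's Encrypt allowed for www.example.com but refused for the wildcard (issuewild names only DigiCert) and for anything under no-ssl, which inherits the ";" record.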

Frequently Asked Questions

Are Certificate Authorities required to check CAA records?
Yes. As of September 2017, all Certificate Authorities are required by the CA/Browser Forum Baseline Requirements to check CAA records before issuing a certificate. If a CAA record exists and the CA is not listed as authorized, the CA must refuse to issue the certificate. This makes CAA records an effective security mechanism.
What happens if I don't have a CAA record?
If you don't have a CAA record, any Certificate Authority can issue certificates for your domain (subject to their own validation processes). This is the default behavior. While not having a CAA record doesn't make your domain insecure, adding one provides an extra layer of protection against unauthorized certificate issuance.
How do I allow multiple Certificate Authorities?
You can add multiple CAA records to your DNS zone, one for each Certificate Authority you want to authorize. For example, you might have one record for Let's Encrypt and another for DigiCert. As long as a CA finds at least one CAA record that authorizes it, it can proceed with certificate issuance.
What does the flag value in a CAA record mean?
The flag is a number (typically 0) that indicates how critical the property is. A flag of 0 means the property is non-critical. A flag of 128 (the 'issuer critical' flag) means that if a CA doesn't understand the property tag, it must refuse to issue the certificate. In practice, most CAA records use a flag value of 0.
Can I prevent all certificate issuance for a domain?
Yes. You can create a CAA record with an empty value (semicolon only) like 0 issue ";" which tells all CAs that no one is authorized to issue certificates for that domain. This is useful for subdomains or internal domains where you never want SSL/TLS certificates to be issued.