How to set up a CAA record

CAA (Certification Authority Authorization) is a type of DNS record that identifies which certification authorities are allowed to issue SSL/TLS certificates for a specific domain name or subdomain.

The largest and most popular certificate authorities agreed that, starting from September 8, 2017, they must strictly follow the instructions in the CAA records of the domain name or subdomain for which a certificate is requested.

Using a CAA record increases the level of security on the Internet and reduces the unauthorized issuance of certificates for third-party domain names.

The following guide explains the capabilities of the CAA record and the format in which it is used.

Record Format

The CAA record value consists of three parts, separated by a space:

CAA <flags> <tag> <value>

<flags>

The flags value is an 8-bit number whose high bit tells the certification authority whether the record is critical. The following values are currently in use:

0 - If the tag is not supported or not recognized by the certification authority, the authority may still issue a certificate for the domain name or subdomain at its discretion.

128 - If the tag is not supported or not recognized by the certification authority, the authority should not issue a certificate for the domain name or subdomain.

<tag>

The tag value can take one of the following values:

issue - Defines a certification authority that is allowed to issue a certificate for the domain name or subdomain used in the name of the record.

issuewild - Defines a certification authority that is allowed to issue a wildcard certificate for the domain name or subdomain used in the name of the record. The certificate applies to the domain name or subdomain itself and to all its subdomains.

iodef - Defines the email address or URL (complying with RFC 5070) that a certification authority should use for notifications when it receives a certificate request that violates the rules defined for the domain name by its CAA records.

<value>

The value depends on the tag and must be enclosed in double quotation marks (""). Some certificate authorities accept additional parameters in the value; these parameters are separated by a semicolon (;).

Example: 0 issue "sectigo.com; account = 12345"

When tag = issue - The domain name of the certification authority that is allowed to issue a certificate for the domain name or subdomain used in the name of the record. To prohibit all certificate authorities from issuing a certificate for that domain name or subdomain, use a semicolon (;) instead of the domain name of the certificate authority.

Example: example.tld. CAA 0 issue "sectigo.com"
Example: example.tld. CAA 0 issue ";"

When tag = issuewild - The same as tag = issue, except that the rule applies to wildcard certificates.

Example: example.tld. CAA 0 issuewild "sectigo.com"
Example: example.tld. CAA 0 issuewild ";"

When tag = iodef - The email address ("mailto:[email protected]") or URL ("http(s)://URL") that the certification authority should use when it receives an unauthorized request to issue a certificate for the domain name or subdomain used in the name of the record.

Example: example.tld. CAA 0 iodef "mailto:[email protected]"

Features:

The record value for a domain name or subdomain is inherited by all its subdomains unless a subdomain explicitly specifies otherwise.

To define two or more certificate authorities for a single domain name or subdomain, you must use several CAA records.

The absence of a CAA record will be interpreted by any certificate authority as permission to issue a certificate.

The full CAA record specification is available in RFC 6844.
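As an added example (not part of this article, and not a certificate authority's or DNS provider's code), the following Python script parses CAA records in the format described above and applies the rules listed in the Record Format and Features sections: flag 128 on an unrecognized tag blocks issuance, a ";" value blocks every CA, several records allow several CAs, the absence of a CAA record permits issuance, and a subdomain inherits its parent's records. The zone lines, CA names and the hostmaster address are constructed for the demonstration; the fallback from issuewild to issue for wildcard requests follows RFC 6844 and goes beyond what the article states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Accepts zone-file style lines such as:  example.tld. CAA 0 issue "sectigo.com"
# An optional TTL and class (e.g. "3600 IN") between the owner name and CAA are tolerated.
CAA_LINE = re.compile(
    r'^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+'
    r'(?P<flags>\d+)\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass
class CAARecord:
    owner: str   # domain name the record is published at, lower-cased, no trailing dot
    flags: int   # 0..255; bit 128 marks the record as issuer-critical
    tag: str     # issue / issuewild / iodef (tags are case-insensitive)
    value: str   # the quoted value, without the quotes

    @property
    def critical(self) -> bool:
        return bool(self.flags & 128)

    def ca_domain(self) -> Optional[str]:
        """CA domain named before the first ';'. A bare ";" value names no CA at all."""
        head = self.value.split(";", 1)[0].strip().lower()
        return head or None

    def parameters(self) -> Dict[str, str]:
        """Optional 'key=value' parameters after the CA domain, separated by ';'."""
        params: Dict[str, str] = {}
        for part in self.value.split(";")[1:]:
            if "=" in part:
                key, val = part.split("=", 1)
                params[key.strip()] = val.strip()
        return params


def parse_caa(line: str) -> CAARecord:
    """Parse one CAA record line; raises ValueError on malformed input."""
    m = CAA_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags = int(m.group("flags"))
    if not 0 <= flags <= 255:
        raise ValueError(f"flags must fit in 8 bits, got {flags}")
    return CAARecord(
        owner=m.group("owner").rstrip(".").lower(),
        flags=flags,
        tag=m.group("tag").lower(),
        value=m.group("value"),
    )


def relevant_records(zone: List[CAARecord], name: str) -> List[CAARecord]:
    """Inheritance rule: use the CAA set of the name itself, else of the closest parent that has one."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        found = [r for r in zone if r.owner == candidate]
        if found:
            return found
    return []


def may_issue(zone: List[CAARecord], name: str, ca: str, wildcard: bool = False) -> bool:
    """Decide whether CA `ca` (e.g. "sectigo.com") may issue for `name` under this zone's CAA records."""
    records = relevant_records(zone, name)
    if not records:
        return True  # no CAA record anywhere up the tree: issuance is permitted
    # Flag 128 on a tag the CA does not understand means: do not issue.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in records):
        return False
    if wildcard:
        # Assumption (RFC 6844 behaviour): issuewild decides wildcard requests,
        # and issue applies to them only when no issuewild record exists.
        chosen = ([r for r in records if r.tag == "issuewild"]
                  or [r for r in records if r.tag == "issue"])
    else:
        chosen = [r for r in records if r.tag == "issue"]
    if not chosen:
        return True  # only iodef present: nothing restricts issuance
    # Several records = several allowed CAs; a ";" record contributes no CA,
    # so on its own it denies every CA.
    return any(r.ca_domain() == ca.lower() for r in chosen)


# Constructed sample zone for the demonstration; names and the address are illustrative.
ZONE_LINES = [
    'example.tld.        CAA 0   issue     "sectigo.com; account=12345"',
    'example.tld.        CAA 0   issue     "letsencrypt.org"',
    'example.tld.        CAA 0   issuewild ";"',
    'example.tld.        CAA 0   iodef     "mailto:hostmaster@example.tld"',
    'locked.example.tld. CAA 0   issue     ";"',
    'odd.example.tld.    CAA 128 futuretag "whatever"',
]
ZONE = [parse_caa(line) for line in ZONE_LINES]

if __name__ == "__main__":
    for name, ca, wild in [("example.tld", "sectigo.com", False),
                           ("www.example.tld", "letsencrypt.org", False),
                           ("example.tld", "sectigo.com", True),
                           ("locked.example.tld", "sectigo.com", False),
                           ("odd.example.tld", "sectigo.com", False),
                           ("other.tld", "sectigo.com", False)]:
        verdict = "allowed" if may_issue(ZONE, name, ca, wild) else "denied"
        print(f"{ca:16} {'*.' if wild else ''}{name:22} -> {verdict}")
```

Running the script prints one verdict per case: the two issue records at example.tld allow both named CAs (also for www.example.tld through inheritance), the issuewild ";" record denies every wildcard request, locked.example.tld denies everyone, the critical unknown tag at odd.example.tld denies everyone, and other.tld, which has no CAA record, is allowed.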


How to check?

The most common ways to check CAA records are:

dig example.tld caa

CAA TEST

Google Suite CAA Checker
