CAA (Certification Authority Authorization) is a new type of DNS record that names the certification authorities (CAs) allowed to issue SSL/TLS certificates for a specific domain name or subdomain.
The largest and most popular certificate authorities agreed that, starting from September 8, 2017, the instructions in the CAA records of the domain name or subdomain for which a certificate is requested must be strictly followed.
Using CAA records raises the level of security on the Internet and reduces the number of cases in which certificates for third-party domain names are obtained without authorization.
I have prepared a detailed instruction that explains the capabilities of CAA records and the format for their use.
Record format:
CAA <flags> <tag> <value>
The value of a CAA record consists of three parts, separated by spaces:

flags
The flags value is an 8-bit number whose most significant bit (the "issuer critical" bit) tells a certification authority how to treat a record whose tag it does not understand. The following values are currently valid:
- 0 - If the tag is not supported or not recognized by a certification authority, the certification authority may still issue a certificate for the domain name or subdomain at its discretion.
- 128 - If the tag is not supported or not recognized by a certification authority, the certification authority must not issue a certificate for the domain name or subdomain.
tag
The tag value can be one of the following:
- issue - Specifies a certification authority that is authorized to issue certificates for the domain name or subdomain that owns the record.
- issuewild - Specifies a certification authority that is allowed to issue wildcard certificates for the domain name or subdomain that owns the record. Such a certificate covers the domain name or subdomain itself and its subdomains.
- iodef - Specifies the e-mail address or URL (in the format defined by RFC 5070) that a certification authority should use to report a request to issue a certificate that violates the rules set by the CAA records for the domain name.
value
The value depends on the tag and must be enclosed in double quotes ("").
Some certificate authorities accept additional, CA-specific parameters in the value. In that case the parameters are separated by a semicolon (;).
Example: 0 issue "comodoca.com; account=12345"
- When tag = issue - the domain name of the certification authority that is allowed to issue a certificate for the domain name or subdomain that owns the record. To forbid every certification authority from issuing a certificate for that domain name or subdomain, use a semicolon (;) in place of the certification authority's domain name.
Example: example.com. CAA 0 issue "comodoca.com"
Example: example.com. CAA 0 issue ";"
- When tag = issuewild - the same as for tag = issue, except that the rule applies to wildcard certificates.
Example: example.com. CAA 0 issuewild "comodoca.com"
Example: example.com. CAA 0 issuewild ";"
- When tag = iodef - the e-mail address ("mailto:abuse@example.com") or URL ("http://..." or "https://...") that the CA should use when it receives an unauthorized request to issue a certificate for the domain name or subdomain that owns the record.
Example: example.com. CAA 0 iodef "mailto:abuse@example.com"
Features:
- The CAA records of a domain name or subdomain are inherited by all of its subdomains unless a subdomain explicitly defines CAA records of its own.
- To allow two or more certification authorities for a single domain name or subdomain, use several CAA records.
- The absence of CAA records is interpreted by every certification authority as permission to issue a certificate.
- The full specification of CAA records is available in RFC 6844.
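The rules above (the critical flag, choosing between issue and issuewild, inheritance from the parent name, the ";" value, and "no records means permission") fit together into a small policy checker. The following Python script is an added example written for this article; it is not code from the original page, from any CA, or from any DNS provider. It evaluates a constructed in-memory zone (the ZONE table, using RFC 2606 example names), so the lookup() function is a stand-in for a real DNS query such as `dig <name> caa`, and the CA names in the sample data are only illustrative.

```python
"""CAA policy checker: an added example, not code from the original article.

Everything runs offline against a constructed in-memory zone (ZONE); in a
real deployment lookup() would perform a DNS query instead.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

CRITICAL = 128          # issuer-critical bit (most significant bit of <flags>)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Presentation format used in the article: <flags> <tag> "<value>"
_RR = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')


def parse_caa(text: str) -> CAA:
    """Parse one record; tags are case-insensitive, flags must fit in 8 bits."""
    m = _RR.match(text)
    if not m:
        raise ValueError(f"not a CAA record: {text!r}")
    flags = int(m.group(1))
    if not 0 <= flags <= 255:
        raise ValueError(f"flags out of range: {flags}")
    return CAA(flags, m.group(2).lower(), m.group(3))


# Constructed sample zone (hypothetical data built for this example).
ZONE: Dict[str, List[CAA]] = {
    "example.com.": [
        parse_caa('0 issue "comodoca.com; account=12345"'),
        parse_caa('0 issue "letsencrypt.org"'),
        parse_caa('0 issuewild ";"'),                  # no wildcard certificates at all
        parse_caa('0 iodef "mailto:abuse@example.com"'),
    ],
    "shop.example.com.": [parse_caa('0 issue "digicert.com"')],  # no issuewild: issue governs wildcards too
    "locked.example.com.": [parse_caa('0 issue ";"')],          # nobody may issue
    "odd.example.com.": [parse_caa('128 futuretag "x"')],        # critical flag on an unknown tag
}


def lookup(name: str) -> List[CAA]:
    """Stand-in for a DNS query; returns the CAA RRset at exactly this name."""
    return ZONE.get(name, [])


def relevant_rrset(name: str) -> List[CAA]:
    """Walk from the requested name toward the root and return the first
    non-empty CAA RRset found; this is how a subdomain inherits its parent's
    policy. An empty list means no CAA record exists anywhere on the path."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = lookup(".".join(labels) + ".")
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_domain(value: str) -> str:
    """Strip CA-specific parameters: 'comodoca.com; account=12345' -> 'comodoca.com'.
    A bare ';' (or an empty value) yields '' and therefore matches no CA."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, name: str, wildcard: bool = False) -> bool:
    """Decide whether certification authority `ca` may issue a certificate
    (wildcard or not) for `name` under the relevant CAA policy."""
    rrset = relevant_rrset(name)
    if not rrset:
        return True   # no CAA records: every CA may issue
    # A tag the CA does not understand, marked critical, blocks issuance outright.
    if any((r.flags & CRITICAL) and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    # issuewild governs wildcard requests when present; otherwise issue applies.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    restricting = [r for r in rrset if r.tag == tag]
    if not restricting:
        return True   # only iodef (no issue-type) records: nothing restricts issuance
    return ca.lower() in {issuer_domain(r.value) for r in restricting}


def iodef_contacts(name: str) -> List[str]:
    """Where a CA should report a request that violates the policy for `name`."""
    return [r.value for r in relevant_rrset(name) if r.tag == "iodef"]


if __name__ == "__main__":
    for ca, host, wild in [("comodoca.com", "www.example.com.", False),
                           ("comodoca.com", "example.com.", True),
                           ("digicert.com", "shop.example.com.", True),
                           ("letsencrypt.org", "odd.example.com.", False)]:
        kind = "wildcard" if wild else "regular"
        verdict = "allowed" if may_issue(ca, host, wild) else "refused"
        print(f"{ca:16} {kind:8} {host:22} -> {verdict}")
```

Running the script prints one verdict per request; the interesting cases are www.example.com. (allowed only because the policy is inherited from example.com.), the wildcard request for example.com. (refused by issuewild ";" even though comodoca.com holds an issue record), and odd.example.com. (refused because of the critical flag on a tag the checker does not know). To audit a real zone, replace lookup() with a query and feed parse_caa() the `<flags> <tag> "<value>"` text that `dig <name> caa` returns.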
How to check?
dig example.com caa
Who supports?
CAA records are not supported by every DNS provider. The list of providers that do support them, current as of August 30, 2017, in alphabetical order:
Afraid.org Free DNS
Amazon Route 53
Buddyns
Cloudflare
ClouDNS
Constellix DNS
DNSimple
DNS Made Easy
Dyn Managed DNS
Domeneshop
Google Cloud DNS
Gandi
Hurricane Electric Free DNS
Neustar UltraDNS
NS1
Zilore
Online generators?
You can use this or this online generator to create the necessary CAA records quickly and correctly.