What Is a CAA Record in DNS?
A Certificate Authority Authorization (CAA) record helps identify the list of certificate authorities allowed to issue certificates for a given domain.
What's the Purpose of CAA Records in DNS?
The Certificate Authority Authorization record helps a domain owner restrict the list of certificate authorities allowed to issue a certificate for a hostname. On top of that, it also helps domain owners stay informed when a certificate is requested from an unauthorized authority.
What Are The Advantages & Disadvantages of Using CAA Records?
A CAA record has a wide set of security benefits:
- Whitelisting Certificate Authorities: The domain owner clearly understands the authorities that issue certificates for a domain. If a CAA record is not specified, any authority can issue certificates.
- Offers Fine-Grained Certification Issuing: A domain administrator can configure CAA records at the top and sub-domain levels. For example, if an administrator has specified a CA for the hostname example.com, all its subdomains will use the same CA. However, administrators can explicitly provide CAA records for a given subdomain to provide a more granular approach to certificate issuing.
On the other hand, using CAA records creates major disadvantages:
- Compliance: Certain certificate authorities are not required to comply with the regulations specified in your CAA record.
- Changeability: It is difficult to change settings in your DNS configuration as you may need to consult external entities when making changes within your DNS to ensure that it does not affect the CAA records.
A CAA record has three main elements:
- Flag: The flag attribute currently supports only two unsigned integers: 1 and 0. Its level of importance is defined in RFC standards.
- Tag: There can be three values as defined by RFC: "issue", "issuewild", and "iodef". The most commonly used value is "issue", specifying that the certificate authority can only issue an SSL certificate for the given domain. However, you may use "issuewild" if you wish to allow a certificate authority to issue wildcard certificates for the domain.
- Value: This holds the domain name of the certificate authority that will be authorized to issue certificates.
A typical CAA record is depicted below:
Figure - Sample CAA record
The figure illustrates the domain shop.example.com having a CAA record, allowing the comodoca.com certificate authority to issue a certificate.
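The inheritance and tag rules above, as an added example that is not part of the original page: a check that finds the closest name with CAA records and applies the "issue" and "issuewild" tags the way RFC 8659 describes. The zone data is constructed, "ca.example" is a hypothetical CA, and flag and CNAME handling are left out.

```python
# Constructed sample data: owner name -> CAA records as (flag, tag, value).
# shop.example.com and comodoca.com are from the page; "ca.example" is a made-up CA.
ZONE = {
    "example.com": [(0, "issue", "ca.example"), (0, "issuewild", ";")],
    "shop.example.com": [(0, "issue", "comodoca.com")],
}


def relevant_caa(hostname, zone):
    """Return (owner, records) for the closest name that has CAA records.

    Starts at the hostname and strips one label at a time, so a subdomain's
    own record set replaces (does not merge with) the parent's.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if labels[0] == "*":          # wildcard requests start at the parent name
        labels = labels[1:]
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def may_issue(ca_domain, hostname, zone=ZONE):
    """Decide whether ca_domain is authorized for hostname (flag is not interpreted)."""
    _, records = relevant_caa(hostname, zone)
    issue = [v for _, tag, v in records if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in records if tag.lower() == "issuewild"]
    # issuewild only applies to wildcard names, where it overrides issue.
    values = issuewild if hostname.startswith("*.") and issuewild else issue
    if not values:
        return True               # nothing restricts issuance: any CA may issue
    # The CA name is the part before any ";" parameters; a bare ";" names no CA.
    allowed = {v.split(";")[0].strip().lower() for v in values}
    return ca_domain.lower() in (allowed - {""})


if __name__ == "__main__":
    for ca, host in [("comodoca.com", "shop.example.com"),
                     ("ca.example", "shop.example.com"),
                     ("ca.example", "www.example.com"),
                     ("ca.example", "*.example.com")]:
        print(f"{ca:14} {host:20} {'allowed' if may_issue(ca, host) else 'denied'}")
```

The second and fourth rows come out as denied: the subdomain's own record set hides the parent's "issue" entry, and the bare ";" in "issuewild" blocks every wildcard certificate for example.com.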
To find the list of CAA records for a given domain:
- Navigate to the tool.
- Provide the domain where you wish to find the CAA records.
- Click "Enter". The tool will display a list of CAA records if it finds any. If not, it will display a message indicating no CAA records associated with the domain.
FAQ
How do I add a CAA record?
Adding a CAA record can differ based on your DNS provider. For example, if you are using Route53, you can add a CAA record by:
- Navigating to your hosted zone (DNS configuration file)
- Clicking "New Record"
- Selecting "CAA" and providing the subdomain/domain and the domain name of the Certificate authority.
Are CAA records required?
No, it is not mandatory to attach CAA records to a domain. A domain with no CAA records lets any certificate authority issue certificates for it.
Can you have multiple CAA records?
Yes, a domain can have multiple CAA records, as a domain can have a list of trusted certificate authorities that it can use to issue certificates.