CAA Record: Control Your SSL Certificates

The CAA record lets you specify which Certificate Authorities can issue certificates for your domain.

The CAA (Certificate Authority Authorization) record is a DNS record that lets you publicly declare which Certificate Authorities (CAs) are authorized to issue SSL/TLS certificates for your domain. Without CAA, any CA can theoretically issue a certificate for any domain, which creates a vulnerability: a malicious actor could obtain a fraudulent certificate from a permissive CA.

Since September 2017, all CAs must check CAA records before issuing a certificate (RFC 6844, since replaced by RFC 8659). If a CAA record set exists and doesn't name the requesting CA, that CA must refuse to issue. This simple mechanism significantly reduces the attack surface for certificate-based attacks.

CAA is complementary to DNSSEC: DNSSEC ensures CAA records aren't modified in transit, and CAA ensures only the CAs you authorize can issue. Together, they strengthen your PKI security posture.

How CAA Records Work

A CAA record contains three components, and lookups follow the DNS hierarchy:

  • Flag: Value 0 (normal) or 128 (critical). With flag 128, if the CA doesn't understand the tag, it must refuse to issue.
  • Tag: Three standard tags: "issue" (authorize standard certificates), "issuewild" (authorize wildcard certificates), "iodef" (contact email for reports).
  • Value: The CA domain identifier (e.g., "letsencrypt.org", "digicert.com") or email address for iodef.
  • Inheritance: CAA is hierarchical: if subdomain.example.com has no CAA records, the CA checks example.com, and continues upward until it finds a CAA record set or reaches the root. A CAA record set on the subdomain, even one containing only issue ";", stops this inheritance.

Why Use CAA Records

CAA adds an important layer of protection to your PKI:

  • Fraud prevention: Blocks fraudulent certificates from unauthorized CAs. Even if an attacker gets a permissive CA's validation to pass, that CA's CAA check refuses issuance for your domain.
  • Policy control: Document and enforce your certificate policy. Only your chosen CA can issue, preventing well-intentioned shadow IT from using alternate providers.
  • Compliance audit: CAA provides an auditable record of your certificate policy. Security auditors can verify that CAA records match your documented security policy.
  • Wildcard restriction: You can authorize a CA for standard certificates but not wildcards, limiting risk. Compromise of a wildcard certificate is more severe than compromise of a single-domain certificate.

Configure CAA Records

Here's how to set up CAA step by step:

  1. Identify your CAs: List all CAs that legitimately issue certificates for your domain. Check CT logs (crt.sh) to see existing certificates.
  2. Add issue records: Add a CAA record for each authorized CA. For Let's Encrypt: 0 issue "letsencrypt.org". For DigiCert: 0 issue "digicert.com".
  3. Handle wildcards: Add issuewild records if needed. To block wildcards entirely: 0 issuewild ";". To authorize only one CA for wildcards, add a single issuewild record naming that CA.
  4. Set up iodef: Add an iodef record to receive reports from CAs that reject issuance. Useful for detecting fraud attempts.

CAA Record Configuration Examples

Here are common configurations:

; Authorize only Let's Encrypt
example.com.  IN CAA 0 issue "letsencrypt.org"
example.com.  IN CAA 0 issuewild "letsencrypt.org"
example.com.  IN CAA 0 iodef "mailto:[email protected]"

; Authorize Let's Encrypt and DigiCert, block wildcards
example.com.  IN CAA 0 issue "letsencrypt.org"
example.com.  IN CAA 0 issue "digicert.com"
example.com.  IN CAA 0 issuewild ";"

; Block all certificate issuance for a subdomain
internal.example.com.  IN CAA 0 issue ";"
internal.example.com.  IN CAA 0 issuewild ";"

# Query CAA with dig
$ dig CAA example.com +short
0 issue "letsencrypt.org"
0 issuewild "letsencrypt.org"
0 iodef "mailto:[email protected]"

# Via Certificate Transparency logs
$ curl -s "https://crt.sh/?q=example.com&output=json" | jq '.[0]'

The semicolon ";" value explicitly prohibits issuance by any CA. This is useful for subdomains that should never have certificates (internal APIs, staging without public access).
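The following is an added example, not code from the original page or from MoniTao: it models the lookup and decision rules described under "How CAA Records Work" and applied in the configurations above (hierarchical inheritance, issue/issuewild, the ";" prohibition, the critical flag, and multiple records combined as OR). The zone data is a constructed sample in the same format dig +short prints; the iodef address is a placeholder.

```python
import shlex
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value), as in a zone file or dig +short output

def parse_dig_short(lines: List[str]) -> List[CAARecord]:
    """Parse lines in the form printed by 'dig CAA name +short', e.g. 0 issue "letsencrypt.org"."""
    records = []
    for line in lines:
        flags, tag, value = shlex.split(line)  # shlex strips the quotes around the value
        records.append((int(flags), tag.lower(), value))
    return records

# Constructed sample zone (not real DNS data): owner name -> its CAA RRset.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": parse_dig_short([
        '0 issue "letsencrypt.org"',
        '0 issue "digicert.com"',
        '0 issuewild ";"',
        '0 iodef "mailto:caa-reports@example.com"',  # constructed placeholder address
    ]),
    "internal.example.com.": parse_dig_short(['0 issue ";"', '0 issuewild ";"']),
}

def relevant_rrset(zone: Dict[str, List[CAARecord]], fqdn: str) -> List[CAARecord]:
    """RFC 8659 section 3: climb from fqdn toward the root and return the first CAA RRset found."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in zone:
            return zone[owner]
    return []  # no CAA anywhere up the chain

def issuance_allowed(zone: Dict[str, List[CAARecord]], fqdn: str, ca: str, wildcard: bool = False) -> bool:
    """Decide whether `ca` may issue a certificate for fqdn (wildcard=True models a *.fqdn request)."""
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True  # no CAA record set in the chain: any CA may issue
    # Critical flag (128) on a tag this CA does not understand: it must refuse.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False
    # issuewild governs wildcard requests only when present; otherwise issue records apply to them too.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    constraints = [v for _, t, v in rrset if t == tag]
    if not constraints:
        return True  # a CAA set that only carries iodef places no issuance constraint
    # Values may carry parameters after ';' ("ca.example; validationmethods=dns-01"); a bare ";" leaves no issuer name, so nothing matches.
    allowed = {v.split(";")[0].strip().lower() for v in constraints}
    return ca.lower() in allowed
```

Feed real dig +short output into parse_dig_short to check a CA against your own zone before adding or changing records; note that a wildcard request for *.example.com is evaluated against the record set of example.com.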

CAA Best Practices

Maximize the effectiveness of your CAA records:

  • Start restrictive: Only authorize CAs you actually use. It's easier to add a CA later than discover you were compromised by an unauthorized one.
  • Monitor CT logs: CAA doesn't stop all fraud (compromised CA, CT log delays). Monitor CT logs with MoniTao or crt.sh alerts for early detection.
  • Combine with DNSSEC: Without DNSSEC, an attacker could spoof CAA responses. DNSSEC ensures CAA integrity, closing this attack vector.
  • Document iodef: Configure iodef and monitor the mailbox. Issuance refusal reports indicate fraud attempts or legitimate configuration issues.

CAA Implementation Checklist

  • CAs used in production inventoried
  • CAA records added for each legitimate CA
  • Wildcard issuance explicitly controlled
  • iodef configured for issuance reports
  • DNSSEC enabled to protect CAA integrity
  • CAA propagation verified via dig or DNS tools

FAQ - CAA Records

What if I don't have CAA records?

Without CAA records, any CA can issue certificates for your domain. This is the default behavior, but it's a security risk for sensitive domains.

Does CAA block certificate renewal?

Yes, CAA is checked at every issuance, including renewals. Make sure your renewal CA is authorized before adding CAA records.

Can I use multiple CAs?

Yes, add one CAA record per authorized CA. CAs interpret multiple issue records as "OR" logic - any of them can issue.

Does CAA affect subdomains?

Yes, CAA is inherited by subdomains without their own CAA records. To override inheritance, add explicit CAA records on the subdomain.

Can I test CAA before applying?

Use the SSL Labs server test or Qualys SSL checker - they verify CAA and warn about issues before they impact production.

Does MoniTao monitor CAA?

Yes, MoniTao monitors your DNS records including CAA. We alert you if CAA records change unexpectedly or are removed.

Protect Your Certificate Policy

CAA is a simple yet powerful tool to control SSL certificate issuance for your domain. By restricting which CAs can issue certificates, you significantly reduce the risk of fraudulent certificate attacks.

Start by auditing your current CAs, add restrictive CAA records, enable DNSSEC, and monitor with MoniTao. These layers of defense protect your users and your reputation against certificate-based attacks.

Ready to Sleep Soundly?

Start free, no credit card required.