CAA DNS Record

Control who can issue certificates for your domain.

CAA (Certification Authority Authorization) records let a domain owner specify which certificate authorities (CAs) are authorized to issue SSL/TLS certificates for that domain.

Since 2017, CAs are required to check CAA records before issuing a certificate. It is an additional security layer against mis-issuance: a CA that is not listed must refuse the request.

This guide explains how to configure and maintain your CAA records.

Understanding CAA

How CAA records work:

  • issue: specifies CAs authorized to issue standard certificates.
  • issuewild: specifies CAs authorized to issue wildcard certificates.
  • iodef: a mailto: or https: URL where a CA can report issuance requests that CAA blocked (sending these reports is optional for the CA, so do not rely on iodef as your only alert).
  • Absence: without CAA, all CAs are authorized by default.

CAA Benefits

Why configure CAA records:

  • Strict control: only specified CAs can issue certificates.
  • Protection: prevents issuance through CAs you have not listed, whether the request is fraudulent or simply made at the wrong CA (a compromised CA that you did list is not stopped; see the FAQ).
  • Compliance: demonstrates security governance for audits.
  • Alerts: with iodef, be notified of unauthorized attempts.

Configure CAA

Steps to set up CAA records:

  1. Identify your CAs: list the CAs you use (Let's Encrypt, DigiCert, etc.).
  2. Create records: add CAA records in your DNS zone.
  3. Test: verify records are correct with dig or nslookup.
  4. Maintain: update if you change CAs.

CAA Record Examples

Typical configuration:

# Authorize Let's Encrypt and DigiCert
example.com.  CAA 0 issue "letsencrypt.org"
example.com.  CAA 0 issue "digicert.com"

# Only authorize Let's Encrypt for wildcards
example.com.  CAA 0 issuewild "letsencrypt.org"

# Block all wildcard issuance
example.com.  CAA 0 issuewild ";"

# Receive violation reports
example.com.  CAA 0 iodef "mailto:[email protected]"

# Verification with dig
dig CAA example.com

The 0 after CAA is the flags field. 0 marks the record as non-critical; 128 sets the "issuer critical" bit, which tells a CA that does not understand the record's tag to refuse issuance instead of ignoring the record. For the standard issue, issuewild and iodef tags, 0 is the usual choice.
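As an added worked example (not part of this page and not MoniTao's code), the following Python script parses CAA records in the zone-file or dig-answer form shown above and applies the rules a CA follows before issuing: climbing from a subdomain to the first parent that has CAA records, the issuewild fallback to issue, the ";" value that authorizes nobody, and the critical flag (128) on a tag the CA does not recognize. The zone, the subdomains api/locked/strict.example.com and the mailbox caa-reports@example.com are constructed for the demo; the in-memory dictionary stands in for a real DNS resolver.

```python
import re
from dataclasses import dataclass

# Matches both zone-file lines ('example.com.  CAA 0 issue "x"') and dig
# answer lines ('example.com.  3600  IN  CAA  0 issue "x"').
CAA_LINE = re.compile(
    r'^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(?P<flags>\d+)\s+'
    r'(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # Bit value 128 is the "issuer critical" flag.
        return bool(self.flags & 128)


def parse_caa_lines(lines):
    """Build {owner: [CAARecord, ...]} from zone-file or dig-style lines."""
    zone = {}
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#;":  # comment line ('#' as on this page, ';' in zone files)
            continue
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record line: {raw!r}")
        owner = m["owner"].rstrip(".").lower()
        zone.setdefault(owner, []).append(
            CAARecord(int(m["flags"]), m["tag"].lower(), m["value"]))
    return zone


def relevant_caa_set(zone, name):
    """RFC 8659 section 3: climb from the name toward the root and return the
    first non-empty CAA record set as (owner, records); (None, []) if none."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def issuer_domain(value):
    """The issuer domain is the text before any ';' parameters; ";" alone is empty."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone, name, ca, wildcard=False):
    """Decide whether CA `ca` may issue for `name` (or `*.name` if wildcard).
    Returns (allowed: bool, reason: str)."""
    owner, records = relevant_caa_set(zone, name)
    if not records:
        return True, "no CAA records on the name or its parents: any CA may issue"
    # A critical record whose tag the CA does not understand forbids issuance.
    for r in records:
        if r.critical and r.tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown tag {r.tag!r} at {owner}: must not issue"
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r.tag == tag]
    if wildcard and not relevant:
        # No issuewild records: wildcard requests fall back to the issue records.
        tag, relevant = "issue", [r for r in records if r.tag == "issue"]
    if not relevant:
        return True, f"no {tag} records at {owner}: any CA may issue"
    allowed = {issuer_domain(r.value) for r in relevant}
    if ca.lower() in allowed:
        return True, f"{ca} is listed in {tag} at {owner}"
    listed = sorted(allowed - {""}) or ["nobody"]
    return False, f"{ca} is not listed in {tag} at {owner} (allowed: {', '.join(listed)})"


# Constructed zone for the demo: the page's example.com records plus three
# made-up subdomains that override them.
ZONE_LINES = [
    "# Authorize Let's Encrypt and DigiCert; wildcards only via Let's Encrypt",
    'example.com.  CAA 0 issue "letsencrypt.org"',
    'example.com.  CAA 0 issue "digicert.com"',
    'example.com.  CAA 0 issuewild "letsencrypt.org"',
    'example.com.  3600  IN  CAA  0 iodef "mailto:caa-reports@example.com"',  # dig-style line
    'api.example.com.  CAA 0 issue "digicert.com"',  # no issuewild: wildcards follow issue
    'locked.example.com.  CAA 0 issue ";"',  # nobody may issue here
    'strict.example.com.  CAA 128 futuretag "x"',  # critical tag no CA understands
]

if __name__ == "__main__":
    zone = parse_caa_lines(ZONE_LINES)
    checks = [("www.example.com", "letsencrypt.org", False),
              ("www.example.com", "digicert.com", True),
              ("api.example.com", "digicert.com", True),
              ("locked.example.com", "letsencrypt.org", False),
              ("strict.example.com", "letsencrypt.org", False),
              ("other.test", "letsencrypt.org", False)]
    for name, ca, wild in checks:
        ok, why = may_issue(zone, name, ca, wild)
        print(f"{'ALLOW' if ok else 'DENY '} {'*.' if wild else ''}{name} <- {ca}: {why}")
```

Run it as-is to see an ALLOW/DENY line per check; to dry-run your own zone before publishing, replace ZONE_LINES with the answer section of dig CAA yourdomain and add one check per CA and hostname you rely on for renewals.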

CAA Best Practices

Tips for optimal configuration:

  • List all your CAs: don't forget the CAs behind internal or test certificates.
  • Configure iodef: be notified of unauthorized attempts.
  • Test before production: confirm that renewals still succeed once the records are live; a CAA record set that omits a CA you currently use will make that CA's renewals fail.
  • Document: maintain documentation of authorized CAs and why.

CAA Checklist

  • Current CAs identified
  • Issue records configured
  • Issuewild records if applicable
  • iodef configured
  • Records verified with dig
  • Renewals tested

Frequently Asked Questions

What happens without CAA?

All CAs are authorized by default to issue certificates for your domain.

Does CAA block attacks?

It prevents issuance by CAs you have not authorized. It does not stop a compromised CA that you did authorize; for that, combine CAA with Certificate Transparency (CT) monitoring.

Do I need to configure issuewild separately?

Yes, issue and issuewild are independent. Without any issuewild records, wildcard requests fall back to the issue records.

Do CAs really check?

Yes. The CA/Browser Forum Baseline Requirements have required publicly trusted CAs to check CAA before issuance since September 2017.

Does CAA work with subdomains?

If a subdomain has no CAA records of its own, the CA walks up toward the parent and uses the first CAA record set it finds. Publishing CAA records on the subdomain overrides the parent's.

How do I know if my CA is compatible?

All publicly trusted CAs are required to check CAA. Consult your CA's documentation for the exact issuer domain name to put in the record value (for example, letsencrypt.org).

CAA: First Line of Defense

CAA records are a simple but effective measure to control certificate issuance for your domains.

Combine CAA with Certificate Transparency and MoniTao monitoring for complete SSL security.

Ready to Sleep Soundly?

Start free, no credit card required.