What is a CAA Record? Control SSL Issuance

The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain. CAA records can set policy for the entire domain, or for specific hostnames. They are also inherited by subdomains, therefore a CAA record set on domain.com will also apply to any subdomain, such as subdomain.domain.com (unless overridden). CAA records can control the issuance of single-name certificates, wildcard certificates, or both.

Why do you need a CAA record?

CAA records allow you to determine which certification authorities may issue certificates for your domain and subdomains. For that reason, it is always a good idea to control this via proper CAA record(s). CAA record helps CAs to better control the process of issuing certificates and to reduce the possibility of mis-issue certificates for the domain. Additionally, by adding such a DNS record, you limit the abuse and prevent issuing fake certificates for your domain.

How to create a DNS CAA record?

Log in your ClouDNS account, enter your DNS zone management page, and click on Add new record. For Type choose CAA and type as follow:

  • Type: CAA
  • TTL: 1 Hour
  • Host: Domain name/Subdomain
  • Flag: 0/182
  • Type: issue/issuewild/iode
  • Value: The value given from the preferred CA

Example of the CAA record in your ClouDNS Control Panel:

Host Type Points to: TTL
hostname.com CAAA 0 issue "letsencrypt.org" 1 Hour

Structure of the CAA record

Every CAA record includes the following components:

  • Flag

All records will have the default issuer critical value of 0, which means they are not critical. Flag 128 is used for critical

  • Type

Type allows you to choose how you want certificates to be issued by the CA. Each CAA record can contain only one tag-value pair.

issue: Explicitly authorizes a single certificate authority to issue a certificate (any type) for the hostname.

issuewild: Authorization to issue certificates that specify a wildcard domain. Please note: issuewild properties take precedence over issue properties when specified.

iodef: (Incident Description Exchange Format) Specifies a means of reporting certificate issue requests or cases of certificate issue for the corresponding domain that violate the security policy of the issuer or the domain name holder.

  • Value

Specify the domain name of the CA provider to which the CAA record applies. 

How to add a CAA record - Step by Step video:

How to start managing CAA records for your domain name?

  1. Open free trial account from here - free forever
  2. Verify your e-mail address
  3. Log into your control panel
  4. Create new Master DNS from the [add new] button - read more here
  5. Add the CAA record(s) you need as it is described in this article

What are the advantages of the CAA record?

Here are the main benefits of adding CAA records to your domain name: 

  • With CAA records, you take control of which certificate authorities are allowed to issue certificates for your domain.
  • Certificate authorities can contact a domain owner regarding a failed certificate issuance request. That way, domain owners are informed about false or fraudulent certificate requests. 
  • With it, you can show your preference and support to a precise Certificate Authority. However, note that using CAA records doesn’t limit you to one exact certificate authority. 
  • Creating several CAA records permits multiple certificate authorities to issue certificates for your domain name.

How to check the CAA record?

It is actually really easy to check your CAA record. Here is how to do it in several different ways depending on your operating system (OS):

  • macOS & Linux

If you are a macOS or Linux user, you can use the Dig command to check your CAA record. Open the Terminal and type the following command: 

dig example.com caa 

  • Windows

If you are using Windows, we recommend you to check your CAA record with our Free DNS tool.

Addressing CAA Record Errors

Common errors in CAA record configurations, like incorrect syntax or DNS propagation delays, can impede SSL/TLS certificate issuance. Errors often arise from format issues—misplaced quotation marks or wrongly specified CA domain names—leading to DNS resolver failures. To resolve these, first, ensure the CAA record adheres to the correct format using DNS lookup tools such as ClouDNS Free DNS tool. Then, after updating CAA records, check for DNS propagation consistency across various resolvers using tools like dig or nslookup. This approach helps maintain alignment between certificate issuance and security policies.

Support of CAA records

ClouDNS provides full support for CAA records for all our DNS services, including the listed below. Just write to our technical support, if you need any assistance with your CAA records configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.

FAQ

Question: What should my CAA record look like if I purchase an SSL certificate from ClouDNS?

Answer: The Certificate Authority we work with is Sectigo. They recognizes the following domain names in issue and issuewild property tags as permitting them to issue:

  • comodoca.com
  • usertrust.com
  • trust-provider.com
  • sectigo.com

Question: Does a CAA record affect the SSL/TLS certificates I already have?
Answer: No, CAA records do not affect existing SSL/TLS certificates. They only come into play when a Certificate Authority (CA) is attempting to issue a new certificate. Existing certificates remain valid until they expire, regardless of the CAA record's contents.

Question: Can I specify multiple CAs in CAA records?
Answer: Yes, you can specify multiple CAs in your CAA records. You can do this by creating multiple CAA records for your domain, each with a different CA's domain name.


Last modified: 2024-09-24
Cookies help us deliver our services. By using our services, you agree to our use of cookies. Learn more