
DNS CAA Records Explained

CAA (Certification Authority Authorization) records are a key security feature in the Domain Name System (DNS) that allow domain owners to control which Certificate Authorities (CAs) can issue SSL/TLS certificates for their domains.

What is a CAA record?

A CAA record is a specialized DNS record that specifies which Certificate Authorities (CAs) are authorized to issue certificates for a domain. It enhances security by preventing unauthorized CAs from issuing certificates, which could enable attacks like man-in-the-middle exploits. For example, a CAA record might state that only "letsencrypt.org" can issue certificates, blocking all other CAs.

Introduced in RFC 6844 in 2013, CAA records are a vital part of modern DNS security practices, giving domain owners greater control over their certificate ecosystem.

How do CAA records work?

A CAA check is triggered when a CA receives a certificate request for a domain. The CA queries DNS for CAA records, starting at the requested name (e.g., "sub.example.com") and moving up the hierarchy (e.g., "example.com") until it finds a record set or reaches the root. The first CAA record set found dictates the authorization rules; records at names further up the tree are not consulted once a set has been found.

These records use tags such as "issue" (e.g., "issue 'letsencrypt.org'") to permit standard certificates, "issuewild" to govern wildcard certificates, or "iodef" to specify where CAs should report requests that violate the policy. For example, example.com. IN CAA 0 issue "letsencrypt.org" restricts issuance to Let’s Encrypt, so any other CA must refuse to issue for that domain. Without a CAA record, any CA can issue a certificate, which is why setting one up matters.

You can configure multiple CAA records via your DNS provider’s interface to authorize several CAs or to set distinct rules for standard and wildcard certificates. This setup, written in the general form [domain] IN CAA [flags] [tag] [value], reduces the risk of a certificate being issued for your domain without your authorization.
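To make the lookup and decision rules above concrete, here is an added example that simulates the check a CA performs before issuing. It is not code from the original article or from any CA: the zone data is constructed (no real DNS query is made), the record and function names are my own, and it ignores CNAME/DNAME redirection that a real CA would also follow. It goes slightly beyond the text by handling the "flags" byte (the critical bit), the ";" value that authorizes nobody, and the fallback from "issuewild" to "issue" for wildcard requests.

```python
# Added example, not code from the original article: a simulation of the CAA
# evaluation a CA performs before issuing. The zone data is constructed (no real
# DNS queries happen) and the function and record names are my own choices.
from dataclasses import dataclass

CRITICAL = 128                 # flags bit: "issuer critical" (RFC 8659)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int    # 0-255; bit 128 marks the property as critical
    tag: str      # "issue", "issuewild", "iodef", or something unknown
    value: str    # CA domain (optionally "; param=value"), ";" for "nobody", or a report URL


# Constructed zone: owner name -> CAA records. Names with no CAA records are simply absent.
ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),                       # no wildcard certs from anyone
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "restricted.example.com.": [
        CAARecord(0, "issue", "digicert.com; validationmethods=dns-01"),
    ],
    "strict.example.com.": [
        CAARecord(CRITICAL, "futuretag", "unknown-to-this-ca"),  # hypothetical tag
    ],
}


def normalize(name):
    """Lower-case the name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def relevant_caa_set(name, zone):
    """Walk from the requested name up toward the root and return (owner, records)
    for the first non-empty CAA set found, or (None, []) when there is none."""
    labels = normalize(name).rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        records = zone.get(owner)
        if records:
            return owner, records
    return None, []


def may_issue(ca, requested_name, zone):
    """Decide whether `ca` may issue for `requested_name` ("*.x" means a wildcard).
    Returns (allowed: bool, reason: str)."""
    wildcard = requested_name.startswith("*.")
    lookup = requested_name[2:] if wildcard else requested_name   # wildcard checks start at the parent
    owner, records = relevant_caa_set(lookup, zone)
    if not records:
        return True, "no CAA records at %s or any parent; issuance is unrestricted" % normalize(lookup)
    # A critical property the CA does not understand forbids issuance outright.
    for r in records:
        if r.flags & CRITICAL and r.tag not in KNOWN_TAGS:
            return False, "unknown critical tag '%s' at %s" % (r.tag, owner)
    # issuewild governs wildcard requests; if none is present, issue applies to them too.
    applicable = [r for r in records if r.tag == ("issuewild" if wildcard else "issue")]
    if wildcard and not applicable:
        applicable = [r for r in records if r.tag == "issue"]
    if not applicable:
        return True, "no issue/issuewild property at %s; issuance is unrestricted" % owner
    # The CA identifier precedes any ";" parameters; an empty identifier (";") authorizes nobody.
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in applicable}
    if ca.lower() in allowed:
        return True, "%s is authorized by the CAA set at %s" % (ca, owner)
    names = ", ".join(sorted(a for a in allowed if a)) or "none"
    return False, "%s is not authorized at %s (allowed: %s)" % (ca, owner, names)


def report_addresses(requested_name, zone):
    """iodef values (mailto: or https: URLs) where a CA should report a refused request."""
    lookup = requested_name[2:] if requested_name.startswith("*.") else requested_name
    _, records = relevant_caa_set(lookup, zone)
    return [r.value for r in records if r.tag == "iodef"]


if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "sub.example.com"), ("digicert.com", "sub.example.com"),
                     ("letsencrypt.org", "*.example.com"), ("digicert.com", "restricted.example.com"),
                     ("letsencrypt.org", "strict.example.com"), ("anyca.example", "other.org")]:
        ok, why = may_issue(ca, name, ZONE)
        print("%-16s %-24s %s: %s" % (ca, name, "ISSUE" if ok else "REFUSE", why))
        if not ok:
            print("    report to:", report_addresses(name, ZONE) or "(no iodef contact)")
```

Running the script prints one decision per request. The "sub.example.com" cases show the climb to the parent's record set, "*.example.com" shows "issuewild" overriding "issue" for wildcards, "restricted.example.com" shows a subdomain's own set taking precedence over the parent's, and "strict.example.com" shows why a critical property a CA does not recognise must block issuance rather than be ignored.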
