What is a CAA record? | Information & tips
A CAA record defines which certification authorities (CAs) are allowed to issue certificates for a particular domain or subdomain. Since September 2017, issuers of SSL certificates have been required to check CAA entries of the domains to be validated.
Published by
Simone Catania
Date
The CAA record is the latest version of previous DNS records, including CNAME, MX, and A. The abbreviation CAA stands for Certificate Authority Authorization. The CAA record ensures that only certain certificate authorities are allowed to issue valid certificates. As the domain owner, you decide which CA may issue such a certificate. It therefore requires an explicit prior approval for the certificates.
CAA records are considered security contributions that give domain owners authority over how certificates are handled. Previously, the issuing of domain certificates was less regulated and comparatively liberal.
For a long time, it was sufficient if the domain pointed to a correct email address. However, this simple form of regulation had vulnerabilities: hackers could reroute users through man-in-the-middle attacks and a valid certificate, and they remained in good faith of following a secure [URL=]SSL connection[/URL]. With the CAA record such attacks should be prevented or at least made much more difficult.
Structure and components of a CAA record
CAA records follow a specific structure. In the Domain Name System CAA records are stored as
[URL=https://tools.ietf.org/html/rfc6844]resource records (RR)[/ URL]
.
These correspond to the type 257. It is possible for multiple CAA records to be listed per domain. CAA records have a property and a flag. This property makes it possible to select different types of a CAA record. The flag determines how the record is to be interpreted.
Of particular importance is the flag type “issuer critical flag”. Once this flag is set, certification authorities cannot issue a certificate for the corresponding domain if they are not able to evaluate the CAA record entries.
Apart from the flag, the properties “issue“, “issuewild” and “iodef” are specified.
issue
The property “issue” allows a CA that has been specified in the “value” field to issue a certificate for the domain in question.issuewild
The “issuewild” property has a similar purpose as “issue”, but it focuses on wildcard certificates only. If you use the entry “issuewild”, all entries under “issue” will be ignored.iodef
The property “iodef” allows the domain owner to optionally provide contact data for certification authorities. However, it should be noted that not allvcertification authorities support this feature.
Mandatory audit
Although the CAA record already existed before, it was not compulsory. Therefore, its meaning was limited. As a user, you had no clue as to which certification bodies adhered to the voluntary scheme. Especially smaller CAs could ignore the CAA record – a risk for domain owners.
In the past, the option to implement CAA was voluntary. Certification authorities could decide voluntarily if they want to check a record. The mandatory audit decision was made by the CA / Browser Forum. This volunteer consortium of CAs and providers announced in March 2017 that certification authorities would need to review records as of September 9, 2017.
The members of the CA / Browser Forum commit themselves to comply in a document called
[URL=https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/]Ballot 187 [/url]
.
The record has gained relevance due to this commitment and is therefore receiving support from more and more providers.
You can easily create CAA records in the DNS settings in AutoDNS!