DNS CAA record – everything you need to know

The DNS CAA record helps domain name owners to take control over SSL certificates. You can decide which CA is allowed to issue them and also what kind of type of certificate. 

The DNS CAA record was first described in 2013. From September 2017, Certificate Authorities are required to check it before issuing any certificate. So let’s explain a little bit more about it.

DNS CAA record explained

The short CAA stands for Certification Authority Authorization. The DNS CAA record is a Resource Record in DNS. With it, the owner of the domain name is capable of specifying which Certification Authorities (CAs) are allowed to issue a certificate for the domain. 

On the other hand, CAs are companies that are able to publish certificates for a domain, such as SSL, TLS, or another.

When domain owners want to improve their site’s security, they need to include and purchase a certificate.

Here comes the DNS CAA record. It provides better control of the issuing process. It also decreases the chance of mistakes in publishing the certificates of the domain. 

To view which exact part of the domain it applies to, you have to check inside the DNS CAA record. It could be implemented for the whole domain name or only for a subdomain.

A recommendation that should be well considered is to use the DNS CAA record with DNSSEC. When DNSSEC is enabled, you receive better security and higher trust from the side of the CA. 

What is the DNS CAA record structure?

When you want to create a new DNS CAA record, you will have to fill in some parameters. Make sure to do it correctly.   

Type: Here, you have the type of DNS record. In this case, it is CAA.

TTL: This is the TTL value for the CAA record. Since it won’t be changed so frequently, you can set it for a longer time. It could be 1800, 3200, 7200. 

Host: This is the name of the host. Here you place the domain name or the subdomain name for which the CAA records apply.

Flag: 0 or 128. 0 will tell the CA it is not critical to follow the rules. 128 will present critical, so the CA needs to match the rules.

Propery type: issue/issuewild/iodef

Issue – Allows the CA to issue a certificate.

Issuewild – Allows the CA to issue a wildcard certificate.

Iodef (incident object description exchange format) – This shows the CA where it can send a report. Such as for a questionable certificate that doesn’t fulfill the rules.

Value: Value which the chosen CA provides.

Why is it beneficial to use it?

When you use the CAA DNS records, you are taking control of Certificate Authorities, which are allowed to issue certificates for your domain. That happens without required cooperation from the certificate authority. Moreover, when globally using the CAA, it will enable certificate authorities to reach a domain owner. For cases, which are concerning a failed certificate issuance request. Based on that, website and domain owners will identify requests for false or fraudulent certificates. 

Also, we must mention that using DNS CAA records doesn’t limit you to only one specific certificate authority. When you are using many DNS CAA records, it will allow numerous certificate authorities to issue certificates for each domain you like.