A Certificate Authority Authorization record, or CAA DNS record, allows domain owners to specify which CA root certificate may be used to sign certificates for the domain in question. Because that certificate belongs to a specific certificate authority, the record effectively states which certificate authorities may issue certificates for the domain. This prevents a CA other than the chosen one from issuing certificates for it.
How do I set up CAA?
CAA is a unique DNS record type, which requires support from the DNS administrator. In many cases, this is the registrar (the party where your domain is registered) or the hosting party where your website is hosted. Unfortunately, many parties still use outdated DNS software without support for CAA, but there is a clear upward trend in the support of hosting parties for CAA and thus the use of CAA records.
The structure of a CAA record is as follows:
flag tag ca
- The 'flag' can only be the value 0 or 128. In almost all cases, however, '0' is correct. We therefore advise you to stick to this.
- The 'tag' indicates what type of CAA record it concerns. Possible values are issue, issuewild or iodef. Here you have the following options:
  - 'issue' indicates that only a 'normal' SSL certificate may be issued by the relevant CA.
  - 'issuewild' indicates that a wildcard certificate may be issued by the CA.
  - 'iodef' is used for failed certificate issuance notifications to the specified email address.
- The 'ca' indicates which certificate authority(ies) are allowed to issue certificates.
- It is also possible to set an extra policy for a domain name. Here you can, for example, indicate that only EV SSL certificates may be issued for a specific domain name.
In practice, for our DNS this means that you must enter the following:
- TYPE : CAA
- Name : [domain name] (don't change anything)
- Content : issue "the name of the CA"
- TTL : 3600
- Prior : 0
If you want to specify two (or more) certificate authorities, create a new record for each CA.
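As an added example (not part of this article, and not our DNS software), here is a small Python checker that parses records in the "flag tag ca" form described above, climbs from a hostname to the nearest parent that has CAA records, and decides whether a given CA may issue a normal or wildcard certificate, including the ";" value that blocks everyone and the "; key=value" parameters some CAs use. The zone data is constructed for illustration.

```python
import re

# Constructed sample zone (not real DNS data): owner name -> CAA records as "flag tag value".
ZONE = {
    "example.com": [
        '0 issue "letsencrypt.org"',
        '0 issuewild ";"',                      # ";" = nobody may issue wildcards
        '0 iodef "mailto:security@example.com"',
    ],
    "shop.example.com": ['0 issue "digicert.com; account=12345"'],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CAA_RE = re.compile(r'^(\d+)\s+([a-z0-9]+)\s+"([^"]*)"$', re.IGNORECASE)

def parse_caa(text):
    """Split one record into (flags, tag, value); flags must be 0 or 128."""
    m = CAA_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CAA record: {text!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    if flags not in (0, 128):
        raise ValueError(f"invalid flag {flags}")
    return flags, tag, value

def relevant_caa_set(zone, name):
    """Walk from the name up towards the root; the first owner with CAA records wins."""
    labels = name.strip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return [parse_caa(r) for r in zone[owner]]
    return []

def may_issue(zone, name, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue a (wildcard) certificate for name."""
    records = relevant_caa_set(zone, name)
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in records):
        return False  # critical flag (128) on an unknown tag: a CA must refuse
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"  # issuewild overrides issue only for wildcard requests
    values = [v for _, t, v in records if t == tag]
    if not values:
        return True  # no issue/issuewild property in effect: CAA imposes no limit
    for value in values:
        allowed = value.split(";")[0].strip().lower()  # drop "; key=val" parameters
        if allowed and allowed == ca_domain.lower():
            return True
    return False
```

Running the same checks against your live zone (for example with `dig CAA yourdomain`) is a quick way to confirm that the record you entered actually restricts issuance the way you intended.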