CAA Record
CAA stands for Certification Authority Authorization (RFC 6844, now RFC 8659). A CAA record lets a domain owner declare which certificate authorities (CAs) may issue certificates for the domain. CAA records also provide a means of stating where a CA should report a request that violates that policy (the iodef property), so that a certificate request made through a non-authorized CA can be flagged to the owner.
Uses of CAA Record
CAA reduces your exposure to weaknesses in CA domain-validation systems: an attacker who can fool one CA's validation still cannot obtain a certificate from it if your CAA records do not name that CA. It also lets you enforce your own certificate procurement policy, since nobody in the organization can buy a certificate from a CA you have not authorized.
To use CAA, you publish one or more CAA records in your domain's DNS that list the CAs you authorize to issue certificates. Before issuing, the CA looks up your CAA records and refuses the request if it is not among the CAs listed.
If no CAA record exists for the name or for any of its parent names, any CA can issue a certificate for it. If a CAA record set is present, only the CAs it lists can issue certificates for that name. The CA uses the closest CAA record set it finds while walking from the requested name up toward the DNS root, so a record at example.com also governs www.example.com unless www.example.com publishes its own.
CAA records can control the issuance of single-name certificates (the issue tag), wildcard certificates (the issuewild tag), or both.
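The check a CA performs, written out as an added example (this is not code from the page or from any CA): the zone contents, the CA names and the record values are constructed, and the lookup ignores CNAME and DNAME aliases, which the real algorithm in RFC 8659 must also follow. It walks from the requested name toward the root, applies issuewild to wildcard requests when such records are present (falling back to issue otherwise), treats a bare ";" as forbidding issuance, and refuses when an unknown tag carries the critical flag.

```python
"""Toy CAA authorization check modeled on the rules in RFC 8659 (constructed example)."""
from dataclasses import dataclass

CRITICAL = 0x80  # issuer critical flag: bit 7 of the flags octet


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0-255
    tag: str     # "issue", "issuewild", "iodef", or something unknown
    value: str


# Constructed zone data (name -> CAA RRset). None of these names is real DNS.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(0, "issue", "ca-two.example; account=1234"),
        CAARecord(0, "issuewild", ";"),                 # no wildcard certs at all
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAARecord(0, "issue", ";")],           # nobody may issue
    "odd.example.com": [CAARecord(CRITICAL, "future-tag", "x")],  # unknown critical tag
}


def relevant_rrset(fqdn, zone):
    """Climb from the FQDN toward the root and return the first non-empty CAA RRset.
    Assumption: no CNAME/DNAME indirection; a real CA must resolve aliases too."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return zone[name]
    return []


def issuer_domain(value):
    """The issuer domain is the part of an issue/issuewild value before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn, ca_domain, zone, wildcard=False):
    """Return True if the CA identified by ca_domain may issue for fqdn (or *.fqdn)."""
    rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & CRITICAL and r.tag.lower() not in known for r in rrset):
        return False  # an unknown property marked critical: CA must not issue
    use_wild = wildcard and any(r.tag.lower() == "issuewild" for r in rrset)
    tag = "issuewild" if use_wild else "issue"
    restricting = [r for r in rrset if r.tag.lower() == tag]
    if not restricting:
        return True  # only iodef or similar present: issuance is not restricted
    allowed = {issuer_domain(r.value) for r in restricting}
    allowed.discard("")  # a bare ";" names no CA and therefore forbids issuance
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for name, ca, wild in [("www.example.com", "ca-one.example", False),
                           ("www.example.com", "evil.example", False),
                           ("example.com", "ca-one.example", True),
                           ("locked.example.com", "ca-one.example", False),
                           ("other.example", "anyone.example", False)]:
        print(f"{'*.' if wild else ''}{name} via {ca}: {may_issue(name, ca, ZONE, wild)}")
```

The parameter handling is deliberately minimal: the example strips everything after ";" and compares only the issuer domain, whereas a CA also interprets parameters such as account or validation-method bindings that it has documented.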
Benefits of CAA Record
The main benefit of CAA is that it gives domain owners a uniform, standardized way of communicating issuance policy to CAs. Since 8 September 2017 the CA/Browser Forum Baseline Requirements have required every publicly trusted CA to check CAA records and abide by them before issuing.
Another positive is the speed of CAA checking: a CAA lookup takes about 7 ms per record, which is not a heavy tax on most systems. Even customers with the most complicated FQDNs should not see longer issuance times, provided their CAA records are correctly configured. A misconfigured set is the more common source of trouble: naming your CA by a string it does not recognize, or publishing CAA in a DNSSEC-signed zone whose lookup fails validation, gets the request refused rather than slowed.
CAA Record Format
A CAA record consists of three fields:
flags: an unsigned 8-bit integer (0-255). Only one bit is currently defined, the issuer critical flag (value 128): when it is set on a record whose tag the CA does not understand, the CA must not issue.
tag: a US-ASCII string of letters and digits naming the property the record carries. The defined tags are issue, issuewild and iodef.
value: the property value, for example the CA's issuer domain name (optionally followed by ";"-separated parameters) for issue and issuewild, or a mailto: or https: URL for iodef.
The canonical representation is:
CAA <flags> <tag> <value>
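An added example (not from the page) of the record format on the wire and in the two zone-file syntaxes the lists below refer to: the canonical CAA presentation form and the RFC 3597 generic TYPE257 syntax required by older BIND, NSD and Windows DNS. Names and values are constructed.

```python
"""Encode and decode CAA RDATA (RFC 8659 section 4.1) and emit both the presentation
form and the RFC 3597 generic form that older DNS servers need. Constructed example."""
import re

CAA_TYPE = 257  # RR type code assigned to CAA


def encode_caa(flags, tag, value):
    """Return the RDATA octets: flags (1 byte), tag length (1 byte), tag, then value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    if not re.fullmatch(r"[A-Za-z0-9]{1,15}", tag):
        raise ValueError("tag must be 1-15 US-ASCII letters or digits")
    tag_b = tag.encode("ascii")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")


def decode_caa(rdata):
    """Inverse of encode_caa; rejects truncated RDATA and a zero-length tag."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad tag length")
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("utf-8")
    return flags, tag, value


def presentation(name, flags, tag, value):
    """Zone-file line in the canonical form: name CAA <flags> <tag> "<value>"."""
    return f'{name} CAA {flags} {tag} "{value}"'


def generic(name, flags, tag, value):
    """RFC 3597 unknown-type syntax: name TYPE257 \\# <rdata length> <hex octets>."""
    rdata = encode_caa(flags, tag, value)
    return f"{name} TYPE{CAA_TYPE} \\# {len(rdata)} {rdata.hex()}"


def parse_generic(line):
    """Parse a TYPE257 \\# line back into (flags, tag, value), checking the declared length."""
    m = re.fullmatch(r"(\S+)\s+TYPE257\s+\\#\s+(\d+)\s+([0-9a-fA-F\s]+)", line.strip())
    if not m:
        raise ValueError("not an RFC 3597 CAA line")
    rdata = bytes.fromhex("".join(m.group(3).split()))
    if len(rdata) != int(m.group(2)):
        raise ValueError("declared length does not match the octets given")
    return decode_caa(rdata)


if __name__ == "__main__":
    # The same policy written both ways; a zone can carry whichever its server accepts.
    for flags, tag, value in [(0, "issue", "ca-one.example"),
                              (0, "issuewild", ";"),
                              (128, "iodef", "mailto:security@example.com")]:
        print(presentation("example.com.", flags, tag, value))
        print(generic("example.com.", flags, tag, value))
```

Note that the critical flag shows up as 128 in presentation form (the record reads `CAA 128 iodef ...`), while in generic form it is simply the first octet of the hex string; the two forms are interchangeable and servers that accept the canonical syntax also accept the generic one.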
The following DNS server software supports CAA records:
- NSD (Prior to version 4.0.1 use RFC 3597 syntax)
- PowerDNS ≥4.0.0
- Knot DNS ≥2.2.0
- Simple DNS Plus ≥6.0
- Windows Server 2016 (use RFC 3597 syntax)
- tinydns (use generic record syntax)
- ldns ≥1.6.17
- OpenDNSSEC (with ldns ≥1.6.17)
- BIND (Prior to version 9.9.6 use RFC 3597 syntax)
The following DNS services support CAA records:
- Google Cloud DNS (but not Google Domains DNS)
- DNSimple
- DNS Made Easy
- Constellix DNS
- CloudFlare (in beta; ask support to enable)
- Dyn Managed DNS
- ClouDNS
- Afraid.org Free DNS
- Neustar UltraDNS
- Gandi
- Domeneshop (Domainnameshop)
- Hurricane Electric Free DNS
- BuddyNS
- NS1
- Amazon Route 53