CAA (Certification Authority Authorization) is a special DNS record that specifies which certification authorities are allowed to issue SSL/TLS certificates for a domain. The CAA record is defined in RFC 6844.
Starting from September 8, 2017, all certification authorities must check CAA records to make sure that requests for SSL/TLS certificates are authorized by the domain owner.
The purpose of this requirement is to prevent the issuance of rogue or unauthorized certificates when a CA is compromised or a domain is hacked: otherwise an attacker could obtain a valid certificate for the compromised domain from any CA and use it for MITM attacks or to redirect users to phishing sites.
About CAA records
When example.com requests an SSL certificate from a CA, the CA checks the CAA records of the domain. If no CAA records are found, the certificate is issued.
If several CAA records are found, for example when the DNS zone contains
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "startssl.com"
the CA looks for its own name among them. If the name is found, the certificate is issued; otherwise the request is rejected.
The CAA records of a domain name or subdomain apply to all of its subdomains unless a subdomain publishes CAA records of its own.
Besides the issue tag, a CAA record can carry the issuewild tag for wildcard certificates and the iodef tag that specifies a URL for feedback.
Therefore, CAA gives DNS zone owners the ability to determine which certification authorities are authorized to issue certificates for that domain name.
Support of CAA records by DNS servers
ISPmanager Lite and DNSmanager allow you to choose which DNS server to set up: BIND or PowerDNS. ISPmanager Business uses only PowerDNS.
BIND supports CAA records starting from version 9.9.6; PowerDNS supports them starting from version 4.0.0 beta 1.
In older versions of BIND and PowerDNS, CAA records can be added only in the "unknown record" format (RFC 3597) as TYPE257.
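The TYPE257 form mentioned above is just the raw CAA RDATA written as a hex string. The following added example (not code from the ISPmanager documentation) builds that RDATA by hand according to RFC 6844 (flags byte, tag length, tag, value), wraps it in the generic RFC 3597 "\# <length> <hex>" syntax that older BIND and PowerDNS versions accept, and parses it back so a zone edit can be checked before it is deployed. The record values used in the demonstration are constructed.

```python
"""Encode a CAA record in the RFC 3597 "unknown record" (TYPE257) presentation
format and decode it back.

Added example, not code from the ISPmanager documentation. The RDATA layout
follows RFC 6844 section 5.1: one flags byte, one tag-length byte, the tag,
then the value. The sample values below are constructed for the demo.
"""


def caa_wire(flags, tag, value):
    """Return the RDATA bytes of a CAA record (RFC 6844 section 5.1)."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte (0 or 128 in practice)")
    tag_bytes = tag.encode("ascii")
    if not tag_bytes or len(tag_bytes) > 255 or not tag_bytes.isalnum():
        raise ValueError("tag must be 1-255 ASCII letters or digits")
    return bytes([flags, len(tag_bytes)]) + tag_bytes + value.encode("utf-8")


def caa_to_type257(flags, tag, value):
    """Presentation form for zones served by software that predates CAA support."""
    rdata = caa_wire(flags, tag, value)
    return f"TYPE257 \\# {len(rdata)} {rdata.hex()}"


def type257_to_caa(text):
    """Parse a 'TYPE257 \\# <len> <hex...>' record back into (flags, tag, value)."""
    fields = text.split()
    if len(fields) < 3 or fields[0].upper() != "TYPE257" or fields[1] != "\\#":
        raise ValueError("not an RFC 3597 TYPE257 record")
    length = int(fields[2])
    rdata = bytes.fromhex("".join(fields[3:]))  # the hex may be split by whitespace
    if len(rdata) != length:
        raise ValueError(f"declared length {length} but got {len(rdata)} bytes")
    if length < 2 or rdata[1] == 0 or 2 + rdata[1] > length:
        raise ValueError("malformed CAA RDATA")
    tag_len = rdata[1]
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("utf-8")
    return rdata[0], tag, value


if __name__ == "__main__":
    # Constructed records; letsencrypt.org is the CA used in the page's own example.
    for flags, tag, value in [(0, "issue", "letsencrypt.org"),
                              (0, "issuewild", ";"),
                              (0, "iodef", "mailto:caa-reports@example.com")]:
        generic = caa_to_type257(flags, tag, value)
        print(f'CAA {flags} {tag} "{value}"  ->  {generic}')
        assert type257_to_caa(generic) == (flags, tag, value)
```

The length field and the tag-length byte are the two places where a hand-written TYPE257 record usually goes wrong; the decoder checks both, so running a freshly generated record through type257_to_caa() before pasting it into the zone catches an off-by-one before a CA does.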
You can use this online Helper from SSLmate to generate valid CAA records.
How to add CAA records
Navigate to "Domains" --> "Domain names" --> select a domain --> click "Record". On the page that will open click "Add" --> Type --> CAA.
A CAA record consists of a flags byte and a tag-value pair, referred to as a property. Multiple properties can be associated with the same domain name by publishing multiple CAA records at that domain name.
The flags byte can be either 0 or 128. 128 marks the property as critical for CAs: if the CA does not understand the property, it is not allowed to issue certificates.
0 marks the property as non-critical: if the CA does not understand the property, it can still issue a certificate.
Three tags are defined for the CAA record:
issue — lets the domain owner name the CA that is allowed to issue a certificate for the hostname.
issuewild — lets the domain owner name the CA that is allowed to issue a wildcard certificate for the hostname.
iodef — specifies an email address or URL that CAs can use to report invalid certificate requests to the domain owner. iodef reports use a standard format called the Incident Object Description Exchange Format (IODEF).
In addition, in the values of issue and issuewild CAs can define parameters separated by semicolons (;). For example, the ca.example.net CA asks its client to specify account 230123. The record value will then look like this:
ca.example.net; account=230123
Specifying only ; as the value forbids all CAs to issue SSL certificates.
iodef defines the email address or URL of a feedback page and cannot take additional parameters.
Examples and notes
Using critical bit in flags
The critical flag in CAA records is intended to permit future versions of CAA to introduce new semantics that must be understood for correct processing of the record, preventing conforming CAs that do not recognize the new semantics from issuing certificates for the domain.
In the following example, the record with the tbs tag is flagged as critical:
$ORIGIN example.com
.    CAA 0 issue "ca.example.net; policy=ev"
.    CAA 128 tbs "Unknown"
Neither ca.example.net nor any other CA is authorized to issue under either policy unless the processing rules for the tbs property tag are understood.
Please note: the restrictions above apply only at certificate issuance. Since a certificate is normally issued for a year or more, the CAA records may well change after the certificate was issued. Such changes do not affect the already issued certificate, but they can affect domain validation performed by third parties.
Querying CAA record for a domain
You can query the CAA record for a domain with dig:
dig example.com caa