DNS – CAA-Type Records

This article discusses the CAA-type DNS record in detail. You can find general instructions for DNS record management using the customer administration panel in the article DNS – Domain records.

CAA-Type Records

The Certification Authority Authorization (CAA) record lets you specify which certification authorities (CAs) are allowed to issue an SSL/TLS certificate for a domain. The record can also tell a CA where and how to report an attempt to obtain a certificate for the domain from a CA that the record does not authorize.

If a domain or subdomain has no CAA record set, any CA can issue a certificate for it without restriction. A CA is also not obliged to support CAA records; a CA that does not support them behaves as if they did not exist.

CAA records set for the main domain also apply to every subdomain that does not have CAA records of its own.

Adding CAA Records

If the domain uses DNS servers other than those of WEDOS, changes to its records in the WEDOS administration, whether automatic or manual, have no effect on the domain.

The CAA record data consists of the following parts:

  1. Flag: an integer with a value from 0 to 255 (usually 0)
  2. Tag: defines the CAA record property
  3. Value: the value assigned to the tag

The supported tags are:

  • issue: authorizes the defined CA to issue any type of certificate
  • issuewild: authorizes the defined CA to issue only a wildcard certificate
  • iodef: specifies a URL to which the issuing CA reports violations of the CAA record rules

Follow these rules when entering a CAA record:

  • Assign exactly one tag-value rule to each record.
  • To enter multiple rules, divide them up into separate records.
  • Enter tag values in quotation marks.

A generic CAA record looks like this (the leading 0 in the Data column is the flag):

Name                          TTL    Type   Data
(domain or subdomain name)    300    CAA    0 (tag) "(value)"

CAA Record Examples

Example: The domain allows certificates to be issued by letsencrypt.org. If another authority is asked to issue a certificate for the domain, it reports the attempt by e-mail to info@wds-test.eu.

Sample CAA records with issue and iodef tags
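The policy in the example above, evaluated in code. This is an added example, not WEDOS code or a WEDOS tool: it parses records in the name/TTL/type/data layout shown above from a constructed sample zone (the shop.wds-test.eu and digicert.com records are invented for illustration), then applies the RFC 8659 lookup rules: subdomains inherit the nearest parent's records, issuewild governs wildcard requests only when present, and a set with no issue tags imposes no restriction.

```python
import re
# Record layout from the article: name TTL CAA flag tag "value".
CAA_LINE = re.compile(r'^(\S+)\s+(\d+)\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')
# Constructed sample zone for illustration (shop.wds-test.eu is invented).
SAMPLE = """
wds-test.eu       300 CAA 0 issue "letsencrypt.org"
wds-test.eu       300 CAA 0 iodef "mailto:info@wds-test.eu"
shop.wds-test.eu  300 CAA 0 issue "digicert.com"
shop.wds-test.eu  300 CAA 0 issuewild ";"
"""

def parse_caa_line(line):
    """Split one record into (name, flag, tag, value); rejects bad flags."""
    m = CAA_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    name, _ttl, flag, tag, value = m.groups()
    if not 0 <= int(flag) <= 255:
        raise ValueError("flag must be 0..255")
    return name.rstrip(".").lower(), int(flag), tag.lower(), value

def load_zone(text):
    zone = {}  # owner name -> list of (flag, tag, value)
    for line in text.strip().splitlines():
        name, flag, tag, value = parse_caa_line(line)
        zone.setdefault(name, []).append((flag, tag, value))
    return zone

def relevant_rrset(name, zone):
    """RFC 8659 lookup: climb toward the root; the first name with CAA wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(ca, name, zone, wildcard=False):
    """True if issuer domain `ca` may issue for name (or *.name if wildcard)."""
    rrset = relevant_rrset(name, zone)
    # Critical bit (128) on a tag the CA does not understand: must refuse.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False
    # issuewild governs wildcard requests only when at least one is present.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    issuers = [v.split(";", 1)[0].strip().lower() for _, t, v in rrset if t == tag]
    return ca.lower() in issuers if issuers else True  # no issue tags: unrestricted

def report_urls(name, zone):
    """iodef targets: where a CA reports a request the policy does not allow."""
    return [v for _, t, v in relevant_rrset(name, zone) if t == "iodef"]
```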

FAQ

Question: Is setting CAA records for a domain necessary?
Answer: No, most domains work fine even without CAA records.
