Affordable Bulk DNS Hosting Services

World Wide DNS Hosting Services

CAA - Certification Authority Authorization

Return to FAQ/Help System menu

Certification Authority Authorization (CAA) is an Internet security policy mechanism which allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name.

You can find out more on Wikipedia and in RFC 8659, which defines CAA (it obsoletes the original RFC 6844).

Certificate authorities implementing CAA perform a DNS lookup for CAA resource records before issuing, and if any are found, ensure that they themselves are listed as an authorized party before issuing a digital certificate. The lookup starts at the exact name being requested and, if no CAA records exist there, climbs to each parent domain in turn; the first CAA record set found is the one that applies, so a subdomain with its own CAA records is governed by those rather than by the records at the zone apex. Each CAA resource record consists of the following components, separated by whitespace:

domain IN CAA flag tag value

  • flag: A flag byte which implements an extensible signaling system for future use. As of 2018, only the issuer critical flag has been defined; it instructs certificate authorities that they must understand the corresponding property tag before issuing a certificate, and a CA that finds a critical record with a tag it does not recognize must refuse to issue. This flag allows the protocol to be extended in the future with mandatory extensions, similar to critical extensions in X.509 certificates. A flag value of 0 (used in the examples below) sets no flags; 128 sets the issuer critical flag.

  • tag: One of the following properties.
    • issue - This property authorizes the holder of the domain specified in the associated property value to issue certificates for the domain for which the property is published. The value is the CA's issuer domain name (for example "letsencrypt.org"), optionally followed by ";" and CA-specific parameters.
    • issuewild - This property acts like issue but only authorizes the issuance of wildcard certificates, and takes precedence over the issue property for wildcard certificate requests. If no issuewild property is present, the issue property governs wildcard requests as well.
    • iodef - This property specifies a method for certificate authorities to report invalid certificate requests to the domain name holder using the Incident Object Description Exchange Format. The value is a URL, typically a mailto: or https: address. As of 2018, not all certificate authorities support this tag, so there is no guarantee that all certificate issuances will be reported.
  • value: The value associated with the chosen property tag.


The lack of any CAA records (at the name and at all of its parents) authorizes normal unrestricted issuance, while a single issue record whose value is ";" (an empty issuer name) disallows all issuance by every CA.

Third parties monitoring certificate authority behavior might check newly issued certificates against the domain's CAA records, but must be aware that a domain's CAA records may have changed between the time the certificate was issued and the time the third-party checks them. Clients must not use CAA as part of their certificate validation process.


Here is an example if we want to limit the issuance of SSL certificates to the Let's Encrypt certificate authority for the root and all subdomains. "@" stands for the zone apex; because CAs walk up to the parent domain when a name has no CAA records of its own, this record also covers every subdomain that does not publish its own CAA records. letsencrypt.org can issue any type of certificate including a wildcard certificate.

@ IN CAA 0 issue "letsencrypt.org"


Here is an example if we want to limit the issuance of SSL certificates to the Let's Encrypt certificate authority and RapidSSL for the root and all subdomains. letsencrypt.org and rapidssl.com can issue any type of certificate including a wildcard certificate.

@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issue "rapidssl.com"


Here is an example if we want to limit the issuance of root and subdomain certificates to letsencrypt.org and wildcard SSL certificates to rapidssl.com. letsencrypt.org can issue root and subdomain certificates but is restricted from issuing wildcard certificates, because the issuewild record takes precedence for wildcard requests. rapidssl.com can issue a wildcard certificate but is restricted from issuing root and subdomain certificates, because issuewild does not apply to non-wildcard requests.

@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issuewild "rapidssl.com"


Here is an example if we do not want to allow anyone to issue SSL certificates.

@ IN CAA 0 issue ";"
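The following is an added example, not part of this FAQ and not the hosting provider's code, that applies the record semantics described above (flags, issue, issuewild, the ";" deny-all value, and the parent-domain walk) to a small constructed zone. It shows how a CA decides whether it may issue for a given name, including the three policies in the examples above, and it goes slightly beyond them by adding a subdomain with its own CAA records and a record with an unknown critical tag. The zone contents, the names example.com, locked.example.com and strict.example.com, and the tag "futuretag" are assumptions for illustration, not real DNS data.

```python
"""CAA policy evaluation in the style of RFC 8659 against a constructed
in-memory zone (added example for this FAQ, not the provider's code).
All zone data below is made up for illustration."""

from typing import Dict, List, Optional, Tuple

# A CAA record as (flags, tag, value).  Flag bit value 128 is the
# "issuer critical" flag described in the FAQ.
CAARecord = Tuple[int, str, str]

ISSUER_CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone (assumption, not real DNS).  example.com mirrors the
# FAQ's split policy; the two subdomains show that a closer RRset wins.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "rapidssl.com"),
    ],
    "locked.example.com.": [(0, "issue", ";")],          # deny everyone
    "strict.example.com.": [
        (ISSUER_CRITICAL, "issue", "letsencrypt.org"),
        (ISSUER_CRITICAL, "futuretag", "placeholder"),   # hypothetical tag
    ],
}


def relevant_rrset(fqdn: str, zone: Dict[str, List[CAARecord]]) -> Tuple[Optional[str], List[CAARecord]]:
    """Walk from fqdn toward the root and return the first non-empty CAA
    RRset together with the owner name it was found at (RFC 8659 sec. 3)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = zone.get(owner, [])
        if rrset:
            return owner, rrset
    return None, []


def issuer_of(value: str) -> str:
    """Extract the issuer domain from an issue/issuewild value.
    Parameters after ';' are ignored; a bare ';' yields '' (nobody)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn: str, ca: str, zone: Dict[str, List[CAARecord]] = ZONE) -> Tuple[bool, str]:
    """Decide whether certificate authority `ca` may issue for `fqdn`.
    Prefix the name with '*.' to model a wildcard certificate request.
    Returns (permitted, reason)."""
    wildcard = fqdn.startswith("*.")
    owner, rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True, "no CAA records found: issuance unrestricted"

    # A critical property the CA does not understand blocks all issuance.
    for flags, tag, _ in rrset:
        if flags & ISSUER_CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical tag {tag!r} at {owner}"

    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]

    # issuewild takes precedence for wildcard requests; otherwise issue applies.
    if wildcard and issuewild:
        applicable, which = issuewild, "issuewild"
    else:
        applicable, which = issue, "issue"

    if not applicable:
        return True, f"no {which} property at {owner}: this request type is unrestricted"

    allowed = {issuer_of(v) for v in applicable} - {""}
    if ca.lower() in allowed:
        return True, f"{ca} listed in {which} at {owner}"
    if not allowed:
        return False, f'{which} ";" at {owner} forbids all issuance'
    return False, f"{ca} not among {sorted(allowed)} in {which} at {owner}"


if __name__ == "__main__":
    for name, ca in [("www.example.com.", "letsencrypt.org"),
                     ("*.example.com.", "letsencrypt.org"),
                     ("*.example.com.", "rapidssl.com"),
                     ("www.example.com.", "rapidssl.com"),
                     ("locked.example.com.", "letsencrypt.org"),
                     ("strict.example.com.", "letsencrypt.org"),
                     ("example.net.", "anyca.example")]:
        ok, why = caa_permits(name, ca)
        print(f"{name:24} {ca:18} {'ALLOW' if ok else 'DENY':5} {why}")
```

Running the block prints one line per request: letsencrypt.org is allowed for www.example.com but denied the wildcard, rapidssl.com gets the opposite, locked.example.com denies everyone, strict.example.com is refused outright because of the unrecognized critical tag, and example.net, which has no CAA records anywhere in its tree, is unrestricted. Against a live zone you would replace ZONE with the results of CAA queries (for instance `dig +short CAA example.com`), walking up the tree exactly as relevant_rrset does.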
