DNS records are the instructions that clients and servers look up for a particular domain. The common ones are the A record, which maps a domain name to an IP address, the CNAME, which points a subdomain to another domain name, the MX, which names the incoming mail servers, and so on. The DNS CAA record is far less well-known, so we will explain it here.
What is a DNS CAA record?
The DNS CAA record (Certification Authority Authorization) is a record that the DNS administrator of a domain can add to state which Certificate Authorities (CAs) may issue SSL or TLS certificates for that domain. CAs are external organizations that you, as a domain owner, can choose to issue cryptographic certificates such as SSL or TLS certificates for your domain name.
The cryptographic certificate is used to validate the domain owner and to encrypt the communication with that domain. That way, it protects sensitive data.
With CAA, the domain owner gains better control over the process of issuing certificates. He or she can clearly state who is permitted to issue certificates and so lower the number of mis-issued certificates for that domain. The CAA record can cover the whole domain or only chosen subdomains, depending on how you set it up.
One common requirement for using CAA records is to first enable DNSSEC. That is required for better security and for trust on the side of the CA.
What is the content of the DNS CAA record?
If you want to create a new DNS CAA record, you will need to fill in the following parameters for it to function correctly.
Type: CAA. Here you don’t have anything to consider.
TTL: the TTL value for the CAA record. It could be 1800, 3200, 7200. You can set a longer time since it won’t be changed often.
Host: The name of the host. Here you put the domain name or the subdomain name to which the CAA record refers.
Flag: 0 or 128. 0 marks the record as not critical, so the CA is not obliged to follow the rule. 128 marks it as critical, so the CA must follow the rule.
Property type: issue/issuewild/iodef
Issue authorizes the named CA to issue a certificate for the host.
Issuewild authorizes the named CA to issue a wildcard certificate for the host.
Iodef (Incident Object Description Exchange Format) tells the CA where it can send a report about a suspicious certificate request that does not obey the rules.
Value: The value provided by the chosen CA, which identifies that CA.
Why should you start using DNS CAA records today?
Start using DNS CAA records so you can finally stop the abuse and clearly define who can issue certificates for your domain. Say no to the fake certificates that others create for your domain with the sole purpose of abusing it and conducting scams.
How do CAs check DNS CAA records?
Before a CA issues a new certificate for a particular domain, its first step is to perform a special CAA query for that domain. If it finds such a DNS record, it reads the rules and policies and obeys them.
If the CA sees that it can issue a new certificate, it will finally do it.
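As an added example (not code from the original article), this is the check a CA performs, written in Python against a constructed sample zone. It follows the RFC 8659 rules, which go a little beyond the text above: when the requested name has no CAA records, the lookup climbs to the parent name, issuewild records take precedence over issue records for wildcard requests, and a critical (flag 128) record with an unknown property tag forbids issuance. The CA identifiers and hostnames are made up for the example.

```python
"""Decide whether a CA may issue a certificate for a name, using CAA records."""
import shlex

# Constructed sample zone in DNS presentation format: host -> list of CAA rdata strings.
# www.example.com has no CAA records of its own, so the check climbs to example.com.
ZONE = {
    "example.com": [
        '0 issue "ca-one.example"',
        '0 issuewild "ca-two.example"',
        '0 iodef "mailto:security@example.com"',
    ],
    "locked.example.com": ['0 issue ";"'],   # ";" alone: nobody may issue here
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(rdata):
    """Split '<flags> <tag> "<value>"' into (flags, tag, value); tags are case-insensitive."""
    flags, tag, value = shlex.split(rdata)
    return int(flags), tag.lower(), value

def relevant_caa(name, zone=ZONE):
    """Climb from the name toward the root; the first name that has CAA records wins."""
    labels = name.lower().rstrip(".").split(".")
    while len(labels) > 1:           # stop before reaching the TLD
        records = zone.get(".".join(labels))
        if records:
            return [parse_caa(r) for r in records]
        labels = labels[1:]
    return []

def may_issue(name, ca, wildcard=False, zone=ZONE):
    """True if `ca` (its CAA domain identifier) is authorized to issue for `name`."""
    records = relevant_caa(name, zone)
    # A critical (128) record whose tag the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # For wildcard requests issuewild applies if present; otherwise issue applies.
    allowed = issuewild if (wildcard and issuewild) else issue
    if not allowed:                  # no issue/issuewild records: no restriction
        return True
    # A value may carry parameters after ';' (e.g. "ca.example; account=123"); compare the CA part.
    return any(v.split(";")[0].strip().lower() == ca.lower() for v in allowed)

if __name__ == "__main__":
    print(may_issue("www.example.com", "ca-one.example"))            # True (inherited)
    print(may_issue("example.com", "ca-one.example", wildcard=True))  # False (issuewild wins)
```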
Now you have added one more record to the DNS record types you know. The DNS CAA record helps reduce mis-issued certificates and lets you better manage the certificates for your domain.