CAA Record - Certification Authority Authorization

What is CAA?

CAA is a standard that lets you control what certificate authorities (CAs) are allowed to issue certificates for your domain. You can use CAA to reduce your exposure to vulnerabilities in certificate authority validation systems and to enforce certificate procurement policies.

To use CAA, you publish a set of CAA records in your domain's DNS that list the CAs which you authorize to issue certificates. Before issuing a certificate, the CA checks your CAA records and blocks the request if they are not listed.

What is a CAA record?

A Certification Authority Authorization (CAA) record is a standard that lets you specify which certificate authorities (CAs) are allowed to issue certificates for your domain.

The purpose of the CAA record is to allow domain owners to authorize which certificate authorities are allowed to issue a certificate for a domain. Before issuing a certificate, the CA checks your CAA records and blocks the request if it is not listed. If no CAA record is present, any CA is allowed to issue a certificate for the domain.

CAA records can set policy for the entire domain, or for specific hostnames. CAA records are also inherited by subdomains. CAA records can regulate the issuance of single-name certificates, wildcard certificates, or both.

All CAs will be mandated to check CAA DNS records starting in late 2017 (Sep 8 to be precise). Comodo, however, has been supporting this on ALL certificates for the last 12+ months.

We recognize the following domain names in issue and issuewild property tags as permitting us to issue:

  • comodo.com
  • comodoca.com
  • usertrust.com
  • trust-provider.com
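The lookup the article describes (walk up from the requested name until a CAA record set is found, treat "no records" as "any CA may issue", and let issuewild override issue for wildcard requests) can be written out as a small policy evaluator. The following is an added example modelled on RFC 6844, not Comodo's own validation code; it replaces live DNS with a constructed in-memory zone so it runs offline, and the names example.com, ops.example.com and legacy.example.com are invented for the demonstration.

```python
# Simplified CAA policy evaluation modelled on RFC 6844 (added example, not
# Comodo's implementation). DNS is replaced by an in-memory zone so the code
# runs offline; real code would fetch CAA records through a resolver.
from dataclasses import dataclass

ISSUER_CRITICAL = 128          # flag bit: unknown tag + this bit => refuse
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 (non-critical) or 128 (issuer-critical)
    tag: str     # property tag
    value: str   # property value, e.g. 'comodoca.com' or ';'


# Constructed zone data (hypothetical names): owner name -> CAA RRset.
ZONE = {
    "example.com.": [CAARecord(0, "issue", "comodoca.com"),
                     CAARecord(0, "issuewild", ";")],
    "ops.example.com.": [CAARecord(0, "issue", "comodoca.com"),
                         CAARecord(0, "issuewild", "comodoca.com; account=42")],
    "legacy.example.com.": [CAARecord(ISSUER_CRITICAL, "futuretag", "x")],
}

# Identifiers the article says Comodo treats as authorising it to issue.
COMODO_IDS = {"comodo.com", "comodoca.com", "usertrust.com", "trust-provider.com"}


def relevant_rrset(name, zone):
    """Walk from `name` up to the TLD and return the first non-empty CAA RRset.

    This is the subdomain inheritance the article describes: a name without
    its own CAA records is governed by the closest ancestor that has them.
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = zone.get(owner)
        if rrset:
            return owner, rrset
    return None, []


def issuer_domain(value):
    """'comodoca.com; account=42' -> 'comodoca.com'; ';' -> '' (no issuance)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name, ca_identifiers, zone):
    """Return (allowed, reason) for issuing `name` by a CA known by `ca_identifiers`.

    A leading '*.' marks a wildcard request, which is evaluated for the name
    under the wildcard label and consults issuewild before issue.
    """
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    owner, rrset = relevant_rrset(base, zone)
    if not rrset:
        return True, "no CAA records found: any CA may issue"

    # A critical record with a tag this CA does not understand forbids issuance.
    for rec in rrset:
        if rec.flags & ISSUER_CRITICAL and rec.tag not in KNOWN_TAGS:
            return False, f"unknown critical tag '{rec.tag}' at {owner}"

    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild takes precedence for wildcard requests and is ignored otherwise.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"no applicable issue/issuewild property at {owner}"

    allowed = {issuer_domain(r.value) for r in applicable}
    if allowed & {i.lower() for i in ca_identifiers}:
        return True, f"authorised by CAA at {owner}"
    return False, f"CAA at {owner} authorises only {sorted(allowed - {''})}"


if __name__ == "__main__":
    for req in ("www.example.com.", "*.example.com.", "*.ops.example.com.",
                "legacy.example.com.", "example.net."):
        print(req, ca_may_issue(req, COMODO_IDS, ZONE))
```

Note that `*.example.com.` is refused even though `example.com.` authorises comodoca.com for single-name certificates, because the `issuewild ";"` record overrides `issue` for wildcard requests; that is the split the article's "single-name certificates, wildcard certificates, or both" sentence refers to.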

The following DNS servers support CAA records:

  • BIND (Prior to version 9.9.6 use RFC 3597 syntax)
  • NSD (Prior to version 4.0.1 use RFC 3597 syntax)
  • PowerDNS ≥4.0.0
  • Knot DNS ≥2.2.0
  • Google Cloud DNS
  • DNSimple

Standard BIND Zone File

For BIND ≥9.9.6, PowerDNS ≥4.0.0, NSD ≥4.0.1, Knot DNS ≥2.2.0

Example:

  comodo.com.    IN    CAA    0 issue "comodoca.com"

Generic

For Google Cloud DNS, DNSimple

  • 0 issue "comodoca.com"
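The server list above notes that BIND before 9.9.6 and NSD before 4.0.1 need RFC 3597 syntax, in which an RR type the server does not know is written as `TYPE257 \# <length> <hex RDATA>`. The following added example (not code from Comodo or from any DNS server) builds that generic form from the flags/tag/value triple of the zone-file example and parses it back as a check; the RDATA layout is the one in RFC 6844 section 5.1 (flags octet, tag length octet, tag, value).

```python
# Added example: encode a CAA record into RFC 3597 "unknown RR type" zone
# syntax for name servers that predate native CAA support (BIND < 9.9.6,
# NSD < 4.0.1 per the article). Not code from Comodo or from any DNS server.
import re

CAA_TYPE = 257  # RR type code assigned to CAA


def caa_wire(flags, tag, value):
    """RFC 6844 section 5.1 RDATA: flags(1) | tag length(1) | tag | value."""
    tag_b = tag.encode("ascii")
    if not 0 <= flags <= 255 or not 1 <= len(tag_b) <= 255:
        raise ValueError("flags must fit one octet and tag must be 1..255 octets")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")


def to_rfc3597(owner, flags, tag, value, ttl=None):
    """Render a CAA record as 'owner [ttl] IN TYPE257 \\# <len> <hex>'."""
    rdata = caa_wire(flags, tag, value)
    ttl_field = f"{ttl} " if ttl is not None else ""
    return f"{owner} {ttl_field}IN TYPE{CAA_TYPE} \\# {len(rdata)} {rdata.hex()}"


def from_rfc3597(line):
    """Parse the generic form back to (owner, flags, tag, value) as a check."""
    m = re.match(
        r"^(\S+)\s+(?:\d+\s+)?IN\s+TYPE257\s+\\#\s+(\d+)\s+([0-9a-fA-F\s]+)$",
        line,
    )
    if not m:
        raise ValueError("not an RFC 3597 CAA record")
    # RFC 3597 allows whitespace inside the hex run; strip it before decoding.
    rdata = bytes.fromhex("".join(m.group(3).split()))
    if len(rdata) != int(m.group(2)):
        raise ValueError("declared RDATA length does not match hex data")
    flags, tag_len = rdata[0], rdata[1]
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("utf-8")
    return m.group(1), flags, tag, value


if __name__ == "__main__":
    line = to_rfc3597("comodo.com.", 0, "issue", "comodoca.com")
    print(line)                 # comodo.com. IN TYPE257 \# 19 0005...
    print(from_rfc3597(line))   # ('comodo.com.', 0, 'issue', 'comodoca.com')
```

The 19-octet length in the output is 1 (flags) + 1 (tag length) + 5 ("issue") + 12 ("comodoca.com"); a mismatch between the declared length and the hex data is exactly the kind of hand-editing mistake the parser's length check catches.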

Additional Reference Information: https://tools.ietf.org/html/rfc6844
