CAA Record - Certification Authority Authorization
What is CAA?
CAA is a standard that lets you control what certificate authorities (CAs) are allowed to issue certificates for your domain. You can use CAA to reduce your exposure to vulnerabilities in certificate authority validation systems and to enforce certificate procurement policies.
To use CAA, you publish a set of CAA records in your domain's DNS that list the CAs which you authorize to issue certificates. Before issuing a certificate, the CA checks your CAA records and blocks the request if it is not listed.
What is a CAA record?
A Certification Authority Authorization (CAA) record is a standard that lets you specify which certificate authorities (CAs) are allowed to issue certificates for your domain.
The purpose of the CAA record is to allow domain owners to authorize which certificate authorities are allowed to issue a certificate for a domain. Before issuing a certificate, the CA checks your CAA records and blocks the request if it is not listed. If no CAA record is present, any CA is allowed to issue a certificate for the domain.
CAA records can set policy for the entire domain, or for specific hostnames. CAA records are also inherited by subdomains. CAA records can regulate the issuance of single-name certificates, wildcard certificates, or both.
All CAs will be mandated to check CAA DNS records starting in late 2017 (Sep 8 to be precise). Comodo, however, has been supporting this on ALL certificates for the last 12+ months.
We recognize the following domain names in issue and issuewild property tags as permitting us to issue: comodo.com, comodoca.com, usertrust.com, trust-provider.com
The following DNS servers support CAA records:
Standard BIND Zone File
For BIND ≥9.9.6, PowerDNS ≥4.0.0, NSD ≥4.0.1, Knot DNS ≥2.2.0
Example: comodo.com. IN CAA 0 issue "comodoca.com"
For Google Cloud DNS, DNSimple
Additional Reference Information: https://tools.ietf.org/html/rfc6844
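The CA-side check described above (walking up from the requested name so subdomains inherit a parent's records, then matching issue/issuewild values against the CA's own identifiers), as an added Python example that is not from this page or from Comodo. The zone contents and the letsencrypt.org entry are constructed test data, and the lookup is a simplified offline model of the RFC 6844 algorithm that ignores CNAME/alias handling.

```python
# Added example (not Comodo's code): a simplified model of the CAA check a CA
# performs per RFC 6844, run against a constructed in-memory zone, not live DNS.

# Constructed zone data: owner name -> list of (flags, tag, value). Not real DNS.
ZONE = {
    "example.com.": [(0, "issue", "comodoca.com"), (0, "issuewild", ";")],
    "dev.example.com.": [(0, "issue", "letsencrypt.org; account=12345")],
}

# Identifiers the page says Comodo recognizes in issue/issuewild values.
COMODO_IDS = {"comodo.com", "comodoca.com", "usertrust.com", "trust-provider.com"}


def parse_caa(rdata):
    """Parse zone-file CAA RDATA such as '0 issue "comodoca.com"'."""
    flags, tag, value = rdata.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def find_caa_set(name, zone):
    """Climb from the requested name toward the root and return the first
    non-empty CAA RRset found; this is how subdomains inherit a parent's policy."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels) + ".")
        if rrset:
            return rrset
        labels.pop(0)
    return []


def issuance_allowed(name, ca_ids, zone, wildcard=False):
    """Return True if a CA holding the identifiers in ca_ids may issue for name."""
    rrset = find_caa_set(name, zone)
    if not rrset:
        return True                      # no CAA record anywhere: no restriction
    # A record with the critical flag (0x80) set and a tag the CA does not
    # understand must cause the CA to refuse issuance.
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag not in ("issue", "issuewild", "iodef"):
            return False
    # Wildcard requests use issuewild when any exist, otherwise fall back to issue.
    tags = ("issue",)
    if wildcard and any(tag == "issuewild" for _, tag, _ in rrset):
        tags = ("issuewild",)
    relevant = [v for _, tag, v in rrset if tag in tags]
    if not relevant:
        return True                      # no issue/issuewild property: unrestricted
    # The domain is everything before the first ';' (parameters follow it);
    # an empty domain, i.e. the value ";", authorizes no CA at all.
    domains = {v.split(";", 1)[0].strip().lower() for v in relevant}
    return bool(domains & ca_ids)
```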