• Domain Name Service

dns
  1. Help Center
  2. Domain Name Service
  3. User Guide
  4. FAQs
  5. What Is CAA?

What Is CAA?

Certification Authority Authorization (CAA) is a way to ensure that HTTPS certificates are issued by authorized certificate authorities (CAs). It is in compliance with IETF RFC 6844 standards. Since September 8, 2017, all CAs are required to check CAA records before issuing certificates.

CAA Specifications

Domain name owners can create CAA records to specify that authorized CAs issue certificates for their domain names.

In the world, hundreds of CAs have the right to issue HTTPS certificates to verify identity of a website. CAA allows you to specify CAs that are authorized to issue HTTPS certificates for particular website domain names to prevent possibly fraudulent certificates. Setting CAA records is a way to enhance security for your websites.

CAs will perform a DNS lookup for CAA records when they issue certificates.

  • If a CA does not find any CAA record, it can issue a certificate for the domain name.

    Any other CAs are also able to issue certificates for this domain name, bringing risks of certificate mis-issuing.

  • If the CA finds a CAA record that authorizes it to issue certificates, it will issue a certificate for the domain name.
  • If the CA finds a CAA record but the record does not authorize it to issue certificates, the CA will not be able to issue HTTPS certificates for the domain name. In this case, HTTPS certificates will not be mis-issued.

CAA Record

A CAA record consists of a flag byte [flag], a property tag, and a property value [tag]-[value]. You can create multiple CAA records for a domain name.

Table 1 Configuration of CAA records

Function

Example

Description

Configure a CAA record for one domain name.

domain.com. CAA 0 issue "ca.example.com"

Only the specified CA (ca.example.com) can issue certificates for a particular domain name (domain.com). Requests to issue certificates for the domain name by other CAs will be rejected.

domain.com. CAA 0 issue ";"

No CA is allowed to issue certificates for the domain name domain.com.

Configure that the CA reports to the domain name holder.

domain.com. CAA 0 iodef "mailto:admin@domain.com"

When a certificate is requested that violates the CAA record, the CA will notify the domain name holder of the violation.

domain.com. CAA 0 iodef "http:// domain.com/log/"

domain.com. CAA 0 iodef "https:// domain.com/log/"

Requests to issue certificates by unauthorized CAs will be recorded.

Authorize a CA to issue wildcard certificates.

domain.com. CAA 0 issuewild "ca.example.com"

The specified CA (ca.example.com) can issue wildcard certificates for the domain name.

Configuration example

domain.com. CAA 0 issue "ca.abc.com"

domain.com. CAA 0 issuewild "ca.def.com"

domain.com. CAA 0 iodef "mailto:admin@domain.com"

The example configures a CAA record for the domain name domain.com.

  • Only CA ca.abc.com can issue certificates of all types.
  • Only CA ca.def.com can issue wildcard certificates.
  • Any other CAs are not allowed to issue certificates.
  • When a violation occurs, the CA sends a notification to admin@domain.com.

Checking Whether a CAA Record Takes Effect

You can run the dig command to check whether the CAA record has taken effect.

The command format is: dig [Type] [Domain name] +trace.

For example:

dig caa www.example.com +trace

NOTE:

If the OS does not support the dig command, you need to manually install it first.