How does CAA record work?
CAA record is a type of DNS record that allows domain owners to specify which Certificate Authorities (CAs) are allowed to issue certificates for that domain. By default, every public CA is allowed to issue certificates for any domain name if they are able to validate the requester's ownership of the domain name. If a CA receives an order for a certificate for a domain with a CAA record and that CA isn’t listed as an authorized issuer, they are prohibited from issuing the certificate to that domain or any subdomain.
CAA record format
A typical CAA record looks like the following in standard BIND format:
$ORIGIN example.com. @ 10800 IN CAA 0 issue "comodoca.com"An anatomy of the CNAME Record
@ 10800 IN CAA 0 issue "comodoca.com"looks like the below:
|Host Label||TTL||Record Class||Record Type||Flag||Tag||Value|
It defines the hostname of a record and whether the hostname will be appended to the label. Fully qualified hostnames terminated by a period will not append the origin.
The time-to-live in seconds. This is the amount of time the record is allowed to be cached by an outside DNS server.
Mainly 3 classes of DNS records exist:
- IN (Internet) – default and generally what internet uses.
- CH (Chaosnet) – used for querying DNS server versions.
- HS (Hesiod) – uses DNS functionality to provide access to databases of information that change infrequently.
The record format is defined using this field. Common record types are A, AAAA, CNAME, CAA, TXT etc. In the case of a CAA record, the record type is CAA.
Flags have only two strictly defined states currently: 0 (non-critical and default) and 1 (critical). Issuer Critical flag tells the CA that it must completely understand the property tag to proceed and RFC 6844 leaves other possibilities open for user-defined flag use.
3 tags are currently defined in the RFC:
- issue: authorizes a single certificate authority to issue certificates for the domain in which the property is published.
- issuewild: authorizes a single certificate authority to issue wildcard certificates for the domain in which the property is published.
- iodef: specifies a URL to which an issuer may report certificate issue requests that are inconsistent with the issuer's Certification Practices or Certificate Policy.
The field contains strings associated with tags. For the issue and issuewild tags, the value is typically the domain name of the CA authorized by the record, for example, comodoca.com. For iodef tag, you’ll supply a URL where policy violations should be reported. It is usually in the format of mailto:email@example.com.
CAA record restrictions
Multiple CAA records
A domain owner can choose to allow multiple CAs to issue certificates for their domain name. The above records limit SSL certificate issuance for example.com to three CAs (Comodo, Let's Encrypt and Entrust).
@ 10800 IN CAA 0 issue "comodoca.com"
@ 10800 IN CAA 0 issue "letsencrypt.org"
@ 10800 IN CAA 0 issue "entrust.com"
The issue tag also authorizes the authorized CA to issue certificates for any subdomains of the specified domain such as www.example.com, mail.example.com, randomname.example.com etc.
The issuewild tag lets the domain owner define what CAs can issue certificates for wildcards separately from the main domain or other subdomains. issuewild tags take precedence over any issue tags. Therefore, Comodo is not allowed to issue wildcard certificates in the above example.
Comodo is the default CA for example.com; Both Comodo and Entrust can issue certificates for www.comodo.com; If a non-defined subdomain such as mail.example.com comes into question, it falls into the category of wildcard and only Let's Encrypt is the authorized CA for it.
$ORIGIN example.com. @ 10800 IN CAA 0 issue "comodoca.com" www 10800 IN CAA 0 issue "comodoca.com" www 10800 IN CAA 0 issue "entrust.com" @ 10800 IN CAA 0 issuewild "letsencrypt.org"
CAA record glossary
CA (Certificate Authority)
Certificate Authority is a trusted entity that issues digital SSL certificates and manages identification, public keys for encrypting information.
Berkeley Internet Name Daemon - is the most commonly used DNS software on the Internet and Dynu observes BIND format.
A wildcard DNS record is a record in a DNS zone that will match requests for non-existent domain names.