CAA Records to Secure Domain and Subdomain

Started by Hitesh Patel, Oct 10, 2022, 03:45 AM


Hitesh Patel (Topic starter)

The CAA record is a DNS record used to specify the certification authorities that are authorized to issue SSL/TLS certificates for a domain or subdomain. From September 8th, 2017, major certification authorities enforce strict adherence to the CAA records of the domain/subdomain in question when issuing certificates. The use of CAA records improves internet security and mitigates unauthorized certificate issuance.

The CAA record format consists of three parts: flag, tag, and value. The flag value is an 8-bit number indicating the criticality of understanding the record by the certification authority. The following flag values are valid: 0 and 128. The tag value can be one of three: issue, issuewild, or iodef.

The value depends on the tag and must be enclosed in double quotes; some certification authorities allow for additional parameters in the value separated by semicolons. To prohibit certificate issuance, use a semicolon instead of the domain of the certification authority. An iodef tag specifies the email address or URL the certification authority should use in cases of unauthorized certificate requests.

Here are some key features of the CAA record: the value of a record is inherited by all subdomains unless otherwise specified; multiple CAA records must be used to define more than one certificate authority for a domain or subdomain; the absence of a CAA record grants permission to issue a certificate by any certification authority; and the full specification of the CAA record is available in RFC 6844.

To check the CAA record for a domain or subdomain, use the command "dig caa". However, not all DNS providers support CAA records. The current list of providers that support it as of August 30, 2017 includes FreeDNS, Amazon Route 53, BuddyNS, Cloudflare, ClouDNS, Constellix, DNSimple, DNS Made Easy, Dyn Managed DNS, Domeneshop, Google Cloud DNS, Gandi, Hurricane Electric Free DNS, Neustar UltraDNS, NS1, and Zilore.

Online generators like and can be used to create CAA records easily and correctly.


During my research on this topic, I found no evidence suggesting that the browser is required to verify these records. The record is only necessary for the CA during the certificate issuance process. Although browsers can verify the record's existence, the RFC does not outline what should be done if the record is not found - even if the certificate is still valid.

Are there any guidelines regarding Let's Encrypt and CAA Records? Are there any sample records available for issuing certificates with Let's Encrypt?


Clients have the option to add CAA records, and the CA/B Forum only requires certification centers to carry out CAA verification. To ensure proper issuance of certificates: verify DNS servers, add a CAA record for the chosen certification authority, and disable DNSSEC for the domain(s).

There are still questions surrounding mandatory CAA verification policies, such as how it will work with CNAME records in CAA and who is responsible for controlling the release of certificates when two certification centers are specified. Additionally, there is currently no software support at the DNS and CA level, which could be difficult for smaller certification centers without proper tools.

Despite being a relatively new addition to DNS, CAA implementation is made easy by modern infrastructure, but third-party DNS providers may not support CAA. With time until September, all parties involved can adapt to the new requirements.
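Worked example, added here and not part of any post in this thread: a small Python model of how a CA evaluates the flag/tag/value records described in the first post (subdomain inheritance, ";" to forbid issuance, issuewild falling back to issue, a critical flag the CA does not understand), run against a constructed zone that also contains the kind of Let's Encrypt record asked about above. letsencrypt.org is the CAA identifier Let's Encrypt publishes; example.com, exampleca.test and the record set are assumed sample values.

```python
import re

# Constructed sample zone (not from the thread). letsencrypt.org is the CAA
# identifier Let's Encrypt publishes; the names and exampleca.test are made up.
SAMPLE_ZONE = """
example.com.         CAA 0   issue     "letsencrypt.org"
example.com.         CAA 0   issue     "exampleca.test; account=12345"
example.com.         CAA 0   issuewild ";"
example.com.         CAA 0   iodef     "mailto:security@example.com"
locked.example.com.  CAA 0   issue     ";"
strict.example.com.  CAA 128 futuretag "not-understood"
"""

CAA_LINE = re.compile(r'^(\S+)\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_zone(text):
    """Return {owner: [(flag, tag, value), ...]} from zone-file style lines."""
    records = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError("not a CAA record: " + line)
        name, flag, tag, value = m.groups()
        if int(flag) not in (0, 128):      # only flag values 0 and 128 are valid
            raise ValueError("invalid flag in: " + line)
        records.setdefault(name.rstrip(".").lower(), []).append((int(flag), tag.lower(), value))
    return records

def relevant_rrset(records, name):
    """RFC 6844 lookup: the name itself, else the closest parent with CAA records."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = records.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def ca_may_issue(records, name, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue for name (or *.name when wildcard)."""
    rrset = relevant_rrset(records, name)
    if any(f == 128 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False                    # critical record the CA does not understand
    wanted = "issuewild" if wildcard else "issue"
    props = [v for _, t, v in rrset if t == wanted]
    if wildcard and not props:          # no issuewild: the issue records apply
        props = [v for _, t, v in rrset if t == "issue"]
    if not props:
        return True                     # no CAA / no issue records: any CA may issue
    # CA domain is the text before the first ';'; an empty domain (";") forbids all
    allowed = {v.split(";", 1)[0].strip().lower() for v in props}
    return ca_domain.lower() in allowed
```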


CAA (Certification Authority Authorization) records are crucial for securing a domain and its subdomains by specifying which certificate authorities are allowed to issue SSL certificates for the domain. This ensures that only authorized certificate authorities can issue certificates, preventing any unauthorized or rogue certificates from being used to compromise the security of the domain and its subdomains. Implementing CAA records is a technical aspect of domain security that engineers need to consider when designing and maintaining secure systems. It involves understanding DNS record management and SSL certificate issuance processes to ensure that the domain and its subdomains remain protected against potential security threats.

Let's consider a scenario where a domain owner wants to ensure that only two specific certificate authorities, "ExampleCA" and "SecureSSL," are permitted to issue SSL certificates for their domain and subdomains.

In the art world analogy, this would be similar to an artist exclusively partnering with renowned galleries such as "GalleryA" and "ArtTrust" for exhibiting their work. By specifying these trusted entities in the CAA records, the domain owner effectively authorizes only "ExampleCA" and "SecureSSL" to issue SSL certificates, thereby enhancing the security and authenticity of their online presence.

Just as an artist carefully selects reputable galleries to represent them, the domain owner, through the use of CAA records, can exercise control over which certificate authorities are allowed to vouch for the security of their digital domain. This selective authorization helps prevent unauthorized or untrustworthy SSL certificates from being issued, much like how artists safeguard their artwork by entrusting it only to established and trustworthy galleries.