If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


Specifying CAA Records for Your Domains

Started by fordhenries, Sep 25, 2022, 06:33 AM


fordhenries (Topic starter)

The Certification Authority Authorization (CAA) is a new DNS record that helps identify certification authorities authorized to issue SSL/TLS certificates for a specific domain or subdomain. As of September 8, 2017, the largest and most popular certification authorities have made it mandatory to follow the instructions specified in the CAA records for the domain or subdomain for which the certificate is requested.



Using CAA records can enhance Internet security and reduce the unauthorized issuance of certificates for third-party domains. To help users understand the CAA record and its format, detailed instructions have been prepared. The record format consists of three parts: flag, tag, and value.

The flag value is an 8-bit number that determines the criticality of understanding the record by the certification authority. The tag value can be issue, issuewild, or iodef, and the value field must be enclosed in double quotes, with additional parameters, if any, separated by a semicolon.

For instance, if tag = issue, the domain of the certification authority that is allowed to issue a certificate for the specified domain or subdomain is included in the name of the record. To prohibit the issuance of a certificate for all certification authorities, a semicolon should be used instead of the domain of the certification authority. If tag = issuewild, the same rule applies to wildcard certificates. Finally, if tag = iodef, the email address or URL that the certification authority should use in case of unauthorized requests to issue a certificate is included.

Unless explicitly specified otherwise, the value of a record for a domain or subdomain is inherited by all its subdomains. Multiple CAA records are required to define two or more certificate authorities for the same domain or subdomain. Any certification authority will interpret the absence of a CAA record as permission to issue a certificate. The full specification of the CAA record can be found in RFC 6844.

To check, use the command "dig example.com caa".

Not all DNS providers support CAA records. Here's a list of current providers in alphabetical order: Afraid.org Free DNS, Amazon Route 53, BuddyNS, Cloudflare, ClouDNS, Constellix DNS, DNSimple, DNS Made Easy, Dyn Managed DNS, Domeneshop, Google Cloud DNS, Gandi, Hurricane Electric Free DNS, Neustar UltraDNS, NS1, and Zilore.

For those looking for online generators, there are two recommended options: Zilore and SSLmate.
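The post above describes the record format (flag / tag / value), subdomain inheritance, the ";" deny-all value, issuewild for wildcard names, and "no CAA record = anyone may issue". The following is an added example (not code from the original post) that puts those rules into a small checker a CA would run before issuing. It assumes records in zone-file presentation format, zone data supplied as a plain dict (no live DNS lookups), and omits the CNAME/DNAME chasing of RFC 6844; the critical flag is bit value 128 as defined in RFC 6844 / RFC 8659. SAMPLE_ZONE, ca.example.net and the "example-param" parameter are constructed for illustration.

```python
"""Evaluate CAA authorization the way a CA does: flags / tag / value records,
closest-ancestor inheritance, issuewild for wildcards, ';' meaning 'nobody'.

Added example; not code from the original post. Assumptions: presentation-format
records ('0 issue "letsencrypt.org"'), zone data in a dict (no DNS queries), no
CNAME/DNAME chasing. Critical flag = 128 per RFC 6844 / RFC 8659.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

CRITICAL = 128                          # issuer-critical flag bit (RFC 6844 s5.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

_PRESENTATION = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"$')


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(text: str) -> CAARecord:
    """Parse one presentation-format CAA RDATA string: <flags> <tag> "<value>"."""
    m = _PRESENTATION.match(text.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {text!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError(f"flags must fit in 8 bits, got {flags}")
    return CAARecord(flags, m.group(2).lower(), m.group(3))


def issuer_domain(value: str) -> str:
    """Strip ';'-separated parameters; '' (from a bare ';') means 'no CA at all'."""
    return value.partition(";")[0].strip().lower()


def relevant_caa_set(zone: dict[str, list[str]], fqdn: str) -> list[CAARecord]:
    """Climb from fqdn towards the root; the closest name that has CAA records wins
    (this is the 'inherited by all subdomains unless overridden' rule)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return [parse_caa(r) for r in zone[owner]]
    return []


def is_authorized(zone: dict[str, list[str]], name: str, ca: str) -> tuple[bool, str]:
    """Return (allowed, reason) for the CA with issuer domain `ca` issuing for `name`.
    A leading '*.' marks a wildcard request, which is governed by issuewild."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name
    records = relevant_caa_set(zone, fqdn)
    if not records:
        return True, "no CAA records found: any CA may issue"
    # A critical property the CA does not understand blocks issuance outright.
    for r in records:
        if r.flags & CRITICAL and r.tag not in KNOWN_TAGS:
            return False, f"critical property {r.tag!r} is not understood"
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"               # issuewild takes over for wildcards when present
    governing = [r for r in records if r.tag == tag]
    if not governing:
        # e.g. only an iodef record: CAA is present but does not restrict issuance
        return True, f"CAA present but no {tag} property: any CA may issue"
    allowed = {issuer_domain(r.value) for r in governing}
    if ca.lower() in allowed:
        return True, f"{ca} is listed in the {tag} property"
    listed = sorted(a for a in allowed if a) or ["<no CA>"]
    return False, f"{ca} is not listed in the {tag} property (allowed: {', '.join(listed)})"


# Constructed sample zone data (not real DNS), written as it would appear in a zone file.
SAMPLE_ZONE = {
    "example.com": [
        '0 issue "letsencrypt.org"',
        '0 issuewild ";"',                          # no wildcard certificates from anyone
        '0 iodef "mailto:security@example.com"',
    ],
    "shop.example.com": [
        '0 issue "ca.example.net; example-param=1"',  # overrides the parent; hypothetical parameter
    ],
    "legacy.example.com": [
        '128 futuretag "unknown"',                  # critical property no current CA understands
        '0 issue "letsencrypt.org"',
    ],
    "report.example.com": [
        '0 iodef "https://example.com/caa-reports"',  # contact only, no issue restriction
    ],
}

if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("*.example.com", "letsencrypt.org"),
                     ("shop.example.com", "letsencrypt.org"),
                     ("*.api.shop.example.com", "ca.example.net"),
                     ("legacy.example.com", "letsencrypt.org"),
                     ("report.example.com", "ca.example.net"),
                     ("unrelated.org", "letsencrypt.org")]:
        ok, why = is_authorized(SAMPLE_ZONE, name, ca)
        print(f"{name:26} {ca:18} {'ALLOW' if ok else 'DENY '}  {why}")
```

Two behaviours worth noticing when you run it: the wildcard request for *.api.shop.example.com falls back to the issue property because shop.example.com has no issuewild record, whereas *.example.com is refused to everyone because of the issuewild ";" at example.com; and a record with the critical flag set on an unknown tag makes the whole name unissuable, which is why the flag should stay 0 unless you intend that.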


JPinto

All members of the Association of the largest UCS are required to follow the standard outlined in RFC 6844. This RFC, which is currently a Proposed standard, does not apply to non-members of the association.

In regards to Let's Encrypt, there may already be available records that permit the issuance of these certificates for specific domain names. It's worth exploring this option to simplify the process.

Kaustubh

If a CAA record permits malicious actors to issue a certificate for a domain that they don't control, who ensures that they will check the DNS records? After all, isn't the purpose of CAA to verify whether the certificate applicant actually owns the resource being certified?

The essential concept of CAA is that all certification authorities should review the CAA in addition to traditional verification methods like email, website, and document validation. This additional step helps ensure that only legitimate requests are approved, and that unauthorized certificates aren't issued to bad actors.

PrivaWrallNix

CAA (Certification Authority Authorization) records are a type of DNS (Domain Name System) record that allows domain owners to specify which certificate authorities (CAs) are allowed to issue SSL/TLS certificates for their domain. This helps domain owners to have more control over the issuance of certificates for their domains and adds an extra layer of security.

To specify CAA records for a domain, you would need to log in to your domain registrar or DNS hosting provider's control panel and access the DNS settings for your domain. Then, you can add a CAA record with the following information:

1. Name: The domain name for which the CAA record is being created (e.g., example.com).
2. Type: CAA
3. Flags: This field indicates the critical flag for the CAA record. It can be set to 0 or 1. If set to 1, it means that the issuing CA must understand the CAA record type to issue a certificate.
4. Tag: The CAA record tag specifies the type of permission being granted. The most common tag is "issue", which specifies the CA allowed to issue certificates for the domain. Other tags include "issuewild" for wildcard certificates and "iodef" for incident reports.
5. Value: The value field contains the domain name of the CA that is allowed to issue certificates. For example, if you want to allow Let's Encrypt to issue certificates for your domain, the value would be "letsencrypt.org".

After adding the CAA record, the DNS changes may take some time to propagate. Once the CAA record is active, only the CAs specified in the record will be allowed to issue SSL/TLS certificates for the domain, providing an additional layer of security against unauthorized certificate issuance.
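The post above lists the fields you type into a control panel (name, flags, tag, value). As an added example (not code from the original post or from any DNS provider), here is a small linter that checks those fields before you publish them and renders the resulting zone-file lines. It uses the flag values from RFC 6844 / RFC 8659, where the issuer-critical flag is 128 (a value of 1 is a reserved bit), and assumes a simple hostname check for the issuer domain; the mailto: address and https: URL are constructed for illustration.

```python
"""Lint control-panel CAA fields (flags, tag, value) and render zone-file lines.

Added example, not the original post's or any provider's code. Assumptions:
flags follow RFC 6844 / RFC 8659 (0, or 128 for issuer-critical); output is
zone-file presentation format; the issuer hostname check is deliberately simple.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

CRITICAL = 128
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
_TAG = re.compile(r"^[A-Za-z0-9]+$")
_HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")


def lint_caa(flags: int, tag: str, value: str) -> list[str]:
    """Return a list of problems; an empty list means the record is well-formed."""
    problems: list[str] = []
    if not isinstance(flags, int) or not 0 <= flags <= 255:
        problems.append("flags must be an integer 0..255")
    elif flags not in (0, CRITICAL):
        problems.append(f"flags={flags}: only 0 or 128 (issuer critical) are defined; other bits are reserved")
    if not _TAG.match(tag):
        problems.append(f"tag {tag!r} must be alphanumeric")
        return problems
    tag = tag.lower()
    if '"' in value:
        problems.append("value must not contain double quotes")
    if tag in ("issue", "issuewild"):
        issuer, _, params = value.partition(";")
        issuer = issuer.strip()
        if issuer and not _HOSTNAME.match(issuer):
            problems.append(f"{tag} value {issuer!r} must be a bare issuer domain (e.g. letsencrypt.org), not a URL or e-mail address")
        for p in (x.strip() for x in params.split(";")):
            if p and "=" not in p:
                problems.append(f"parameter {p!r} must have the form key=value")
    elif tag == "iodef":
        u = urlparse(value)
        if u.scheme not in ("mailto", "http", "https") or not (u.path or u.netloc):
            problems.append("iodef value must be a mailto:, http: or https: URL")
    elif flags == CRITICAL:
        problems.append(f"critical flag on unknown tag {tag!r} would stop every CA from issuing")
    else:
        problems.append(f"tag {tag!r} is not issue/issuewild/iodef and will be ignored by CAs")
    return problems


def zone_line(name: str, flags: int, tag: str, value: str, ttl: int = 3600) -> str:
    """Render one record in zone-file presentation format, refusing malformed input."""
    problems = lint_caa(flags, tag, value)
    if problems:
        raise ValueError("; ".join(problems))
    return f'{name.rstrip(".")}. {ttl} IN CAA {flags} {tag.lower()} "{value}"'


def build_policy(name: str, issue: list[str], issuewild: list[str] | None = None,
                 iodef: str | None = None) -> list[str]:
    """Express a whole-domain policy as a record set.
    issue / issuewild: issuer domains allowed; an empty list means 'nobody' (value ';').
    issuewild=None publishes no issuewild record, so CAs fall back to the issue records."""
    lines = [zone_line(name, 0, "issue", ca) for ca in issue] or [zone_line(name, 0, "issue", ";")]
    if issuewild is not None:
        lines += [zone_line(name, 0, "issuewild", ca) for ca in issuewild] or [zone_line(name, 0, "issuewild", ";")]
    if iodef:
        lines.append(zone_line(name, 0, "iodef", iodef))
    return lines


if __name__ == "__main__":
    # Constructed policy: Let's Encrypt only, no wildcards, report misuse by e-mail.
    for line in build_policy("example.com", ["letsencrypt.org"], issuewild=[],
                             iodef="mailto:security@example.com"):
        print(line)
    for bad in [(1, "issue", "letsencrypt.org"),
                (0, "issue", "https://letsencrypt.org"),
                (0, "iodef", "security@example.com"),
                (128, "auth", "something")]:
        print(bad, "->", lint_caa(*bad))
```

The common mistakes the linter catches are the ones that actually lock people out: a URL or e-mail address in an issue value (which matches no CA), a bare address without mailto: in iodef, and the critical flag on a tag CAs do not know. After publishing, confirm what resolvers see with dig example.com caa.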

