What is a CAA record?

Chris Wright
Published: 26 October 2023 | Last updated: 26 October 2023

CAA (Certification Authority Authorization) records are DNS (Domain Name System) resource records that specify which certificate authorities (CAs) are permitted to issue SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates for a domain. They are defined in RFC 8659 (which replaced RFC 6844). A CAA record is an instruction to CAs, not something browsers check: since September 2017 the CA/Browser Forum Baseline Requirements have required every publicly trusted CA to look up CAA before issuing and to refuse issuance if the records do not authorize it. That gives domain owners a way to limit which CAs can issue for their names and reduces the risk of a certificate being issued by a CA they never chose.

How can I add a CAA record at 20i?

To add a CAA record, you'll need to:

  1. Head to Manage Hosting
  2. Select the package name
  3. Select Options
  4. Select Manage
  5. Go to Manage DNS under Domain Names

Here's how CAA records work:

Domain Owner's Control: When you own a domain and want to control which CAs can issue SSL/TLS certificates for that domain, you can create CAA records in your domain's DNS settings.

CAA Record Format: A CAA record consists of three fields:

  • Flags: An 8-bit field. Only one bit is currently defined, the "issuer critical" bit (value 128). All other bits are reserved and must be zero.
  • Tag: The name of the property the record carries, for example "issue", "issuewild" or "iodef".
  • Value: The property value. For "issue" and "issuewild" this is the domain name the CA uses to identify itself (each CA publishes which name to use), optionally followed by ";" and CA-specific parameters. An empty value, written as ";", authorizes nobody.

Flag Values:

  • "0" means the record is not critical: a CA that does not understand the tag may ignore this record and continue processing the others.
  • "128" means the record is issuer critical: a CA that does not understand the tag must not issue a certificate for the domain at all. This is the only defined flag; it does not change who is authorized, only how a CA must treat a tag it does not recognise.

Tag Values:

  • "issue" is the most commonly used tag. It lists a CA that may issue certificates for the domain. Once at least one "issue" record exists, CAs that are not listed must not issue; add one "issue" record per authorized CA.
  • "issuewild" does the same for wildcard certificates (for example *.example.com). If any "issuewild" record is present, it alone governs wildcard issuance and the "issue" records are ignored for wildcards; if none is present, the "issue" records govern wildcards too.
  • "iodef" carries a "mailto:" or "https:" URL to which a CA may report a certificate request that violated the policy, so the domain owner finds out about attempted misissuance.

Here's an example of a CAA record:

example.com.  CAA  0  issue "ca.example.net"

In this example:

  • The domain is "example.com."
  • The flag is "0", so the record is not issuer critical. "issue" is a tag every CA understands, so the critical bit makes no difference here.
  • The "issue" tag names "ca.example.net" as an authorized CA. Because this is the only "issue" record, it is also the only authorized CA.

With this CAA record in place, only the CA identified as "ca.example.net" may issue SSL/TLS certificates for "example.com". Any other CA is required to look up the CAA records before issuing and must refuse. The lookup also covers subdomains: when a CA is asked for a certificate for "www.example.com", it checks "www.example.com" first, then "example.com", and so on towards the root, and uses the first name that has any CAA records. A subdomain with its own CAA records therefore overrides its parent, and a name with no CAA records anywhere in that chain may be issued for by any CA.
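The lookup and matching rules above, worked through in code. This is an added example, not code from the article or from 20i: it models RFC 8659 processing offline against a small, constructed zone (all names and records below are hypothetical), and goes slightly beyond the single record in the text by covering subdomain override, "issuewild", the empty ";" value and an unknown critical tag.

```python
"""Offline model of how a CA evaluates CAA records (RFC 8659).

Added example; the zone data and domain names below are constructed
for illustration and are not real DNS data.
"""
from dataclasses import dataclass

CRITICAL = 128                 # the only defined flag bit: issuer critical
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed stand-in for DNS: owner name -> CAA RRset.
ZONE = {
    "example.com.": [
        CAA(0, "issue", "ca.example.net"),
        CAA(0, "issuewild", ";"),                       # nobody may issue *.example.com
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com.": [
        CAA(0, "issue", "other-ca.example.org"),        # overrides the parent for this name
    ],
    "locked.example.com.": [
        CAA(CRITICAL, "future-tag", "x"),               # critical tag no CA understands yet
    ],
}


def relevant_rrset(name, zone):
    """Climb from `name` towards the root; the first non-empty CAA RRset wins."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels) + ".")
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def parse_issue_value(value):
    """Split 'ca.example.net; validationmethods=dns-01' into (domain, params)."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip()] = v.strip()
    return parts[0].lower(), params   # domain is '' for the bare ';' value


def may_issue(ca_domain, name, zone, wildcard=False):
    """True if the CA identified by `ca_domain` may issue for `name`
    (or for *.name when wildcard=True)."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True                    # no CAA anywhere in the chain: unrestricted
    # A critical record with a tag the CA does not understand forbids issuance.
    if any(rr.flags & CRITICAL and rr.tag.lower() not in KNOWN_TAGS for rr in rrset):
        return False
    tag = "issue"
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrset):
        tag = "issuewild"              # issuewild present: it alone governs wildcards
    authorized = [rr for rr in rrset if rr.tag.lower() == tag]
    if not authorized:
        return True                    # e.g. only an iodef record: no restriction
    return any(parse_issue_value(rr.value)[0] == ca_domain.lower() for rr in authorized)


def presentation(owner, rr):
    """Render a record in the zone-file form used in the article."""
    return f'{owner}  CAA  {rr.flags}  {rr.tag} "{rr.value}"'


if __name__ == "__main__":
    for owner, rrset in ZONE.items():
        for rr in rrset:
            print(presentation(owner, rr))
    print(may_issue("ca.example.net", "www.example.com.", ZONE))
    print(may_issue("ca.example.net", "example.com.", ZONE, wildcard=True))
```

Running it shows why the "issuewild" line matters: "ca.example.net" may issue for www.example.com (the lookup climbs to example.com) but not for *.example.com, because the empty "issuewild" value authorizes nobody. Real CAs also follow CNAMEs and treat certain DNS failures as authorization failures; those rules are omitted here.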

CAA records are a cheap and useful control against unauthorized certificate issuance: publishing them costs nothing and blocks every compliant CA you have not listed. Without any CAA record, every publicly trusted CA may issue for your domain. Two caveats: CAA only restricts issuance, so it has no effect on certificates that already exist, and a CA that ignores CAA (or an attacker who controls your DNS) is not stopped by it. Pair CAA with Certificate Transparency log monitoring so that any certificate issued for your domain, authorized or not, comes to your attention.