Introduction to CAA Records
Certification Authority Authorization (CAA) records are DNS records that allow domain owners to specify which Certificate Authorities (CAs) are authorized to issue SSL/TLS certificates for their domains. Introduced in RFC 6844 and made mandatory in 2017, CAA records add an important security layer to certificate issuance by preventing unauthorized CAs from issuing certificates for your domains.
Why CAA Records Matter:
- Prevent unauthorized certificate issuance
- Reduce the risk of phishing attacks using fraudulent certificates
- Provide an audit trail for certificate issuance
- Help maintain control over which CAs can issue certificates for your domains
- Enhance overall SSL/TLS security posture
Core CAA Record Concepts
Basic CAA Record Structure
flag tag value
- Flag: A single octet that defines processing requirements (0-255)
- Tag: Identifies the property being defined (“issue”, “issuewild”, or “iodef”)
- Value: The parameter value for the specified property
Standard Format in DNS Zone File
domain.com. IN CAA flag tag "value"
Example:
example.com. IN CAA 0 issue "letsencrypt.org"
Key CAA Tags
| Tag | Purpose | Example |
|---|---|---|
issue | Authorizes a CA to issue certificates for the exact domain | 0 issue "digicert.com" |
issuewild | Authorizes a CA to issue wildcard certificates | 0 issuewild "globalsign.com" |
iodef | Specifies a URL or email for reporting policy violations | 0 iodef "mailto:security@example.com" |
How CAA Validation Works
- When a CA receives a certificate request, it must check for CAA records
- CA looks up CAA records for the domain and all parent domains until it finds a record or reaches the DNS root
- If CAA records exist, the CA verifies its authorization
- If the CA is not authorized, it must reject the certificate request
- If no CAA records exist, any CA can issue certificates
Implementing CAA Records: Step-by-Step
1. Determine Your Certificate Authority Requirements
- Identify which CAs you currently use or plan to use
- Check if your CAs support CAA (most major CAs do)
- Get the correct domain identifier for each CA (check CA documentation)
2. Plan Your CAA Policy
- Decide which CAs should be authorized for regular certificates
- Determine if wildcard certificates should be authorized separately
- Plan incident reporting procedures
3. Create Your CAA Records
For authorizing Let’s Encrypt for standard certificates:
example.com. IN CAA 0 issue "letsencrypt.org"
For authorizing DigiCert for wildcard certificates:
example.com. IN CAA 0 issuewild "digicert.com"
For reporting violations:
example.com. IN CAA 0 iodef "mailto:security@example.com"
4. Add Records to Your DNS Zone
Using traditional zone file:
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
example.com. 3600 IN CAA 0 issuewild "digicert.com"
example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"
Using common DNS providers:
| Provider | Method |
|---|---|
| AWS Route 53 | Select CAA record type and enter flag, tag, and value |
| Cloudflare | Add CAA record with dropdown for tag type |
| GoDaddy | Add CAA record with separate fields for flag, tag, value |
| Google Cloud DNS | Add CAA record with specified format |
5. Test Your CAA Records
# Using dig
dig CAA example.com
# Using online tools
# - caatest.co.uk
# - CAA Test by SSLMate
CAA Record Options and Parameters
Flag Values
| Flag Value | Meaning | Usage |
|---|---|---|
| 0 | Non-critical | Standard flag (most common) |
| 1 | Critical | CA must understand this property or reject |
| 128 | Critical for owners | For custom CA policies |
Common CA Domain Identifiers
| Certificate Authority | CAA Domain Identifier |
|---|---|
| Let’s Encrypt | letsencrypt.org |
| DigiCert | digicert.com |
| Sectigo (Comodo) | sectigo.com, comodoca.com |
| GoDaddy | godaddy.com |
| GlobalSign | globalsign.com |
| Amazon | amazon.com, amazontrust.com |
| Google Trust Services | pki.goog |
| IdenTrust | identrust.com |
Advanced Parameters
For more complex policies, some CAs support additional parameters:
example.com. IN CAA 0 issue "digicert.com; account=123456"
Common parameters:
account=: Specific account numbervalidationmethods=: Allowed validation methodspolicy=: URL pointing to issuance policy
Multiple CAA Records
You can create multiple CAA records to authorize several CAs:
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issuewild "digicert.com"
DNS Records Comparison
| Record Type | Purpose | Similar to CAA? | Example |
|---|---|---|---|
| CAA | Control which CAs can issue certificates | – | 0 issue "letsencrypt.org" |
| TLSA (DANE) | Associate certificates directly with services | Yes, but different approach | 3 0 1 HASH |
| DKIM | Email authentication | No, but also uses cryptographic keys | v=DKIM1; k=rsa; p=MIGfMA0... |
| SPF | Email sender authorization | No, but also security-focused | v=spf1 mx a include:_spf.example.com ~all |
| MX | Mail server definition | No | 10 mail.example.com |
| A/AAAA | IP address resolution | No | 192.0.2.1 |
Common CAA Challenges and Solutions
Challenge: Certificate Issuance Failures
Symptoms:
- CA rejects certificate request
- Error messages about CAA restrictions
Solutions:
- Verify the CA’s domain identifier is correct (e.g.,
letsencrypt.orgnotletsencrypt) - Check for typos in CAA records
- Ensure TTL is low enough for changes to propagate
- Test with
dig CAA example.comto confirm records are visible - Check parent domains for restrictive CAA policies
Challenge: Wildcard Certificate Issues
Symptoms:
- Regular certificates work but wildcards fail
- Error specifically mentions wildcard restrictions
Solutions:
- Verify you’ve added an
issuewildtag for your CA - Remember that
issuealone doesn’t authorize wildcards ifissuewildexists - Add both records:
example.com. IN CAA 0 issue "digicert.com"example.com. IN CAA 0 issuewild "digicert.com"
Challenge: DNS Propagation Delays
Symptoms:
- CAA changes don’t take effect immediately
- Different results from different DNS servers
Solutions:
- Set a lower TTL (time to live) value before making changes
- Wait for existing TTL to expire before testing
- Use multiple DNS lookup tools to verify propagation
- Consider that some DNS providers cache results longer than specified TTL
Challenge: Subdomain Inheritance
Symptoms:
- Unexpected certificate issuance behavior for subdomains
Solutions:
- Remember CAA records apply to the specified domain and all subdomains unless overridden
- Create specific CAA records for subdomains requiring different policies
- Test subdomain CAA resolution with
dig CAA subdomain.example.com
CAA Record Best Practices
Security Recommendations
- Restrict to necessary CAs only: Don’t authorize CAs you don’t use
- Configure both
issueandissuewild: Explicitly control wildcard issuance - Implement violation reporting: Use the
iodeftag to receive reports - Set appropriate TTLs: Balance propagation speed with DNS load
- Document your CAA policy: Include CA information in security documentation
- Test after implementation: Verify records are correct before certificate renewal
Implementation Tips
- Start permissive: Begin with all your CAs authorized, then restrict
- Phase implementation: Deploy CAA records before making them restrictive
- Monitor certificate expiration: Ensure your CAA policy allows renewal
- Consider backup CAs: Authorize a backup CA in case your primary CA has issues
- Check parent domain policies: Understand inheritance for multi-level domains
- Review periodically: Audit your CAA records when changing CAs
Operational Considerations
- Certificate automation: Ensure automated systems like Let’s Encrypt clients can work with your CAA policy
- Emergency procedures: Document how to change CAA records quickly if needed
- Monitoring: Set up alerts for CAA record changes or unexpected modifications
- DNS Redundancy: Ensure your DNS infrastructure is reliable for CAA checks
CAA Record Templates
Basic Security Configuration
; Allow only Let's Encrypt for standard certificates
example.com. IN CAA 0 issue "letsencrypt.org"
; Report violations to security team
example.com. IN CAA 0 iodef "mailto:security@example.com"
Enterprise Multi-CA Configuration
; Allow DigiCert for standard certificates
example.com. IN CAA 0 issue "digicert.com"
; Allow Sectigo for wildcard certificates
example.com. IN CAA 0 issuewild "sectigo.com"
; Secondary CA for backup purposes
example.com. IN CAA 0 issue "globalsign.com"
; Report violations via email and HTTPS
example.com. IN CAA 0 iodef "mailto:security@example.com"
example.com. IN CAA 0 iodef "https://reports.example.com/caa-violations"
E-commerce Security Configuration
; Primary CA for standard certificates
shop.example.com. IN CAA 0 issue "digicert.com"
; Explicitly disallow wildcards by not having issuewild
; Report violations immediately
shop.example.com. IN CAA 0 iodef "mailto:security-urgent@example.com"