Today we are pleased to announce support for CAA records.
What is CAA?
Why Do We Need CAA?
A Certificate Authority (CA) is an entity that issues digital certificates for domains. It acts as a trusted third party between the owner of the certificate and the party relying on the certificate.
Two years ago, Google security engineers discovered that a Chinese certificate authority had issued unauthorized certificates for several Google domains and could have issued digital certificates for virtually any domain. This serious security issue can be avoided by using CAA records.
All certificate authorities & browsers will have to implement CAA checking starting September 2017, following a vote at the CA/Browser Forum held in March 2017.
CAA records are not mandatory, but they are encouraged for increased security of internet domains. Without CAA records, any certificate authority can issue a certificate for your domain, and there are many of them: just check the trusted certificates shipped with your OS and/or browser.
To whitelist the certificate authorities which can issue digital certificates for your domain, use:

```lua
-- @name  = relative name
-- @value = value
-- @tag   = tag (issue, issuewild, iodef, default: issue)
-- @flag  = flag (default: 0)
-- @ttl   = TTL (default: user default TTL)
caa(name, value, tag, flag, ttl)
```
For example, if you use letsencrypt.org for issuing a certificate for your domain, the syntax for your CAA record would be:

```lua
-- example.com.lua
-- only Let's Encrypt may issue certificates for example.com
caa("", "letsencrypt.org", "issue")
```
This means only letsencrypt.org can issue certificates for your domain.
If you use multiple certificate authorities, you'll need to add a CAA record for each authority. To include subdomains, set the tag to issue; it covers only the first level of subdomains.
The iodef tag lets you define a URL at which you can be notified when a certificate authority receives a certificate request for your domain that the CAA record denies.
```lua
-- example.com.lua
-- only Let's Encrypt may issue; report denied requests by e-mail
caa("", "letsencrypt.org", "issue")
caa("", "mailto:email@example.com", "iodef")
```
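To see what a CA actually does with records like the ones above, here is an added example (not code from this page or from the DNS provider it describes) that evaluates CAA the way a certificate issuer must: walk up from the requested name to the closest ancestor that has a CAA RRset (this is how subdomains are covered), then apply the issue property, or issuewild for a wildcard request. It goes beyond the text by also handling issuewild, the empty value `";"` that forbids all issuance, and the critical flag bit (128) on an unrecognised tag. The semantics follow RFC 8659 as I read it; the zone data, domain names and CA names are constructed for the example.

```python
"""Evaluate whether a CA may issue a certificate for a name under CAA rules.

The zone below is constructed sample data, not a real DNS lookup.
Semantics follow RFC 8659 (ancestor walk, issue/issuewild, critical flag).
"""
from typing import Dict, List, NamedTuple


class CAARecord(NamedTuple):
    flags: int   # 128 = critical bit
    tag: str     # issue, issuewild, iodef, or something this code does not know
    value: str   # e.g. "letsencrypt.org; validationmethods=dns-01" or ";"


# Constructed sample zone: owner name -> CAA RRset. Names that are absent
# (or map to an empty list) have no CAA records of their own.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "iodef", "mailto:email@example.com"),
    ],
    # digicert.com may issue ordinary certs here, but nobody may issue *.dev.example.com
    "dev.example.com": [
        CAARecord(0, "issue", "digicert.com; validationmethods=dns-01"),
        CAARecord(0, "issuewild", ";"),
    ],
    # empty issuer: no CA at all may issue for api.example.com
    "api.example.com": [CAARecord(0, "issue", ";")],
}

CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn: str, zone: Dict[str, List[CAARecord]] = ZONE) -> List[CAARecord]:
    """RFC 8659 section 3: the CAA RRset of the name itself or of its closest
    ancestor that has one. A wildcard request *.X is looked up as X."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_domain(value: str) -> str:
    """Strip parameters: 'digicert.com; validationmethods=dns-01' -> 'digicert.com'.
    The bare value ';' yields '' which matches no CA."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn: str, ca: str, zone: Dict[str, List[CAARecord]] = ZONE) -> bool:
    """True if the CA identified by issuer domain `ca` may issue for `fqdn`."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn, zone)

    # A critical property this issuer does not understand forbids issuance.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False

    # For wildcard requests, issuewild takes precedence when present;
    # otherwise the issue properties apply to wildcards too.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"

    authorised = [issuer_domain(r.value) for r in rrset if r.tag.lower() == tag]
    if not authorised:
        # No restricting property in the relevant RRset (e.g. only iodef, or
        # no CAA anywhere up the tree): any CA may issue.
        return True
    return ca.lower() in authorised


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.dev.example.com", "digicert.com"),
                     ("api.example.com", "letsencrypt.org")]:
        print(f"{ca:16} -> {name:20} {'allowed' if may_issue(name, ca) else 'DENIED'}")
```

Note that `www.example.com` has no records of its own, so the walk lands on `example.com` and Let's Encrypt is the only permitted issuer there as well; the `iodef` record never affects the decision, it only says where a denied request should be reported.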