Jun 18 2017

CAA Record

Posted by Claudiu Tănăselia

Today we are pleased to announce support for CAA records.

What is CAA?

CAA (Certificate Authority Authorization) is a new DNS record type (alongside the classical A, AAAA, CNAME, TXT, MX, SPF etc.) defined in RFC 6844 in January 2013.

Why Do We Need CAA?

A Certificate Authority (CA) is an entity that issues digital certificates for domains. It acts as a trusted third party between the owner of the certificate and the party relying on the certificate.

Two years ago, Google security engineers discovered that a Chinese certificate authority had issued unauthorized certificates for several Google domains and could have issued digital certificates for virtually any domain. This serious security issue can be avoided by using CAA records.

Why Now?

All certificate authorities & browsers will have to implement CAA checking starting September 2017, after a vote during the CA/Browser Forum meeting held in March 2017.

CAA records are not mandatory for users, but they are encouraged for increased security of internet domains. Not using CAA records means that any certificate authority can issue a certificate for your domain, and there are many of them; just check the trusted certificates shipped with your OS and/or browser.

Usage

To whitelist the certificate authorities which can issue digital certificates for your domain, use the caa function.

Syntax:

-- @name    = relative name
-- @value   = value
-- @tag     = tag (issue, issuewild, iodef, default: issue)
-- @flag    = flag (default: 0)
-- @ttl     = TTL (default: user default TTL)
caa(name, value, tag, flag, ttl)

For example, if you use letsencrypt.org for issuing a certificate for your domain, the syntax for your CAA record would be:

-- example.com.lua
caa("", "letsencrypt.org", "issue")

This means only letsencrypt.org can issue certificates for your domain. If you use multiple certificate authorities, you'll need to add a CAA record for each authority. To include subdomains, set the tag to issuewild instead of issue; it covers only the first level of subdomains.

The iodef tag allows you to define a URL where you can be notified when a certificate authority receives a certificate request for a domain but the CAA record denies it.

-- example.com.lua
caa("", "letsencrypt.org", "issue")
caa("", "mailto:me@example.com", "iodef")
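As an added example (not LuaDNS code and not part of the original post), the following Python check parses CAA records in the presentation format that dig prints and evaluates the RFC 6844 issuance rules against them: the lookup climbs from the requested name toward the root until it finds CAA records, an issue value of ";" permits no issuer, and a record carrying the issuer-critical flag (128) with an unknown tag forbids issuance. The records below are constructed; they mirror the example.com.lua records above plus a hypothetical locked subdomain.

```python
"""Evaluate a domain's CAA policy (RFC 6844) against constructed sample records."""
import re
from typing import Dict, List, Tuple

# Constructed records in RFC 6844 presentation format (as dig would print them);
# example.com mirrors the post's example.com.lua, locked.example.com is hypothetical.
SAMPLE_RRS = """
example.com.        3600 IN CAA 0 issue "letsencrypt.org"
example.com.        3600 IN CAA 0 iodef "mailto:me@example.com"
locked.example.com. 3600 IN CAA 0 issue ";"
"""

CAA_RE = re.compile(r'^(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit (RFC 6844 section 5.1)

def parse_zone(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Map each owner name to its list of (flags, tag, value) CAA records."""
    zone: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.strip().splitlines():
        m = CAA_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a CAA RR: {line!r}")
        owner, flags, tag, value = m.groups()
        zone.setdefault(owner.rstrip(".").lower(), []).append((int(flags), tag.lower(), value))
    return zone

def relevant_rrset(zone, name):
    """RFC 6844 section 4: climb toward the root; the first owner with CAA records applies."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return zone[owner]
    return []  # no CAA anywhere in the chain: no restriction

def ca_may_issue(zone, name, ca_domain):
    """True if the CA identified by ca_domain may issue a (non-wildcard) cert for name."""
    rrset = relevant_rrset(zone, name)
    # A critical flag on a tag the CA does not understand forbids issuance.
    if any((f & CRITICAL) and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issuers = [v for _, t, v in rrset if t == "issue"]
    if not issuers:
        return True  # no issue property published: any CA may issue
    # Drop "; key=value" parameters; issue ";" then yields an empty issuer, i.e. nobody.
    allowed = {v.split(";", 1)[0].strip().lower() for v in issuers}
    allowed.discard("")
    return ca_domain.lower() in allowed

def iodef_contacts(zone, name):
    """Where a CA should report a request that the CAA policy rejects."""
    return [v for _, t, v in relevant_rrset(zone, name) if t == "iodef"]
```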