March 26, 2017 · DNS

CAA Records

Put simply, Certification Authority Authorization (CAA) is a special type of DNS record that lets you tell a certification authority whether it is allowed to issue certificates for a domain (or subdomain).

The standard is not that common at the moment but is beginning to get traction; the CA Forum has mandated it, as Qualys reported.

In this example, howson.me is allowed to have certificates issued by either Comodo or Let's Encrypt. Any violations are reported to the hosting e-mail address, and the 128 means the record is critical, so

howson.me    3600    IN      CAA     128 iodef "hosting@howson.me"
howson.me    3600    IN      CAA     128 issue "letsencrypt.org"
howson.me    3600    IN      CAA     128 issue "comodoca.com"
howson.me    3600    IN      CAA     128 issuewild ";"
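As an added example (not part of the original post), the following Python applies these rules the way a CA would: it parses the four records above, climbs from a subdomain to the nearest CAA set, lets issuewild govern wildcard requests and refuses when a critical property is one it does not recognise. The zone input is constructed from the records shown; the function names are this example's own.

```python
from collections import namedtuple

CAA = namedtuple("CAA", "flags tag value")
CRITICAL = 128                      # issuer-critical flag bit (RFC 6844)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(line):
    """Parse one zone-file line: owner ttl class CAA flags tag "value"."""
    owner, _ttl, _cls, _rtype, flags, tag, value = line.split(None, 6)
    return owner.rstrip("."), CAA(int(flags), tag.lower(), value.strip().strip('"'))

def relevant_rrset(zone, name):
    """RFC 6844 climb: nearest name at or above `name` with CAA records; '*.' is looked up from its parent."""
    labels = name.rstrip(".").split(".")
    labels = labels[1:] if labels[0] == "*" else labels
    while labels:
        if zone.get(".".join(labels)):
            return zone[".".join(labels)]
        labels = labels[1:]
    return []

def may_issue(zone, name, ca):
    """True if the CA identified by domain `ca` may issue a certificate for `name`."""
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True                 # no CAA anywhere up the tree: no restriction
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False                # critical property we do not understand: refuse
    governing = [r for r in rrset if r.tag == "issuewild"] if name.startswith("*.") else []
    if not governing:               # not a wildcard, or no issuewild: issue records apply
        governing = [r for r in rrset if r.tag == "issue"]
    if not governing:
        return True                 # only iodef present: issuance is not restricted
    # An issue value may carry ';'-separated parameters; a bare ';' names no CA at all.
    return any(r.value.split(";", 1)[0].strip().lower() == ca.lower() for r in governing)

def iodef_targets(zone, name):
    """Where a CA should report a request it refused for `name`."""
    return [r.value for r in relevant_rrset(zone, name) if r.tag == "iodef"]

# Constructed zone: the four records from this post, in zone-file form.
ZONE = {}
for _line in [
    'howson.me    3600    IN      CAA     128 iodef "hosting@howson.me"',
    'howson.me    3600    IN      CAA     128 issue "letsencrypt.org"',
    'howson.me    3600    IN      CAA     128 issue "comodoca.com"',
    'howson.me    3600    IN      CAA     128 issuewild ";"',
]:
    _owner, _rec = parse_caa(_line)
    ZONE.setdefault(_owner, []).append(_rec)
```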

The DNS CAA records can be confirmed with the SSL Labs test:
[Image: SSL Labs test result]

You can generate your own using this great open-source tool from SSLMate:
https://sslmate.com/labs/caa/
