DNS Certification Authority Authorization

from Wikipedia, the free encyclopedia

DNS Certification Authority Authorization (CAA) uses the Domain Name System to let the owner of a domain specify which certification authorities (CAs) are authorized to issue certificates for that domain. CAA records are intended to prevent certificates from being mis-issued for a domain, for example to an attacker who has tricked a CA into accepting a fraudulent request. They are a control on issuance: CAs consult them before issuing, whereas browsers and other TLS clients do not evaluate them when validating a certificate.

DNS Certification Authority Authorization is specified in RFC 8659 (November 2019), which obsoletes the original specification, RFC 6844 (2013).

Structure of a CAA record

A CAA record is a DNS resource record (RR) of type 257. Its data consists of a flags octet, a property tag and a property value; a domain can have several CAA records, which together form its CAA RRset. The flags influence how a record is interpreted, and the tag selects which kind of property the value carries.

So far only a single flag bit is defined: the issuer critical flag, the most significant bit of the flags octet (value 128). If it is set on a record, a CA that does not understand that record's property tag must not issue a certificate for the domain. A record with an unknown tag and the flag clear is simply ignored, which allows new properties to be introduced without breaking existing CAs.

In addition to the flag, the following three property tags are defined:

issue
Authorizes the CA named in the value field (identified by the issuer domain name that the CA publishes for this purpose, for example ca.example.net) to issue certificates for the domain. The value may carry additional parameters after a semicolon; a value consisting only of ";" authorizes no CA at all.
issuewild
Works like issue, but applies only to wildcard certificates. If at least one issuewild record is present, it takes precedence over the issue records for wildcard requests; if none is present, the issue records apply to wildcard certificates as well.
iodef
Specifies a URL (a mailto: address or an https: web service) to which a CA can report a certificate request that violates the CAA policy, using the Incident Object Description Exchange Format (IODEF). Not all certification authorities support this property.

Mandatory checking

Initially, implementing CAA was voluntary: certification authorities could decide for themselves whether to check the record. In March 2017 the CA/Browser Forum decided that CAs must check it before issuing a certificate. This requirement came into force in September 2017.

Because of this requirement the record has gained in importance and is supported by an increasing number of DNS hosting providers. Two practical limits remain: the check happens only at issuance time, so adding a CAA record does not invalidate certificates that already exist, and the CA obtains the record via DNS, so a zone signed with DNSSEC protects the check against spoofed answers in a way an unsigned zone cannot.

Examples

The following record authorizes the certification authority whose issuer domain name is ca.example.net to issue certificates for example.com. All other certification authorities are then not allowed to issue certificates for example.com; because no issuewild record is present, the same restriction also applies to wildcard certificates:

example.com. IN CAA 0 issue "ca.example.net"

To prohibit the issuance of both ordinary and wildcard certificates for example.com entirely, the following records can be used. The issue record alone would already cover wildcard names, since issue applies to them whenever no issuewild record exists; the issuewild record makes the wildcard policy explicit:

example.com. IN CAA 0 issue ";"

example.com. IN CAA 0 issuewild ";"

The reporting contact can be given in several ways, for example as an e-mail address or as a web-based service:

example.com. IN CAA 0 iodef "mailto:security@example.com"

example.com. IN CAA 0 iodef "https://security.example.com/"
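The following Python program is an added example, not code from the Wikipedia article or from any CA. It parses CAA records in the zone-file form used above and evaluates them the way the structure section describes: climbing from the requested name to its parents until a CAA RRset is found, letting issuewild override issue for wildcard names, treating ";" as "nobody may issue", and refusing to issue when an unknown property carries the critical flag. The zone contents, the CA names and the extra subdomains locked, wild and strict under example.com are constructed for illustration; a real CA would fetch the RRset over DNS.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISSUER_CRITICAL = 128                         # bit 0 of the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # property tags this evaluator understands


@dataclass(frozen=True)
class CAA:
    flags: int   # 0..255
    tag: str     # property tag, stored lower-case (tags are case-insensitive)
    value: str   # property value


_RDATA = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9-]+)\s+"([^"]*)"$')


def parse_caa(rdata: str) -> CAA:
    """Parse the zone-file (presentation) form, e.g. '0 issue "ca.example.net"'."""
    m = _RDATA.match(rdata.strip())
    if m is None:
        raise ValueError(f"not CAA RDATA: {rdata!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError("flags must fit in one octet")
    return CAA(flags, m.group(2).lower(), m.group(3))


def issuer_domain(value: str) -> Optional[str]:
    """Issuer domain from an issue/issuewild value. RFC 8659 allows
    'issuer-domain-name [; parameters]'; a value of ';' (empty issuer)
    means that no CA may issue. Parameters are ignored here."""
    issuer = value.split(";", 1)[0].strip().lower()
    return issuer or None


# Constructed stand-in for DNS: FQDN (with trailing dot) -> its CAA RRset.
Zone = Dict[str, List[CAA]]


def relevant_rrset(zone: Zone, name: str) -> List[CAA]:
    """RFC 8659 section 3: use the CAA RRset of the name itself, otherwise that
    of the closest ancestor that has one, stopping at the top-level label.
    A wildcard name '*.example.com' is queried as-is and then climbs to
    'example.com', so the base name's records govern it."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels) + ".")
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def may_issue(zone: Zone, name: str, ca: str) -> Tuple[bool, str]:
    """Decide whether the CA with issuer domain name `ca` may issue for `name`."""
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no CAA records: issuance is not restricted"
    # Issuer-critical flag: a property we do not understand, marked critical,
    # forbids issuance outright. Unknown non-critical properties are ignored.
    for rr in rrset:
        if rr.flags & ISSUER_CRITICAL and rr.tag not in KNOWN_TAGS:
            return False, f"critical unknown property {rr.tag!r}"
    # issuewild records take precedence for wildcard requests; without any
    # issuewild record, the issue records apply to wildcard names as well.
    tag = "issue"
    if name.startswith("*.") and any(rr.tag == "issuewild" for rr in rrset):
        tag = "issuewild"
    applicable = [rr for rr in rrset if rr.tag == tag]
    if not applicable:
        return True, f"no {tag} property: issuance is not restricted"
    allowed = {issuer_domain(rr.value) for rr in applicable} - {None}
    if ca.lower() in allowed:
        return True, f"{ca} is listed in {tag}"
    return False, f"{ca} is not listed in {tag} (allowed: {sorted(allowed) or 'nobody'})"


def report_targets(zone: Zone, name: str) -> List[str]:
    """iodef URLs a CA may use to report a request that CAA forbids."""
    return [rr.value for rr in relevant_rrset(zone, name) if rr.tag == "iodef"]


# Constructed zone data mirroring the records shown above plus a few variants.
ZONE: Zone = {
    "example.com.": [parse_caa('0 issue "ca.example.net"'),
                     parse_caa('0 iodef "mailto:security@example.com"')],
    "locked.example.com.": [parse_caa('0 issue ";"'),
                            parse_caa('0 issuewild ";"')],
    "wild.example.com.": [parse_caa('0 issue "ca.example.net"'),
                          parse_caa('0 issuewild "wildcards.example.org"')],
    "strict.example.com.": [parse_caa('128 futureprop "reserved"'),
                            parse_caa('0 issue "ca.example.net"')],
}

if __name__ == "__main__":
    for fqdn, ca in [("www.example.com", "ca.example.net"),
                     ("www.example.com", "other-ca.example"),
                     ("*.example.com", "ca.example.net"),
                     ("locked.example.com", "ca.example.net"),
                     ("*.wild.example.com", "ca.example.net"),
                     ("strict.example.com", "ca.example.net")]:
        ok, why = may_issue(ZONE, fqdn, ca)
        print(f"{fqdn:22} {ca:22} {'ALLOW' if ok else 'DENY '} {why}")
```

Note that www.example.com has no records of its own and inherits the policy of example.com, that the wildcard request for wild.example.com is judged only by the issuewild record, and that the record with the critical flag on an unknown tag blocks issuance even though an issue record for ca.example.net sits beside it.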
