Certification Authority Authorisation (CAA)

What are CAA records?

Certification Authority Authorisation (CAA) records allow a DNS domain name holder to specify one or more Certification Authorities (CAs) authorised to issue certificates for that domain (see RFC 6844).

  • CAA records are intended to prevent CAs from improperly issuing certificates.

  • CAA records can set policy for the entire domain, or for specific hostnames.

  • CAA records are inherited by subdomains.  For example, a CAA record set on example.com will also apply to test.example.com (and any other subdomain, unless specifically overridden).

  • CAA records can control the issuance of single-name/SAN certificates, wildcard certificates, or both.

  • Several CAA records (each with flag 0) may be set on the same name to authorise more than one CA.

According to section 3.2.2.8 of the CA/Browser Forum Baseline Requirements for TLS/SSL certificates, CAs must implement CAA checking before September 8, 2017.

Configuration for QuoVadis

To set CAA records for QuoVadis in your Standard BIND Zone File:

example.com.        CAA    0     issue "quovadisglobal.com"
example.com.        CAA    0     issuewild "quovadisglobal.com"
example.com.        CAA    0     iodef "mailto:cert-admin@example.com"

(Note: Legacy BIND and other generic DNS may require a different syntax.)

Background

When you are configuring CAA records you will need to present the record values in the following format:

<flags> <tag> <value>
example.com. CAA 0 issue "quovadisglobal.com"

Flag

There is currently only one flag defined: "issuer critical", with a value of 1. If a record is marked issuer critical and the CA does not understand its tag, the CA must reject the certificate issuance. The issuer critical value of 0 means "not critical".

Type (Tag)

Type allows you to choose how you want certificates to be issued by the CA. Each CAA record can contain only one tag-value pair.

  • issue: Explicitly authorises a single CA to issue a certificate (any type) for the domain name.
  • issuewild: Authorises a single CA to issue certificates that specify a wildcard domain. Important: issuewild properties take precedence over issue properties when specified.
  • iodef: Incident Object Description Exchange Format specifies a means of reporting certificate issue requests, or cases of certificate issue, for the corresponding domain that violate the security policy of the issuer or the domain name holder.
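The following is an added example, not part of this article or of any CA's own validation code. It evaluates the policy rules above (subdomain inheritance, issue versus issuewild precedence for wildcard names, and the issuer critical flag) against a constructed in-memory zone that reuses the QuoVadis records from the BIND snippet plus a few invented owners (test.example.com, locked.example.com, critical.example.com, the placeholder CA "ca-b.example"). The issuer critical flag is bit 0 of the flags octet, which is written as 128 in zone-file presentation format (RFC 6844 section 5.1 shows `CAA 128 tbs "Unknown"`); CNAME/DNAME aliases are not modelled.

```python
"""CAA policy evaluation for a hostname over an in-memory zone (added example).

Implements the RFC 6844 relevant-record lookup (climb the DNS tree to the
closest ancestor that has CAA records) and the issue / issuewild / issuer
critical rules described on this page.  Alias records are not modelled.
"""
from __future__ import annotations
from dataclasses import dataclass

# RFC 6844 s5.1: bit 0 of the flags octet is "issuer critical"; in zone-file
# presentation format that bit appears as 128 (e.g. `CAA 128 tbs "Unknown"`).
ISSUER_CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # tags this checker understands


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa_line(line: str) -> tuple[str, CAARecord]:
    """Parse a BIND-style line: owner [ttl] [class] CAA flags tag "value"."""
    tokens = line.split()
    idx = next(i for i, t in enumerate(tokens) if t.upper() == "CAA")
    owner = tokens[0].lower().rstrip(".")
    flags, tag = int(tokens[idx + 1]), tokens[idx + 2].lower()
    value = " ".join(tokens[idx + 3:]).strip('"')
    return owner, CAARecord(flags, tag, value)


def build_zone(lines: list[str]) -> dict[str, list[CAARecord]]:
    """Group parsed records by owner name."""
    zone: dict[str, list[CAARecord]] = {}
    for line in lines:
        if line.strip():
            owner, rec = parse_caa_line(line)
            zone.setdefault(owner, []).append(rec)
    return zone


def relevant_records(zone: dict, name: str) -> list[CAARecord]:
    """RFC 6844 s4: the CAA set of the name itself or its closest ancestor."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":          # a wildcard name is governed by its parent's records
        labels = labels[1:]
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return []


def issuer_domain(value: str) -> str:
    """'ca.example; account=1' -> 'ca.example'; ';' alone -> '' (no CA authorised)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: dict, name: str, ca_domain: str,
              understood_tags: set[str] = KNOWN_TAGS) -> bool:
    """True if CAA permits `ca_domain` to issue a certificate for `name`."""
    records = relevant_records(zone, name)
    if not records:
        return True               # no CAA policy anywhere up the tree: CAA does not restrict
    # An issuer-critical record whose tag the CA does not understand forbids issuance.
    if any(r.flags & ISSUER_CRITICAL and r.tag not in understood_tags for r in records):
        return False
    wildcard = name.startswith("*.")
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # issuewild takes precedence for wildcard names when present; otherwise issue applies.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True               # e.g. only an iodef record: CAA does not restrict issuance
    return any(issuer_domain(r.value) == ca_domain.lower() for r in applicable)


# Constructed zone: the page's QuoVadis records plus invented owners/CA for illustration.
# "tbs" is the unknown-tag example from RFC 6844 s5.1, marked issuer critical (128).
ZONE_LINES = """
example.com.          CAA 0   issue     "quovadisglobal.com"
example.com.          CAA 0   issuewild "quovadisglobal.com"
example.com.          CAA 0   iodef     "mailto:cert-admin@example.com"
test.example.com.     CAA 0   issue     "ca-b.example"
locked.example.com.   CAA 0   issuewild ";"
critical.example.com. CAA 128 tbs       "Unknown"
critical.example.com. CAA 0   issue     "quovadisglobal.com"
""".splitlines()
ZONE = build_zone(ZONE_LINES)

if __name__ == "__main__":
    for host, ca in [("www.example.com", "quovadisglobal.com"),
                     ("test.example.com", "quovadisglobal.com"),
                     ("*.locked.example.com", "quovadisglobal.com"),
                     ("critical.example.com", "quovadisglobal.com")]:
        print(f"{host:24} {ca:20} -> {'permitted' if may_issue(ZONE, host, ca) else 'refused'}")
```

Running the script shows www.example.com inheriting the example.com policy, test.example.com overriding it with a different CA, the `issuewild ";"` record refusing every wildcard request under locked.example.com, and the critical unknown tag blocking issuance even though an issue record naming the CA is also present.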

Time to Live (TTL)

Time to Live is measured in seconds and is the amount of time the record will cache in resolving name servers and web browsers.  TTL also determines the duration of time a CA is allowed to cache a CAA check.
