The CAA record is not as well known as, for example, the DNS A record. It was first defined in 2013, and since 2017 Certificate Authorities have been obligated to check it before issuing certain types of certificate. So, let’s reveal a little more about it.
The CAA record explained
The Certification Authority Authorization record, or CAA record for short, is used mainly by the DNS administrator of a domain to specify which Certificate Authorities (CAs) may issue SSL/TLS certificates for that domain.
As a domain owner, you have the right to pick which CA can distribute cryptographic certificates for your domain name.
The purpose of a cryptographic certificate is to authenticate the domain owner and to secure communication with that domain through encryption, which keeps sensitive data safe.
With the CAA record, the domain owner gains control over how certificates are issued, and the number of mis-issued certificates for that domain is reduced. A CAA record can cover your whole domain or only some of its subdomains, depending on your preferences and the setup you want.
A well-known requirement for using CAA records is to enable DNSSEC first. The reason is that it gives the CA better security and assurance that the CAA records it reads are authentic.
What is inside the CAA record?
Once you decide to create a new CAA record, you will have to fill in the following fields to end up with a working record.
Type: Here, you have to simply choose CAA.
TTL: Here is the TTL value for the CAA record. Considering that it won’t be modified so often, you can establish a more extended time.
Host: Here, you have to set the domain name or the subdomain name for which you want the CAA records to apply.
Flag: 0 or 128. A value of 0 indicates that the record is not critical, so it is not crucial for the CA to follow its rules. A value of 128 marks the record as critical, so the CA is obligated to follow the rules.
Property type: There are three options: issue, issuewild and iodef.
Issue – It permits the CA to issue a certificate.
Issuewild – It permits the CA to issue a wildcard certificate.
Iodef (Incident Object Description Exchange Format) – It tells the CA where it can send a report about a suspicious certificate request that doesn’t fulfill the rules.
Value: Here goes the value provided by the selected CA.
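As an added example that is not part of the original article, the following Python code parses CAA records written in zone-file form (flag, property tag, quoted value) and applies the rules described above: an issue record lists the CAs allowed to issue, issuewild takes over for wildcard names and falls back to issue when absent, an empty value forbids every CA, and a critical record (flag 128) with an unknown tag blocks issuance. The CA names and the records are constructed placeholders.

```python
# Added example: parse CAA RDATA and decide whether a given CA may issue.
# The CA is identified by the domain name it publishes for CAA matching
# ("ca.example" and "other-ca.example" below are constructed placeholders).
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class CAA:
    flags: int   # 0, or 128 for the "critical" flag
    tag: str     # issue / issuewild / iodef
    value: str   # CA domain (optionally followed by ";parameters"), or an iodef URL

_RDATA = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(rdata: str) -> CAA:
    """Parse one record such as '0 issue "ca.example"' into a CAA object."""
    m = _RDATA.match(rdata.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {rdata!r}")
    flags = int(m.group(1))
    if flags not in (0, 128):
        raise ValueError("CAA flags must be 0 or 128")
    return CAA(flags, m.group(2).lower(), m.group(3))

def may_issue(records, ca: str, wildcard: bool = False) -> bool:
    """Return True if CA 'ca' may issue for a name carrying this CAA record set."""
    # A critical record whose tag the CA does not understand forbids issuance.
    if any(r.flags == 128 and r.tag not in KNOWN_TAGS for r in records):
        return False
    # Wildcard requests use issuewild if present, otherwise fall back to issue.
    relevant = [r for r in records if r.tag == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:
        return True  # no issue/issuewild records: CAA does not restrict this request
    # Compare only the CA domain, ignoring any ";key=value" parameters.
    allowed = {r.value.split(";")[0].strip().lower() for r in relevant}
    return ca.lower() in allowed  # an empty value (";") matches no CA at all

# Constructed sample record set for the examples below.
SAMPLE = [parse_caa('0 issue "ca.example"'),
          parse_caa('0 issuewild ";"'),
          parse_caa('0 iodef "mailto:security@example.com"')]

if __name__ == "__main__":
    print(may_issue(SAMPLE, "ca.example"))                 # True
    print(may_issue(SAMPLE, "other-ca.example"))           # False
    print(may_issue(SAMPLE, "ca.example", wildcard=True))  # False: issuewild ";"
```

Note that a real CA looks up the CAA RRset at the requested name and walks up to parent names until it finds one, so the records passed in must be the closest set that actually exists.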
What are the advantages of CAA?
With CAA records, domain owners decide which Certificate Authorities are permitted to issue certificates for their domain, and no action by the CA is needed to put the record in place. CAA records also give CAs a way to contact the domain owner about a failed certificate issuance request, so domain and website owners gain insight into forged or fraudulent certificate requests. Using CAA records doesn’t limit domain owners to a single CA: as mentioned above, adding several CAA records permits multiple Certificate Authorities to issue certificates for the domain.