CAA Record—What is it and why is it important?

by Katrin Hrubesch | 3–4 min. read time

What is a CAA Record?

A CAA record is an entry in a domain's DNS zone. CAA stands for Certification Authority Authorization. The record specifies which certification authorities (CAs) are permitted to issue certificates for names under that domain.

The CAA record prevents CAs you have not chosen from issuing certificates for your domain. Without it, any publicly trusted CA worldwide may issue a certificate for your domain as soon as an applicant passes its domain-control validation.

CAA was first standardized in 2013 in RFC 6844, which has since been replaced by the revised RFC 8659. Its purpose is to reduce the risk of certificate misissuance on the web.

How is a CAA Record structured?

The following is an example of a CAA record in zone-file notation:
example.com. 3600 IN CAA 0 issue "example-CA.com"

The individual components mean:

  • example.com : The domain (owner name) for which the entry applies
  • 3600: Time to Live (TTL), how long resolvers may cache the entry, in seconds
  • IN: DNS class; IN stands for "Internet" and is used in practically all zones
  • CAA: Record type
  • 0: Flags field. 0 is the normal value; 128 sets the "issuer critical" flag, which tells a CA that does not understand the property tag that it must not issue at all
  • issue: Property tag that specifies what type of authorization is defined
  • “example-CA.com”: The domain name that the authorized CA publishes as its CAA identifier (each CA documents which name to use)

The exact authorization is defined via the property tag:

  • issue: Which CA is allowed to issue SSL certificates for the domain name. If no issuewild record exists, this also governs wildcard certificates.
  • issuewild: Which CA is allowed to issue wildcard SSL certificates (for example *.example.com). If present, it takes precedence over issue for wildcard requests.
  • iodef: A mailto: or https: URL to which a CA can send a report when it receives a certificate request that the CAA policy does not allow.

A value of ";" in an issue or issuewild record authorizes no CA at all, so "0 issuewild ";"" forbids wildcard certificates for the domain entirely.

How does a DNS CAA Record work?

When a certification authority receives a request to issue a certificate, it looks up the CAA records for the requested name. If that name has no CAA record, the CA walks up the DNS tree (sub.example.com, then example.com, and so on towards the top-level domain) and uses the first set of CAA records it finds. Only if there is none at any level is issuance unrestricted. In effect, a CAA record at example.com applies to all its subdomains, unless a subdomain publishes its own CAA records, which then take precedence over the parent's.

The CA compares its own CAA identifier against the values of the applicable issue (or issuewild) records. If it is listed, it may issue the certificate. If it is not listed, it is not authorized and must reject the request. A CA must also refuse if the record set contains a tag it does not understand with the critical flag (128) set.

The number of CAA records in DNS is not limited. Several issue records can be published side by side, allowing more than one certification authority to issue certificates for the domain.

What role do Certificate Authorities play?

A certification authority (CA) is a trusted organization that issues digital certificates. An SSL certificate (more precisely, a TLS server certificate) confirms the identity of a domain and is comparable to a passport.

When issuing an SSL certificate, the certification authority checks various aspects to verify the domain's identity. For example, it ensures that the applicant actually has technical control over the domain, by placing a token in DNS or on the web server.

Since any publicly trusted certification authority can, by default, issue certificates for any domain once that check passes, the CAA record becomes relevant. It allows you to select a specific CA and authorize only that CA to issue certificates. This makes unauthorized certificates much less likely. Note that CAA is enforced by the CA at issuance time, not by browsers; it is a control on issuance, and signing the zone with DNSSEC ensures that a spoofed DNS answer cannot hide the record from the CA.

Since 8 September 2017, the CA/Browser Forum Baseline Requirements have obliged publicly trusted certification authorities to check and respect CAA records before they issue a certificate.

CAA Records in the Context of email certificates

In addition to SSL certificates, which verify a domain, there are also S/MIME certificates (Secure/Multipurpose Internet Mail Extensions) that verify email addresses. These provide sender authentication, protect message integrity, and allow emails to be encrypted so that only the intended recipient can read them.

These certificates are also issued by a certification authority. That's why CAA was extended with the property tag issuemail, allowing the CAs permitted to issue email certificates for addresses at a domain to be named explicitly. This is specified in RFC 9495.

With this extension, S/MIME certificates for addresses at your domain are only issued by the CAs you have authorized. This makes it harder for an attacker to obtain a certificate for one of your addresses and use it to impersonate you in phishing or other fraudulent email.

How to check and use a CAA Record

Although CAA records are not mandatory, they provide additional control and security. For this reason, every domain for which certificates are issued should also publish CAA records. With a CAA record, you control who is authorized to issue certificates for your domain. This reduces the risk of intentional or unintentional misissuance of certificates.

It is important to note that each property tag restricts only one kind of issuance: issue and issuewild govern SSL certificates, and issuemail governs S/MIME certificates. This means that if only issue records are set, any certification authority can still issue S/MIME certificates for addresses at the domain. Ideally, each domain should therefore contain at least two entries, one for SSL certificates and one for email certificates.
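The following is an added example that is not part of the original article or INWX's tooling. It shows how a CA evaluates the records described above: the lookup that climbs from the requested name towards the root (the "How does a DNS CAA Record work?" section), the issue/issuewild precedence and the critical flag from RFC 8659, and the issuemail tag from RFC 9495, including the point that an issue record alone leaves S/MIME issuance unrestricted. The DNS query is replaced by a constructed in-memory zone with hypothetical names (example-CA.com, other-CA.net, futuretag), and CNAME/DNAME handling is omitted.

```python
"""CAA evaluation as a CA performs it (RFC 8659 and RFC 9495), run
offline against a constructed zone. Names are hypothetical."""
import re
from dataclasses import dataclass

ISSUER_CRITICAL = 128          # flags bit 7: unknown tag => must not issue
KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail"}

# Presentation format of one CAA rdata: <flags> <tag> "<value>"
_CAA_RE = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"$')


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    def issuer(self) -> str:
        """Issuer domain before any ';'-separated parameters, lowercased.
        An empty result means 'no CA' (the value ";" is the usual spelling)."""
        return self.value.split(";", 1)[0].strip().lower()


def parse_caa(rdata: str) -> CAA:
    """Parse one CAA rdata string; flags must fit in a single octet."""
    m = _CAA_RE.match(rdata.strip())
    if not m or not 0 <= int(m.group(1)) <= 255:
        raise ValueError(f"not a valid CAA rdata: {rdata!r}")
    return CAA(int(m.group(1)), m.group(2).lower(), m.group(3))


# Constructed zone (not real DNS data): owner name -> CAA rdata strings.
ZONE = {
    "example.com": [
        '0 issue "example-CA.com"',            # only this CA may issue
        '0 issuewild ";"',                     # nobody may issue wildcards
        '0 iodef "mailto:security@example.com"',
        '0 issuemail "example-CA.com"',        # RFC 9495: S/MIME issuers
    ],
    "dev.example.com": [
        '0 issue "other-CA.net"',              # closer RRset overrides parent
    ],
    "legacy.example.com": [
        '128 futuretag "something"',           # critical flag + unknown tag
    ],
}


def relevant_rrset(name: str, zone=ZONE):
    """RFC 8659 section 3: climb from the name towards the root; the first
    non-empty CAA RRset found is the Relevant RRset. Returns (owner, records)
    or (None, []) if no CAA records exist at any level."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, [parse_caa(r) for r in zone[owner]]
    return None, []


def may_issue(name: str, issuer: str, wildcard: bool = False,
              smime: bool = False, zone=ZONE) -> bool:
    """True if the CA identified by `issuer` may issue for `name`.
    wildcard=True asks about *.name; smime=True asks about an S/MIME
    certificate for an address at `name`."""
    _, rrset = relevant_rrset(name, zone)
    if not rrset:
        return True                          # no CAA anywhere: unrestricted
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False                         # critical property we do not understand
    if smime:
        tag = "issuemail"
    elif wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"                    # issuewild takes precedence for *.name
    else:
        tag = "issue"                        # also governs wildcards if no issuewild
    applicable = [r for r in rrset if r.tag == tag]
    if not applicable:
        return True                          # e.g. only iodef, or no issuemail at all
    return issuer.lower() in {r.issuer() for r in applicable}


if __name__ == "__main__":
    for args in [("www.example.com", "example-CA.com"),
                 ("www.example.com", "example-CA.com", True),
                 ("app.dev.example.com", "other-CA.net"),
                 ("app.dev.example.com", "other-CA.net", False, True),
                 ("legacy.example.com", "example-CA.com")]:
        print(args, "->", may_issue(*args))
```

The last two cases are the ones worth remembering: dev.example.com publishes only an issue record, so an S/MIME request for an address there is unrestricted even though the parent zone restricts issuemail, and a record with the critical flag and an unknown tag blocks issuance outright.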

To check whether a CAA record already exists for a domain, query DNS directly, for example with "dig example.com CAA" on the command line, or use one of the many online CAA lookup tools. Remember that a CA walks up the tree, so if the exact name returns nothing, check its parent names as well.

To set a CAA entry, your DNS hosting provider or registrar must support this record type. Nowadays, this should be the case with most providers.

At INWX, you can easily set your CAA entry yourself. You can find out how here.


Katrin Hrubesch

Katrin, with her previous experience in web development, understands the many facets of the internet—from domains to websites and digital strategies. Since 2024, she has been a part of the INWX team and sharing her knowledge of web technologies, domains, and current industry trends on our blog.


© Copyright INWX 2026. All rights reserved.