
Blog

The InterNetX Blog provides you with news and background information on innovations concerning domains, servers, SSL and other industry-related topics.

What is a CAA record and why is it so important?

A CAA record defines which certification authorities (CAs) are allowed to issue certificates for a particular domain or subdomain. Since September 2017, issuers of SSL certificates have been required to check CAA entries of the domains to be validated.


The CAA record is a newer DNS record type that sits alongside established types such as CNAME, MX and A. The abbreviation CAA stands for Certificate Authority Authorization. A CAA record ensures that only the certificate authorities named in it may issue valid certificates for the domain: as the domain owner, you decide which CA is allowed to issue such a certificate, so issuance requires your explicit prior approval. CAA records are considered a security measure that gives domain owners control over how certificates for their domains are issued. Previously, the issuing of domain certificates was less regulated and comparatively liberal.

For a long time, it was enough for the domain's contact details to point to a valid email address. This simple form of validation had weaknesses: attackers who obtained a valid certificate could reroute users through a man-in-the-middle attack while those users assumed in good faith that they were following a secure [URL=https://www.internetx.com/ssl-zertifikate/]SSL connection[/URL]. CAA records are intended to prevent such attacks or at least make them much more difficult.

Structure and components of a CAA record

CAA records follow a specific structure. In the Domain Name System they are stored as [URL=https://tools.ietf.org/html/rfc6844]resource records (RR)[/URL] of type 257. A domain can have several CAA records. Each record consists of a flag, a property (tag) and a value: the property selects the type of CAA entry, the value carries its content, and the flag determines how the record is to be interpreted.

Of particular importance is the "issuer critical" flag. Once this flag is set on a record, a certification authority must not issue a certificate for the corresponding domain if it is unable to understand and evaluate that record's property.

Besides the flag, three properties are defined: "issue", "issuewild" and "iodef".

  • issue
    The property "issue" allows the CA named in the "value" field to issue certificates for the domain in question.

  • issuewild
    The "issuewild" property has the same purpose as "issue", but applies to wildcard certificates only. If an "issuewild" entry is present, it takes precedence over the "issue" entries for wildcard certificate requests, which are then ignored.

  • iodef
    The property "iodef" lets the domain owner optionally provide a contact address (for example a mailto: URL) to which certification authorities can report certificate requests that violate the CAA policy. Note, however, that not all certification authorities support this feature.
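To make the flag, property and value semantics concrete, the following added example (not code from InterNetX or AutoDNS) parses zone-file style CAA lines and evaluates them the way a CA is expected to: the closest ancestor with CAA records decides, "issuewild" overrides "issue" for wildcard requests, a value of ";" forbids everyone, and a record whose property the CA does not understand blocks issuance when the issuer critical flag (128) is set. The zone data and the CA names (ca-one.example, ca-two.example) are constructed placeholders, and the lookup deliberately ignores CNAME and DNAME handling.

```python
"""Minimal CAA policy evaluation (RFC 6844 / RFC 8659 semantics).

Added example, not InterNetX's or AutoDNS's code. The zone below is
constructed sample data; the issuer domains are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

ISSUER_CRITICAL = 128                       # flag bit 0: "issuer critical"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # properties this checker understands


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & ISSUER_CRITICAL)

    @property
    def issuer_domain(self) -> str:
        # "ca.example; validationmethods=dns-01" -> "ca.example"; ";" -> ""
        return self.value.split(";", 1)[0].strip().lower()


def parse_caa(line: str) -> tuple[str, CAARecord]:
    """Parse '<owner> [ttl] [IN] CAA <flags> <tag> "<value>"' into (owner, record)."""
    owner, rest = line.split(None, 1)
    tokens = rest.split()
    while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
        tokens.pop(0)                       # skip optional TTL and class
    if len(tokens) < 4 or tokens[0].upper() != "CAA":
        raise ValueError(f"not a CAA record: {line!r}")
    flags, tag = int(tokens[1]), tokens[2].lower()   # tags are case-insensitive
    value = " ".join(tokens[3:]).strip().strip('"')
    return owner.rstrip(".").lower(), CAARecord(flags, tag, value)


def load_zone(lines: list[str]) -> dict[str, list[CAARecord]]:
    zone: dict[str, list[CAARecord]] = {}
    for line in lines:
        if line.strip() and not line.lstrip().startswith(";"):
            owner, rr = parse_caa(line)
            zone.setdefault(owner, []).append(rr)
    return zone


def relevant_caa(zone: dict[str, list[CAARecord]], name: str) -> list[CAARecord]:
    """Climb from the name towards the root; the first non-empty RRset wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuance_allowed(zone, name: str, ca_domain: str, wildcard: bool = False) -> tuple[bool, str]:
    """Decide whether `ca_domain` may issue for `name` (or *.name if wildcard)."""
    rrset = relevant_caa(zone, name)
    if not rrset:
        return True, "no CAA records found: issuance unrestricted"
    for rr in rrset:                        # critical + unknown property => refuse
        if rr.critical and rr.tag not in KNOWN_TAGS:
            return False, f"unknown property '{rr.tag}' marked issuer critical"
    issue = [rr for rr in rrset if rr.tag == "issue"]
    issuewild = [rr for rr in rrset if rr.tag == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:                      # e.g. only iodef present
        return True, "no issue/issuewild restriction applies"
    if any(rr.issuer_domain == ca_domain.lower() for rr in applicable):
        return True, f"{ca_domain} is authorized"
    return False, f"{ca_domain} is not listed in {'issuewild' if applicable is issuewild else 'issue'}"


# Constructed sample zone (placeholder names, not real operator data).
SAMPLE_ZONE = """
; example.com allows one CA, forbids all wildcards, and asks for violation reports
example.com.        IN CAA 0   issue     "ca-one.example"
example.com.        IN CAA 0   issuewild ";"
example.com.        IN CAA 0   iodef     "mailto:security@example.com"
; shop.example.com has its own policy, so it does not inherit from example.com
shop.example.com.   IN CAA 128 issue     "ca-two.example"
; a future property tag nobody understands yet, flagged issuer critical
legacy.example.com. IN CAA 128 futureprop "x"
"""
ZONE = load_zone(SAMPLE_ZONE.splitlines())

if __name__ == "__main__":
    for n, ca, wc in [("www.example.com", "ca-one.example", False),
                      ("example.com", "ca-one.example", True),
                      ("shop.example.com", "ca-one.example", False),
                      ("legacy.example.com", "ca-one.example", False)]:
        print(n, "*" if wc else "", ca, issuance_allowed(ZONE, n, ca, wc))
```

Running the script shows that www.example.com inherits the policy of example.com, that a wildcard request for example.com is refused by the `issuewild ";"` record even though ca-one.example is on the "issue" list, that shop.example.com's own record set takes over completely, and that the critical "futureprop" record makes legacy.example.com un-issuable for a CA that does not know that property.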

Mandatory audit

Although the CAA record already existed before, checking it was not compulsory, so its significance was limited. As a user, you had no way of knowing which certification authorities adhered to the voluntary scheme. Smaller CAs in particular could ignore the CAA record – a risk for domain owners.

In the past, implementing CAA was voluntary: certification authorities could decide for themselves whether to check the record. The decision to make checking mandatory was taken by the CA / Browser Forum. This voluntary consortium of CAs and browser vendors announced in March 2017 that certification authorities would have to check CAA records as of September 9, 2017. The members of the CA / Browser Forum committed themselves to this in a document called [URL=https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/]Ballot 187[/URL]. The record has gained relevance through this commitment and is therefore supported by more and more providers.

You can easily create CAA records in the DNS settings in AutoDNS:

AutoDNS login

Video: Storing a CAA record | AutoDNS Quick Guide

Create CAA records for your domains now

Log in to AutoDNS