Using and Understanding CAA Records
What Is CAA?
CAA stands for Certificate Authority Authorization. It is a type of DNS record that website owners can use to define which certificate authorities (CAs) are permitted to issue certificates containing their domain name. These records are DNS resource records, and site operators use them to reduce the risk of “unintended certificate mis-issuance”. As of April 2018, Qualys reported that 3.1% of the top 150,000 websites were using CAA records.
By default, every public certificate authority may issue certificates for any domain in the public DNS, provided the requester demonstrates control of that domain. As a result, a bug in any one public CA’s validation process could affect every domain name.
Adding CAA DNS Records
Whether you can add CAA DNS records depends on your DNS software or provider. SSLmate provides a good overview of the software and providers that currently support CAA. Your DNS provider also determines which CAA record options you are able to set. For example, according to Wikipedia, each CAA record can contain the following properties:
- issue - Authorizes the holder of the domain specified in the associated property value to issue certificates for the domain for which the property is published.
- issuewild - Acts like “issue” but only authorizes issuance of wildcard certificates, and takes precedence over the issue property for wildcard certificate requests.
- iodef - This property specifies a method for certificate authorities to report to the domain name holder when a certificate is issued, or when a certificate is requested that violates the domain’s CAA record.
If you would like to add a CAA DNS resource record to your setup, you can use the properties above to define the specifics. As an example, the following image shows how we would add a CAA record within DigitalOcean to specify Let’s Encrypt as an authorized CA.
How CAA Affects Let’s Encrypt Certificates
Using CAA in conjunction with Let’s Encrypt is perfectly fine; just be aware that if you’re using our Let’s Encrypt SSL certificate feature, you must either grant authority to letsencrypt.org or remove all CAA records. Otherwise you will not be able to generate a Let’s Encrypt certificate for your Zone. Likewise, if you’ve already implemented Let’s Encrypt and later add CAA records without authorizing Let’s Encrypt, certificate renewal will fail.
To quickly check if your domain is using CAA, you can use the following command:
dig CAA yourwebsite.com +short
Note that this checks the root domain only, not subdomains. Add your subdomain(s) if you need to check those as well.
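The following Python script is an added example, not part of the original article or of KeyCDN’s tooling. It parses the `flags tag "value"` lines that `dig CAA <name> +short` prints and then applies the lookup a CA performs under RFC 8659: start at the requested name and climb towards the root until a name with CAA records is found, then decide from the issue/issuewild properties whether a given CA (here letsencrypt.org) may issue. The zone data is constructed sample output so the script runs offline; replace it with real `dig` output to check your own domain and subdomains.

```python
"""Evaluate CAA authorization offline from dig-style output (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample data: each entry holds the lines `dig CAA <name> +short`
# would print for that name. Names with no entry have no CAA records.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "example.com.": [
        '0 issue "letsencrypt.org"',
        '0 issuewild ";"',                      # no CA may issue wildcards
        '0 iodef "mailto:security@example.com"',
    ],
    "legacy.example.com.": ['0 issue "digicert.com"'],
    "locked.example.com.": ['0 issue ";"'],       # forbid all issuance
    "strict.example.com.": ['128 unknowntag "x"'],  # unknown tag, critical flag set
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CAA_LINE = re.compile(r'^(\d+)\s+(\S+)\s+"(.*)"$')


def parse_caa_line(line: str) -> Tuple[int, str, str]:
    """Parse one `flags tag "value"` line as printed by dig +short."""
    m = CAA_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)


def relevant_record_set(name: str, zone: Dict[str, List[str]]
                        ) -> Tuple[Optional[str], List[Tuple[int, str, str]]]:
    """Climb from `name` to the root and return (owner, records) of the first CAA set found."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if zone.get(candidate):
            return candidate, [parse_caa_line(l) for l in zone[candidate]]
    return None, []


def issuer_domain(value: str) -> str:
    """Strip parameters (`;`, `; account=...`) and return the bare issuer domain, '' if none."""
    return value.split(";", 1)[0].strip().lower()


def is_authorized(ca: str, name: str, zone: Dict[str, List[str]], wildcard: bool = False) -> bool:
    """Return True if `ca` may issue for `name` (or for `*.name` when wildcard=True)."""
    _, records = relevant_record_set(name, zone)
    if not records:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # A critical (flag bit 128) property the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for _, t, v in records if t == tag]
    if wildcard and not relevant:
        relevant = [v for _, t, v in records if t == "issue"]  # issue governs wildcards too
    if not relevant:
        return True  # only iodef etc. present: no restriction
    return ca.lower() in {issuer_domain(v) for v in relevant}


if __name__ == "__main__":
    for host in ("www.example.com", "legacy.example.com", "locked.example.com"):
        owner, _ = relevant_record_set(host, SAMPLE_ZONE)
        ok = is_authorized("letsencrypt.org", host, SAMPLE_ZONE)
        print(f"{host}: CAA set at {owner}; Let's Encrypt allowed: {ok}")
```

For a real check, run `dig CAA yourwebsite.com +short` (and the same for each subdomain), paste the lines into the zone map under the corresponding name, and call `is_authorized("letsencrypt.org", ...)`; a `False` result for any hostname you want a Let’s Encrypt certificate for means the record set must be amended before issuance or renewal will succeed.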
CAA Records - In Summary
CAA records help reduce the risk of someone else obtaining an unauthorized SSL certificate for your domain. However, when implementing CAA records you must be careful to include all CAs that pertain to your setup. Otherwise you may receive a certificate creation or renewal error if they haven’t been defined properly. If you’re using KeyCDN’s Let’s Encrypt feature, remember to always grant authority to letsencrypt.org (if you’re using CAA records) to ensure you don’t run into any issues.