CAA Records: Controlling SSL Certificate Issuance
A CAA Record (Certification Authority Authorization) is a DNS record that specifies which Certificate Authorities (CAs) are permitted to issue SSL/TLS certificates for your domain. Without a CAA record, any of the hundreds of trusted CAs can issue certificates for your domain — a significant attack surface.
## Why CAA Records Matter
Before CAA records were standardized (RFC 6844 in 2013, since replaced by RFC 8659; CAA checking has been mandatory for publicly trusted CAs under the CA/Browser Forum Baseline Requirements since September 2017), nothing told a Certificate Authority that it was not supposed to issue for your domain. A rogue, compromised or merely careless CA could issue a fraudulent certificate, and anyone holding it could impersonate your site in a man-in-the-middle attack while browsers showed the familiar padlock.
CAA records are a defense-in-depth control that acts on the CA, not on the client. If your CAA record names only Let's Encrypt, then DigiCert, Sectigo or any other publicly trusted CA that is asked for a certificate for your domain (by a mistaken customer, a social-engineered support desk or a flawed validation check) must refuse the request. CAA does not stop a CA that is compromised or simply ignores the record: browsers do not check CAA, so a certificate issued in violation of it still validates. What CAA gives you in that case is a documented policy violation, which is grounds for distrusting the CA and which Certificate Transparency monitoring can surface.
## CAA Record Anatomy
A CAA record has three fields beyond the standard name/type/TTL:
| Field | Example | Meaning |
|-------|---------|---------|
| Name | `@` | Domain to restrict |
| Flags | `0` | `0` in normal use; `128` sets the issuer-critical bit, which obliges a CA to refuse issuance if it does not understand the tag |
| Tag | `issue` | Type of permission |
| Value | `"letsencrypt.org"` | The CA's domain |
The three tag values:
| Tag | Purpose |
|-----|---------|
| `issue` | Authorizes the CA to issue certificates for the domain; also governs wildcard names when no `issuewild` record exists |
| `issuewild` | Authorizes the CA to issue wildcard certificates; when present, takes precedence over `issue` for wildcard names |
| `iodef` | Provides an email/URL for CAs to report policy violations |
## Basic CAA Setup: Single CA
To authorize only Let's Encrypt:
```
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild "letsencrypt.org"
```
`issue` alone already covers wildcards: if no `issuewild` record exists, CAs apply the `issue` records to `*.example.com` as well. Add `issuewild` only when the wildcard policy should differ from the standard one, for instance to allow wildcards from a different CA or, with `issuewild ";"`, to forbid wildcard issuance while still allowing ordinary certificates. Publishing both with the same value, as above, is harmless and makes the intent explicit.
To authorize only DigiCert:
```
example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 issuewild "digicert.com"
```
## Authorizing Multiple CAs
You can have multiple CAA records, one per CA:
```
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "sectigo.com"
example.com. CAA 0 issuewild "letsencrypt.org"
```
This allows both Let's Encrypt and Sectigo to issue standard certificates, but only Let's Encrypt for wildcards.
## Blocking All Issuance
An empty issue value denies all certificate issuance:
```
example.com. CAA 0 issue ";"
```
This is useful for subdomains that should never have certificates, or as a starting point before listing approved CAs. Because no `issuewild` record is present, the empty `issue` value blocks wildcard issuance as well.
## The iodef Tag for Violation Reporting
```
example.com. CAA 0 iodef "mailto:[email protected]"
```
When a CA refuses a request because the relevant CAA records do not authorize it, the `iodef` tag tells the CA where to send a report; the value is a `mailto:` address or an `https:` URL for an RFC 6546 incident-reporting endpoint. Reporting is optional for CAs (RFC 8659 says they MAY report) and many do not, so treat `iodef` as a bonus signal rather than as reliable visibility into attempted misissuance.
## Inheritance and Subdomain Behavior
CAA records follow a tree-walking inheritance model (RFC 8659 section 3). When a CA checks whether it can issue for `api.example.com`:
1. Query `api.example.com` for CAA records
2. If none, query `example.com`
3. If none, keep climbing toward the root (`com.`, which carries no CAA); if no CAA RRset exists anywhere on the path, there is no restriction and any CA can issue
Two details matter in practice: the nearest RRset wins entirely, with no merging of parent and child records, and a wildcard name such as `*.example.com` starts the walk at its parent, `example.com`.
To apply different rules to a subdomain, publish a complete set on that subdomain. Because the nearest RRset replaces the parent's rather than adding to it, repeat any CA you still want there:
```
; Root — only Let's Encrypt for main site
example.com. CAA 0 issue "letsencrypt.org"
; Subdomain — also allow DigiCert for the API
api.example.com. CAA 0 issue "letsencrypt.org"
api.example.com. CAA 0 issue "digicert.com"
```
## CA-Specific Authorization Parameters
Some CAs support the parameters defined in RFC 8657, which bind an `issue` or `issuewild` record to a specific account (`accounturi`) or to specific domain-validation methods (`validationmethods`), not just to the CA organization. This prevents a different customer of the same CA from obtaining a certificate for your domain. Let's Encrypt supports both parameters.
Let's Encrypt example:
```
example.com. CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345"
```
This is an advanced configuration — consult your CA's documentation for the exact parameter syntax.
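The rules above (`issue` versus `issuewild` precedence, the `";"` deny-all form, multiple CAs, the tree walk with no merging, and the `accounturi` binding) are easy to get wrong when reasoning by hand. The following is an added example written for this article, not code from any CA or from the author: it implements the RFC 8659 relevant-RRset walk and authorization check over an in-memory zone. The zone text is constructed sample data mirroring the records shown earlier; the `accounturi` value is the hypothetical account from the Let's Encrypt example above, and treating an unrecognized parameter as "not authorizing" is a conservative design choice of this example, not a rule every CA follows.

```python
"""Evaluate CAA authorization the way a compliant CA does (RFC 8659 semantics).

Added example for this article, not code from any CA. The zone text at the
bottom is constructed sample data mirroring the article's record examples.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Matches zone-file and `dig` presentation lines such as
#   example.com. 3600 IN CAA 0 issue "letsencrypt.org"
_CAA_LINE = re.compile(
    r'(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(?P<flags>\d+)\s+'
    r'(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*(?:;.*)?$',
    re.IGNORECASE,
)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # Flag value 128 is the issuer-critical bit; the flags byte is normally 0.
        return bool(self.flags & 128)


def parse_zone(text: str) -> dict[str, list[CAARecord]]:
    """Parse CAA presentation lines into {owner name: [records]}."""
    zone: dict[str, list[CAARecord]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {raw!r}")
        owner = m["name"].rstrip(".").lower()
        rec = CAARecord(int(m["flags"]), m["tag"].lower(), m["value"])
        zone.setdefault(owner, []).append(rec)
    return zone


def relevant_caa(zone, name: str) -> tuple[Optional[str], list[CAARecord]]:
    """Tree walk: the closest owner name, climbing toward the root, that has a
    CAA RRset. A wildcard name (*.example.com) starts at its parent.
    Returns (owner, records), or (None, []) when no CAA exists on the path."""
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        owner = ".".join(labels)
        if owner in zone:
            return owner, zone[owner]
        labels = labels[1:]
    return None, []


def _record_permits(rec: CAARecord, ca_domain: str, account_uri: Optional[str]) -> bool:
    """Does one issue/issuewild record authorize this CA (and ACME account)?"""
    issuer, *params = [p.strip() for p in rec.value.split(";")]
    if issuer.lower() != ca_domain.lower():
        return False                # also covers the deny-all form ";" (empty issuer)
    for param in filter(None, params):
        key, _, val = param.partition("=")
        if key.strip().lower() == "accounturi":
            if val.strip() != account_uri:
                return False        # RFC 8657: record is bound to one ACME account
        else:
            return False            # design choice here: unknown parameter does not authorize
    return True


def is_authorized(zone, name: str, ca_domain: str, account_uri: Optional[str] = None) -> bool:
    """True if ca_domain may issue for name under the relevant CAA RRset."""
    wildcard = name.startswith("*.")
    _, records = relevant_caa(zone, name)
    if any(r.critical and r.tag not in KNOWN_TAGS for r in records):
        return False                # critical tag the CA does not understand: must refuse
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # issuewild governs wildcards only when at least one issuewild record exists;
    # otherwise issue records govern wildcards too. No governing records: no restriction.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True
    return any(_record_permits(r, ca_domain, account_uri) for r in governing)


# Constructed sample zone (not real DNS data) mirroring the article's examples.
SAMPLE_ZONE = parse_zone("""
example.com.        3600 IN CAA 0 issue "letsencrypt.org"
example.com.        3600 IN CAA 0 issue "sectigo.com"
example.com.        3600 IN CAA 0 issuewild "letsencrypt.org"
example.com.        3600 IN CAA 0 iodef "mailto:caa-reports@example.com"
api.example.com.    3600 IN CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345"
static.example.com. 3600 IN CAA 0 issue ";"
""")

if __name__ == "__main__":
    for fqdn, ca in [("www.example.com", "sectigo.com"), ("*.example.com", "sectigo.com"),
                     ("api.example.com", "sectigo.com"), ("static.example.com", "letsencrypt.org")]:
        verdict = "ALLOW" if is_authorized(SAMPLE_ZONE, fqdn, ca) else "REFUSE"
        print(f"{ca:16} -> {fqdn:20} {verdict}")
```

Running it shows the cases the text describes: Sectigo may issue for `www.example.com` but not for `*.example.com` (the `issuewild` record governs wildcards) and not for `api.example.com` (the subdomain's own RRset replaced the parent's), while nobody may issue for `static.example.com`. The parser accepts the same presentation format that `dig` prints, so the `dig` output from the verification section can be pasted into `parse_zone` to test a live policy against a planned certificate request.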
## Common CA CAA Values
| CA | CAA Value |
|----|-----------|
| Let's Encrypt | `letsencrypt.org` |
| ZeroSSL | `sectigo.com` |
| DigiCert | `digicert.com` |
| Sectigo | `sectigo.com` |
| GlobalSign | `globalsign.com` |
| Comodo | `comodoca.com` |
| Amazon ACM | `amazon.com` |
Note: AWS Certificate Manager uses `amazon.com` for public certs; AWS also lists `amazontrust.com`, `awstrust.com` and `amazonaws.com` as accepted values. CA names drift (Comodo CA became Sectigo, and ZeroSSL issues through Sectigo, which is why both map to `sectigo.com`), so check [sslmate.com/caa](https://sslmate.com/caa) for a complete, up-to-date list.
## Verifying CAA Records
```bash
dig example.com CAA
```
Expected output:
```
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
example.com. 3600 IN CAA 0 issuewild "letsencrypt.org"
```
Tools like [sslmate.com/caa](https://sslmate.com/caa) also generate and validate CAA records interactively. Remember that the CA's check is itself a DNS lookup: sign the zone with DNSSEC where you can. The Baseline Requirements allow a CA to treat a failed CAA lookup as permission to issue only when the zone is not DNSSEC-signed, and an unsigned answer can be spoofed on the path to the CA's resolver.
## What Happens When a CA Is Not Authorized
If a CA encounters a CAA record that excludes it and someone requests a certificate through that CA, the CA must refuse issuance and may send an `iodef` report. Browsers never see this refusal; it happens entirely at the CA during certificate ordering, before any certificate exists. Pair CAA with Certificate Transparency monitoring for your domains: CT logs are where a certificate issued in spite of your CAA record will actually show up.
## Next Steps
- Setting Up DNS for Your Domain — full DNS setup including CAA and other records
- TXT Records: SPF, DKIM, and DMARC Explained — email authentication records
- DNS Troubleshooting Guide — diagnose DNS record issues