less than 1 minute read

Put simply Certification Authority Authorization or CAA is a special type of DNS records that allows you to inform a certification authority if they are allowed to issue certificates for a domain (or subdomain).

The standard is not that common at the moment but is beginning to get traction. The CA forum has mandated it as Qualys Reported

In this example howson.me is allowed to have certificates issued by either Comodo or lets encrypt. Any violations are reported to hositng e-mail address. The 128 means it is critical failure.

howson.me 3600 IN CAA 128 iodef "hosting@howson.me"
howson.me 3600 IN CAA 128 issue "letsencrypt.org"
howson.me 3600 IN CAA 128 issue "comodoca.com"
howson.me 3600 IN CAA 128 issuewild ";"

The DNS CAA records can be confirmed with ssllabs test
image of SSL Labs Test

You can generate your own using this great opensource tool from SSL Mate



Leave a comment