Let’s see one not-so-popular DNS record called the CAA record. It might not be one of the first that comes to your mind when you think about DNS, but it is worth checking out.
What is the CAA record?
CAA means Certification Authority Authorization. Such a record is a DNS Resource Record that allows the owner of a domain name to define which Certification Authorities (CAs) can issue a certificate for the domain.
The CAs, or Certification Authorities, are the organizations that issue certificates for a domain (SSL, TLS, or another type). Domain owners need to purchase a certificate and install it to improve their site’s security.
CAA records let CAs better control the certificate issuance process and reduce the possibility of mis-issued certificates for the domain.
A CAA record also tells you which part of the domain it applies to. It can cover the complete domain name or only a subdomain, and the two can carry different rules.
It is strongly recommended to use CAA records together with DNSSEC. With DNSSEC enabled, the issuer can obtain and archive signed proof of the authorization it relied on when issuing certificates for the domain.
Auditors may require these archived proofs when they verify the CA’s CAA process.
Why should you use CAA records?
Use CAA records to limit abuse and stop the issuance of unauthorized certificates for your domain. Do not let other people obtain a certificate for your domain and use it without your permission.
Parameters inside a CAA record
If you look at a CAA record, you will see three fields: a flags byte, a property tag, and a value. For the issue and issuewild tags, the value names the CA (each CA publishes the identifier it expects to see there).
- 0 – Not critical. A CA that does not understand this property may ignore it and still issue.
- 128 – Critical. A CA must not issue a certificate unless it understands and follows this property.
- issue – Authorizes the named CA to issue certificates for the domain name where this property is published.
- issuewild – Authorizes the named CA to issue wildcard certificates for the domain name where this property is published.
- iodef – Incident Object Description Exchange Format. It holds a URL (mailto: or http(s):) where the CA may report certificate requests that look suspicious or are inconsistent with its certification practices or policies.
The CA process with CAA records
First, before the CA issues a certificate, it must check for a CAA DNS record of the domain. If a CAA record exists, the CA must obey its rules when deciding whether or not to issue the certificate.
The CA checks the request for consistency with the CAA record and with its own certificate policies and certification practices.
A certificate can cover more than one domain name and may include wildcard names. The CA must check the CAA records, and the authorization written in them, for every one of those domain names.
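The CA-side check described above, as an added example that is not part of the original post: it parses CAA records in the presentation form `dig` prints, climbs from the requested name to its parents until a CAA RRset is found (the RFC 8659 lookup), applies issue for ordinary names and issuewild for wildcard names, and refuses to issue when a critical flag marks a tag the CA does not understand. The zone data and CA identifiers (`ca-one.example`, `ca-two.example`) are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed zone data (not a real zone): name -> CAA records as "flags tag value".
ZONE: Dict[str, List[str]] = {
    "example.com.": ['0 issue "ca-one.example"',
                     '0 issuewild ";"',
                     '0 iodef "mailto:security@example.com"'],
    "dev.example.com.": ['0 issue "ca-two.example"'],
    "legacy.example.com.": ['128 futuretag "something-unknown"'],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"$')

def parse_caa(rr: str) -> Tuple[int, str, str]:
    """Split a presentation-format CAA record into (flags, tag, value)."""
    m = CAA_RE.match(rr.strip())
    if not m:
        raise ValueError(f"not a CAA record: {rr!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def relevant_rrset(name: str) -> List[Tuple[int, str, str]]:
    """Tree climbing: the first CAA RRset found at the name or one of its parents wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONE:
            return [parse_caa(rr) for rr in ZONE[candidate]]
    return []  # no CAA anywhere up the tree: issuance is unrestricted

def issuer_name(value: str) -> str:
    """issue/issuewild value is 'issuer-domain-name [; params]'; ';' alone names nobody."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(fqdn: str, ca: str) -> bool:
    """Decide, as the CA identified by `ca` would, whether issuing for fqdn is permitted."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn)  # wildcard: look up the parent
    # Critical flag (128) on a tag this CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # Wildcard requests use issuewild when present; otherwise issue applies to them too.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # no restricting property (e.g. only iodef): issuance is not limited
    return ca.lower() in {issuer_name(v) for v in applicable}
```

With the constructed zone, `ca-one.example` may issue for `www.example.com` but not for `*.example.com` (the issuewild record names nobody), `ca-two.example` may issue for `dev.example.com` and `*.dev.example.com` (no issuewild there, so issue applies), and nobody may issue for `legacy.example.com` because of the critical unknown tag.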
The CAA record is not one of the most popular DNS records, but it is certainly worth using. Now that you know what a CAA record is, publish one for your domain and limit the ways cyber-criminals can try to abuse your domain name.