What is CAA?
CAA is a standard that lets you control what certificate authorities (CAs) are allowed to issue certificates for your domain. You can use CAA to reduce your exposure to vulnerabilities in certificate authority validation systems and to enforce certificate procurement policies.
To use CAA, you publish a set of CAA records in your domain's DNS that list the CAs you authorize to issue certificates. Before issuing a certificate, a CA checks your CAA records and refuses the request if it is not listed.
What is a CAA record?
CAA records can set policy for the entire domain or for specific hostnames.
CAA records are also inherited by sub-domains.
CAA records can regulate the issuance of single-name certificates, wildcard certificates, or both.
note: All CAs will be mandated to check CAA DNS records starting in late 2017 (Sep 8 to be precise).
Sectigo recognizes the following domain names in "issue" and "issuewild" property tags as permitting us to issue:
How to resolve CAA Check pre-sign failures and authorize Sectigo to issue certificates for your domain
Update the domain's DNS record to include a CAA record for "sectigo.com".
For more detailed information about how to access and edit DNS records on your domain, contact your domain registrar.
1. Open the DNS zone file for your domain.
2. Under $ORIGIN yourdomain.com, add the line CAA 0 issue "sectigo.com" (and, for wildcard certificates, CAA 0 issuewild "sectigo.com"). (See Valid CAA Resource Record Values.)
$ORIGIN yourdomain.com.
; "@" is the zone origin, i.e. yourdomain.com.
@ IN CAA 0 issue "sectigo.com"
@ IN CAA 0 issuewild "sectigo.com"
note: This single CAA Record applies to all hosts and subdomains under your domain (www.yourdomain.com, shop.yourdomain.com, checkout.yourdomain.com, etc.).
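As an added illustration that is not part of the Sectigo article, the Python below models how a CA evaluates these records under RFC 6844 / RFC 8659: it climbs from the requested hostname toward the root to find the nearest CAA set (which is why sub-domains inherit the apex policy), then applies the issue or issuewild tag. The zone data is constructed for the example; yourdomain.com and locked.yourdomain.com are placeholder names.

```python
from collections import namedtuple

# flags: 0 or 128 (issuer-critical); tag: issue / issuewild / iodef
CAARecord = namedtuple("CAARecord", "flags tag value")
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone (not live DNS data): the two records the article
# tells you to publish at the apex, plus one hostname that locks issuance.
SAMPLE_ZONE = {
    "yourdomain.com": [
        CAARecord(0, "issue", "sectigo.com"),
        CAARecord(0, "issuewild", "sectigo.com"),
    ],
    # an issuer of ";" means "no CA may issue" for this name and below it
    "locked.yourdomain.com": [CAARecord(0, "issue", ";")],
}

def parse_caa_line(line):
    # Presentation format is: <flags> <tag> "<value>", e.g. 0 issue "sectigo.com"
    flags, tag, value = line.strip().split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))

def relevant_caa_set(name, zone):
    # Climb from the requested name toward the root; the first name that has
    # CAA records supplies the policy, which is how sub-domains inherit it.
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return []

def caa_permits(name, ca_domain, zone, wildcard=False):
    # True if a CA identified by ca_domain may issue for name (*.name if wildcard).
    rrset = relevant_caa_set(name, zone)
    # The critical flag on a tag the CA does not understand forces refusal.
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    # Wildcard requests use issuewild when present and fall back to issue;
    # issuewild is ignored for non-wildcard requests.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    applicable = [r for r in rrset if r.tag == tag]
    if not applicable:
        return True  # no CAA restriction expressed for this kind of request
    # The issuer domain is the text before any ";key=value" parameters.
    allowed = {r.value.split(";")[0].strip().lower() for r in applicable}
    return ca_domain.lower() in allowed
```

Run caa_permits("www.yourdomain.com", "sectigo.com", SAMPLE_ZONE) to see the apex policy applied to a host that has no CAA records of its own.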
The following DNS servers support CAA records:
Standard BIND Zone File
For BIND ≥9.9.6, PowerDNS ≥4.0.0, NSD ≥4.0.1, Knot DNS ≥2.2.0
Example: sectigo.com. IN CAA 0 issue "sectigo.com"
Generic
For Google Cloud DNS, DNSimple
0 issue "sectigo.com"
Additional Reference Information: https://tools.ietf.org/html/rfc6844