More certificate control with CAA-records in your DNS

DNS Certification Authority Authorization (CAA) uses DNS to let the maintainer of a domain specify which certificate authorities (CAs) are allowed to issue certificates for that domain. It gives CAs an additional check to perform before issuing a new certificate.

DNS Certification Authority Authorization is not new; it was specified back in 2011 in RFC 6844. It defines a new "CAA" DNS resource record type (type number 257) carrying name-value pairs (a tag and a value, plus a flags byte) that can hold a wide range of information to be used as part of the CA authorization process. Unfortunately, for a long time it was not available as a defined record type in most popular DNS software, but things have changed.

To get started using CAA records, make sure you run the latest versions of BIND, PowerDNS and the like. The chances of not being able to use them are then pretty slim.

Zone file:

    CAA 0 issue "letsencrypt.org"
    CAA 0 issuewild ";"
    CAA 0 iodef "mailto:angelique@dawnbringer.net"

Legacy zone file (RFC 3597 generic syntax), for BIND < 9.9.6 and NSD < 4.0.1; these are the same three records, written as raw hexadecimal RDATA:

    TYPE257 \# 22 000569737375656C657473656E63727970742E6F7267
    TYPE257 \# 12 0009697373756577696C643B
    TYPE257 \# 39 0005696F6465666D61696C746F3A616E67656C69717565406461776E6272696E6765722E6E6574

Example showing multiple CAs, plus wildcard issuance allowed only for Let's Encrypt (which does not issue wildcards at the moment):

    CAA 0 issue ""
    CAA 0 issue ""
    CAA 0 issuewild "letsencrypt.org"
    CAA 0 iodef ""

The content of the first CAA record above is: '0 issue "letsencrypt.org"' (flags 0, tag "issue", value "letsencrypt.org").
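The legacy RFC 3597 lines above are just the CAA wire format written out in hex: one flags byte, one tag-length byte, the tag, and the value. The following Python script is an added example (not code from the original post) that encodes a CAA record into that generic form, decodes the post's own three hex strings back into presentation format, and then applies the issue / issuewild logic from the wildcard example: given a CAA record set, decide whether a CA identified by a domain such as `letsencrypt.org` may issue a normal or a wildcard certificate. The `CAA` dataclass and the function names are this example's own; the hex strings are copied from the post, and the `ca_may_issue` rules follow RFC 6844/8659 (issuewild takes precedence over issue for wildcard requests, a set without issue tags is unrestricted, `;` denies every CA, and a critical-flagged unknown tag blocks issuance).

```python
import re
from dataclasses import dataclass

# The three legacy (RFC 3597) records from the post, as printed there.
LEGACY_RECORDS = [
    r"\# 22 000569737375656C657473656E63727970742E6F7267",
    r"\# 12 0009697373756577696C643B",
    r"\# 39 0005696F6465666D61696C746F3A616E67656C69717565406461776E6272696E6765722E6E6574",
]

CRITICAL = 0x80  # issuer-critical flag bit (RFC 6844 section 5.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    """One CAA record: flags byte, property tag and property value (hypothetical type)."""
    flags: int
    tag: str
    value: str


def encode_rfc3597(rec: CAA) -> str:
    """Serialise a CAA record as generic RDATA: '\\# <length> <hex>'."""
    tag = rec.tag.encode("ascii")
    if not 0 < len(tag) < 256:
        raise ValueError("tag length must fit in one byte and be non-zero")
    wire = bytes([rec.flags & 0xFF, len(tag)]) + tag + rec.value.encode("ascii")
    return f"\\# {len(wire)} {wire.hex().upper()}"


def decode_rfc3597(text: str) -> CAA:
    """Parse '\\# <length> <hex>' back into a CAA record, validating the length prefix."""
    m = re.fullmatch(r"\\#\s+(\d+)\s+([0-9A-Fa-f\s]+)", text.strip())
    if not m:
        raise ValueError(f"not RFC 3597 generic RDATA: {text!r}")
    wire = bytes.fromhex(re.sub(r"\s", "", m.group(2)))
    if len(wire) != int(m.group(1)):
        raise ValueError("declared RDATA length does not match hex payload")
    if len(wire) < 2:
        raise ValueError("RDATA too short for flags and tag length")
    flags, tag_len = wire[0], wire[1]
    if tag_len == 0 or 2 + tag_len > len(wire):
        raise ValueError("invalid tag length")
    tag = wire[2:2 + tag_len].decode("ascii")
    value = wire[2 + tag_len:].decode("ascii")
    return CAA(flags, tag, value)


def to_presentation(rec: CAA) -> str:
    """Render a record in zone-file presentation form, e.g. 'CAA 0 issue "letsencrypt.org"'."""
    return f'CAA {rec.flags} {rec.tag} "{rec.value}"'


def _any_matches(records, ca_domain: str) -> bool:
    # The issuer domain is the part before any ';' parameters; an empty domain
    # (the bare ";" value) authorises nobody.
    for r in records:
        domain = r.value.split(";", 1)[0].strip().lower()
        if domain and domain == ca_domain.lower():
            return True
    return False


def ca_may_issue(records, ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether the CA identified by ca_domain may issue, given the relevant CAA set."""
    # An unknown tag with the critical bit set must stop issuance outright.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in records):
        return False
    if wildcard:
        wild = [r for r in records if r.tag.lower() == "issuewild"]
        if wild:  # issuewild, when present, overrides issue for wildcard names
            return _any_matches(wild, ca_domain)
    issue = [r for r in records if r.tag.lower() == "issue"]
    if not issue:  # no restricting tag (e.g. only iodef): not restricted
        return True
    return _any_matches(issue, ca_domain)


def decode_post_records():
    """Decode the post's three legacy records; returns a list of CAA objects."""
    return [decode_rfc3597(line) for line in LEGACY_RECORDS]


if __name__ == "__main__":
    recs = decode_post_records()
    for r in recs:
        print(to_presentation(r), "<=", encode_rfc3597(r))
    print("letsencrypt.org, normal cert:", ca_may_issue(recs, "letsencrypt.org"))
    print("letsencrypt.org, wildcard:  ", ca_may_issue(recs, "letsencrypt.org", wildcard=True))
```

Running it prints the three records in both notations and shows that, with the post's first zone file, Let's Encrypt may issue ordinary certificates but nobody may issue wildcards, because `issuewild ";"` is consulted first for wildcard names and names no CA.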

More info:


Author: Angelique Dawnbringer Published: 2017-02-23 09:06:26 Keywords:
  • DNS
  • CAA
  • Certificates
Modified: 2017-09-10 17:50:52