CAA record is a DNS record that shows who can be the Certification Authority for a particular domain and issue certificates.

What is Certificate Authority (CA)?

The CA is the entity that has the right to issue certificates like SSL certificates or TLS certificates. You can easily identify the CA, based on their name and their certificate revocation list (CRL). The Certificate Authority must provide a public key or a certificate from their CA if it is subordinate.

What is the CAA record?

The CAA record (Certification Authority Authorization) is a DNS record that a domain name owner can use to specify the certificate authority which can issue for their domain name. Inside the CAA, the domain owner can adjust the settings that cover the whole domain or just particular subdomains.

If you manage the CAA on a domain level, it will automatically apply on the subdomain level, too, unless you set it inside the record.

The CAA work with both wildcard certificates and single-name certificates. Separate and together too.

What’s inside the CAA DNS record?

You have several fields inside that needs to define each of the important values:

  • Type: CAA – the DNS type.
  • TTL: Time in hours – the TTL value for the DNS record.
  • Host: Hostname – for which the certificate is valid
  • Flag: 0/182 – Issuer critical value. 0 means not critical, and 128 means critical.
  • Type: issue/issuewild/iodef – issue means that the CA can issue any type of certificate; issuewild means wildcard certificate; iodef is incident description exchange format.
  • Value: The value that you receive from the CA you chose.

Why does CAA exist?

It is always good to have control. Having CAA defines who can issue certificates for your domains and limit abuse chances.

If you don’t have a CAA record, everybody can generate a certificate for your domain name and sign it with one of the CAs.

The CAA record and the CNAME record

In normal conditions, the CA will be searching directly for the CAA record for your domain. But what if we are talking about a subdomain and CNAME records pointing to the canonical name?

There is no problem. The CA will check if there is a CAA record for the subdomain, and if there is no such record, it will search for the CNAME record. If it finds it, it will check the CAA record for the domain, and it will issue a certificate for the subdomain too.

In case the CA does not find a CAA record, it can’t issue a certificate for the domain, and it won’t do it.

How to check a CAA record?

You can’t use the popular tools like nslookup, dig, or host commands. You will need to search for a “DNS CAA lookup” too online. There are many, so try to find a legit site for your DNS lookup. We tried https://gf.dev/, and it was successfully showing our CAA records.

Conclusion

Adding a CAA record is easy, will limit the chances for abuse, and won’t affect your DNS service’s performance, so it is better to have it.