Background

The 'CAA' Resource Record (RR) is standardized in RFC 6844 (since obsoleted by RFC 8659) and allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain. CAA is enforced by the CA at issuance time (the CA/Browser Forum Baseline Requirements have required CAs to check it since 2017); TLS clients do not consult it, so it limits mis-issuance rather than detecting a bad certificate that is already in use.


Details

RR Type: CAA
ID: 257 (0x0101)
Defining RFC: RFC 6844 (obsoleted by RFC 8659, which is the current specification)
Description: Certification Authority Authorization
Function: Allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain.
Status: Active

'CAA' RR Syntax

name ttl class type rdata {flags, tag, value}

RR Field       Example              Description
name           foo                  The name is unqualified, causing $ORIGIN substitution. You can also write this as a fully qualified domain name (FQDN) such as foo.yourdomain.com.
               (blank)              A record with nothing in the 'name' field takes the owner name of the preceding record. For records at the top of the zone that is the base domain itself, such as yourdomain.com, which the examples below write as '@'. Subdomains without CAA records of their own are governed by the nearest parent that has them.
ttl                                 The record's time-to-live value, in seconds. If no TTL is specified, the zone's default $TTL directive is used.
class          IN                   Specifies the class 'Internet'.
type           CAA                  Specifies that the RDATA field contains data in the CAA RDATA format.
rdata flags    0                    An unsigned integer between 0 and 255. Bit 0 (value 128) is the Issuer Critical flag: a CA that does not understand a property marked critical must not issue.
rdata tag      issue                A non-empty sequence of US-ASCII letters and digits in lower case. Defined tags: issue, issuewild, iodef.
rdata value    "letsencrypt.org"    The 'character-string' encoding of the value field as specified in RFC 1035, Section 5.1.

Defined Tags

issue <Issuer Domain Name> [; <name>=<value> ]* : The issue property entry authorizes the holder of the domain name <Issuer Domain Name>, or a party acting under the explicit authority of the holder of that domain name, to issue certificates for the domain in which the property is published. An issue property with an empty Issuer Domain Name (a value of just ";") authorizes no CA at all and therefore forbids issuance. If the relevant CAA RRset contains no issue property, CAA places no restriction on (non-wildcard) issuance.

issuewild <Issuer Domain Name> [; <name>=<value> ]* : The issuewild property entry authorizes the holder of the domain name <Issuer Domain Name>, or a party acting under the explicit authority of the holder of that domain name, to issue wildcard certificates for the domain in which the property is published. When at least one issuewild property is present it takes precedence, and issue properties are ignored for wildcard requests; when none is present, the issue properties also govern wildcards. An issuewild value of just ";" forbids wildcard issuance entirely.

iodef <URL> : Specifies a URL to which an issuer MAY report certificate issue requests that are inconsistent with the issuer's Certification Practices or Certificate Policy, or that a Certificate Evaluator may use to report observation of a possible policy violation. The report uses the Incident Object Description Exchange Format (IODEF) [RFC 5070, since superseded by RFC 7970]; the URL is typically a mailto: address or an http(s): endpoint.


Examples

Snippets from a fictitious forward lookup 'yourdomain.com' zone file

Typical 'CAA' Record Entries

;   Authorize 'letsencrypt.org' as the Certification Authority for your domain
@ IN CAA 0 issue "letsencrypt.org"
 
;   Specify where a CA should report issuance requests that violate this policy.
@ IN CAA 0 iodef "mailto:dnsadmin@yourdomain.com"
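The syntax table, the Defined Tags section and the zone snippets above describe three things a CA has to get right: decoding the RDATA (flags, tag, value), finding the CAA RRset that governs a name (the apex record covers www.yourdomain.com when www has none of its own), and applying issue / issuewild precedence together with the Issuer Critical flag. The following Python is an added example written for this page, not code from the original page or from any CA; the zone contents, the "legacy" subdomain with a made-up critical tag, and the CA names are constructed for illustration.

```python
"""Minimal CAA evaluator: wire-format RDATA parsing, the relevant-RRset climb,
and the issue/issuewild/iodef decision logic.  Zone data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ISSUER_CRITICAL = 0x80                  # flags bit 0 (value 128): Issuer Critical
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & ISSUER_CRITICAL)


def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Encode one CAA record as wire RDATA: flags(1) tag_len(1) tag value."""
    tag_b = tag.encode("ascii")
    if not 0 <= flags <= 255 or not 1 <= len(tag_b) <= 255:
        raise ValueError("flags must fit one octet; tag length must be 1..255")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("latin-1")


def parse_caa_rdata(rdata: bytes) -> CAA:
    """Inverse of caa_rdata; rejects bad tag lengths and non-alphanumeric tags."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("invalid CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii")
    if not tag.isalnum():
        raise ValueError("CAA tag must be US-ASCII letters and digits")
    # The value is an RFC 1035 character-string (arbitrary octets); latin-1 keeps
    # every byte.  Tags are compared case-insensitively, hence lower().
    return CAA(flags, tag.lower(), rdata[2 + tag_len:].decode("latin-1"))


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split '<issuer-domain>[; name=value]*'.  An empty issuer (';') denies all."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip()] = v.strip()
    return parts[0].lower().rstrip("."), params


def relevant_caa_rrset(zone: Dict[str, List[CAA]], name: str) -> List[CAA]:
    """Climb from name toward the root; the first non-empty CAA RRset governs.
    This is how an apex ('@') record also covers www.yourdomain.com."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)
    return []


def may_issue(zone: Dict[str, List[CAA]], fqdn: str, ca_domain: str) -> bool:
    """Return True if the CA identified by ca_domain may issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn        # '*.x.y' is governed by x.y
    rrset = relevant_caa_rrset(zone, name)
    if any(rr.critical and rr.tag not in KNOWN_TAGS for rr in rrset):
        return False                             # critical property we do not understand
    issue = [rr for rr in rrset if rr.tag == "issue"]
    issuewild = [rr for rr in rrset if rr.tag == "issuewild"]
    # Wildcard requests: issuewild, if present, replaces issue entirely;
    # otherwise issue applies.  Non-wildcard requests never consult issuewild.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True                              # no issue/issuewild: CAA does not restrict
    wanted = ca_domain.lower().rstrip(".")
    # Parameters after ';' are CA-specific and would be checked by the CA itself.
    return any(parse_issue_value(rr.value)[0] == wanted for rr in applicable)


# Constructed sample zone, kept as wire RDATA and parsed back through the parser.
ZONE_WIRE = {
    "yourdomain.com": [
        caa_rdata(0, "issue", "letsencrypt.org"),
        caa_rdata(0, "issuewild", ";"),                 # forbid all wildcard issuance
        caa_rdata(0, "iodef", "mailto:dnsadmin@yourdomain.com"),
    ],
    "legacy.yourdomain.com": [caa_rdata(128, "futuretag", "x")],  # critical + unknown (made up)
}
ZONE = {n: [parse_caa_rdata(rd) for rd in rds] for n, rds in ZONE_WIRE.items()}

if __name__ == "__main__":
    for fqdn, ca in [("www.yourdomain.com", "letsencrypt.org"),
                     ("www.yourdomain.com", "other-ca.example"),
                     ("*.yourdomain.com", "letsencrypt.org"),
                     ("legacy.yourdomain.com", "letsencrypt.org"),
                     ("example.net", "anyone.example")]:
        verdict = "ALLOW" if may_issue(ZONE, fqdn, ca) else "DENY"
        print(f"{ca:>17} -> {fqdn:<23} {verdict}")
```

Two behaviours are worth noticing when you run it: the wildcard request for *.yourdomain.com is denied even though letsencrypt.org is the authorized issuer, because the issuewild ";" entry takes precedence over issue for wildcards; and legacy.yourdomain.com is denied for every CA, because its only record carries a critical flag with a tag this evaluator does not know. A name with no CAA records anywhere up its tree (example.net here) is unrestricted, which is why publishing CAA at the apex matters.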
 


This content was last updated on February 16, 2021