CAA (Certification Authority Authorization) records are DNS resource records that allow domain owners to specify which certificate authorities (CAs) are authorized to issue SSL/TLS certificates for their domain.
When a CA receives a certificate signing request (CSR) for a domain, it checks the domain’s DNS for CAA records. If CAA records exist, the CA checks whether they name it as an authorized issuer for that domain. If the CA is not authorized, the request is denied and no certificate is issued.
CAA records are a security measure that helps prevent unauthorized issuance of SSL/TLS certificates. By setting up CAA records, domain owners can restrict the issuance of SSL/TLS certificates to only the CAs that they trust. This can help prevent fraudulent SSL/TLS certificates from being issued for their domain, which can be used for phishing attacks, man-in-the-middle attacks, and other types of cybercrime.
In addition to specifying which CAs are authorized to issue SSL/TLS certificates for a domain, CAA records can also specify additional parameters, such as the type of certificate that can be issued (e.g. wildcard, EV, etc.) and the maximum validity period for the certificate. This allows domain owners to have greater control over the issuance of SSL/TLS certificates for their domain, and helps ensure that the certificates meet their security and compliance requirements.
CAA record properties:
- Issue property: The “issue” property specifies which CAs are authorized to issue SSL/TLS certificates for a domain. For example, a CAA record with the “issue” property set to “letsencrypt.org” authorizes Let’s Encrypt to issue certificates for the domain. Multiple CAs can be authorized by setting up multiple “issue” properties in separate CAA records.
- Issuewild property: The “issuewild” property is similar to the “issue” property, but it authorizes CAs to issue wildcard certificates for the domain. Wildcard certificates cover all subdomains of a domain, so they can be useful for organizations with many subdomains. A CAA record with the “issuewild” property set to “;” (semicolon) authorizes all CAs to issue wildcard certificates for the domain.
- Iodef property: The “iodef” (Incident Object Description Exchange Format) property specifies an email address or URL where security incidents related to the domain can be reported. When a security incident is detected, the CA can use this email address or URL to notify the domain owner.
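The following is an added example, not code from the original article: it applies the CAA rules above to a constructed in-memory zone instead of live DNS, following RFC 8659, where the lookup climbs from the requested name towards the root, “issuewild” takes precedence over “issue” for wildcard names, anything after “;” is a parameter and is ignored when matching the issuer domain, and a bare “;” value names no issuer at all. The zone contents, including the accounturi parameter on one record, are sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # issuer domain, optionally followed by ";param=value" pairs

# Constructed sample zone (no live DNS): owner name -> CAA RRset.
ZONE = {
    "example.com": [
        CAA("issue", "letsencrypt.org"),
        CAA("issue", "digicert.com; accounturi=https://acme.example/acct/1"),
        CAA("issuewild", ";"),
        CAA("iodef", "mailto:security@example.com"),
    ],
}

def relevant_rrset(name):
    """RFC 8659 section 3: climb towards the root; first non-empty RRset wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """Text before the first ';' is the issuer domain; '' authorises nobody."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca, name):
    """Decide whether CA `ca` may issue for `name` (use "*.x" for wildcards)."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name)
    if not rrset:
        return True, "no CAA records found: any CA may issue"
    # For wildcard names issuewild takes precedence; fall back to issue only
    # when the RRset has no issuewild record at all.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    matching = [r for r in rrset if r.tag == tag]
    if not matching:
        return True, f"no {tag} records: any CA may issue"
    if any(issuer_domain(r.value) == ca.lower() for r in matching):
        return True, f"{ca} is authorised by an {tag} record"
    return False, f"{ca} is not authorised by any {tag} record"

def report_contacts(name):
    """iodef values: where a CA should report a rejected request for `name`."""
    return [r.value for r in relevant_rrset(name) if r.tag == "iodef"]
```

Because the lookup climbs to the parent, a record on example.com governs www.example.com as well, while a name with no CAA records anywhere in its ancestry remains open to every CA.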