
Take advantage of the CAA DNS record to control which CAs are authorized to issue TLS certificates for your domain.

What is DNS CAA?

CAA is a DNS record type that tells a CA whether it is allowed to issue a certificate for your domain. In other words, you are letting the world know who may issue your domain's SSL/TLS certificate. CAA checking by CAs was made mandatory in late 2017, so it's relatively new, and less than 5% of popular sites have implemented it.

Let's take an example: Geekflare owns a site called "gf.dev," which has the following CAA records.

gf.dev.			3586	IN	CAA	0 issue "digicert.com; cansignhttpexchanges=yes"
gf.dev.			3586	IN	CAA	0 issuewild "comodoca.com"
gf.dev.			3586	IN	CAA	0 issue "comodoca.com"
gf.dev.			3586	IN	CAA	0 issuewild "digicert.com; cansignhttpexchanges=yes"
gf.dev.			3586	IN	CAA	0 issuewild "letsencrypt.org"
gf.dev.			3586	IN	CAA	0 issue "letsencrypt.org"

Looking at the above records, I can get a certificate issued only from DigiCert, Comodo, and Let's Encrypt. If I ask Thawte or any other CA to issue a cert for gf.dev, they won't be able to. Also, if you pay attention, you will notice that some entries say issue and some say issuewild. Let's find out what they are.

  • issue – authorizes the named CA to issue (non-wildcard) certificates for that domain.
  • issuewild – authorizes the named CA to issue wildcard certificates, which can be used across the domain's sub-domains.

CAA records also support iodef (Incident Object Description Exchange Format), which lets a CA send a report of a policy violation to the specified email address or contact URL.

What happens when no CAA record is found?

If a domain doesn't have a CAA record, then anyone can generate a CSR for that domain and have the certificate signed by any CA. This is a security risk.
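The issue/issuewild rules above and the "no CAA record" case can be checked mechanically. The following is an added example (not code from the article) that applies the RFC 8659 decision rules to a set of CAA records: it climbs from the requested name towards the root to find the closest CAA record set, uses issuewild for wildcard requests when present (falling back to issue otherwise), uses issue only for normal requests, and permits any CA when no CAA record exists anywhere up the tree. The gf.dev records are copied from the article; the "locked.example" and "report.example" zones and the CA names used in the decisions are constructed for illustration.

```python
"""Decide whether a CA may issue for a name, given CAA records (RFC 8659 rules)."""
from collections import namedtuple

CAARecord = namedtuple("CAARecord", ["flags", "tag", "value"])
CRITICAL = 0x80  # "issuer critical" flag bit (flags value 128 in zone files)

# Constructed sample data: gf.dev is copied from the article; "locked.example"
# (forbids every CA with an empty issuer) and "report.example" (iodef only) are
# hypothetical zones added to exercise the edge cases.
SAMPLE_RECORDS = {
    "gf.dev": [
        CAARecord(0, "issue", "digicert.com; cansignhttpexchanges=yes"),
        CAARecord(0, "issuewild", "comodoca.com"),
        CAARecord(0, "issue", "comodoca.com"),
        CAARecord(0, "issuewild", "digicert.com; cansignhttpexchanges=yes"),
        CAARecord(0, "issuewild", "letsencrypt.org"),
        CAARecord(0, "issue", "letsencrypt.org"),
    ],
    "locked.example": [CAARecord(0, "issue", ";")],
    "report.example": [CAARecord(0, "iodef", "mailto:security@report.example")],
}


def issuer_domain(value):
    """Return the issuer domain from an issue/issuewild value ('' means 'no CA')."""
    return value.split(";", 1)[0].strip().lower()


def relevant_rrset(name, records):
    """Climb from name towards the root; return (owner, rrset) of the first CAA set."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if records.get(candidate):
            return candidate, records[candidate]
    return None, []


def issuance_allowed(name, ca, records=SAMPLE_RECORDS):
    """Decide whether CA `ca` may issue a certificate for `name`.

    A leading '*.' marks a wildcard request. Returns (allowed, reason).
    """
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    origin, rrset = relevant_rrset(base, records)
    if not rrset:
        # No CAA anywhere up the tree: any CA may issue (the risk described above).
        return True, "no CAA record found"
    # A critical-flagged property this checker does not understand forbids issuance.
    for rec in rrset:
        if rec.flags & CRITICAL and rec.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"unknown critical tag {rec.tag!r} at {origin}"
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue;
    # non-wildcard requests consult issue only. An RRset with no applicable
    # property (e.g. iodef alone) does not restrict issuance.
    chosen = issuewild if (wildcard and issuewild) else issue
    if not chosen:
        return True, f"CAA at {origin} does not restrict this request"
    permitted = {issuer_domain(r.value) for r in chosen}
    if ca.lower() in permitted:
        return True, f"{ca} authorized by CAA at {origin}"
    return False, f"{ca} not in {sorted(d for d in permitted if d)} at {origin}"


if __name__ == "__main__":
    for req in [("gf.dev", "digicert.com"), ("gf.dev", "thawte.com"),
                ("www.gf.dev", "letsencrypt.org"), ("*.gf.dev", "comodoca.com"),
                ("locked.example", "letsencrypt.org"), ("nothing.test", "anyca.test")]:
        print(req, "->", issuance_allowed(*req))
```

The `issue ";"` form (an empty issuer domain) is how a zone states that no CA at all may issue, which is why "locked.example" rejects every request.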

Is it clear now?

There are a few abbreviations I’ve used above. Let’s check out what they are.

  • DNS – Domain Name System
  • CA – Certificate Authority
  • CAA – Certification Authority Authorization
  • TLS – Transport Layer Security
  • SSL – Secure Sockets Layer

How to check the DNS CAA record?

There are multiple ways to validate a CAA record. If you don't want to leave your terminal, you can check it with the dig command.

dig caa $YOURWEBSITE.COM

Example for geekflare.com:

root@geekflare:~# dig caa geekflare.com

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> caa geekflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54430
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;geekflare.com.			IN	CAA

;; ANSWER SECTION:
geekflare.com.		3600	IN	CAA	0 issuewild "comodoca.com"
geekflare.com.		3600	IN	CAA	0 issuewild "letsencrypt.org"
geekflare.com.		3600	IN	CAA	0 issue "comodoca.com"
geekflare.com.		3600	IN	CAA	0 issue "digicert.com; cansignhttpexchanges=yes"
geekflare.com.		3600	IN	CAA	0 issue "letsencrypt.org"
geekflare.com.		3600	IN	CAA	0 issuewild "digicert.com; cansignhttpexchanges=yes"

;; Query time: 7 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Oct 08 07:12:21 UTC 2019
;; MSG SIZE  rcvd: 298

root@geekflare:~#

If you would like to test this remotely, you can use the DNS CAA Tester online tool.
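When auditing many domains, it helps to turn the dig answer lines above into a structured summary of who may issue what. The following is an added example (not code from the article) that parses CAA resource records out of dig output and groups issuer domains by tag. The sample text is constructed from the article's answer section, with one hypothetical iodef record appended so the reporting address shows up in the summary; the contact address is a placeholder.

```python
"""Parse CAA answer lines from `dig caa <domain>` output into a readable summary."""
import re

# Constructed sample: the ANSWER SECTION from the article's dig run, plus one
# hypothetical iodef line (flags 128 = issuer critical) with a placeholder address.
DIG_OUTPUT = """\
;; ANSWER SECTION:
geekflare.com.    3600    IN    CAA    0 issuewild "comodoca.com"
geekflare.com.    3600    IN    CAA    0 issuewild "letsencrypt.org"
geekflare.com.    3600    IN    CAA    0 issue "comodoca.com"
geekflare.com.    3600    IN    CAA    0 issue "digicert.com; cansignhttpexchanges=yes"
geekflare.com.    3600    IN    CAA    0 issue "letsencrypt.org"
geekflare.com.    3600    IN    CAA    0 issuewild "digicert.com; cansignhttpexchanges=yes"
geekflare.com.    3600    IN    CAA    128 iodef "mailto:caa-reports@example.com"

;; Query time: 7 msec
"""

# <owner> <ttl> IN CAA <flags> <tag> "<value>"
CAA_LINE = re.compile(
    r'^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+CAA\s+'
    r'(?P<flags>\d+)\s+(?P<tag>\S+)\s+"(?P<value>[^"]*)"\s*$'
)


def parse_dig_caa(text):
    """Return a list of dicts, one per CAA record found in dig output.

    Comment lines (starting with ';') and anything that is not a CAA RR are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = CAA_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ttl"] = int(rec["ttl"])
        rec["flags"] = int(rec["flags"])
        rec["tag"] = rec["tag"].lower()
        records.append(rec)
    return records


def summarize(records):
    """Group issuer domains by tag so the policy can be read at a glance."""
    summary = {"issue": set(), "issuewild": set(), "iodef": set(), "critical": 0}
    for rec in records:
        if rec["flags"] & 0x80:
            summary["critical"] += 1
        if rec["tag"] in ("issue", "issuewild"):
            # Parameters after ';' (e.g. cansignhttpexchanges) are not part of the issuer name.
            summary[rec["tag"]].add(rec["value"].split(";", 1)[0].strip())
        elif rec["tag"] == "iodef":
            summary["iodef"].add(rec["value"])
    return summary


if __name__ == "__main__":
    recs = parse_dig_caa(DIG_OUTPUT)
    s = summarize(recs)
    print(f"{len(recs)} CAA records")
    print("non-wildcard issuers:", sorted(s["issue"]))
    print("wildcard issuers:    ", sorted(s["issuewild"]))
    print("violation reports to:", sorted(s["iodef"]))
```

Pipe real output in with `dig caa yourdomain.com | python3 this_script.py` after replacing `DIG_OUTPUT` with `sys.stdin.read()`; an empty record list from `parse_dig_caa` is the "no CAA record" case described earlier.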

How to add a CAA record?

Technically, you add it the same way as any other DNS record, such as A, NS, or CNAME.

If you are using Cloudflare, go to the DNS tab, add a record, and select CAA as the type.

For GoDaddy, go to DNS Management and add a record.

If you are not sure how to add it, contact your DNS/hosting provider for help.
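If you manage your own zone file rather than a web console, the records look like this. This is an added example in BIND zone-file syntax, not taken from the article; example.com, the chosen CAs and the contact address are placeholders to replace with your own.

```zone
; Constructed example: authorize two CAs for normal certificates, one for
; wildcards, and name an address where CAs report issuance requests they refused.
example.com.    3600    IN    CAA    0 issue     "letsencrypt.org"
example.com.    3600    IN    CAA    0 issue     "digicert.com"
example.com.    3600    IN    CAA    0 issuewild "letsencrypt.org"
example.com.    3600    IN    CAA    0 iodef     "mailto:security@example.com"
```

The value after the tag must be quoted. To state that no CA may issue for a name at all (for example, a parked domain), use a single `issue ";"` record, where the empty issuer domain authorizes nobody.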

Conclusion

If you haven't already, take advantage of the CAA record to add a layer of domain security. Adding a CAA record doesn't cost you anything.

  • Chandan Kumar
    Author