DNS CAA record to avoid fraudulent certificates

The DNS CAA record was first defined in 2013, and from September 2017, Certificate Authorities are obliged to review it before issuing any certificate. So, let’s clarify things a little bit more about it.

DNS CAA record – Definition

The CAA (Certification Authority Authorization) record is a Resource Record in DNS (Domain Name System) that lets domain owners to specify which CAs are authorized to issue a certificate for the domain name. 

Certification Authorities (CAs) are organizations that are authorized and able to issue certificates for domain names, for instance, SSL, TLS, or other certificates.

How to create a CAA record?

Security is crucial, and domain owners constantly want to improve it for their website and provide the best user experience. One of these improvements is exactly including a purchase of a certificate.

The DNS CAA record appears for better control of the process of issuing a certificate. In addition, it minimizes the risk of mistakes related to publishing a certificate for a domain name. 

By checking inside the DNS CAA record, you are able to see to which exact part of the domain the certificate applies. Besides, it is possible to use it only for a specific subdomain or for the entire domain name. 

In addition, it is a good idea to consider implementing DNS CAA record together with DNSSEC. The reason for that, of course, is for better security once you include DNSSEC and higher trust from the side of the CA.


If you want to create a new DNS CAA record, you will need to set some parameters. The structure is simple, and after you determine everything, the record should function flawlessly.

Type: Here, in ower case, it is CAA.

TTL: That is the Time-to-Live (TTL) value for your CAA record. You could set a long time because you won’t need to make changes to it so often. 

Host: Here, you have to choose the domain name or only a subdomain name for which you require the CAA records to employ.

Flag: 0 or 128. Selecting 128 will indicate critically, so the CA has to follow the rules. Choosing 0 will indicate that it is not necessary for the CA to follow the rules. 

Property type: Here, you have three options: issue/issuewild/iodef

Issue – For CA is permitted to issue a certificate.

Issuewild – For CA is permitted to issue a wildcard certificate.

Iodef (incident object description exchange format) – It gives information where the CA could send a declaration for a questionable certificate that does not fulfill the rules.

Value: That is a value provided by the chosen CA.

The CA process with DNS CAA records

First, before the CA publishes a certificate, it is obligated to examine for a DNS CAA record for the domain. Next, if the CAA is available, it is necessary to follow its rules to publish or not a certificate. 

The CA reviews for compatibility with the CAA and view its certificate policies and certification practices. 

The certificate could include more than an individual domain name and might contain wildcard domains. The CA must follow up with the CAA and the authorization described there for each one of the domains. 

Implementing DNS CAA records finally stops the abuse and precisely determines who is able to publish certificates for your domain. That way, you avoid the fake certificates that others could create for your domain.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *