CAA (Certification Authority Authorization) is a DNS record type, defined in RFC 6844 (2013) and revised in RFC 8659, that tells certification authorities (CAs) which of them may issue TLS certificates for a domain. Since September 2017 the CA/Browser Forum Baseline Requirements have required every publicly trusted CA to look up and honour CAA records before issuing. The lookup starts at the exact name being certified and climbs toward the root; the first name that has CAA records decides, and parent records are not merged in.
If an attacker briefly gains control of something a CA uses to validate your domain (for example a web server that answers HTTP validation challenges), they may try to obtain a certificate for your domain and use it to intercept traffic. A CAA record, depending on its configuration, can make this much harder or block it outright, because a CA that is not listed must refuse. Keep the limits in mind: CAA is checked by the CA at issuance time, not enforced by browsers, and an attacker who controls your DNS can simply change the record, so the DNS and registrar accounts need the same protection as the zone itself.
The virtual hosting and DNS hosting services support this type of record, and you can add them if desired. After adding them, confirm what the world sees with a query such as dig +short CAA domain.tld from a machine outside your network; a CA will make the same query.
Record format:
CAA <flags> <tag> <value>
flags is 0 in normal use; 128 sets the "issuer critical" bit, which tells a CA that does not understand the tag to refuse issuance. tag is one of issue (CAs allowed to issue ordinary certificates), issuewild (CAs allowed to issue wildcard certificates) or iodef (a mailto: or https: address to which a CA can report a request it refused). value is the CA's identifying domain, optionally followed by parameters after a semicolon, or just ";" to authorise nobody.
1. Example. Prohibit all certification authorities from issuing certificates (an empty issuer matches no CA; with no issuewild record this also covers wildcard certificates)
domain.tld. IN CAA 0 issue ";"
2. Example. Allow only specific certification authorities to issue certificates, while prohibiting others. Here comodoca.com (Sectigo, formerly Comodo CA, which also recognises sectigo.com) and letsencrypt.org may issue ordinary certificates, and the issuewild line forbids wildcard certificates entirely; without that line the issue entries would apply to wildcards as well.
domain.tld. IN CAA 0 issue "comodoca.com"
domain.tld. IN CAA 0 issue "letsencrypt.org"
domain.tld. IN CAA 0 issuewild ";"
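To see how a CA actually applies these records, the following Python is an added example (not code from the hosting provider or from any CA) that evaluates the RFC 8659 rules over an in-memory zone: it climbs from the requested name toward the root to find the relevant record set, applies issue or issuewild as appropriate, honours the critical flag, and decides whether a given CA may issue. The zone data, including the sub.domain.tld, strict.domain.tld and locked.tld names, is constructed to mirror the examples above and is not a real DNS answer.

```python
"""CAA policy evaluation over an in-memory zone (RFC 8659 semantics).

Added example, not from the original article: the ZONE below is constructed
to mirror the records in the text, and the lookup climbs the name tree the
way a CA must before issuing.
"""
from dataclasses import dataclass
from typing import Dict, List

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # "issuer critical" flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAARecord:
    """Parse presentation-format rdata such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = rdata.strip().split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(int(flags), tag.lower(), value)


def relevant_rrset(fqdn: str, zone: Dict[str, List[str]]) -> List[CAARecord]:
    """RFC 8659 section 3: starting at the FQDN, climb toward the root; the
    first name that has CAA records supplies the relevant RRset. Records of
    parent names are never merged in."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if zone.get(name):
            return [parse_caa(r) for r in zone[name]]
    return []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, fqdn: str, zone: Dict[str, List[str]]) -> bool:
    """Would the CA identified by `ca` be allowed to issue for `fqdn`?
    A leading '*.' selects wildcard processing (RFC 8659 section 4.3)."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the chain: issuance is unrestricted

    # A critical record whose tag the CA does not understand forbids issuance.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False

    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # Wildcard names use issuewild when present and fall back to issue otherwise.
    applicable = (issuewild or issue) if wildcard else issue
    if not applicable:
        return True  # property tag absent: no restriction for this kind of name

    # 'issue ";"' yields an empty issuer domain, which matches no CA at all.
    return any(issuer_domain(r.value) == ca.lower() for r in applicable)


# Constructed zone data mirroring the article's examples (not real DNS answers).
ZONE: Dict[str, List[str]] = {
    "domain.tld.": ['0 issue "comodoca.com"', '0 issue "letsencrypt.org"', '0 issuewild ";"'],
    "sub.domain.tld.": ['0 issue "letsencrypt.org; validationmethods=dns-01"'],
    "strict.domain.tld.": ['128 futuretag "anything"'],
    "locked.tld.": ['0 issue ";"'],
}

if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.domain.tld."),
                     ("letsencrypt.org", "*.domain.tld."),
                     ("comodoca.com", "sub.domain.tld."),
                     ("letsencrypt.org", "locked.tld.")]:
        verdict = "allowed" if may_issue(ca, name, ZONE) else "refused"
        print(f"{ca:16} -> {name:20} {verdict}")
```

Two behaviours are worth noticing when you test your own zone this way: a record on sub.domain.tld completely replaces the parent's policy for that name (so a subdomain can quietly widen what the apex forbids), and a name with no CAA records anywhere in its chain is open to every CA.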
For online generation, you can use a CAA record creation service; whatever tool you use, check the resulting records with a DNS query before relying on them.