CAA DNS Record, Application and Configuration

Date of publication: 29.09.2024

CAA (Certification Authority Authorization) is a DNS record type that lets a domain owner state which certification authorities (CAs) are allowed to issue TLS certificates for the domain. It was standardized in RFC 6844 in 2013 (revised by RFC 8659), and since September 2017 CA/Browser Forum rules require every publicly trusted CA to check CAA before issuing. The CA queries the CAA records for the requested name, and if none exist there, for each parent name up to the top-level domain; the first set it finds is the one that applies.

If an attacker gains temporary control of something a CA uses to validate ownership of your domain, for example your web server, they may try to obtain a certificate for the domain in order to intercept traffic. A CAA record, depending on how it is configured, limits the attack to the CAs you have explicitly authorized or blocks issuance altogether. Two caveats: CAA is checked only by CAs at issuance time, not by browsers, and it offers no protection if the attacker controls the DNS zone itself, since they can simply change the record. Signing the zone with DNSSEC makes the record harder to tamper with on the way to the CA.

The virtual hosting and DNS hosting services support this record type, and you can add CAA records in your domain's DNS settings if desired.

Record format:

CAA <flags> <tag> <value>

flags: 0 in normal use; 128 sets the "critical" bit, which tells a CA that does not understand the tag to refuse issuance rather than ignore the record.
tag: issue (which CAs may issue ordinary certificates), issuewild (which CAs may issue wildcard certificates; if absent, the issue records also apply to wildcards), or iodef (a mailto: or https: URL where CAs can report policy violations).
value: the CA's domain name as published in its CAA policy (for example letsencrypt.org), or ";" to authorize no CA at all.

1. Example. Prohibit all certification authorities from issuing certificates

domain.tld.	IN	CAA	0 issue ";"

2. Example. Allow only specific certification authorities to issue certificates, while prohibiting others (the issuewild ";" line additionally prohibits wildcard certificates from every CA, including the two listed)

domain.tld.	IN	CAA	0 issue "comodoca.com"
domain.tld.	IN	CAA	0 issue "letsencrypt.org"
domain.tld.	IN	CAA	0 issuewild ";"
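To make the two examples concrete, the following script evaluates CAA records the way an issuing CA does under RFC 8659: it climbs from the requested name toward the root until it finds a CAA set, applies issuewild to wildcard names (falling back to issue when no issuewild exists), treats ";" as "no CA", and refuses on an unknown critical tag. This is an added example written for this article, not code from the hosting provider; the zone dictionary, the subdomains api.domain.tld, locked.tld and odd.tld, and the CA names used in the checks are constructed for illustration, and a real CA would fetch the records over DNS instead of reading a dictionary.

```python
"""Evaluate a CAA policy the way an issuing CA does (RFC 8659, sections 3 and 4).

Added example for this article, not code from the hosting provider.
The zone data is constructed inline so the script runs offline; a real CA
would obtain the records with DNS queries instead of a dictionary lookup.
"""
from dataclasses import dataclass

CRITICAL = 128  # issuer-critical bit in the flags field
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone data: the article's two examples plus a subdomain with its
# own CAA set, a name that only forbids issuance, and an unknown critical tag.
ZONE = {
    "domain.tld.": [
        CAARecord(0, "issue", "comodoca.com"),
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),
    ],
    "api.domain.tld.": [CAARecord(0, "issue", "letsencrypt.org")],
    "locked.tld.": [CAARecord(0, "issue", ";")],
    "odd.tld.": [CAARecord(CRITICAL, "futuretag", "x")],
}


def relevant_records(name, zone):
    """Return the relevant CAA RRset for a name.

    Per RFC 8659 section 3 the CA starts at the name itself (including a
    leading '*' label for wildcard requests) and climbs toward the root; the
    first label that has CAA records is the relevant set. No records anywhere
    means the name is unrestricted.
    """
    labels = name.rstrip(".").split(".")
    while labels:
        candidate = ".".join(labels) + "."
        if zone.get(candidate):
            return zone[candidate]
        labels = labels[1:]
    return []


def issuer_of(record):
    """Extract the issuer domain from an issue/issuewild value.

    The value is 'issuer-domain [; key=value ...]'; a bare ';' carries an
    empty issuer, which matches no CA and therefore forbids issuance.
    """
    return record.value.split(";", 1)[0].strip().lower()


def ca_may_issue(ca_domain, name, zone):
    """Decide whether the CA identified by ca_domain may issue for name."""
    records = relevant_records(name, zone)
    if not records:
        return True
    # A critical record whose tag the CA does not understand blocks issuance.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in records):
        return False
    issue = [r for r in records if r.tag.lower() == "issue"]
    issuewild = [r for r in records if r.tag.lower() == "issuewild"]
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    wildcard = name.startswith("*.")
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # e.g. only iodef records: no issuance restriction expressed
    return any(issuer_of(r) == ca_domain.lower() for r in applicable)


if __name__ == "__main__":
    checks = [
        ("letsencrypt.org", "domain.tld."),
        ("digicert.com", "domain.tld."),
        ("letsencrypt.org", "www.domain.tld."),
        ("letsencrypt.org", "*.domain.tld."),
        ("comodoca.com", "api.domain.tld."),
        ("letsencrypt.org", "*.api.domain.tld."),
        ("letsencrypt.org", "locked.tld."),
        ("letsencrypt.org", "free.tld."),
        ("letsencrypt.org", "odd.tld."),
    ]
    for ca, name in checks:
        verdict = "may issue" if ca_may_issue(ca, name, ZONE) else "must NOT issue"
        print(f"{ca:16} {name:20} {verdict}")
```

Two behaviours worth noticing: www.domain.tld has no CAA records of its own, so it inherits the parent's policy, while api.domain.tld publishes its own set and therefore drops comodoca.com entirely for that name. After publishing your records, confirm what CAs will actually see with `dig CAA domain.tld` (or `dig CAA www.domain.tld`, which should return nothing if only the apex carries records).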

To generate a record online, you can use the CAA record creation service.
