What is a CAA record?
A Certification Authority Authorization (CAA) record is a type of DNS record used to specify which Certificate Authorities (CAs) are allowed to issue certificates for a domain. Only the CAs listed in the record are allowed to issue certificates for that hostname.
This DNS record can affect orders for any kind of SSL certificate, including wildcard and multi-domain certificates.
Why use CAA DNS records?
Sometimes non-compliant CAs issue certificates without validating domain ownership in a fool-proof manner. You would want to reduce your risk from such certificate authorities. You can use CAA to limit your domain to certificate authorities which you trust not to issue unauthorized certificates.
If your employees or an external vendor manage your website hosting, you may want to prevent them from obtaining certificates from unauthorized vendors. Adding a CAA record locks your website to certificates issued by the specified CAs and blocks all other CAs.
How do CAA DNS lookups work?
Domains and Sub-domains
The CAA DNS record set for a domain also applies to all of its sub-domains. However, if a sub-domain has its own CAA record set, that record set takes precedence.
For example, before a certificate authority issues a certificate for www.example.com, it will query CAA record sets in the following order and use the first record set it finds:
Domains and CNAME
If a domain name is a CNAME (alias) for another domain, then the CA also looks for the CAA DNS record sets for the CNAME target, as well as all parent domains of the target. If no CAA record set is found, the certificate authority continues searching parent domains of the original domain name.
For example, if news.example.com is a CNAME for blog.example.net, then the CA looks for CAA record sets in the following order:
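The lookup walk described in the two passages above, as an added example that is not part of the original article: it follows the order the text gives (RFC 6844 style), uses a constructed in-memory zone in place of real DNS, and stops at the TLD rather than the root, which is an assumption.

```python
# Added example (not from the original article): a model of the CAA lookup
# order described above. ZONE is a constructed stand-in for DNS; stopping at
# the TLD rather than the root is an assumption.

# Constructed zone: name -> {"cname": target} and/or {"caa": [(flags, tag, value)]}
ZONE = {
    "news.example.com": {"cname": "blog.example.net"},
    "example.net": {"caa": [(0, "issue", "ca-a.example")]},
    "example.com": {"caa": [(0, "issue", "ca-b.example"),
                            (0, "issuewild", ";")]},  # ";" forbids wildcard issuance
}


def parents(name):
    """Parent domains of `name`, nearest first, down to the TLD."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def lookup_order(name, zone=ZONE):
    """Names a CA queries for CAA, in the order the text gives: the name itself,
    then (if it is a CNAME) the target and the target's parents, then the
    parents of the original name."""
    order = [name]
    target = zone.get(name, {}).get("cname")
    if target:
        order.append(target)
        order.extend(parents(target))
    order.extend(parents(name))
    return order


def effective_caa(name, zone=ZONE):
    """First CAA record set found along the lookup order, with the name it came
    from; (None, []) when no record set exists anywhere in the chain."""
    for candidate in lookup_order(name, zone):
        rrset = zone.get(candidate, {}).get("caa")
        if rrset:
            return candidate, rrset
    return None, []


def may_issue(name, ca, zone=ZONE, wildcard=False):
    """True if `ca` may issue for `name`. No CAA record anywhere means any CA
    may issue. Wildcard orders use issuewild records when present, else issue."""
    _, rrset = effective_caa(name, zone)
    if not rrset:
        return True
    tag = "issue"
    if wildcard and any(t == "issuewild" for _f, t, _v in rrset):
        tag = "issuewild"
    return any(t == tag and v == ca for _f, t, v in rrset)
```

For a wildcard order such as *.example.com the name checked is the base domain, example.com.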
How can you prevent a CAA DNS record from blocking your SSL certificate order?
First check whether your domain or sub-domain is a CNAME to another name. If it is, you need to ensure the CAA DNS record set for the CNAME target matches the CA from which you need to order the certificate. Alternatively, to order the certificate from another CA, you can delete the CAA record for the CNAME target domain or sub-domain.
Then check whether you have set a CAA DNS record in your domain name's DNS zone settings. If you have, you will have to order a certificate from the same CA. Alternatively, to order the certificate from another CA, you can delete the CAA DNS record.