What is a DNS CAA record?

There are several types of records - or Resource Records as they are called - in the Domain Name System (DNS). This page explains what the CAA record is and how it's used.

The purpose of a DNS CAA record

The CAA record - or Certification Authority Authorization - is used to define which certificate authority can issue a certificate for that particular hostname.

It can be used to say that, for instance, Let's Encrypt can issue a certificate for ohdear.app, but no one else. That would prohibit certificate providers like Globalsign or Cloudflare from issuing certificates for that particular domain.

Why would you use this? It's a security improvement that can prevent a bad actor from obtaining a certificate for your domain and using it to mount a man-in-the-middle attack on your site. If a bad actor could hijack connections to your site (say: on a public, insecure WiFi network or via a proxy server he controls), he could use his maliciously obtained SSL certificate to still present a valid and secure-looking connection to your users.

Your users would never know they were being served a different SSL certificate.

The CAA record limits the potential security risk by only allowing those certificate providers you explicitly authorize.

What does it mean if a CAA record changes?

A change could indicate that an SSL certificate from a different Certificate Authority is about to be issued.

Either a new Certificate Authority is being granted permission to issue certificates, an existing Certificate Authority is being removed from the list of allowed issuers, or the notification options for rejected certificate requests have been changed.

The structure of a DNS CAA record

The CAA record has a few special tags that can be set in the DNS record. Here's an example of the three most commonly used tags in CAA records:

ohdear.app.		3600	IN	CAA	0 iodef "mailto:support@ohdear.app"
ohdear.app.		3600	IN	CAA	0 issue "letsencrypt.org"
ohdear.app.		3600	IN	CAA	0 issuewild "letsencrypt.org"

Like other DNS records, it follows this structure:

<host>          <TTL>   IN  CAA <flag> <tag> <value>

In the first example, this would translate to:

  • Flag: 0
  • Tag: iodef
  • Value: "mailto:support@ohdear.app"

The CAA flag

For now, this is almost always set to 0. It is a signaling system that could, in the future, be used for extensions to the CAA protocol.

The only extra flag currently defined is the value 128, the "issuer critical" flag, which instructs certificate authorities (e.g. Let's Encrypt, Globalsign, ...) that they must understand the corresponding property tag before issuing a certificate; a CA that does not recognise a tag marked critical must refuse to issue.

The CAA tag

The tag in CAA records determines what kind of value is being provided in that record. You'll notice in the example above we have tags called "iodef", "issue" and "issuewild". The value that follows is specific to that particular tag.

The following are valid CAA tags:

  • issue: this determines which Certificate Authority(ies) can issue domain certificates for this host
  • issuewild: this determines which Certificate Authority(ies) can issue wildcard certificates for this host
  • iodef: this defines how (and if) you want to be notified when a Certificate Authority receives a request to issue a certificate for your domain but refuses it because of your issue or issuewild tags.
  • contactemail: this allows you to publish contact information in DNS
  • contactphone: same as email, but for your phone number(s)

The CAA value

The value is the data carried by each tag; its format depends on the tag it belongs to.

For instance, if you want to only allow Let's Encrypt to issue certificates for your domain, you would set the value of the issue tag to be "letsencrypt.org":

ohdear.app.		3600	IN	CAA	0 issue "letsencrypt.org"

Each tag has specific syntax you can use in the value, depending on what you want to convey to the Certificate Authority.
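To tie the flag, tag and value sections together, here is an added example (not code from Oh Dear or from this page) that parses CAA records written in the zone-file layout shown above and then applies the issuance rules a Certificate Authority follows: issue governs normal certificates, issuewild takes precedence for wildcard certificates and falls back to issue when absent, a value of ";" means no CA may issue, and a critical flag (128) on a tag the CA does not understand blocks issuance entirely. The zone snippets, the host names other than ohdear.app and the tag list are constructed for illustration; the example only looks at the records of a single host and does not climb to parent domains the way a real CA lookup does.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample zones in the format used on this page (not live DNS data).
SAMPLE_ZONE = """\
ohdear.app.\t\t3600\tIN\tCAA\t0 iodef "mailto:support@ohdear.app"
ohdear.app.\t\t3600\tIN\tCAA\t0 issue "letsencrypt.org"
ohdear.app.\t\t3600\tIN\tCAA\t0 issuewild "letsencrypt.org"
"""
# Normal certificates allowed for one CA, wildcard certificates for nobody (";").
STRICT_ZONE = """\
strict.example.\t3600\tIN\tCAA\t0 issue "letsencrypt.org"
strict.example.\t3600\tIN\tCAA\t0 issuewild ";"
"""
# Only a notification address: nothing here restricts issuance.
ONLY_IODEF_ZONE = 'notify.example.\t3600\tIN\tCAA\t0 iodef "mailto:hostmaster@notify.example"\n'
# A hypothetical future tag marked critical (flag 128): a CA that does not know it must not issue.
CRITICAL_ZONE = """\
future.example.\t3600\tIN\tCAA\t0 issue "letsencrypt.org"
future.example.\t3600\tIN\tCAA\t128 futuretag "some-new-policy"
"""

CRITICAL_FLAG = 128  # "issuer critical" bit of the flags byte
KNOWN_TAGS = ("issue", "issuewild", "iodef", "contactemail", "contactphone")


@dataclass(frozen=True)
class CAARecord:
    host: str
    ttl: int
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL_FLAG)


# <host> <TTL> IN CAA <flag> <tag> "<value>"
_LINE = re.compile(
    r'^(?P<host>\S+)\s+(?P<ttl>\d+)\s+IN\s+CAA\s+'
    r'(?P<flags>\d+)\s+(?P<tag>\S+)\s+"(?P<value>[^"]*)"\s*$'
)


def parse_caa_zone(text: str) -> list[CAARecord]:
    """Parse zone-file style CAA lines into records; blank lines and ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record line: {line!r}")
        records.append(CAARecord(
            host=m["host"].rstrip(".").lower(),
            ttl=int(m["ttl"]),
            flags=int(m["flags"]),
            tag=m["tag"].lower(),
            value=m["value"],
        ))
    return records


def issuer_domain(value: str) -> str:
    """Issuer domain part of an issue/issuewild value; parameters after ';' are ignored.
    A bare ';' yields '' (meaning: nobody may issue)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(records: list[CAARecord], ca: str, wildcard: bool = False) -> bool:
    """Decide whether CA `ca` may issue a (wildcard) certificate for the host these records belong to."""
    # A critical record with a tag this CA does not understand forbids issuance outright.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in records):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"  # issuewild wins for wildcard certs; otherwise issue applies
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True  # no restricting property at this host (only iodef/contact tags, or nothing)
    allowed = {issuer_domain(r.value) for r in relevant}
    allowed.discard("")  # ';' entries allow no one
    return ca.lower() in allowed


if __name__ == "__main__":
    for name, zone in [("ohdear.app", SAMPLE_ZONE), ("strict", STRICT_ZONE),
                       ("only-iodef", ONLY_IODEF_ZONE), ("critical", CRITICAL_ZONE)]:
        recs = parse_caa_zone(zone)
        for ca in ("letsencrypt.org", "globalsign.com"):
            print(f"{name}: {ca} normal={may_issue(recs, ca)} wildcard={may_issue(recs, ca, True)}")
```

Running the script prints, for each constructed zone, whether Let's Encrypt and GlobalSign may issue a normal and a wildcard certificate; the ohdear.app records from this page allow only Let's Encrypt for both, the strict zone allows Let's Encrypt normal certificates but no wildcards, the iodef-only zone restricts nobody, and the zone with an unknown critical tag lets no CA issue.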

Was this page helpful to you? Feel free to reach out via support@ohdear.app or on Twitter via @OhDearApp if you have any other questions. We'd love to help!