What You Should Know About CAA Resource Records
(using them can help protect your domain)
What is a CAA (Certification Authority Authorization) Resource Record?
As most DDI (DNS, DHCP, IPAM) administrators know by now, a CAA RR (Resource Record) is a DNS record that you, as a domain owner, can enter into your DNS server to help prevent unauthorized CAs (Certificate Authorities) from issuing a certificate for your domain. There is a common misconception that you must have a CAA record in your DNS server before you can purchase a certificate, but this is not the case. There is a requirement, but it applies to CAs, not DNS administrators: since September 2017, CAs must query for a CAA record in the authoritative zone of the name for which the certificate is being requested. The CAA record contains (among other things) a list of the CAs that are allowed to issue a certificate for the domain (zone) it is in. If the requesting CA is not listed, the certificate will not be issued.
For example, if you own the domain “mydomain.com”, you probably also have an authoritative DNS zone that holds all the records for that domain. If that zone is publicly reachable, you will likely want a certificate for it so you can encrypt traffic. In this example, let’s say you obtain your certificates from “EncryptMe”. You would then create a CAA record specifying that only “encryptme.com” is allowed to issue certificates for “mydomain.com”. In the CAA record you can (and should) also specify where to send a notification if a CA other than EncryptMe has been asked to issue a certificate.
Why should you use a CAA Resource Record?
Using CAA records adds another layer of protection for your organization by limiting which CAs can issue a certificate for your domain. A CAA record can also tell the requesting CA how to contact the domain holder when a certificate is issued or when the policy in the CAA record is violated. For example, if an unlisted CA has been asked to issue your certificate, the CA won’t issue it. In short, you gain much tighter control over how and when your certificates are issued. An unauthorized certificate request isn’t necessarily malicious, by the way: a user might innocently try to buy a certificate from a CA other than the one you normally use. A CAA record prevents this from happening. You can even prevent certificates from being issued at all. And remember, CAA records cost you nothing – they are simply resource records in a zone. Use them!
And keep in mind that if you do NOT use CAA records, any CA can issue certificates for your domain. CAs are required to check for CAA records, but if none are found, any CA will issue the certificate – this is probably not what you want!
Reference
RFC6844: https://tools.ietf.org/html/rfc6844