DNS CAA Records

I just wanted to expand a little bit on the very useful topic raised by @vincen.

I thought it might be useful to explain the records syntax and their purpose and to post a link to a simple and useful; tool to help with CAA record creation and checking (see below).

The following entry, will allow the issuing of non-wildcard AND wildcard certificates for the specified domain, only by the specified CA (in this case Lets Encrypt):
example.com. IN CAA 0 issue “letsencrypt.org

The entry below will only allow the issuing of non wildcard certificates (each host is specified), by the specified CA.
example.com. IN CAA 0 issue “letsencrypt.org
example.com. IN CAA 0 issuewild “;”

You will only need to add the records to the primary DNS Zone file (example.com), not each subdomain (e.g sub.example.com) for the CAA record to be returned.

You can specify an email address or URL for reporting certificate requests or issued certificates that violate your CAA policy. Reports will be provided in iodef format:
example.com. IN CAA 0 iodef “mailto:ssl-issuance-reporting@example.com
example.com. IN CAA 0 iodef “https://example.com/caa-policy

You can find a great CAA tool at sslmate.com: CAA Record Generator

To check CAA records using ‘dig’:
dig caa example.com

Correct implementation of DNS CAA records will also help to boost your ssllabs rating:

Hope you found the above useful / informative.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.