Manage Certificate Authority Authorization (CAA) DNS Record
This article explains Certificate Authority Authorization (CAA) records and how they can be managed at Rackspace.
What is a CAA record?
Certificate Authority Authorization (CAA) records allow domain owners to specify which Certificate Authorities (CAs) are allowed to issue SSL certificates for a domain. If no CAA record is present, any CA is allowed to issue certificates for the domain.
CAA records can set a policy for the entire domain or for specific subdomains. If no CAA record is specified for a particular subdomain, the policy is inherited from the parent domain.
For example, a CAA record set for example.com also applies to subdomain.example.com unless there is also a CAA record set for subdomain.example.com.
CAA record format
CAA records have four parts:
- FQDN: The domain or subdomain on which the policy is being set.
- Flag: An integer. Almost always “0”.
- Tag: A string indicating the type of CAA record. Common tags are:
- issue: The CA is allowed to issue SSL certificates.
- issuewild: The CA is allowed to issue wildcard SSL certificates.
- iodef: Specifies a URL (for example, a mailto: address) to which the CA can report attempts to obtain certificates that violate the policy. This is optional.
- Value: The domain name of the CA allowed to issue certificates. The special value ";" indicates that no CA may issue certificates for the FQDN.
CAA record examples
Allow Let’s Encrypt to issue certificates for example.com:
example.com. CAA 0 issue "letsencrypt.org"
Allow both Let’s Encrypt and Sectigo to issue certificates for example.com, but only Sectigo is allowed to issue wildcard certificates:
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild "sectigo.com"
Allow Let’s Encrypt to issue certificates for example.com. Also allow Sectigo to issue certificates, but only for ssl.example.com, and report requests that violate that policy to [email protected]. Certificates may not be issued for no-ssl.example.com:
example.com. CAA 0 issue "letsencrypt.org"
ssl.example.com. CAA 0 issue "sectigo.com"
ssl.example.com. CAA 0 iodef "mailto:[email protected]"
no-ssl.example.com. CAA 0 issue ";"
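The following is an added worked example, not Rackspace code or part of the original article. It implements the CAA lookup rules described above (policy inheritance from the parent domain, issue versus issuewild, and the ";" value that forbids issuance) as a small policy checker that a CA, or an administrator auditing a zone, would run over a record set. The zone data is constructed inline from the three examples on this page; the iodef mailbox is a placeholder because the article's address is not shown, and the zone-climbing stops at the top-level label rather than the DNS root for simplicity. It also handles one edge case the examples do not show: a record with the critical flag (128) and a tag the checker does not recognise, which RFC 8659 treats as "do not issue".

```python
"""Added example: evaluate CAA records against a constructed zone.

Record tuples are (flag, tag, value), mirroring the four-part format in the
article (the FQDN is the dictionary key). Not the Rackspace DNS implementation.
"""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]
Zone = Dict[str, List[CaaRecord]]

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL_FLAG = 128  # RFC 8659 "issuer critical" bit; the article's examples all use 0

# Constructed zone based on the third example in the article.
# The iodef address is a placeholder, not the mailbox from the article.
ZONE_THIRD_EXAMPLE: Zone = {
    "example.com.": [(0, "issue", "letsencrypt.org")],
    "ssl.example.com.": [
        (0, "issue", "sectigo.com"),
        (0, "iodef", "mailto:PLACEHOLDER-reports@example.com"),
    ],
    "no-ssl.example.com.": [(0, "issue", ";")],
}

# Constructed zone based on the second example (issuewild overrides issue for wildcards).
ZONE_SECOND_EXAMPLE: Zone = {
    "example.com.": [(0, "issue", "letsencrypt.org"), (0, "issuewild", "sectigo.com")],
}


def normalize(fqdn: str) -> str:
    """Lower-case the name and make it fully qualified with a trailing dot."""
    return fqdn.strip().lower().rstrip(".") + "."


def parent(fqdn: str) -> Optional[str]:
    """Return the parent domain ('ssl.example.com.' -> 'example.com.'), or None at the top label."""
    labels = fqdn.rstrip(".").split(".")
    if len(labels) <= 1:
        return None
    return ".".join(labels[1:]) + "."


def relevant_caa_set(zone: Zone, fqdn: str) -> Tuple[Optional[str], List[CaaRecord]]:
    """Find the closest name (the FQDN itself or an ancestor) that has CAA records.

    This is the inheritance rule from the article: a subdomain without its own
    CAA records uses the parent's policy.
    """
    name: Optional[str] = normalize(fqdn)
    while name is not None:
        records = zone.get(name)
        if records:
            return name, records
        name = parent(name)
    return None, []


def issuer_domain(value: str) -> str:
    """Strip optional parameters ('letsencrypt.org; validationmethods=dns-01') and
    return the bare issuer domain. A value of ';' yields '' meaning no CA at all."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: Zone, fqdn: str, ca_domain: str) -> bool:
    """Decide whether ca_domain may issue a certificate for fqdn.

    A leading '*.' marks a wildcard request; the lookup climbs from
    '*.example.com.' to 'example.com.' exactly as for any other child name.
    """
    wildcard = fqdn.lstrip().startswith("*.")
    _, records = relevant_caa_set(zone, fqdn)
    if not records:
        return True  # No CAA record anywhere in the chain: any CA may issue.

    # Critical flag on a tag we do not understand: RFC 8659 says do not issue.
    for flag, tag, _ in records:
        if flag & CRITICAL_FLAG and tag.lower() not in KNOWN_TAGS:
            return False

    tags = {tag.lower() for _, tag, _ in records}
    # issuewild governs wildcard requests only when present; otherwise issue applies.
    governing = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if governing not in tags:
        return True  # e.g. a set containing only iodef imposes no issuance restriction

    allowed = {issuer_domain(v) for _, tag, v in records if tag.lower() == governing}
    allowed.discard("")  # the ';' value contributes no permitted issuer
    return ca_domain.strip().lower() in allowed


if __name__ == "__main__":
    for name, ca in [("example.com", "letsencrypt.org"), ("ssl.example.com", "letsencrypt.org"),
                     ("no-ssl.example.com", "sectigo.com"), ("*.example.com", "letsencrypt.org")]:
        print(f"{ca:16} -> {name:22} {'allowed' if may_issue(ZONE_THIRD_EXAMPLE, name, ca) else 'denied'}")
```

Two points worth noticing when reading the output: www.ssl.example.com inherits the ssl.example.com policy, not the example.com one, because inheritance stops at the closest name that has any CAA record; and in the third example a wildcard for example.com is still governed by the issue record, since no issuewild record exists there.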
How can a CAA record be managed for domains hosted with Rackspace?
Please contact your support team for assistance with CAA records. For new CAA records, please include the following:
- Fully Qualified Domain Name (FQDN)
- Flag
- Tag
- Value
- Time-To-Live (TTL), optional; the default is 300 seconds
Some Useful Links
For assistance contacting support: https://docs.rackspace.com/docs/contact-support
For official documentation regarding CAA records: https://datatracker.ietf.org/doc/html/rfc8659
https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization offers a comprehensive explanation and examples of CAA records.