Let’s understand the technology that is a DNS CAA or Certification Authority Authorization record and whether you should use it or not.

CAA (Certification Authority Authorization) records were defined in RFC 6844 back in 2013, but checking them only became mandatory for every publicly trusted certificate authority (CA) in September 2017, when CA/Browser Forum Ballot 187 took effect. Because the check was optional before that, most ordinary domain owners had never heard of this useful technology. If you're still in limbo about CAA, wondering what it is and what it does, you couldn't have landed at a better place (page, in this case!). So, let's understand what CAA is and whether you should use it or not.


What is CAA or Certification Authority Authorization?

There are dozens of publicly trusted certificate authorities (CAs); the CA/Browser Forum alone lists more than 30 CA members. That means a domain name holder has more than thirty options to choose from, and, as with everything else, will usually have a short list of trusted favorites. That's where the DNS CAA record comes into play.

A DNS CAA record gives the domain name holder the authority to specify and control which CA(s) are allowed to issue SSL/TLS certificates for that domain name. Each CA publishes a domain name that identifies it in CAA records (Comodo, for example, uses comodoca.com). So if you own domain.com and want only Comodo to issue certificates for it, you publish a CAA record naming comodoca.com, and every other publicly trusted CA must refuse a certificate request for domain.com and its subdomains (unless a subdomain publishes its own CAA record). You can list more than one CA, allow a different set of CAs for wildcard certificates (the issuewild property), and nominate an address (the iodef property) where CAs should report requests they had to refuse.

Keep in mind that CAA checking is mandatory for the CAs, not for domain name owners. If you have no such particular requirement, you don't need to do anything; with no CAA record published, any CA may issue for your domain, exactly as before.

Why CAA or Certification Authority Authorization?

We hope the section above answered your 'What is CAA?' question. Now, let's look at why one would implement it. Many people struggle to classify DNS CAA: is it a security mechanism or just a control mechanism? It's both. When you have such a large number of CAs at your disposal but only want trusted CAs issuing your certificates, CAA comes in pretty handy: you whitelist your trusted set of CA(s), and only those CAs may issue certificates for your specified domain(s). That also narrows the set of CAs an attacker could trick (for example, by defeating a weak domain-validation check) into issuing a certificate for your domain.

Such control is significant in larger organizations where specific purchasing policies are in place. Many large corporations run websites with plenty of subdomains and multiple SSL certificates deployed on them, and organizational policy often says that certificates must come from one particular CA. How is that policy communicated across departments? What if a new employee who is unaware of the policy joins and orders a certificate from another CA? It could become a huge problem, right? Had the organization published its CAA record, the other CA could not have issued the certificate, and the policy would have been enforced by the CAs themselves rather than by memos.

How does CAA work?

When someone mentions CAA, it's really 'DNS CAA,' and there's a reason for that: the whole mechanism rides on the Internet's DNS (Domain Name System), the internet's phonebook. The way it works is pretty simple. Say you have a website named domain.com and want only a particular CA to issue certificates for your domain name. You create a CAA record in your DNS zone (our CAA record generator tool produces the record text, and your DNS provider publishes it). From then on, before issuing, a CA looks up the CAA records for the exact name requested; if there are none, it checks the parent name, and so on up the tree, and the first CAA record set it finds is the one that applies. If it finds none at all, issuance is unrestricted. Each record has a flags byte, a property tag and a value: issue names a CA allowed to issue ordinary certificates, issuewild does the same for wildcard certificates, and iodef gives a mailto: or https: URL where CAs can report requests they refused.

Every DNS provider has its own way of adding a CAA record. Here are the methods used by some of the most noteworthy DNS providers that support CAA records.
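To make the lookup concrete, here is an added example (not code from the original post, and not any CA's real implementation) that simulates the CA-side check against a small, constructed in-memory zone; the names example.com, api.example.com, hosted.example.net and the CA identifiers used are placeholders. It walks up the tree from the requested name, follows a CNAME, chooses issue versus issuewild, refuses on an unknown tag with the critical flag set, and treats an empty issuer (";") as "nobody may issue":

```python
"""Simulated CA-side CAA check following the RFC 8659 lookup order.

Added example, not code from the original post.  The zone below is
constructed in-memory data standing in for real DNS answers; all domain
names and CA identifiers are placeholders.
"""
from dataclasses import dataclass

CRITICAL = 128          # bit 7 of the flags byte: "issuer critical"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0-255
    tag: str     # property tag, compared case-insensitively
    value: str   # property value, e.g. 'comodoca.com' or ';'


# Constructed sample zone.  In zone-file syntax the first record would read:
#   example.com.  IN CAA 0 issue "comodoca.com"
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "comodoca.com"),
        CAARecord(0, "issuewild", ";"),            # ';' = nobody may issue wildcards
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "api.example.com": [CAARecord(0, "issue", "letsencrypt.org")],
    "locked.example.com": [CAARecord(CRITICAL, "future-tag", "x")],
    "hosted.example.net": [CAARecord(0, "issue", "letsencrypt.org")],
}
CNAMES = {"blog.example.com": "hosted.example.net"}


def caa_lookup(name, max_hops=8):
    """CAA RRset for one name, following CNAMEs as a resolver would."""
    for _ in range(max_hops):
        if name not in CNAMES:
            break
        name = CNAMES[name]
    return ZONE.get(name, [])


def relevant_rrset(fqdn):
    """Walk from the FQDN toward the root; the first non-empty CAA RRset wins."""
    name = fqdn.rstrip(".").lower()
    while name:
        rrset = caa_lookup(name)
        if rrset:
            return name, rrset
        name = name.partition(".")[2]    # drop the leftmost label
    return None, []


def parse_issue_value(value):
    """Split 'issuer-domain; k=v; k2=v2' into the issuer and its parameters."""
    issuer, _, rest = value.partition(";")
    params = {}
    for part in rest.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            params[k.strip().lower()] = v.strip()
    return issuer.strip().lower(), params


def ca_may_issue(fqdn, ca_id):
    """Decide, as a CA identified by ca_id would, whether issuance is allowed."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn
    _, rrset = relevant_rrset(base)
    if not rrset:
        return True                      # no CAA anywhere up the tree: unrestricted
    # An unknown tag with the critical bit set must stop issuance outright.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True                      # e.g. an iodef-only RRset does not restrict
    # Parameters (RFC 8657 accounturi / validationmethods) are parsed, not enforced here.
    return any(parse_issue_value(r.value)[0] == ca_id.lower() for r in applicable)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "comodoca.com"),
                     ("www.example.com", "letsencrypt.org"),
                     ("*.example.com", "comodoca.com"),
                     ("blog.example.com", "letsencrypt.org"),
                     ("locked.example.com", "comodoca.com")]:
        verdict = "ALLOW" if ca_may_issue(name, ca) else "DENY"
        print(f"{ca:16} -> {name:20} {verdict}")
```

Note how api.example.com's own record stops the walk, so the parent's comodoca.com policy never applies there, and how blog.example.com inherits the policy of the CNAME target rather than its own parent. You can see what a real CA would see for your own domain with `dig CAA example.com`; an empty answer for the name and every parent means any CA may issue.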

The downside of CAA

At first glance, there doesn't seem to be any downside to CAA. Everything looks good: domain name holders are empowered, and undesired CAs are thrown out of the window. However, there's more to CAA than meets the eye, and it all boils down to the CA. A CAA record is a policy check that the CA itself performs at issuance time; browsers never consult it, and nothing in the TLS handshake verifies it. So if a CA that is not in your CAA record issues a certificate anyway, no technical mechanism stops that certificate from being accepted. What the CA faces instead is consequences after the fact: the mis-issuance violates the CA/Browser Forum Baseline Requirements, shows up in its audits, is likely to be spotted because certificates are logged in Certificate Transparency, and can lead the browser root programs to penalize or distrust the CA. That is a deterrent, not a block.

Another way to circumvent a CAA record is by tampering with the DNS settings. Of course, it's not as easy as it sounds. However, if an attacker gets hold of your DNS provider or registrar account, he or she can simply change or delete the CAA record and then request a certificate from any CA. An attacker who can spoof DNS answers to the CA's resolver could achieve the same thing without touching your account, which is why the CAA specification (RFC 8659) recommends signing the zone with DNSSEC. Needless to say, this could be dangerous, so protect the accounts that control your DNS (strong authentication, registrar lock) and watch Certificate Transparency logs for certificates you did not request.

Concluding Thoughts

Without a shadow of a doubt, DNS CAA is a great technology. It reduces the risk of issuance by unauthorized CAs at almost no cost, and it is a published standard (RFC 8659) that every publicly trusted CA must honor. Having said that, support on the DNS hosting side still lags: some DNS service providers don't let you add a CAA record yet, so check yours before you plan on it. Also note that CAA only governs new issuance; it does not revoke certificates that already exist. Give it some time, and you'll have a fantastic standard that protects your domain from unwanted certificates!


Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.