
CAA – a new type of DNS record

zilore • 29/08/2017

Hello everyone!

We have added support for a new type of DNS record, the CAA.

A CAA (Certification Authority Authorization) record is used to specify the certification authorities that are allowed to issue SSL/TLS certificates for a certain domain name or sub-domain.

Beginning on September 8, 2017, every certification authority will be required to follow the CAA records of the domain name or sub-domain for which a certificate is requested.

Using CAA records raises the level of security on the Internet as a whole by reducing the cases in which a certificate is obtained for a domain name without the authorization of its owner.

We have prepared detailed instructions explaining the CAA record options and their format.

For your convenience, we have launched an on-line CAA record generator that will help correctly format the CAA records needed for your domain name – caa.zilore.com.

Record format:

CAA <flags> <tag> <value>

A CAA record consists of three elements separated by spaces:

flag

The flag element is an 8-bit number whose most significant bit (the "issuer critical" bit) tells the certification authority whether it must understand the record in order to act on it. At this time, the following values are permitted:

0

If the tag element is not supported or recognized by the certification authority, the certification authority may still issue a certificate for the domain name or sub-domain as it sees fit.

128

If the tag element is not supported or recognized by the certification authority, the certification authority should not issue a certificate for the domain name or sub-domain.

tag

The tag element can take one of the following values:

issue

Identifies a certification authority authorized to issue certificates for the domain name or sub-domain on which the record is set.

issuewild

Identifies a certification authority authorized to issue wildcard certificates for the domain name or sub-domain on which the record is set. A wildcard certificate covers the domain name or sub-domain itself and all of its sub-domains.
</gml_replace>
<gr_replace lines="53" cat="clarify" orig="Identifies the e-mail">
Identifies the e-mail address or URL (in the format defined by RFC 5070) that the certification authority must use to report a certificate request that violates the rules defined by the domain name's CAA records.

iodef

Identifies the e-mail address or URL (in compliance with Standard RFC 5070) that the certification authority must use for notifications in the event it receives a request for issuance of a certificate in violation of certain rules defined by the CAA record for the domain name.

value

The value element depends on the tag and must be enclosed in double quotation marks ("").

Some certification authorities accept additional parameters in the value element. In that case, the parameters are separated from the domain name and from each other by a semicolon (;).

Example: 0 issue "comodoca.com; account=12345"

Where tag = issue

The value is the domain name of the certification authority authorized to issue certificates for the domain name or sub-domain on which the record is set.

Example: example.com. CAA 0 issue "comodoca.com"

To keep every certification authority from issuing a certificate for the domain name or sub-domain on which the record is set, use a semicolon (;) in place of the certification authority's domain name.

Example: example.com. CAA 0 issue ";"

Where tag = issuewild

Same as when tag = issue, except that the rule applies to wildcard certificates.

Example: example.com. CAA 0 issuewild "comodoca.com"

Example: example.com. CAA 0 issuewild ";"

Where tag = iodef

The value is the e-mail address ("mailto:abuse@example.com") or URL ("http(s)://URL") that the certification authority must use to report an unauthorized request for a certificate for the domain name or sub-domain on which the record is set.

Example: example.com. CAA 0 iodef "mailto:abuse@example.com"

Special considerations:

The CAA records of a domain name or sub-domain are inherited by all of its sub-domains unless a sub-domain explicitly defines CAA records of its own.

To specify two or more certification authorities for one domain name or sub-domain, multiple CAA records must be used.

A missing CAA record will be interpreted by any certification authority as permission to issue a certificate.

The complete specification of the CAA record is available in RFC 6844.
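As an added example (not code from Zilore or from this post), the following Python script implements the record format described above and the rules from the special considerations: parsing "<flags> <tag> "<value>"", splitting a value such as "comodoca.com; account=12345" into the CA domain and its parameters, inheriting records from the parent name, treating a missing record as permission, refusing to issue when a critical flag carries an unknown tag, and the ";" value that blocks every CA. The zone contents are constructed for the demonstration and stand in for a real DNS lookup; the lookup order (the name itself, then each parent in turn) follows RFC 6844.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed in-memory zone data used instead of a live DNS query.
# Keys are owner names; values are the CAA RRset as zone-file RDATA text.
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "example.com.": [
        '0 issue "comodoca.com; account=12345"',
        '0 issuewild ";"',                       # no wildcard certificates at all
        '0 iodef "mailto:abuse@example.com"',
    ],
    "dev.example.com.": [
        '128 futuretag "x"',                     # critical flag on a tag no CA knows
    ],
    "locked.example.com.": [
        '0 issue ";"',                           # no CA may issue here
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # Most significant bit of the 8-bit flags field is "issuer critical".
        return bool(self.flags & 0x80)


_RDATA = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')


def parse_caa(text: str) -> CAARecord:
    """Parse '<flags> <tag> "<value>"' exactly as written in a zone file."""
    m = _RDATA.match(text.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {text!r}")
    flags = int(m.group(1))
    if not 0 <= flags <= 255:
        raise ValueError("flags must be an 8-bit number")
    return CAARecord(flags, m.group(2).lower(), m.group(3))


def split_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'ca.example; account=12345' into the CA domain and its parameters."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip()] = v.strip()
    return parts[0].lower(), params


def relevant_rrset(zone: Dict[str, List[str]], name: str) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 6844 tree climbing: the first CAA RRset found at the name or any parent."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in zone:
            return owner, [parse_caa(t) for t in zone[owner]]
    return None, []


def may_issue(zone: Dict[str, List[str]], name: str, ca: str, wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether certification authority `ca` may issue for `name`."""
    owner, rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no CAA record found: issuance permitted"
    # A critical record whose tag the CA does not understand forbids issuance.
    for r in rrset:
        if r.critical and r.tag not in KNOWN_TAGS:
            return False, f"critical unknown tag {r.tag!r} at {owner}"
    tag = "issuewild" if wildcard else "issue"
    props = [r for r in rrset if r.tag == tag]
    if wildcard and not props:
        # No issuewild property: wildcard requests fall back to the issue properties.
        props = [r for r in rrset if r.tag == "issue"]
    if not props:
        return True, f"no {tag} property at {owner}: issuance permitted"
    for r in props:
        domain, _params = split_value(r.value)
        if domain == ca.lower():          # ";" yields an empty domain, so it never matches
            return True, f"{ca} authorised by {r.tag} at {owner}"
    return False, f"{ca} not listed in the {tag} records at {owner}"


def iodef_contacts(zone: Dict[str, List[str]], name: str) -> List[str]:
    """Where a CA should report a request that the CAA records do not allow."""
    _owner, rrset = relevant_rrset(zone, name)
    return [r.value for r in rrset if r.tag == "iodef"]


if __name__ == "__main__":
    for n, ca, wc in [("www.example.com.", "comodoca.com", False),
                      ("www.example.com.", "other-ca.example", False),
                      ("www.example.com.", "comodoca.com", True),
                      ("dev.example.com.", "comodoca.com", False),
                      ("locked.example.com.", "comodoca.com", False),
                      ("example.org.", "comodoca.com", False)]:
        print(n, ca, "wildcard" if wc else "", may_issue(CONSTRUCTED_ZONE, n, ca, wc))
    print("report to:", iodef_contacts(CONSTRUCTED_ZONE, "www.example.com."))
```

To check a real zone, paste the RDATA part of the answer returned by the dig command below into parse_caa; the decision logic then shows what a CA following RFC 6844 would conclude for a given name and issuer.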

How do you check it?

dig zilore.com caa

Zilore Team.