What is a CAA record? A common misbelief.

What is a CAA record

Certification Authority Authorization (CAA, originally RFC 6844, now RFC 8659) is a DNS record type that lets a domain owner state which Certificate Authorities are allowed to issue SSL/TLS certificates for that domain. The idea is to limit certificate mis-issuance by CAs, which does happen from time to time. For example, if you use Let's Encrypt you can name only it in your CAA record, and Comodo or Symantec are then not allowed to issue a certificate for your domain name. If no CAA record exists for a domain, any CA may issue for it. A CAA record may be set on any hostname: the CA looks for the record on the requested name first and then climbs towards the root until it finds one, so a record on a subdomain overrides the record on the parent domain, and the owner can declare specific rules per subdomain.

Two caveats are worth keeping in mind. CAA is a policy check performed by the CA at issuance time; it is not enforced by browsers or by DNS itself, so it protects against CAs that follow the rules, not against a CA that ignores them or is compromised, and it says nothing about certificates issued before the record was added. Also, CAA only works as intended if the authoritative DNS server answers CAA queries correctly: a server that returns an error (SERVFAIL) for the record type instead of an empty answer makes the CA treat the lookup as failed, and the CA then refuses to issue.

CAA record example

An example of a CAA record can be found below. The three fields after the record type are the flags byte (0 means the record is not marked critical; 128 means a CA that does not understand the tag must not issue), the property tag and the value. The issue tag names the CA allowed to issue ordinary certificates; a separate issuewild tag governs wildcard certificates, and the iodef tag gives a contact URL to which the CA can report requests that violated the policy.

hostinsider.com. CAA 0 issue "letsencrypt.org"
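The lookup described above, as an added example that is not part of the original article: the check a CA performs before issuance, following RFC 8659 (climb from the requested hostname towards the root, use the first non-empty CAA record set found, let issuewild override issue for wildcard requests, and refuse on a critical record with an unknown tag). It runs against a constructed in-memory zone instead of live DNS; the hostnames and records in the zone, and the CA domain names passed in, are assumptions for illustration. To inspect a real domain, run `dig CAA hostinsider.com` (older versions of dig need `TYPE257`).

```python
# Added example, not the article's code: CAA evaluation per RFC 8659 against a
# constructed zone. Names, records and CA identifiers below are assumptions.

# Constructed zone: name -> list of (flags, tag, value). Flag 128 is the
# "issuer critical" bit; a critical record with a tag the CA does not
# understand means "do not issue".
ZONE = {
    "hostinsider.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "iodef", "mailto:security@hostinsider.com"),
    ],
    # A subdomain with its own record set replaces the parent's set entirely.
    "shop.hostinsider.com": [
        (0, "issue", "digicert.com; validationmethods=dns-01"),
        (0, "issuewild", ";"),   # ";" means nobody may issue wildcard certs
    ],
    # Critical record with a tag this code does not implement.
    "legacy.hostinsider.com": [(128, "futuretag", "x")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def zone_line(name, flags, tag, value):
    """Render a record the way it appears in a zone file."""
    return f'{name}. CAA {flags} {tag} "{value}"'


def caa_lookup(hostname):
    """Return the relevant CAA record set for hostname, or [] if nothing is
    found all the way up to the root. For www.hostinsider.com the names tried
    are www.hostinsider.com, hostinsider.com, com (in that order)."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def _issuer_domain(value):
    """Issuer domain part of an issue/issuewild value: the text before the
    first ';' (parameters follow it), trimmed and lower-cased. ';' alone
    yields '' which matches no CA."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(hostname, ca_domain, wildcard=False):
    """Decide whether the CA identified by ca_domain may issue a certificate
    for hostname. For a wildcard request *.hostinsider.com pass
    hostname='hostinsider.com' and wildcard=True, as RFC 8659 starts the
    search at the name after the '*.' label."""
    rrset = caa_lookup(hostname)
    if not rrset:
        return True        # no CAA anywhere in the tree: issuance unrestricted
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False       # critical record this CA cannot honour
    issue = [_issuer_domain(v) for _, t, v in rrset if t == "issue"]
    issuewild = [_issuer_domain(v) for _, t, v in rrset if t == "issuewild"]
    # issuewild, when present, takes precedence for wildcard requests;
    # otherwise the issue records apply to wildcards too.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True        # e.g. only an iodef record: nothing restricts issuance
    return ca_domain.lower() in relevant


if __name__ == "__main__":
    for name, rrset in ZONE.items():
        for flags, tag, value in rrset:
            print(zone_line(name, flags, tag, value))
    for host, ca, wild in [
        ("www.hostinsider.com", "letsencrypt.org", False),
        ("www.hostinsider.com", "comodoca.com", False),
        ("shop.hostinsider.com", "digicert.com", False),
        ("shop.hostinsider.com", "digicert.com", True),
        ("legacy.hostinsider.com", "letsencrypt.org", False),
        ("anything.nocaa.example", "letsencrypt.org", False),
    ]:
        print(host, ca, "wildcard" if wild else "", "->", ca_may_issue(host, ca, wild))
```

Note that the parent's iodef record is not inherited by shop.hostinsider.com: once a record set is found, the climb stops, so a subdomain that needs its own issue rule has to repeat any iodef record as well.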

CAA misbelief

Currently there is a common misbelief that a CAA record is obligatory for every domain name. Most likely this comes from the news that every certificate authority has to check CAA before issuing a certificate: the CA/Browser Forum adopted that requirement (Ballot 187) in March 2017, and it became binding for publicly trusted CAs on 8 September 2017. Before that, checking CAA was optional for CAs. The truth is that it is entirely up to the domain owner whether to add the record. What is mandatory is on the CA's side: it has to look up the CAA records of your domain name before issuing a certificate for it, and if none exist it may proceed.

Who supports CAA and who doesn’t

The vast majority of DNS providers also do not have this feature in their interfaces yet. For example, cPanel added it only in version 66, which by far is not yet offered by many hosting providers on shared servers. As of October 2017, Google Domains does not support CAA, and you cannot configure it at Hetzner or Namecheap either. CloudFlare has the feature in beta. DigitalOcean, Gandi and Route 53 allow adding CAA records to your DNS zone. If your provider cannot host the record, nothing breaks: the absence of a CAA record simply leaves issuance unrestricted, exactly as it was before.
