Explaining CAA DNS Record

Pavol Z. Kutaj - Nov 4 - - Dev Community

The aim of this page is to explain Certificate Authority Authorization (CAA) DNS records and how they function. Why? Because I am having an issue creating a TLS cert with Traefik as the CAA record of the vendor is not listing Let's Encrypt as an allowed Certificate Authority.

  • CAA records authorize specific Certificate Authorities (CAs) to issue SSL/TLS certificates for a domain.
  • Enhances security by preventing unauthorized CAs from issuing certificates.
  • Contains fields: Flags, Tag, and Value.
  • Flags: Integer value, typically 0.
  • Tag: Specifies the type of policy, e.g., issue, issuewild, iodef.
  • Value: Domain of the authorized CA.
  • Real-world example:

```text
doggo CAA google.com
NAME        TYPE    CLASS   TTL     ADDRESS             NAMESERVER
google.com. CAA     IN      9550s   0 issue "pki.goog"  8.8.8.8:53
```
  • The record type is defined in RFC 8659.
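To make the Flags/Tag/Value fields and the lookup rule concrete, here is an added example (not from the original post) that parses CAA records in the presentation format shown above and decides whether a given CA may issue for a name the way RFC 8659 describes: climb from the queried name toward the root, take the first CAA set found, honour the issuer-critical flag bit, and prefer `issuewild` for wildcard requests. The zone data, the owner names and the `locked-tag` property are constructed for the example.

```python
"""Decide whether a CA is authorized by CAA, following RFC 8659 (added example)."""
from dataclasses import dataclass

ISSUER_CRITICAL = 128          # flag bit: an unknown critical tag forbids issuance
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass(frozen=True)
class CAA:
    flags: int   # integer field, 0 in the doggo output above
    tag: str     # property tag, compared case-insensitively
    value: str   # CA domain for issue/issuewild, a URL for iodef

def parse_caa(rdata: str) -> CAA:
    # Presentation format is: <flags> <tag> "<value>", e.g. 0 issue "pki.goog"
    flags, tag, value = rdata.split(" ", 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))

# Constructed zone: owner name -> CAA rdata strings. Not real DNS data.
ZONE = {
    "example.com": ['0 issue "pki.goog"', '0 iodef "mailto:caa@example.com"'],
    "wild.example.com": ['0 issuewild "letsencrypt.org"'],
    "locked.example.com": ['128 locked-tag "x"', '0 issue "letsencrypt.org"'],
}

def relevant_rrset(name: str, zone: dict) -> list[CAA]:
    """Climb from the queried name toward the root; the first CAA RRset found applies."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return [parse_caa(r) for r in zone[owner]]
    return []

def ca_may_issue(name: str, ca_domain: str, wildcard: bool = False, zone: dict = ZONE) -> bool:
    rrset = relevant_rrset(name, zone)
    # A critical flag on a tag the CA does not understand means: do not issue.
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild present: issue records are ignored for wildcards
    restricting = [r for r in rrset if r.tag == tag]
    if not restricting:
        return True        # no CAA property restricts this kind of request
    # The value may carry parameters after ';' (e.g. accounturi=...); only the domain matters here.
    allowed = {r.value.split(";")[0].strip().lower() for r in restricting}
    return ca_domain.lower() in allowed  # an empty value ("" or ";") forbids every CA
```

Running `ca_may_issue("www.example.com", "letsencrypt.org")` against this zone returns `False`, which is exactly the situation described at the top of the post: the parent's `issue` record names a different CA, so Let's Encrypt must refuse.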
