Certification Authority Authorization (CAA) records let domain owners specify which Certificate Authorities (CAs) are authorized to issue certificates for their domain (RFC 6844). A CAA record can set a policy for the entire domain or for individual hostnames: subdomains automatically inherit the parent's CAA policy, but you can add a separate CAA record for a subdomain so that it follows a different policy.
Adding a CAA record for your domain prevents certificate requests from being fulfilled by unauthorized CAs. If a domain has no CAA record, any CA may issue certificates for it.
Here are some real-world examples of CAA record configurations (skip to Step 1 if you are ready to start):
Canonical Format
<flags> <tag> <value>
Example: example.com. CAA 0 issue "ssl.com"
If you want certificate requests answered by DigiCert and SSL.com, the configuration would look like this:
example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 issue "ssl.com"
If DigiCert does not understand the record information, it will not issue a certificate. Instead, SSL.com will respond.
If you only want DigiCert to issue certificates, you would enter the following:
example.com. CAA 1 issue "digicert.com"
example.com. CAA 0 issue "ssl.com"
To authorize a wildcard certificate, change the tag from issue to issuewild (without quotes):
example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 issuewild "ssl.com"
In the above example, DigiCert would not be able to issue a wildcard certificate for example.com.
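The records above are only useful if you know how a CA evaluates them. The following is an added example, not Constellix code, that applies the RFC 6844 / RFC 8659 checks (subdomain inheritance by walking toward the root, issuewild taking precedence over issue for wildcards, refusal on a critical tag the CA does not understand) to a small zone constructed from this page's examples; the CA is identified by the issuer domain that goes in the Data field.

```python
# Added example (not Constellix code): evaluate a CAA policy the way a CA must (RFC 6844/8659).
import re
from collections import namedtuple

CAA = namedtuple("CAA", "flags tag value")
CRITICAL = 128                  # issuer-critical bit of the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(line):
    """Parse '<owner> [IN] CAA <flags> <tag> "<value>"' into (owner, CAA)."""
    m = re.match(r'^(\S+)\s+(?:IN\s+)?CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$', line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    owner, flags, tag, value = m.groups()
    return owner.rstrip(".").lower(), CAA(int(flags), tag.lower(), value.strip())

def load_zone(lines):
    zone = {}
    for line in lines:
        owner, rec = parse_caa(line)
        zone.setdefault(owner, []).append(rec)
    return zone

def relevant_rrset(zone, hostname):
    """Subdomains inherit: walk from hostname toward the root; first CAA RRset wins."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(zone, hostname, ca, wildcard=False):
    """True if CA 'ca' may issue for hostname (or *.hostname when wildcard=True)."""
    rrset = relevant_rrset(zone, hostname)
    if not rrset:
        return True             # no CAA anywhere in the tree: any CA may issue
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False            # critical property the CA does not understand
    grants = [r for r in rrset if r.tag == "issue"]
    if wildcard:                # issuewild, when present, replaces issue for wildcards
        grants = [r for r in rrset if r.tag == "issuewild"] or grants
    if not grants:
        return True             # only iodef (or no issue/issuewild) present
    # value may carry 'key=value' parameters after ';'; an empty issuer forbids all CAs
    return ca.lower() in {r.value.split(";", 1)[0].strip().lower() for r in grants}

ZONE = load_zone(['example.com. CAA 0 issue "digicert.com"',        # constructed from the page
                  'example.com. CAA 0 issuewild "ssl.com"', 'shop.example.com. CAA 0 issue "ssl.com"'])
```

With this zone, may_issue(ZONE, "www.example.com", "digicert.com") is True while may_issue(ZONE, "example.com", "digicert.com", wildcard=True) is False, which is exactly the wildcard outcome described above.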
1. Navigate to Managed DNS > Domains
After logging in to the Constellix DNS dashboard, select Managed DNS on the left-hand side menu to expand options and then click Domains.
2. Select Domain
From the domains list, click on the domain you want to add the CAA record to.
3. Add CAA Record
After selecting the domain that needs the CAA record, you will be taken to the Records page. Scroll down until you see the option for CAA Record and click the green + icon to expand options.
4. Click the green + icon to add a CAA record.
5. Enter Record Values
You should now see the Add CAA Record pop-up window.
Fill out the following values:
a) Name: Enter the hostname for the record. To set the record for the root domain (@), leave this field blank.
b) TTL: Time to live (measured in seconds) determines how long a record is cached in nameservers. Visit our What is TTL resource for more information and best practices for TTLs.
c) Disable Record: This option allows you to remove records from our nameservers without removing the record configuration in the Constellix DNS control panel. See our Disabling a Record tutorial for more information.
d) Providers: Specify the domain name of the Certificate Authority that applies to this record.
e) Tag: This allows you to choose how you want certificates to be issued by the CA. Each CAA record can contain only one tag-value pair.
issue: Explicitly authorizes a single certificate authority to issue a certificate of any type for the hostname.
issuewild: Authorization for CAs to issue certificates that specify a wildcard domain.
iodef (Incident Object Description Exchange Format): Specifies whether CAs should email reports of certificate issues and policy violations to the domain owner.
f) Data: This field is automatically populated with the FQDN of the CA provider after you choose the provider in step d. If you chose Custom, you will need to enter the FQDN of the CA manually. The Data field is grayed out if No Provider is chosen.
g) Issuer Critical: A value of 0 = "not critical" and 1 = "issuer critical." CAA records have issuer critical set to 0 by default. If a CA does not understand a record marked issuer critical, it will return "no issue" and will not issue the certificate.
h) Notes: The note section lets you add important details and keywords so you can easily search for specific records later (optional, but recommended).
Save and Close/Continue: Click Save and Close if you are finished or choose Save and Continue if you need to enter additional CAA records.
Visit our website for more information on our services and features.