CAA record - CA authority

What is CAA?

CAA is a standard that you can use to control which certification authorities (CAs) may issue certificates for your domain. You can use CAA to reduce the risk posed by vulnerabilities in CA validation systems and to enforce your certificate procurement policies.

To use CAA, publish a set of CAA records in your domain's DNS that list the certification authorities you authorize to issue certificates. Before issuing a certificate, the CA checks your CAA records and refuses the request if it is not listed.

What is a CAA record?

A Certification Authority Authorization (CAA) record is a standard that you can use to specify which certification authorities (CAs) are allowed to issue certificates for your domain.

The purpose of the CAA record is to let domain owners specify which certificate authorities may issue a certificate for a domain. Before issuing a certificate, the CA checks your CAA records and refuses the request if it is not listed. If no CAA record exists, any CA may issue a certificate for the domain.

CAA records can set policies for the entire domain or for specific host names. Subdomains also inherit the CAA records of their parent domain. CAA records can regulate the issuance of single-name certificates, wildcard certificates, or both.

Since September 8, 2017, all certification authorities have been required to check CAA DNS records before issuing a certificate.

We recognize the following domain names in the issue and issuewild property tags as authorizing us to issue:

  • comodo.com
  • comodoca.com
  • usertrust.com
  • trust-provider.com
  • sectigo.com

The following DNS servers support CAA records:

  • BIND (before version 9.9.6, use the RFC 3597 syntax)
  • NSD (before version 4.0.1, use the RFC 3597 syntax)
  • PowerDNS ≥ 4.0.0
  • Knot DNS ≥ 2.2.0
  • Google Cloud DNS
  • DNSimple

Standard BIND zone file

For BIND ≥ 9.9.6, PowerDNS ≥ 4.0.0, NSD ≥ 4.0.1, Knot DNS ≥ 2.2.0

Example: comodo.com. IN CAA 0 issue "comodoca.com"

Generic

For Google Cloud DNS, DNSimple

  • 0 issue "comodoca.com"

Additional reference information: https://tools.ietf.org/html/rfc6844
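An added example (not from this article or from the CA) that models the behaviour described above: how a CA climbs the DNS tree so that subdomains inherit a parent's policy, how the issue and issuewild tags are evaluated for a single-name or wildcard request, and how the same record is written in the RFC 3597 generic form that older BIND and NSD releases need. The zone contents are constructed; the issuer domains are the ones listed earlier.

```python
# Added example, not part of the original article: a small model of the CAA
# check a CA performs (RFC 6844), plus the RFC 3597 generic encoding that
# BIND < 9.9.6 and NSD < 4.0.1 need. Zone contents below are constructed.

# Constructed zone data: owner name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [(0, "issue", "comodoca.com"), (0, "issuewild", ";")],
    "locked.example.com": [(0, "issue", ";")],  # 'issue ";"' authorizes nobody
}

# Issuer domains the article lists for this CA.
SECTIGO_DOMAINS = {"comodo.com", "comodoca.com", "usertrust.com",
                   "trust-provider.com", "sectigo.com"}


def relevant_caa(name, zone=ZONE):
    """Climb from `name` toward the root and return the first CAA RRset found."""
    # Subdomains inherit their parent's policy because the search stops at the
    # closest ancestor that publishes CAA records.
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []  # no CAA anywhere in the chain: issuance is unrestricted


def may_issue(name, ca_domains, zone=ZONE):
    """Return True if a CA recognizing `ca_domains` may issue for `name`."""
    rrset = relevant_caa(name, zone)
    if not rrset:
        return True
    # A critical record (flag bit 128) with an unknown tag forbids issuance.
    if any(f & 128 and t not in ("issue", "issuewild") for f, t, _ in rrset):
        return False
    # "*.example.com" is a wildcard request; "*" never matches a zone name, so
    # the parent's records apply. issuewild overrides issue for wildcards only.
    wildcard = name.startswith("*.")
    tags = {t for _, t, _ in rrset}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    # Keep only the issuer domain; drop any ';'-separated parameters.
    allowed = {v.split(";")[0].strip() for _, t, v in rrset if t == tag}
    allowed.discard("")
    return bool(allowed & set(ca_domains))


def rfc3597_record(owner, flags, tag, value):
    """Render a CAA record in RFC 3597 '\\# <len> <hex>' form (TYPE257)."""
    rdata = bytes([flags, len(tag)]) + tag.encode("ascii") + value.encode("ascii")
    return f"{owner} IN TYPE257 \\# {len(rdata)} {rdata.hex()}"
```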
