CAA record - Certification Authority Authorization
What is CAA?
CAA is a standard that you can use to control which certification authorities (CAs) may issue certificates for your domain. You can use CAA to reduce the risk posed by vulnerabilities in CA validation systems and to enforce certificate procurement policies.
To use CAA, publish one or more CAA records in your domain's DNS that list the certification authorities you authorize to issue certificates for it. Before issuing a certificate, the certification authority checks your CAA records and refuses the request if it is not listed.
What is a CAA record?
A Certification Authority Authorization (CAA) record is a standard that you can use to specify which certification authorities (CAs) are allowed to issue certificates for your domain.
The purpose of the CAA record is to let domain owners authorize which certificate authorities may issue a certificate for a domain. Before issuing a certificate, the certification authority checks your CAA records and refuses the request if it is not listed. If there is no CAA record, any certification authority can issue a certificate for the domain.
CAA records can set policies for the entire domain or for specific host names. CAA records are also inherited by subdomains: a CA that finds no CAA record at a host name looks at its parent domains. CAA records can regulate the issuance of single-name certificates, wildcard certificates, or both.
Since September 8, 2017, all certification authorities have been required to check CAA DNS records before issuing a certificate.
We recognize the following domain names in the issue and issuewild property tags as authorizing issuance:
The following DNS servers support CAA records:
- BIND (before version 9.9.6, use the RFC 3597 syntax)
- NSD (before version 4.0.1, use the RFC 3597 syntax)
- PowerDNS ≥ 4.0.0
- Knot DNS ≥ 2.2.0
- Google Cloud DNS
Standard BIND zone file
For BIND ≥ 9.9.6, PowerDNS ≥ 4.0.0, NSD ≥ 4.0.1, Knot DNS ≥ 2.2.0
Example: comodo.com. IN CAA 0 issue "comodoca.com"
For Google Cloud DNS, DNSimple
- 0 issue "comodoca.com"
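As an added example, not part of the original article, the following Python models the check a CA performs before issuance (closest CAA set up the tree wins, issue vs. issuewild, no CAA anywhere means unrestricted) over a constructed zone, and renders a CAA record in the RFC 3597 generic syntax for the older BIND/NSD versions listed above. The zone contents and the ca/name parameters are assumptions for illustration.

```python
# Added example (not from the original article): a model of the CAA check
# a CA performs, run over a constructed zone rather than live DNS, plus an
# RFC 3597 encoder for zone parsers that predate the CAA record type.
from typing import Dict, List, Optional, Tuple

# Constructed zone: owner name -> list of (flags, tag, value) CAA records.
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com.": [(0, "issue", "comodoca.com"), (0, "issuewild", ";")],
    "mail.example.com.": [(0, "issue", "letsencrypt.org")],
}


def caa_set(name: str) -> Optional[List[Tuple[int, str, str]]]:
    """Simplified RFC 6844 climb: return the CAA set of the closest
    ancestor-or-self of `name` that has one, or None if nothing exists."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = ZONE.get(".".join(labels) + ".")
        if rrset:
            return rrset
        labels.pop(0)
    return None


def may_issue(ca: str, name: str, wildcard: bool = False) -> bool:
    """Decide whether the CA identified by `ca` (e.g. comodoca.com) may
    issue for `name`; `wildcard` asks about *.name instead of name."""
    rrset = caa_set(name)
    if rrset is None:           # no CAA anywhere up the tree: unrestricted
        return True
    # For wildcards, issuewild records take precedence; otherwise issue.
    tags = ["issuewild", "issue"] if wildcard else ["issue"]
    for tag in tags:
        values = [v for _, t, v in rrset if t == tag]
        if values:
            # "comodoca.com; account=1" -> "comodoca.com"; ";" -> nobody
            return ca in [v.split(";")[0].strip() for v in values]
    return True                 # set has no issue/issuewild: no restriction


def rfc3597(flags: int, tag: str, value: str) -> str:
    """Render a CAA record in the generic \\# syntax of RFC 3597:
    flags (1 byte), tag length (1 byte), tag, value."""
    wire = bytes([flags, len(tag)]) + tag.encode() + value.encode()
    return f"\\# {len(wire)} {wire.hex()}"
```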
Additional reference information: https://tools.ietf.org/html/rfc6844