Implementing Certification Authority Authorization (CAA)

14 April 2021 - Articles

Certification Authority Authorization (CAA) is used to specify which Certificate Authorities may issue certificates for a domain. Whilst the lack of CAA does not constitute a vulnerability in itself, CAA may be used to harden the transport layer security of an application by reducing the risk of certificates being mis-issued. Additionally, it can be used to notify the application owner when a mis-issue is detected and prevented through CAA.

CAA can be implemented by setting a CAA DNS record with the following format:

CAA <flags> <tag> <value>

e.g.

example.com. CAA 0 issue "letsencrypt.org"

The flag element is used to set whether the entry is critical. If set to one, the entry must be understood by the certificate authority when issuing the certificate. As per the RFC, this is intended to allow new semantics that affect the issuing of the certificate to be added in the future, and to prevent the certificate from being issued if the issuer does not recognise the functionality. It is typically set to the digit zero.

The tag element can be one of: issue, issuewild, or iodef. issue is used to specify that the CA can issue a certificate for the domain. issuewild is used to specify that the CA can issue wildcard certificates for the domain. iodef is used to specify a URL to which reports are sent when a request violates the CAA record. The URL can be an http:, https:, or mailto: URL. This allows a web request to be sent to an API, or an email describing the issue to be sent.

When using the issue tag, the name of an approved CA should be included, such as “letsencrypt.org” or “comodoca.com”. Each record can only include one tag:value pair – therefore, to approve two or more CAs you must create multiple CAA records.
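To check a record set before publishing it, the following added example (not part of the original article) parses CAA lines in the format above and evaluates whether a given CA would be authorised. It goes beyond the text by applying the RFC 8659 rules for issuewild precedence, the bare ";" value and the critical bit; the function names and sample records are constructed for illustration.

```python
import shlex

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample record set for example.com (not from the original page).
SAMPLE = '''example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "comodoca.com"
example.com. CAA 0 issuewild ";"
example.com. CAA 0 iodef "mailto:security@example.com"'''

def parse_caa(line):
    """Parse '<owner> CAA <flags> <tag> "<value>"' into a dict."""
    owner, rtype, flags, tag, value = shlex.split(line)
    if rtype.upper() != "CAA":
        raise ValueError("not a CAA record: " + line)
    flags = int(flags)
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    # RFC 8659: the issuer-critical flag is the high bit, written as 128.
    return {"owner": owner, "critical": bool(flags & 0x80),
            "tag": tag.lower(), "value": value}

def issuer_domain(value):
    """Strip optional ';'-separated parameters; a bare ';' names no CA."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(records, ca, wildcard=False):
    """Return True if `ca` may issue under this CAA record set."""
    # A critical record with a tag the CA does not understand blocks issuance.
    if any(r["critical"] and r["tag"] not in KNOWN_TAGS for r in records):
        return False
    issue = [r for r in records if r["tag"] == "issue"]
    wild = [r for r in records if r["tag"] == "issuewild"]
    # For wildcard requests issuewild records, when present, replace issue.
    relevant = wild if (wildcard and wild) else issue
    if not relevant:          # e.g. only iodef records: nothing restricts
        return True
    return any(issuer_domain(r["value"]) == ca.lower() for r in relevant)

def report_targets(records):
    """URLs the domain owner wants violation reports sent to."""
    return [r["value"] for r in records if r["tag"] == "iodef"]

if __name__ == "__main__":
    rrset = [parse_caa(l) for l in SAMPLE.splitlines()]
    for ca in ("letsencrypt.org", "other-ca.example"):
        print(ca, may_issue(rrset, ca), may_issue(rrset, ca, wildcard=True))
    print("reports to:", report_targets(rrset))
```

With the sample set, both listed CAs may issue ordinary certificates, while the issuewild ";" record stops every CA from issuing a wildcard.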

That’s it!
