
How To Create and Manage CAA Records Using DigitalOcean DNS

Posted September 8, 2017 (DNS, DigitalOcean)

Introduction

Certificate Authority Authorization (CAA) is a standard, defined in RFC 6844, that lets a domain owner state which Certificate Authorities (CAs) may issue SSL/TLS certificates for the domain. A CA consults the domain's CAA records before issuing and must refuse a request that the records do not authorize; publicly trusted CAs have been required to perform this check by the CA/Browser Forum Baseline Requirements since September 8, 2017. CAA is enforced at issuance time by the CA, not by browsers, so it limits mistaken or attacker-requested issuance at compliant CAs but is not a substitute for monitoring Certificate Transparency logs for certificates you did not request.

Prerequisites

To follow this tutorial, you will need:

  • A domain name that has been added to DigitalOcean DNS.

When you've set up your domain name on DigitalOcean, you're ready to begin.

Background

Certificate Authority Authorization uses Domain Name System (DNS) resource records. If you're new to DNS, the Introduction to DNS Terminology, Components, and Concepts can help you get familiar.

Like other types of DNS records, CAA records can apply to an entire domain such as example.com or to specific subdomains like beta.example.com. When a CA checks a hostname, it looks for CAA records at that exact name first and, finding none, climbs to each parent in turn (beta.example.com, then example.com), using the first record set it finds; a record set on a subdomain therefore replaces, rather than adds to, the parent's policy for that subdomain. As with other records, the lifespan of the record can be set with a Time To Live (TTL) value given in seconds.

In addition to these common DNS fields, CAA records use three fields that are particular to them: tags, values, and flags.

Tags
A tag is an ASCII string naming the property the record sets. Three tags are defined by the CAA standard:

  • issue authorizes a single CA to issue certificates for a hostname, including wildcard certificates unless an issuewild record is also present. To allow multiple CAs, each requires its own record.
  • issuewild authorizes a single CA to issue wildcard certificates, and only wildcard certificates, for a hostname. Again, to allow multiple CAs, each requires its own record.
  • iodef defines a URL where a certificate authority can report policy violations. Each contact URL requires its own record.

In addition to these, the CAA standard allows new tags to be registered with IANA. Each CAA record carries exactly one tag.

Values
A value is a string associated with a tag.

For the issue and issuewild tags, you'll typically set the value to the domain name of the CA being granted permission by the record, e.g. letsencrypt.org.

For iodef you'll supply a URL where policy violations should be reported. This may be the URL of a service set up specifically for this purpose but more often, it will be a mailto URI like mailto:sammy@digitalocean.com.

Note: The CAA standard also supports:

  1. Blocking every CA from issuing certificates by using a lone semicolon (;) as the value of an issue or issuewild record
  2. Name-value parameters after the CA name, separated by a semicolon, for example: letsencrypt.org; abc=cde (RFC 8657 later standardized the accounturi and validationmethods parameters for ACME CAs such as Let's Encrypt)

At the time of this writing, these are not supported by DigitalOcean DNS. We are working on it, and we will support them soon.

Flags
A flag is an unsigned integer between 0 and 255, the value of a single octet. Only one bit is currently assigned: the Issuer Critical flag, which in this integer form has the value 128. It tells a CA how to behave when it encounters a tag it doesn't understand.

The default flags value is 0. When a CA looks up the CAA records for a name before issuing and finds a record with a tag it doesn't understand, and that record's flags are 0, it ignores that record and continues to process the remaining records.

However, if any record in the set has the Issuer Critical flag set (flags 128) and the CA doesn't understand that record's tag, a standards-compliant CA must refuse to issue a certificate. Setting the flag on a standard tag such as issue changes nothing in practice, since every CA understands it; setting it on a tag of your own blocks all issuance at every CA that doesn't recognize the tag, which is usually all of them.

You can learn more about the DNS Certification Authority Authorization (CAA) Resource Record in RFC 6844, which has since been revised as RFC 8659.

Step 1 — Navigating to the CAA Record Creation Page

Locate the domain on the networking tab of the DigitalOcean Control Panel, then click into it:

Screenshot showing a domain in the Control Panel

From within the domain under the Create new record header, choose CAA:

Screenshot with the CAA tab highlighted

The CAA tab contains the fields you need to add CAA records. In our next step, we'll create a record to allow Let's Encrypt to issue certificates for our domain.

Step 2 — Creating Issue Records

We're going to create a record that allows Let's Encrypt to issue certificates for any hostname at digitalocean.love.

Screenshot with the issue values filled in

  1. HOSTNAME
    To apply this record to the entire domain, we'll enter @.

  2. AUTHORITY GRANTED FOR
    Here, we enter the issuer domain name that the Certificate Authority publishes for CAA matching. For Let's Encrypt, that is letsencrypt.org. The value must match exactly: a mistyped name authorizes no one rather than the intended CA.

  3. TAG
    Since we want to give permission for Let's Encrypt to generate any kind of certificate, we'll select the issue tag from the dropdown.

  4. FLAGS
    We'll accept the default of 0.

  5. TTL (SECONDS)
    We'll accept the default of 3600.

When we click Create Record, the new CAA record appears at the top of the domain's record set.

Screenshot of the completed issue record

Issue records are additive: each one authorizes one more CA. If we want to allow another CA to issue certificates, we add an additional issue record rather than editing this one.

Step 3 — Creating Issuewild Records

A wildcard certificate covers every direct subdomain, *.digitalocean.love. In the absence of an issuewild record, wildcard issuance is governed by the issue records, so after Step 2 only Let's Encrypt could issue a wildcard certificate for our domain. In this example, we'll add a record to permit a different certificate authority, Comodo, to issue wildcard certificates (and only wildcard certificates).

Screenshot with the issuewild values filled in

  1. HOSTNAME
    We'll apply this to digitalocean.love by entering @.

  2. AUTHORITY GRANTED FOR
    Next we'll enter Comodo's domain name, comodoca.org. As in Step 2, this must be the exact issuer domain name the CA publishes for CAA; check the CA's documentation rather than guessing it from the brand name.

  3. TAG
    We'll select the issuewild tag from the dropdown.

  4. FLAGS
    We'll accept the default of 0.

  5. TTL (SECONDS)
    We'll accept the default of 3600.

Screenshot of the completed issue and issuewild records

Now that an issuewild record exists, it alone governs wildcard issuance: no other CA, Let's Encrypt included, can issue a wildcard certificate for digitalocean.love unless we add an issuewild record that explicitly allows it. Let's Encrypt's issue record continues to cover ordinary certificates.

Step 4 — Creating Iodef Records

Finally, we're going to add an iodef record so that CAs can contact us in the event of policy violations.

Screenshot with the iodef values filled in

  1. HOSTNAME
    Once again, we'll enter @ to indicate this contact information is for the entire digitalocean.love domain.

  2. AUTHORITY GRANTED FOR
    The field carries the same label whatever the tag. For iodef, we'll enter the contact address as a mailto URI, mailto:caapolicy@digitalocean.love. An http or https URL that accepts IODEF reports works here too.

  3. TAG
    We'll select the iodef from the dropdown.

  4. FLAGS
    We'll accept the default of 0.

  5. TTL (SECONDS)
    We'll accept the default of 3600.

Screenshot of the completed issue, issuewild, and iodef records

If a CA receives a request that violates this policy, this record tells it where to send the report. The standard lets CAs report but does not require it, so treat iodef as a courtesy channel rather than as a detection control.
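The Background section describes how tags, values and flags are interpreted, and Steps 2 through 4 build a record set; the following is an added example, not code from the tutorial, that evaluates that record set the way a CA does under RFC 6844. ZONE is a constructed record set: the three records from Steps 2 to 4 plus two hypothetical owner names, locked.digitalocean.love and strict.digitalocean.love, that illustrate the semicolon value and the Issuer Critical flag described above.

```python
"""Evaluate CAA policy the way a CA does (RFC 6844, Sections 4 and 5).

Added example, not part of the original tutorial. ZONE is a constructed
record set: the three records created in Steps 2-4 plus two hypothetical
owner names that illustrate the ';' value and the Issuer Critical flag.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 128          # bit 0 of the flags octet, in RFC 6844's numbering
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0-255
    tag: str     # property tag, compared case-insensitively
    value: str   # property value

    @property
    def critical(self) -> bool:
        return bool(self.flags & ISSUER_CRITICAL)


def parse_caa(text: str) -> CAARecord:
    """Parse presentation format, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = text.split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    flags = int(flags)
    if not 0 <= flags <= 255:
        raise ValueError(f"flags out of range: {flags}")
    return CAARecord(flags, tag.lower(), value)


ZONE = {
    # The record set built in Steps 2-4 of the tutorial.
    "digitalocean.love": [
        parse_caa('0 issue "letsencrypt.org"'),
        parse_caa('0 issuewild "comodoca.org"'),
        parse_caa('0 iodef "mailto:caapolicy@digitalocean.love"'),
    ],
    # Hypothetical: a name for which no CA at all may issue (empty issuer domain).
    "locked.digitalocean.love": [parse_caa('0 issue ";"')],
    # Hypothetical: a critical record with a tag no CA understands (RFC 6844, Section 5.3).
    "strict.digitalocean.love": [
        parse_caa('0 issue "letsencrypt.org"'),
        parse_caa('128 tbs "Unknown"'),
    ],
}


def relevant_record_set(zone, name):
    """RFC 6844 Section 4: use the CAA set at the name itself, otherwise the closest
    ancestor that has one. A wildcard request '*.example' is checked at 'example'.
    Returns (owner, records); owner is None when nothing was found."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        owner = ".".join(labels)
        if owner in zone:
            return owner, zone[owner]
        labels = labels[1:]
    return None, []


def issuer_domain(value):
    """'letsencrypt.org; accounturi=...' -> 'letsencrypt.org'; ';' -> '' (nobody)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone, name, ca):
    """True if the CA identified by issuer domain `ca` may issue a certificate for `name`."""
    wildcard = name.startswith("*.")
    _, records = relevant_record_set(zone, name)
    if not records:
        return True   # no CAA at the name or any ancestor: issuance is unrestricted
    # Section 5.1: a critical record whose tag the CA does not understand forbids issuance.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in records):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"   # when present, issuewild records alone are consulted for wildcards
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True   # the set restricts nothing of this kind (e.g. it holds only iodef)
    domains = {issuer_domain(r.value) for r in relevant} - {""}   # "" is the ';' value: nobody
    return ca.lower() in domains


def report_urls(zone, name):
    """Where a CA should report a request that violated the policy (iodef values)."""
    _, records = relevant_record_set(zone, name)
    return [r.value for r in records if r.tag == "iodef"]


if __name__ == "__main__":
    for name, ca in [("digitalocean.love", "letsencrypt.org"),
                     ("beta.digitalocean.love", "comodoca.org"),
                     ("*.digitalocean.love", "letsencrypt.org"),
                     ("*.digitalocean.love", "comodoca.org"),
                     ("locked.digitalocean.love", "letsencrypt.org"),
                     ("strict.digitalocean.love", "letsencrypt.org")]:
        print(f"{ca:16} {name:28} {'allowed' if may_issue(ZONE, name, ca) else 'refused'}")
    print("report violations to:", report_urls(ZONE, "beta.digitalocean.love"))
```

Two results are worth noticing: beta.digitalocean.love inherits the parent's policy because it has no CAA set of its own, and once the issuewild record for comodoca.org exists, letsencrypt.org is refused for *.digitalocean.love even though its issue record is still present.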

Step 5 — Managing Existing Records

To update or delete existing records, use the More menu:

Screenshot of expanded More menu with Edit record and Delete options visible

The changes will be immediately reflected in the Control Panel, but resolvers that have cached the previous record set keep answering with it until the TTL you set (3600 seconds by default) expires, so a CA may still see the old policy for up to that long.

Step 6 — Querying your DNS Records

In this final step, we'll look up our DNS records to verify that the changes we've made are visible to the internet. Note that older versions of common DNS tools like dig don't recognize the CAA type by name; they can still query it by number (dig TYPE257 digitalocean.love) and will print the answer in the generic hexadecimal form described in RFC 3597, so you may want to update the tool you're using.

We'll use Google's web-based Public DNS service to check our records by filling in the digitalocean.love domain and typing "CAA" in the RR Type field, then clicking Resolve:

Screenshot of Google Public DNS with values filled in

The query should return all three CAA records in the answer stanza:

Screenshot of our three CAA records in the output

This output verifies that the CAA records, type 257, are visible.
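A resolver that does not know type 257 returns the same RDATA, just undecoded. The following is an added example, not code from the tutorial, that decodes CAA RDATA from the wire format of RFC 6844 Section 5.1 and from the generic "\# length hex" syntax of RFC 3597 that older dig versions print. SAMPLE_DIG_LINE is constructed here to have the shape of such output for the issue record created in Step 2; it is not captured from a real query.

```python
"""Decode CAA RDATA (RR type 257) from the wire format, including the RFC 3597
generic syntax that older dig versions print for types they do not know.

Added example, not part of the original tutorial. SAMPLE_DIG_LINE is constructed
to have the shape of such dig output for the issue record created in Step 2.
"""
import re

ISSUER_CRITICAL = 128

# Constructed sample: what a dig without CAA support prints for the Step 2 record.
SAMPLE_DIG_LINE = (
    "digitalocean.love.\t3600\tIN\tTYPE257\t"
    "\\# 22 000569737375656c657473656e63727970742e6f7267"
)

_GENERIC = re.compile(r"\\#\s+(\d+)\s*((?:[0-9A-Fa-f]{2}\s*)*)$")


def encode_caa(flags: int, tag: str, value: str) -> bytes:
    """RFC 6844 Section 5.1: flags (1 octet), tag length (1 octet), tag, value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    tag_bytes = tag.encode("ascii")
    if not (1 <= len(tag_bytes) <= 255 and tag_bytes.isalnum()):
        raise ValueError("tag must be 1-255 US-ASCII letters or digits")
    return bytes([flags, len(tag_bytes)]) + tag_bytes + value.encode("utf-8")


def decode_caa(rdata: bytes):
    """Inverse of encode_caa; raises ValueError on malformed RDATA."""
    if len(rdata) < 2:
        raise ValueError("RDATA shorter than the flags and tag-length octets")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("tag length is zero or runs past the end of the RDATA")
    tag_bytes = rdata[2:2 + tag_len]
    if not tag_bytes.isalnum():
        raise ValueError("tag contains characters outside [A-Za-z0-9]")
    value = rdata[2 + tag_len:].decode("utf-8")
    return flags, tag_bytes.decode("ascii").lower(), value


def is_valid_rdata(rdata: bytes) -> bool:
    """True if decode_caa accepts the RDATA (UnicodeDecodeError is a ValueError)."""
    try:
        decode_caa(rdata)
        return True
    except ValueError:
        return False


def decode_generic(line: str):
    """Parse the '\\# <length> <hex>' RDATA that dig prints for an unknown RR type."""
    m = _GENERIC.search(line)
    if not m:
        raise ValueError("no RFC 3597 generic RDATA found")
    raw = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    if len(raw) != int(m.group(1)):
        raise ValueError("length field disagrees with the hex data")
    return decode_caa(raw)


def to_presentation(flags: int, tag: str, value: str) -> str:
    """Render as dig prints it once it knows the type, e.g. 0 issue "letsencrypt.org"."""
    return f'{flags} {tag} "{value}"'


if __name__ == "__main__":
    flags, tag, value = decode_generic(SAMPLE_DIG_LINE)
    print(to_presentation(flags, tag, value),
          "(issuer critical)" if flags & ISSUER_CRITICAL else "")
```

The length checks matter when reading answers from untrusted resolvers: a tag length that runs past the end of the RDATA is the one malformed shape a naive decoder silently misreads, and the decoder here rejects it instead.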

Conclusion

In this tutorial, we've provided some background on Certificate Authority Authorization records and demonstrated how to add the three standard resource record types, issue, issuewild, and iodef.

To learn more about DNS in general, visit the series An Introduction to Managing DNS. You can also learn more about CAA records specifically from RFC 6844: DNS Certification Authority Authorization (CAA) Resource Record, and from its revision, RFC 8659.


Creative Commons License