How to Create and Manage CAA Records

CAA Record Background Information

Certificate Authority Authorization (CAA) is a standard designed to prevent bad actors from creating unauthorized SSL/TLS certificates. CAA records allow domain owners to specify which Certificate Authorities (CAs) are permitted to issue certificates.

Like other types of DNS records, CAA records can apply to an entire domain such as example.com or to specific subdomains like beta.example.com. Likewise, the lifespan of the record can be set with a Time To Live (TTL) value given in seconds.

In addition to these common DNS fields, CAA records use three fields that are particular to them: tags, values, and flags.

  • Tags are ASCII strings. Three tags are defined by the CAA standard. In addition to these, the CAA standard permits CAs to define their own tags. Each CAA record is limited to a single tag. The defined tags are:

    • issue authorizes a single CA to issue any type of certificate for a specific hostname. To allow multiple CAs, each requires its own record.
    • issuewild authorizes a single CA to issue a wildcard certificate and only a wildcard certificate for a hostname. Again, to allow multiple CAs, each requires its own record.
    • iodef defines a URL where a certificate authority can report policy violations. Each contact URL requires its own record.
  • Values are strings associated with tags.

    • For the issue and issuewild tags, you’ll typically set the value to the domain name of the CA being granted permission by the record, e.g. letsencrypt.org.
    • For iodef you’ll supply a URL where policy violations should be reported. This may be the URL of a service set up specifically for this purpose but more often, it will be a mailto URI like mailto:sammy@digitalocean.com.
  • Flags are unsigned integers between 0 and 255. Currently this field is used to set an Issuer Critical flag, which specifies how a CA should behave when it encounters a tag it doesn’t understand.

The default flag is 0. When a CA requests the DNS record to issue a certificate, if there’s a tag that it doesn’t understand and the flag is set to 0, it will ignore that specific record and will continue to process any additional records.

However, if any record in the response has a flag set to 1 and the CA doesn’t understand the tag in that record, then a standards-compliant CA must refuse to issue a certificate.

The CAA standard supports:

  1. Blocking anyone from issuing certificates by sending a semicolon (;) in the value
  2. Allowing name-value tags after the CA name, for example: letsencrypt.org; abc=cde

At the time of this writing, these are not supported by DigitalOcean DNS.

You can learn more about the DNS Certification Authority Authorization (CAA) Resource Record in RFC 6844.

Creating CAA Records

You can create a new CAA record from the Networking page. To navigate there from the Control Panel, use the Create menu to select the Domains/DNS option or use the Networking tab at the top of the page. When you’re on the Networking page, click into the domain.

Screenshot showing a domain in the Control Panel

From within the domain under the Create new record header, choose CAA.

Screenshot with the CAA tab highlighted

The CAA tab contains the fields you need to add CAA records.

Create Issue Records

We’re going to create a record that allows Let’s Encrypt to issue certificates for any hostname at digitalocean.love

Screenshot with the issue values filled in

  1. HOSTNAME To apply this record to the entire domain, we’ll enter @.

  2. AUTHORITY GRANTED FOR Here, we enter the domain name for the Certificate Authority. In our case, that will be letsencrypt.org

  3. TAG Since we want to give permission for Let’s Encrypt to generate any kind of certificate, we’ll select the issue tag from the dropdown.

  4. FLAGS We’ll accept the default of 0.

  5. TTL (SECONDS) We’ll accept the default of 3600.

When we click Create Record, the new CAA record appears at the top of the domain’s record set.

Issue tags are additive. If we want to allow another CA to grant certificates, we would need to add an additional record.

Create Issuewild Records

Wildcards are a catchall subdomain, *.digitalocean.love. In the absence of an issuewild record, any CA can issue wildcard certificates. In this example, we’ll add a record to permit a different certificate authority, Comodo, to issue wildcard certificates (and only wildcard certificates).

Screenshot with the issuewild values filled in

  1. HOSTNAME We’ll apply this to digitalocean.love by entering @.

  2. AUTHORITY GRANTED FOR Next we’ll enter Comodo’s domain name, comodoca.org

  3. TAG We’ll select the issuewild tag from the dropdown.

  4. FLAGS We’ll accept the default of 0.

  5. TTL (SECONDS) We’ll accept the default of 3600.

Now that we’ve added Comodo, no other CA can issue wildcard certificates unless we add a record that explicitly allows them to.

Create Iodef Records

Finally, we’re going to add an iodef record so that CAs can contact us in the event of policy violations.

Screenshot with the iodef values filled in

  1. HOSTNAME Once again, we’ll enter @ to indicate this contact information is for the entire digitalocean.love domain.

  2. AUTHORITY GRANTED FOR Next, we’ll enter the contact email in the format mailto:caapolicy@digitalocean.love

  3. TAG We’ll select the iodef from the dropdown.

  4. FLAGS We’ll accept the default of 0.

  5. TTL (SECONDS) We’ll accept the default of 3600.

If a policy violation happens, this record lets certificate authorities know who to contact.

Managing Existing Records

To update or delete existing records, use the More menu:

Screenshot of expanded More menu with Edit record and Delete options visible

The changes will be immediately reflected in the Control Panel, but how soon the changes propagate to DNS servers will be determined by the TTL value.