Using CAA records will ensure your domain/s aren’t issued any SSL certificate/s you didn’t apply for — whether malicious or accidental.
What is CAA?
A CA is a Certification Authority that issues SSL Certificates.
CAA stands for Certification Authority Authorization, which allows you to choose which Certificate Authorities can issue your domain SSL Certificate/s.
You do this by adding a CAA record to your DNS for each Certification Authority you wish to authorize.
Why use CAA?
To ensure that only your chosen Certificate Authorities can issue SSL Certificates to your domains.
As a result, you reduce the risk of fraudulent SSL Certificates being issued to your domain/s.
How does it work?
When issuing an SSL Certificate to your domain, a Certification Authority will first check the domain’s CAA records for itself.
If present, it will issue your SSL Certificate.
Otherwise, it will block the request and bar itself from issuing SSL Certificates to your domain.
If you add the CAA record later, simply contact your SSL vendor or CA and request that they check your records again.
If no CAA records are on your domain’s DNS, any Certification Authority will be able to issue SSL Certificates to your domain by default.
However, as soon as you add one CAA record, all others are blocked until added.
Checking your CAA records
To check your current CAA records, simply visit Google’s G Suite Toolbox and enter your domain name in the entry field: toolbox.googleapps.com/apps/dig/#CAA/
As of September 8th 2017 all Certification Authorities are required to check a domain’s CAA records before issuing it an SSL Certificate.
A simple internet search will reveal your favored Certification Authority’s CAA record names.
How Useful Was This Post?
Let Us Know How We Are Doing - Click A Star To Rate This Post
Average Vote Rating / 5. Vote Count :
Tech/Customer Support agent and Blog Manager at Trustico® Online Limited.
Griffith University graduate with a Bachelor of Arts majoring in Politics & Foreign Relations and Journalism.