A CAA record is a special type of DNS record (think TXT or CERT) that allows domain owners to authorize specific third party vendors to issue SSL certificates on behalf of their domains.
This fall, the CA/Browser Forum (CAB), an organization committed to providing greater assurance to internet users about the websites they visit, is mandating CAA support for Certification Authorities (CAs) as a standard baseline requirement as of September, 2017. As a domain owner, there are no requirements for you to have a CAA record.
This will require CAs to check for the presence of a CAA record and, if one is found, verify that they are authorized prior to issuing certificates for this domain. If a CAA record is not present, the CA can issue a certificate for the domain just as they do today.
CAA resource records allow a domain owner to specify one or more CAs authorized to issue certificates for the owner’s domain. See RFC 6844 for more information on this record type. NS1 is currently working to add support to our network for this important record type ahead of the September 2017 requirement.
As a domain owner, you probably have questions about the CAA record type and what you need to do, if anything, prior to September 2017. Here are some answers to questions we’ve been asked about CAA record types.
1. What does a CAA record do?
The CAA record is effectively an allow list for your certificate provider(s). In a CAA record, you list the CAs that are allowed to issue certificates for your domain.
2. Do I need to add a CAA record to my domain before September 2017?
No. The CAA record is optional for domain owners. If you don’t have a CAA record in place in September, issuing certificates for your domain will remain just as it is today.
3. What if I want to add a CAA record to my domain?
NS1 is currently working to add support to our network for CAA records prior to September 2017. To add a CAA record, you first contact your CA provider and request their identification string. Add this identification string to the CAA record in your domain. This limits who can issue your domain certificates.
4. What if I have more questions about DNS or the CAA record?