How to add a Certificate Authority Authorization (CAA) DNS record

What is a Certificate Authority Authorization (CAA) DNS Record?

A Certificate Authority Authorization (CAA) record is a security measure that allows the domain name owner to specify which Certificate Authority (CA) is authorized to issue certificates for that domain.
If a CA receives an order for a certificate for a domain with a CAA record and that CA isn’t listed as an authorized issuer, they are prohibited from issuing the certificate to that domain or any subdomain.

Why use a CAA?
SSL Certificate Authorities are required to check a domain name’s DNS records for a CAA record before issuing an SSL Certificate.
This has the benefit of preventing unauthorized issuance of an SSL Certificate and will help protect your business and your web site from fraud.

What if I don’t have a CAA Record?
If you don’t have a CAA Record in your DNS, this is the same as saying that all CAs may issue a certificate for you, and as such we would recommend adding a CAA record.

How Do I Create A CAA Record?
We have found a site that will do most of the work for you.
If you visit https://sslmate.com/caa/ you will be able to enter the details needed.
If, for example, you wanted to create a CAA record for ‘redit-example.co.uk’, you would enter the domain name into the box in Section 1.
[Screenshot: SSL Mate CAA Page Step 1]

If you are creating your first CAA record for this domain, click on the Auto-Generate Policy button in Section 2; this will look for any existing SSL Certificates on your domain’s DNS records.
If you think you already have a CAA Record and are looking to update the rules, you can click on Load Current Policy.
If any SSL Certificates are found they will then be selected in Section 3, or you can select Empty Policy.
[Screenshot: SSL Mate CAA Page Step 2]

In Section 3 you can either add additional SSL Certificate providers or remove some of the ones that have been selected for you.
If you are creating a rule for our Shared Hosting Accounts you will need to ensure that Let's Encrypt is selected.
[Screenshot: SSL Mate CAA Page Step 3]

In the next section, ‘Section 4’, you can enter an optional email address, which will be used to contact you if issuance of an SSL Certificate is attempted for your domain by a CA that is not on the allowed list.
[Screenshot: SSL Mate CAA Page Step 4]

Finally, in Section 5 you will see a copy of the DNS records that you will need to add to your DNS zone file.
Most providers will be able to work with the ‘Generic’ output, but other formats are generated if they are needed.
[Screenshot: SSL Mate CAA Page Step 5]
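To make the CA-side check described at the top of this article concrete (a CA receiving an order looks up the domain’s CAA record, a missing record means any CA may issue, and a record covers the domain and its subdomains), here is an added Python example written for this page; it is not code from the article or from the sslmate.com wizard. It parses CAA records in the same plain zone-file form as the wizard’s ‘Generic’ output and applies the lookup rule from RFC 8659: start at the requested name and climb to its parents until a CAA record is found, then compare the CA’s domain against the issue (or issuewild) entries, and treat iodef entries as the contact address from Section 4. The zone contents, CA names and email address below are constructed sample values, not real records.

```python
"""Toy model of how a CA evaluates CAA records (RFC 8659 style).

Added example for this article; constructed sample data, not real zone data.
"""
import re

# Constructed sample zone in the same shape as the wizard's "Generic" output.
# Names, CA domains and the contact address are invented for illustration.
ZONE = """
; CAA policy for the example domain (constructed)
redit-example.co.uk.      300 IN CAA 0 issue "letsencrypt.org"
redit-example.co.uk.      300 IN CAA 0 issue "sectigo.com"
redit-example.co.uk.      300 IN CAA 0 issuewild ";"
redit-example.co.uk.      300 IN CAA 0 iodef "mailto:security@redit-example.co.uk"
dev.redit-example.co.uk.  300 IN CAA 0 issue "digicert.com"
"""

# owner [ttl] IN CAA flags tag "value"
CAA_LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"\s*$')
CRITICAL = 0x80  # issuer-critical flag bit from RFC 8659
KNOWN_TAGS = ("issue", "issuewild", "iodef")


def parse_zone(text):
    """Map each owner name to its list of (flags, tag, value) CAA records."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record line: {line}")
        name, flags, tag, value = m.groups()
        owner = name.rstrip(".").lower()
        records.setdefault(owner, []).append((int(flags), tag.lower(), value))
    return records


def find_relevant_caa(records, fqdn):
    """Climb from fqdn towards the root; the closest owner with CAA wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    while labels:
        owner = ".".join(labels)
        if owner in records:
            return owner, records[owner]
        labels = labels[1:]
    return None, []


def ca_may_issue(records, fqdn, ca_domain, wildcard=False):
    """Return (allowed, reason) for a CA identified by ca_domain."""
    owner, rrset = find_relevant_caa(records, fqdn)
    if not rrset:
        # The article's rule: no CAA record means every CA may issue.
        return True, "no CAA record found; any CA may issue"
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False, f"critical unknown tag '{tag}' at {owner}"
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for _, t, v in rrset if t == tag]
    if wildcard and not relevant:
        relevant = [v for _, t, v in rrset if t == "issue"]  # fall back to issue
    if not relevant:
        return True, f"CAA at {owner} does not restrict '{tag}'; issuance allowed"
    for value in relevant:
        issuer = value.split(";", 1)[0].strip().lower()  # ";" alone = nobody
        if issuer == ca_domain.lower():
            return True, f"{ca_domain} authorised by {tag} record at {owner}"
    return False, f"{ca_domain} not listed in {tag} records at {owner}"


def iodef_contacts(records, fqdn):
    """Addresses a CA should notify about a refused request (Section 4 email)."""
    _, rrset = find_relevant_caa(records, fqdn)
    return [v for _, t, v in rrset if t == "iodef"]


ZONE_RECORDS = parse_zone(ZONE)

if __name__ == "__main__":
    checks = [
        ("www.redit-example.co.uk", "letsencrypt.org", False),  # inherits parent policy
        ("redit-example.co.uk", "digicert.com", False),         # not on the list
        ("redit-example.co.uk", "letsencrypt.org", True),       # wildcard forbidden
        ("dev.redit-example.co.uk", "letsencrypt.org", False),  # closer record wins
        ("other.example", "anyca.example", False),              # no CAA at all
    ]
    for fqdn, ca, wild in checks:
        ok, why = ca_may_issue(ZONE_RECORDS, fqdn, ca, wild)
        print(f"{'ALLOW' if ok else 'REFUSE'}: {fqdn} / {ca} / wildcard={wild}: {why}")
    print("iodef contacts:", iodef_contacts(ZONE_RECORDS, "redit-example.co.uk"))
```

Once the records are published, `dig +short CAA redit-example.co.uk` (or the equivalent lookup in your DNS provider’s tools) should show the same issue, issuewild and iodef lines you added; a CA performs the same climb-and-compare lookup this example does.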


If you are using the redIT Shared Web Hosting Platform you can add these records through our Hosting Control Panel. Once you are logged in, select Domain Names from the left-hand menu:
[Screenshot: Hosting Control Panel left menu with Domain Names highlighted]

Now from the DNS management page select the domain name that you wish to add the CAA record for and click on the DNS Records button.
[Screenshot: Hosting Control Panel steps to DNS Records highlighted]

You should now see a list of all your current DNS Records for the selected Domain Name.
To add the new record or records you will need to click on the Create record button at the top of this page.
[Screenshot: Hosting Control Panel Create record button highlighted]

Finally, for each of the records that the CAA wizard has shown you, simply enter the details into the new record form.
In this example we have added the first result returned from the wizard, as shown above.
[Screenshot: Hosting Control Panel new DNS record form with the CAA record entered]

