The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain. CAA records can set policy for the entire domain, or for specific hostnames. They are also inherited by subdomains, therefore a CAA record set on domain.com will also apply to any subdomain, such as subdomain.domain.com (unless overridden). CAA records can control the issuance single-name certificates, wildcard certificates, or both
Flag: All records will have the default issuer critical value of 0, which means they are “not critical”. Flag 128 is used for “critical”
Type: Type allows you to choose how you want certificates to be issued by the CA. Each CAA record can contain only one tag-value pair.
- Issue: Explicitly authorizes a single certificate authority to issue a certificate (any type) for the hostname.
- Issuewild: Authorization to issue certificates that specify a wildcard domain. Please note: issuewild properties take precedence over issue properties when specified.
- Iodef: (Incident Description Exchange Format) Specifies a means of reporting certificate issue requests or cases of certificate issue for the corresponding domain that violate the security policy of the issuer or the domain name holder.
In DNSimple, the CAA record is represented by the following customizable elements:
|Name||The hostname for the record, without the domain name. This is generally referred to as “subdomain”. We automatically append the domain name.|
|TTL||The time-to-live in seconds. This is the amount of time the record is allowed to be cached by a resolver.|
|Tag||An ASCII string that represents the identifier of the property represented by the record.|
|Value||The value associated with the tag.|