Configuration of CAA records
Before issuing any certificate, a CA (Certificate Authority) runs a CAA (Certification Authority Authorization) check against the domain in the request.
A CAA record lets an organization control which CAs may issue certificates for its domains, and therefore how and where a certificate can be ordered. It helps the IT department keep track of the certificates that are ordered, and together with our SSL360 tool the IT department can have full control over domains and certificates.
The rules for CAA records on a domain:
- No CAA record: All CAs can issue
- CAA record for specified CA(s): Only specified CA(s) can issue
There are two CAA record commands:
- issue: Allows issuance of certificates for specified CA(s)
- issuewild: Allows issuance of wildcard certificates for specified CA(s)
Example CAA records for trustzone.com:
- issuewild: globalsign.com
- issue: sectigo.com
- issue: globalsign.com
This would allow both GlobalSign and Sectigo to issue regular SSL/TLS certificates for trustzone.com (and any subdomains), while only allowing GlobalSign to issue wildcard certificates.
Note: if a domain has no “issuewild” records, the CAs listed in its “issue” records are also allowed to issue wildcard certificates.
Further, we recommend a TTL value of 3600, and, if your DNS provider requires it, setting the “Flag” value to 0.
An example of a CAA record created on a certain domain:
@ IN CAA 0 issue "globalsign.com"
It is perfectly fine to have CAA records for multiple CAs. Do contact us if you have any questions about getting better control over your certificates.
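The rules above (no record means any CA may issue; an “issue” record restricts regular certificates; an “issuewild” record takes precedence for wildcards, falling back to “issue” when absent) are easy to get wrong when a domain has several records. The following added example, which is not part of this page or of any CA's own code, parses zone-file style CAA lines like the one shown above and answers whether a named CA may issue for a given name. It goes slightly beyond the page in two places that follow RFC 8659: a subdomain without its own CAA records inherits the nearest parent's set (which is why the trustzone.com records cover its subdomains), and the value “;” means no CA may issue. The zone content, the static.trustzone.com deny-all record and the CA names used for lookups are constructed for the example.

```python
"""Evaluate a domain's CAA policy according to the rules described on the page.

Added example, not the page's or any CA's code. The zone below is constructed:
it reproduces the page's trustzone.com records and adds a subdomain that
refuses all issuance (value ";", RFC 8659 semantics).
"""
import re
from dataclasses import dataclass

# Constructed zone-file style lines; not a real DNS zone.
ZONE = """
; constructed example zone
trustzone.com.        3600 IN CAA 0 issuewild "globalsign.com"
trustzone.com.        3600 IN CAA 0 issue "sectigo.com"
trustzone.com.        3600 IN CAA 0 issue "globalsign.com"
static.trustzone.com. 3600 IN CAA 0 issue ";"
"""

# owner [ttl] IN CAA flags tag "value"
CAA_LINE = re.compile(
    r'^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(?P<flags>\d+)\s+'
    r'(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)


@dataclass(frozen=True)
class CAARecord:
    owner: str   # owner name, lower-cased, no trailing dot
    flags: int   # 0 = non-critical, the value the page recommends
    tag: str     # property tag, lower-cased: "issue", "issuewild", ...
    value: str   # CA domain (optionally followed by ";param=value"), or ";"


def parse_zone(text, origin=""):
    """Parse CAA lines; "@" as owner is replaced by `origin` (zone-file convention)."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or zone-file comment
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {raw!r}")
        owner = origin if m["owner"] == "@" else m["owner"]
        records.append(CAARecord(owner=owner.lower().rstrip("."),
                                 flags=int(m["flags"]),
                                 tag=m["tag"].lower(),
                                 value=m["value"].strip()))
    return records


def relevant_records(records, name):
    """Walk from `name` towards the root and return the first non-empty CAA set
    (the RFC 8659 "Relevant RRset"); this is how a parent's records govern
    subdomains that publish none. A wildcard name is checked at its parent."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        found = [r for r in records if r.owner == candidate]
        if found:
            return found
    return []


def ca_named(value):
    """The CA identity is the part before the first ';' (parameters may follow)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(records, name, ca_domain):
    """Page rules: no CAA set -> any CA may issue; otherwise the CA must be listed
    under the applicable tag. issuewild governs wildcard names when present,
    else issue does. A value of ";" names no CA, so it denies everyone."""
    rrset = relevant_records(records, name)
    if not rrset:
        return True
    applicable = []
    if name.startswith("*."):
        applicable = [r for r in rrset if r.tag == "issuewild"]
    if not applicable:
        applicable = [r for r in rrset if r.tag == "issue"]
    if not applicable:
        return True  # CAA records exist but carry no issue/issuewild restriction
    return any(ca_named(r.value) == ca_domain.lower() for r in applicable)


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    for name, ca in [("trustzone.com", "sectigo.com"),
                     ("www.trustzone.com", "sectigo.com"),
                     ("*.trustzone.com", "sectigo.com"),
                     ("*.trustzone.com", "globalsign.com"),
                     ("static.trustzone.com", "globalsign.com")]:
        print(f"{ca:15} -> {name:25} {'allowed' if may_issue(recs, name, ca) else 'denied'}")
```

Run it as-is to see the page's example evaluated: Sectigo may issue regular certificates for trustzone.com and www.trustzone.com but not a wildcard, GlobalSign may issue both, and the constructed static.trustzone.com record blocks every CA for that name.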