By Abhishek Ghosh April 7, 2017 4:49 am Updated on April 7, 2017

What is CAA DNS Record And How to Add?

In March 2017 the CA/Browser Forum voted to make CAA checking mandatory for certificate authorities, effective September 2017. Here is our guide to the CAA DNS record and how to add one. Previously we discussed DNS-based Authentication of Named Entities (DANE) and how to add DANE. CAA stands for Certification Authority Authorization.

 

What is CAA DNS Record?

 

CAA lets the owner of a domain use DNS to state which certificate authorities are allowed (whitelisted) to issue certificates for that domain. For example, thecustomizewindows.com uses a GeoTrust certificate; with a CAA record naming GeoTrust, an attacker cannot go to some other CA and obtain a domain-validated (DV) certificate for the name, and obtaining one from GeoTrust itself would still require passing that CA's own domain validation. CAA is not a check performed by the client end of a TLS connection; it is a check the CA performs before issuance, to make its issuance procedure stricter. As the diagram below shows, CAA only adds one extra step (still a manual one at many CAs, at least for now) to the issuance process; it is not a rock-solid technology on its own:

[Diagram: What is CAA DNS Record And How to Add]

If no CAA record is present, any CA may issue a certificate for the domain. If a CAA record set is present, only the CAs listed in it are allowed to issue certificates for that hostname. CAA records can set policy for the whole domain or for a specific fully qualified domain name: a CA looks for CAA records at the requested name and, if there are none, climbs to the parent name label by label until it finds some, so a record at the zone apex effectively applies to every subdomain unless a subdomain publishes its own. Separate property tags control the issuance of wildcard certificates (issuewild) and of ordinary certificates, including the root (apex) domain (issue).
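The lookup just described is what a CA has to implement on its side. As an added example (not code from the original article), the following Python performs the RFC 6844 section 4 check against a constructed in-memory table of CAA records: it climbs from the requested name toward the root, uses issuewild for wildcard requests and falls back to issue when no issuewild exists, treats ";" as "no CA at all", and refuses when a record carries the critical flag with a tag it does not understand. The zone data, the subdomain names and the "futuretag" tag are assumptions of the example; the CNAME/DNAME following that RFC 6844 also prescribes is deliberately left out.

```python
"""Check whether a CA may issue for a name, following RFC 6844 section 4.

Added example, not code from the original article. The DNS data is a
constructed in-memory table standing in for real CAA lookups; the CNAME/
DNAME following that RFC 6844 also prescribes is deliberately omitted.
"""
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]          # (flags, tag, value)
ISSUER_CRITICAL = 128                     # bit 0 of the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data keyed by owner name without the trailing dot.
ZONE: Dict[str, List[CAARecord]] = {
    "thecustomizewindows.com": [
        (0, "issue", "geotrust.com"),
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "letsencrypt.org"),
        (0, "iodef", "mailto:admin@thecustomizewindows.com"),
    ],
    # ";" as the issuer means "no CA at all" for this subdomain.
    "locked.thecustomizewindows.com": [(0, "issue", ";")],
    # Hypothetical future tag marked critical: a CA that does not
    # understand it must refuse, even though geotrust.com is also listed.
    "strict.thecustomizewindows.com": [
        (ISSUER_CRITICAL, "futuretag", "x"),
        (0, "issue", "geotrust.com"),
    ],
}


def relevant_caa_set(zone: Dict[str, List[CAARecord]], fqdn: str) -> Optional[List[CAARecord]]:
    """Climb from fqdn toward the root and return the closest CAA RRset.

    This climb is why a record at the zone apex applies to every subdomain
    that does not publish its own CAA records.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None


def issuer_domain(value: str) -> str:
    """'ca.example.net; account=123' -> 'ca.example.net' (parameters dropped)."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(zone: Dict[str, List[CAARecord]], name: str, ca_domain: str) -> bool:
    """True if ca_domain may issue a certificate for name ('*.x' = wildcard)."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name   # wildcard policy lives at the parent
    rrset = relevant_caa_set(zone, fqdn)
    if rrset is None:
        return True                       # no CAA anywhere up the tree
    for flags, tag, _ in rrset:
        if flags & ISSUER_CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False                  # critical property we cannot honour
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"                 # otherwise wildcards fall back to issue
    issuers = [issuer_domain(v) for _, t, v in rrset if t.lower() == tag]
    if not issuers:
        return True                       # no relevant property: unrestricted
    return ca_domain.lower() in issuers   # ";" yields "" and never matches


if __name__ == "__main__":
    for name, ca in [("www.thecustomizewindows.com", "letsencrypt.org"),
                     ("www.thecustomizewindows.com", "comodoca.com"),
                     ("*.thecustomizewindows.com", "geotrust.com"),
                     ("locked.thecustomizewindows.com", "letsencrypt.org"),
                     ("strict.thecustomizewindows.com", "geotrust.com")]:
        print("%-40s %-16s %s" % (name, ca, issuance_permitted(ZONE, name, ca)))
```

Note that geotrust.com is refused for the wildcard even though it appears in issue: once any issuewild record exists, only its list counts for wildcard requests.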

CAA is specified by RFC 6844: https://tools.ietf.org/html/rfc6844

RFC 3597 defines a generic syntax for record types a DNS server does not know; it can be used to add CAA records to software that predates the CAA type (see the legacy syntax further down). A CAA record consists of three elements:

flag An unsigned integer between 0 and 255. Currently only one bit has a meaning: the issuer critical flag (value 128), which tells a CA that it must understand the tag of this record or refuse to issue.
tag An ASCII string that identifies the property this record represents.
value The value associated with the tag.

RFC 6844 defines three property tags (issue, issuewild and iodef); the IANA registry also lists three reserved tags carried over from the original Hallam-Baker draft:

   Tag          Meaning                                RFC
   -----------  -------------------------------------- ---------
   issue        Authorization Entry by Domain          [RFC6844]
   issuewild    Authorization Entry by Wildcard Domain [RFC6844]
   iodef        Report incident by IODEF report        [RFC6844]
   auth         Reserved                               [HB2011]
   path         Reserved                               [HB2011]
   policy       Reserved                               [HB2011]

 

Advantages :

  1. CAA is a simple way to express which CA (or CAs) a domain owner prefers.
  2. It puts the domain owner in control of, and responsible for, which CAs may issue for the domain.
  3. It lets CAs report rejected certificate requests to the domain owner (the iodef tag).
  4. It is not tied to one CA.
  5. It is easy to add.
  6. It works at the DNS level, not at the web server level.

Disadvantages :

  1. A non-compliant (or compromised) CA can simply ignore the CAA record; CAA only constrains CAs that check it (mandatory for publicly trusted CAs from September 2017, per the CA/Browser Forum vote mentioned above).
  2. DNSSEC can prevent some attacks on the CAA lookup itself (spoofed or stripped answers), but DNSSEC is not mandatory with CAA.

 

Who Supports CAA DNS Record?

 

Among self-hosted DNS server software, the CAA record is supported by BIND, NSD, Knot DNS and PowerDNS.

The CAs supporting the CAA record at the time of writing are Amazon, Certum, Comodo, DigiCert, Entrust, GlobalSign, GoDaddy, Izenpe, QuoVadis, Starfield (GoDaddy), StartCom (WoSign), Let's Encrypt, Symantec/GeoTrust/Thawte, T-Telesec, Trustwave and WoSign.

 

How to Add CAA DNS Record?

 

A practical drawback is that, at the time of publication, many DNS providers (Dyn among them) do not support adding a CAA record at all. Our guess is that the push for CAA is connected to Let's Encrypt: its software is a libre project that can be forked, so many more CAs may appear in future.

 

The standard zone file syntax is as follows (thecustomizewindows.com is the domain, geotrust.com and letsencrypt.org are the two CAs allowed to issue ordinary certificates, only letsencrypt.org may issue wildcard certificates, and the iodef contact is admin@thecustomizewindows.com, written as a mailto: URL because RFC 6844 requires the iodef value to be a mailto: or http(s): URL):

thecustomizewindows.com. IN CAA 0 issue "geotrust.com"
thecustomizewindows.com. IN CAA 0 issue "letsencrypt.org"
thecustomizewindows.com. IN CAA 0 issuewild "letsencrypt.org"
thecustomizewindows.com. IN CAA 0 iodef "mailto:admin@thecustomizewindows.com"

There is also the legacy RFC 3597 syntax (type 257 is the CAA type number; the hex is the raw RDATA: flags octet, tag length octet, tag, value):

example.com. IN TYPE257 \# 19 00056973737565636F6D6F646F63612E636F6D
example.com. IN TYPE257 \# 12 0009697373756577696C643B
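The three-element structure described earlier and the RFC 3597 generic form above are the same data in two encodings. As an added example (not code from the original article, and not caa_helper's code), the following Python encodes a (flags, tag, value) triple into the "\# length hex" form and decodes it back, checking the declared length and the tag on the way; it turns both legacy lines above into the usual presentation format. The wire layout (flags octet, tag length octet, tag, then the value to the end of the RDATA) is RFC 6844 section 5.1; the function names and the example inputs are assumptions of this example.

```python
"""Encode and decode CAA records in RFC 3597 generic (\\# length hex) form.

Added example, not code from the original article or from caa_helper.
Wire format per RFC 6844 section 5.1: flags octet, tag length octet,
tag, then the value occupying the rest of the RDATA.
"""
import re
from typing import Tuple

TAG_RE = re.compile(rb"[A-Za-z0-9]+")          # RFC 6844: letters and digits only
GENERIC_RE = re.compile(r"\\#\s+(\d+)\s+((?:[0-9A-Fa-f]{2}\s*)*)")


def encode_caa(flags: int, tag: str, value: str) -> str:
    """(flags, tag, value) -> '\\# <len> <hex>' string in RFC 3597 style."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    tag_b = tag.encode("ascii")
    if not tag_b or len(tag_b) > 255 or not TAG_RE.fullmatch(tag_b):
        raise ValueError("tag must be 1-255 alphanumeric ASCII characters")
    rdata = bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")
    return "\\# %d %s" % (len(rdata), rdata.hex().upper())


def decode_caa(generic: str) -> Tuple[int, str, str]:
    """'\\# <len> <hex>' -> (flags, tag, value); raises ValueError if malformed."""
    m = GENERIC_RE.fullmatch(generic.strip())
    if not m:
        raise ValueError("not RFC 3597 generic syntax")
    length = int(m.group(1))
    rdata = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    if len(rdata) != length:
        raise ValueError("declared length %d != actual %d" % (length, len(rdata)))
    if len(rdata) < 2:
        raise ValueError("RDATA too short for flags and tag length")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("tag length %d does not fit in RDATA" % tag_len)
    tag_b = rdata[2:2 + tag_len]
    if not TAG_RE.fullmatch(tag_b):
        raise ValueError("tag is not alphanumeric ASCII")
    return flags, tag_b.decode("ascii"), rdata[2 + tag_len:].decode("utf-8")


def is_well_formed(generic: str) -> bool:
    """Convenience wrapper: True if decode_caa() accepts the record."""
    try:
        decode_caa(generic)
        return True
    except ValueError:                     # UnicodeDecodeError is a ValueError too
        return False


def to_zone_line(owner: str, generic: str) -> str:
    """Render a TYPE257 generic record in the normal CAA presentation format."""
    flags, tag, value = decode_caa(generic)
    return '%s IN CAA %d %s "%s"' % (owner, flags, tag, value)


# The two legacy lines from the article (RDATA part only).
ARTICLE_LINES = [
    "\\# 19 00056973737565636F6D6F646F63612E636F6D",
    "\\# 12 0009697373756577696C643B",
]

if __name__ == "__main__":
    for generic in ARTICLE_LINES:
        print(to_zone_line("example.com.", generic))
    # Critical-flag (128) record for a DNS server that only knows TYPE257:
    print("example.com. IN TYPE257 " + encode_caa(128, "issue", "letsencrypt.org"))
```

Decoding the second article line gives issuewild ";", which is the explicit way to say that no CA may issue wildcard certificates for the name.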

To generate records in that legacy form (and ordinary CAA records for the common DNS servers) there are free tools such as SSLMate's caa_helper:

https://github.com/SSLMate/caa_helper

 

How to Check CAA DNS Record?

 

As for tools for checking CAA records, newer versions of dig understand the CAA type and print the record data (dig CAA thecustomizewindows.com); older versions show it as TYPE257 with the raw RDATA. A dedicated checker is also available:

https://github.com/weppos/dnscaa
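Seeing the records is only half of the check; the other half is reading them the way a CA will. As an added example (not code from the original article or from the dnscaa project), the following Python parses the lines that dig +short CAA prints and flags the policy mistakes a domain owner most often makes: an iodef value that is not a mailto: or http(s): URL (so nobody can report to it), a critical flag on a tag CAs do not know (which blocks all issuance), issue without issuewild (wildcards then fall back to the issue list), and issue ";" with no issuewild (nothing can be issued at all). The sample output is constructed text in dig's format and deliberately repeats the missing-mailto: mistake; the function names are assumptions of the example.

```python
"""Parse `dig +short CAA <name>` output and lint the policy it describes.

Added example, not code from the original article or from the dnscaa
project. SAMPLE below is constructed text in the shape dig prints; for
real data run `dig +short CAA thecustomizewindows.com` and pass the text
to lint_caa().
"""
import re
from typing import List, Tuple

ISSUER_CRITICAL = 128
KNOWN_TAGS = ("issue", "issuewild", "iodef")
# dig +short prints one record per line: <flags> <tag> "<value>"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"((?:[^"\\]|\\.)*)"\s*$')


def parse_dig_short(text: str) -> List[Tuple[int, str, str]]:
    """Turn dig's presentation-format lines into (flags, tag, value) triples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable CAA line: %r" % line)
        records.append((int(m.group(1)), m.group(2).lower(), m.group(3).replace('\\"', '"')))
    return records


def lint_caa(text: str) -> List[str]:
    """Return findings a domain owner should look at; an empty list means 'looks sane'."""
    records = parse_dig_short(text)
    if not records:
        return ["no CAA records: any CA may issue for this name"]
    findings = []
    tags = {t for _, t, _ in records}
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    for flags, tag, value in records:
        if flags & ISSUER_CRITICAL and tag not in KNOWN_TAGS:
            findings.append("critical flag on unknown tag %r: compliant CAs will refuse to issue" % tag)
        if flags & 127:
            findings.append("flags %d set reserved bits; only 128 (critical) is defined" % flags)
        if tag == "iodef" and not value.startswith(("mailto:", "http://", "https://")):
            findings.append("iodef value %r is not a mailto: or http(s): URL; CAs cannot report to it" % value)
    if not issue and not issuewild:
        findings.append("CAA present but no issue/issuewild property: issuance is unrestricted")
    elif issue == [";"] and not issuewild:
        findings.append('issue ";" with no issuewild: no CA may issue any certificate')
    elif issue and not issuewild:
        findings.append("no issuewild: wildcard certificates fall back to the issue list (%s)" % ", ".join(issue))
    if "iodef" not in tags:
        findings.append("no iodef: CAs have nowhere to report rejected requests")
    return findings


# Constructed sample in dig +short format (the iodef line deliberately
# omits the mailto: scheme, a common mistake).
SAMPLE = """\
0 issue "geotrust.com"
0 issue "letsencrypt.org"
0 issuewild "letsencrypt.org"
0 iodef "admin@thecustomizewindows.com"
"""

if __name__ == "__main__":
    for finding in lint_caa(SAMPLE) or ["no findings"]:
        print("-", finding)
```

The findings are advisory; the only one a compliant CA will actually enforce against you is the critical-flag case, which is why that one is listed first.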

About This Article

Cite this article as: Abhishek Ghosh, "What is CAA DNS Record And How to Add?," in The Customize Windows, April 7, 2017, June 25, 2022, https://thecustomizewindows.com/2017/04/what-is-caa-dns-record-and-how-to-add/.
