By Abhishek Ghosh April 7, 2017 4:49 am Updated on April 7, 2017

What is CAA DNS Record And How to Add?


In March 2017 the CA/Browser Forum voted to make CAA checking mandatory for certificate authorities, to be in force by September 2017. Here is our guide to the CAA DNS record and how to add one. Previously we discussed DNS-based Authentication of Named Entities (DANE) and how to add DANE. CAA stands for Certification Authority Authorization.

 

What is CAA DNS Record?

 

A CAA record lets the owner of a domain use the DNS to specify which certificate authority is allowed (whitelisted) to issue certificates for that domain. For example, thecustomizewindows.com uses GeoTrust SSL (GeoTrust is the CA here), so a fraudster cannot use some other CA to obtain a DV certificate for the domain, and it is near impossible to obtain a second DV certificate for the same domain from the same CA. This is not a check performed at the client end of a TLS connection; it is a simple check that makes the CA's own issuance procedure stricter. As the diagram below shows, the CAA record only adds an extra, manual (at least for now) method; it is not a rock-solid technology:

[Diagram: What is CAA DNS Record And How to Add]

At the moment, if no CAA record is present, any CA can issue a certificate for the domain. If a CAA record is present, only the listed CAs are allowed to issue certificates for that hostname. CAA records can set policy for the entire domain or for a specific fully qualified domain name; technically, CAA records are inherited by subdomains unless overridden. CAA records can also control the issuance of wildcard certificates separately from root-domain certificates.
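The issuance decision described above (inheritance by subdomains, overriding by a closer record, separate wildcard control, the critical flag), worked through as an added example that is not part of the article. The zone data is constructed and looked up from a dictionary rather than queried over DNS, and the CNAME/DNAME steps of RFC 6844 are left out.

```python
# Added example, not from the article: a simplified RFC 6844 CAA check as a
# CA would perform it. The zone data is constructed; no DNS query is made,
# and CNAME/DNAME handling from the RFC is left out.
from typing import Dict, List, Optional, Tuple

CRITICAL = 128  # issuer-critical flag bit (RFC 6844, flags byte)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed records keyed by owner name: (flags, tag, value).
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com.": [
        (0, "issue", "geotrust.com"),
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "geotrust.com"),
        (0, "iodef", "mailto:admin@example.com"),
    ],
    # A subdomain overriding the parent: ";" means no CA may issue at all.
    "dev.example.com.": [(0, "issue", ";")],
    # A record with an unknown tag marked critical: a CA must refuse.
    "legacy.example.com.": [(CRITICAL, "policy", "x")],
}

def relevant_caa(name: str) -> Optional[List[Tuple[int, str, str]]]:
    """Climb from the FQDN toward the root and return the closest CAA set.
    This is how records are inherited by subdomains unless overridden."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in ZONE:
            return ZONE[owner]
    return None

def may_issue(name: str, ca: str, wildcard: bool = False) -> bool:
    """Decide whether `ca` may issue for `name` (or `*.name` when wildcard)."""
    records = relevant_caa(name)
    if records is None:
        return True  # no CAA record anywhere up the tree: any CA may issue
    # A critical record the CA does not understand forbids issuance outright.
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"  # issuewild, when present, governs wildcard requests
    # The CA domain is the value up to any ';' parameters; a bare ";" denies all.
    allowed = {v.split(";")[0].strip().lower() for _, t, v in records if t == tag}
    return ca.lower() in allowed
```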


DNS CAA is specified by RFC 6844:

https://tools.ietf.org/html/rfc6844

Also, RFC 3597 defines the generic (legacy) zone-file syntax shown further below. A CAA record consists of 3 elements:

  • flag: An unsigned integer between 0 and 255. It is currently used to carry the critical flag, which has a specific meaning per the RFC.
  • tag: An ASCII string that identifies the property represented by the record.
  • value: The value associated with the tag.

And 4 properties:

    Tag          Meaning                                RFC
    -----------  -------------------------------------- ---------
    issue        Authorization Entry by Domain          [RFC6844]
    issuewild    Authorization Entry by Wildcard Domain [RFC6844]
    iodef        Report incident by IODEF report        [RFC6844]
    auth         Reserved                               [HB2011]
    path         Reserved                               [HB2011]
    policy       Reserved                               [HB2011]

 

Advantages:

  1. CAA is a way to express a preference of CA.
  2. Forces the domain owner to be responsible for certificates.
  3. Also enables CAs to report invalid certificate requests.
  4. Not tied to one CA.
  5. Easy to add.
  6. Works at the DNS level, not the server level.

Disadvantages:

  1. In practice, a CA could simply ignore the CAA record.
  2. Use of DNSSEC can prevent some attacks, but DNSSEC is not mandatory with CAA.

 

Who Supports CAA DNS Record?

 

Among self-hosted DNS software, the CAA record is supported by the BIND DNS server, the NSD authoritative DNS server, the Knot DNS server and PowerDNS.

The CAs currently supporting the CAA record are Amazon, Certum, Comodo, DigiCert, Entrust, GlobalSign, GoDaddy, Izenpe, QuoVadis, Starfield GoDaddy, StartCom WoSign, Let’s Encrypt, Symantec/GeoTrust/Thawte, T-Telesec, Trustwave and WoSign.

 

How to Add CAA DNS Record?

 

Obviously it has many flaws, including that many DNS providers, Dyn among them, had no support for the CAA DNS record at the time of publication. We guess the reason to be the Let’s Encrypt libre software project, which can be forked to give birth to many CAs in the future.

 

The standard zone file has the following syntax (thecustomizewindows.com is the domain, geotrust is one CA, letsencrypt is another CA, the contact email is admin@thecustomizewindows.com, and geotrust is the only CA allowed to issue wildcard certificates; note that the iodef value must be a URL, hence the mailto: scheme):

    thecustomizewindows.com. IN CAA 0 issue "geotrust.com"
    thecustomizewindows.com. IN CAA 0 issue "letsencrypt.org"
    thecustomizewindows.com. IN CAA 0 issuewild "geotrust.com"
    thecustomizewindows.com. IN CAA 0 iodef "mailto:admin@thecustomizewindows.com"

There is also a legacy RFC 3597 syntax (the hex is flags, tag length, tag, then value):

    example.com. IN TYPE257 \# 19 00056973737565636F6D6F646F63612E636F6D
    example.com. IN TYPE257 \# 12 0009697373756577696C643B

Especially for the legacy form above, you need a free tool such as:

https://github.com/SSLMate/caa_helper
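To show what such a helper does, here is an added example (not the article's code and not the caa_helper tool) that converts between the readable CAA form and the RFC 3597 generic form, using the wire layout the legacy lines above encode: one flags byte, one tag-length byte, the tag, then the value. The sample line is the first legacy record quoted above.

```python
# Added example, not the article's code: convert CAA records between the
# readable presentation form and the RFC 3597 generic "TYPE257 \# len hex"
# form, using the RFC 6844 wire layout: flags (1 byte), tag length (1 byte),
# tag, then the value as the remaining bytes.
from typing import Tuple

def encode_caa(owner: str, flags: int, tag: str, value: str) -> str:
    """Produce an RFC 3597 generic zone line for a CAA record."""
    tag_b = tag.encode("ascii")
    if not 0 <= flags <= 255 or not 1 <= len(tag_b) <= 255:
        raise ValueError("flags and tag length must each fit in one byte")
    rdata = bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")
    return f"{owner} IN TYPE257 \\# {len(rdata)} {rdata.hex().upper()}"

def decode_caa(line: str) -> Tuple[str, int, str, str]:
    """Parse a 'TYPE257 \\# len hex' line back into (owner, flags, tag, value)."""
    parts = line.split()
    i = parts.index("\\#")
    owner, length = parts[0], int(parts[i + 1])
    rdata = bytes.fromhex("".join(parts[i + 2:]))  # hex may be split by spaces
    if len(rdata) != length:
        raise ValueError(f"declared length {length} but {len(rdata)} bytes given")
    tag_len = rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("tag length does not fit in RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii")
    return owner, rdata[0], tag, rdata[2 + tag_len:].decode("utf-8")

def to_presentation(owner: str, flags: int, tag: str, value: str) -> str:
    """Readable form, as used in the zone file example above."""
    return f'{owner} IN CAA {flags} {tag} "{value}"'

# Sample input: the first RFC 3597 line quoted in the article.
LEGACY_LINE = "example.com. IN TYPE257 \\# 19 00056973737565636F6D6F646F63612E636F6D"

if __name__ == "__main__":
    rec = decode_caa(LEGACY_LINE)
    print(to_presentation(*rec))   # example.com. IN CAA 0 issue "comodoca.com"
    print(encode_caa(*rec) == LEGACY_LINE)  # True: round trip is exact
```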

 

How to Check CAA DNS Record?

 

As for tools for checking CAA records, newer versions of dig can parse the record data. A tool of this kind is also practical:

https://github.com/weppos/dnscaa

Cite this article as: Abhishek Ghosh, "What is CAA DNS Record And How to Add?," in The Customize Windows, April 7, 2017, February 6, 2023, https://thecustomizewindows.com/2017/04/what-is-caa-dns-record-and-how-to-add/.
