How to add a Certificate Authority Authorization (CAA) DNS record

You are here:
← All Topics
image_pdfimage_print

What is a Certificate Authority Authorization (CAA) DNS Record?

A Certificate Authority Authorization (CAA) record is a security measure that allows the domain name owner to specify which Certificate Authority (CA) is authorized to issue certificates for that domain.
If a CA receives an order for a certificate for a domain with a CAA record and that CA isn’t listed as an authorized issuer, they are prohibited from issuing the certificate to that domain or any subdomain.

Why use a CAA?
SSL Certificate Authoritys are required to check a Domain Names DNS records for a CAA record before issuing an SSL Certificate.
This gives the benifit of perventing unauthorized issueance of an SSL Certificate and will help protect your business and your web site from fraud.

What if I don’t have a CAA Record?
If you don’t have a CAA Record in your DNS this is the same a saying that all CA’s may issue a certificate for you and as such we would recommend adding a CAA Rule.

How Do I Create A CAA Record?
We have found a site that will do most of the work for you.
If you visit https://sslmate.com/caa/ you will be able to enter the details needed.
If for example you wanted to create a CAA record for ‘reditexample.co.uk’ you would enter the domain name into the box in section 1.

Enter your Domain Name

Now if you are looking to create your first CAA record for this domain click on the ‘Auto-Generate Policy’ this will look for any existing SSL Certificates on you domains DNS Records.
If you think you already have a CAA Record and are looking to update the rules you can click on ‘Load Current Policy’
If any SSL Certificates are found they will then be selected in section 2.

CAA - Select Authorized Certificate Authorities

From here you can either select to add additional SSL Certificate providers or remove some of the ones that have been selected for you.   In the next section ‘Section 3’ you can enter an optional eMail address, which will be used if an SSL Certificate is attempted to be issued for your domain that is not on the allowed list.

CAA - Incident Reporting

Finally you will see that in Section 4 is a copy of the DNS Records that you will need to add to your DNS Zone file. Most providers will be able to work with the ‘Generic’ output

If you are using the redIT Shared Hosting Platform or the redIT DNS Service you can add these records through our Hosting Control Panel and once you are logged in select ‘Domain Names’ from the left hand menu:

redIT Control Panel - Domain Names menu

Now from the main control panel page select the domain name that you wish to add the CAA record for and click on the ‘Records’ Icon

redIT Control Panel Domain Records

You should now see a list of all your current DNS Records for the selected Domain Name. To add the new record or records you will need to click on the ‘Add’ button at the top of this page.

redIT Control Panel Add DNS Record

Finally for each of the records that the CAA Wizard has shown you you simply enter the details into the new record form. In this example we have added the first result returned from the Wizard as shown above

redIT Control Panel Add DNS record

If you are adding the eMail record you can change the ‘Tag’ type as needed.