Certificate Authority Authorization Records

Support for the CAA record was added to BIND with the 9.10.1B release, after Rick Andrews of Symantec approached us at an IETF meeting and asked why we didn’t have it already. Rick is an expert and evangelist for the use of certificates, so we invited Rick to explain why people should use CAA records.

Certificate Authority Authorization (CAA) (RFC 6844) is intended to reduce the risk of unintended SSL/TLS certificate mis-issuance, either by malicious actors or by honest mistake. The goal is to allow a DNS domain name holder to specify the certificate authority or authorities that the owner has authorized to issue SSL/TLS certificates for that domain.

For example, if you own example.com and wish to express your preference that certificates for that domain should only be issued by Primary CA, Inc., you would create a DNS record indicating that. If a malicious actor, or an employee who is not aware of your preference, engages a different CA, Secondary CA, Inc., to purchase a certificate, Secondary CA might first check DNS. If they see that you have a CAA record that does not name Secondary CA as an authorized certificate authority, Secondary CA could alert you to that. You could then choose to deny the certificate purchase, or change or add to your DNS records to allow Secondary CA to issue certificates for your domain.

For this reason, we recommend use of the CAA record.

Rick Andrews, Senior Technical Director for Trust Services, Symantec.com
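The CA-side check described above (walk up from the requested name to the closest CAA RRset, then see whether the requesting CA is named in an issue property) as an added example in Python; this is not code from the post or from ISC, and the zone data, CA names and lookup() stand-in for DNS are constructed for illustration.

```python
# Added example, not from the ISC post: the certificate-issuer side of
# RFC 6844 CAA processing, run against a constructed in-memory zone so it
# works offline. A real CA would replace lookup() with DNS queries.

# Constructed sample records as (flags, tag, value) per RFC 6844 section 3.
CAA_RECORDS = {
    "example.com.": [
        (0, "issue", "primaryca.example"),          # only Primary CA may issue
        (0, "iodef", "mailto:security@example.com"),
    ],
    "deny.example.": [(0, "issue", ";")],            # empty issuer: nobody may issue
    "strict.example.": [(128, "futuretag", "x")],    # critical flag on unknown tag
}

CRITICAL_FLAG = 0x80
KNOWN_TAGS = ("issue", "issuewild", "iodef")


def lookup(name):
    """Return the CAA RRset for an exact owner name (constructed zone)."""
    return CAA_RECORDS.get(name, [])


def relevant_caa_set(fqdn):
    """RFC 6844 section 4: walk from the FQDN toward the root and return the
    first CAA RRset found; an empty list means no CAA policy is published."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def ca_may_issue(fqdn, ca_domain):
    """Decide whether the CA identified by ca_domain may issue a
    non-wildcard certificate for fqdn under RFC 6844 issue processing."""
    rrset = relevant_caa_set(fqdn)
    if not rrset:
        return True                        # no CAA policy: issuance unrestricted
    # An unrecognised property with the critical flag set means refuse (section 3).
    for flags, tag, _ in rrset:
        if flags & CRITICAL_FLAG and tag not in KNOWN_TAGS:
            return False
    # Issuer domain is the part before any ";param=value" extensions.
    issuers = [v.split(";")[0].strip().lower() for _, t, v in rrset if t == "issue"]
    if not issuers:
        return True                        # e.g. only iodef published: not restricted
    return ca_domain.lower() in issuers    # ";" alone yields "", matching no CA
```

The "www.example.com" request inherits the policy published at example.com, so Secondary CA's check fails while Primary CA's succeeds.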
