Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Last Modified: 2017-10-03 10:56:11.0

What is Certification Authority Authorization (CAA)?

Article Number: 46517

User-added image

What is Certification Authority Authorization (CAA)?
Do I need a CAA record?
How to add a CAA record to your DNS zone file
How to add a CAA record in a hosted DNS
How to check CAA record using BIND
CAA Supported DNS Products
CAA Record Values Per Certification Authority
Certificate Transparency

What is Certification Authority Authorization (CAA)?


Domain Name Servers (DNS) use Certification Authority Authorization (CAA) as a means of identifying which Certification Authorities are authorized to issue a certificate for that domain.

As a means of providing an additional layer of control to the DNS owner, CAA gives DNS owners the ability to determine which Certification Authorities are authorized to issue certificates on behalf of that domain name by configuring their DNS CAA record.

For the complete report on CAA, please see RFC 6844. 

Do I need a CAA record?

No, the CAA record is not mandatory to be listed within your DNS record. CA’s are only required to check to see if there is a CAA record and if you have permitted the CA to issue for the FQDN in question.

If you do not list a CAA Record, all CA’s will be able to issue certificates for the FQDN.

CAA  is up to you and your organization to decide to support CAA within your DNS records.

How to add a CAA record to your DNS zone file

Please see our technote on how add a CAA record to your DNS zone file.

How to add a CAA record in a hosted DNS

Please see the technote on how you can add a CAA record in a hosted DNS, and what hosted DNS service providers currently support CAA.

How to check CAA record using BIND

If you have a dig tool from BIND, you can use it to check your CAA entry by typing the command below:

<drive>Dig yourdomain type257

NOTE: To download the Dig tool you can visit the official site of ISC :
https://www.isc.org/downloads/
 

CAA Supported DNS Products:
BIND (Prior to version 9.9.6 use RFC 3597 syntax)
NSD (Prior to version 4.0.1 use RFC 3597 syntax)
PowerDNS =4.0.0
• Knot DNS =2.2.0
Simple DNS Plus =6.0
Windows Server 2016 (use RFC 3597 syntax)
• tinydns (use generic record syntax)
• ldns =1.6.17
• OpenDNSSEC (with ldns =1.6.17)

CAA Records Values Per Certification Authority

Please see our article here for CA Values to input for your CAA Record for all Certification Authorities.

Certificate Transparency

You may use our Certificate Transparency Search Tool to scan if you have any other Certification Authorities (CAs) issuing certificates on your domains. 

If you find other certificates issued by different CAs, we recommend you check with your IT Team to ensure that you wish to allow those CAs to issue certificates for those domains. If YES, then you should add them to your DNS record. If NO, then leave them off.

If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance: 

Hours of Operation: 
Sunday 8:00 PM ET to Friday 8:00 PM ET 
North America (toll free): 1-866-267-9297 
Outside North America: 1-613-270-2680 (or see the list here

TN9007