By Abhishek Ghosh April 7, 2017 4:49 am Updated on April 7, 2017

What is CAA DNS Record And How to Add?

In March 2017 the CA/Browser Forum voted to make CAA mandatory, with the decision taking effect in September 2017. Here is our guide to the CAA DNS record and how to add one. Previously we discussed DNS-based Authentication of Named Entities (DANE) and how to add DANE records. CAA stands for Certification Authority Authorization.

What is a CAA DNS Record?

CAA uses the DNS to let the owner of a domain specify which certificate authorities are allowed (whitelisted) to issue certificates for that domain. For example, thecustomizewindows.com uses GeoTrust SSL (the CA in this case); a fraudster cannot use some other CA to obtain a DV certificate for the domain, and obtaining a second DV certificate for the same domain from the same CA is near impossible. CAA is not a check performed at the client end of a TLS connection; it is a simple check that lets CAs make their issuance procedure stricter. As the diagram below shows, a CAA record only adds an extra, for now largely manual, control; it is not a rock-solid technology:

[Diagram: What is CAA DNS Record And How to Add]

At present, if no CAA record is present, any CA can issue a certificate for the domain. If a CAA record is present, only the CAs listed in it are allowed to issue certificates for that hostname. CAA records can set policy for an entire domain or for a specific fully qualified domain name, so CAA records are effectively inherited by subdomains unless a subdomain overrides them with its own record set. CAA records can also control the issuance of wildcard certificates separately from certificates for the root domain.


DNS CAA is specified by RFC 6844:

    https://tools.ietf.org/html/rfc6844

RFC 3597 also defines the generic (legacy) zone-file syntax used for record types that a server does not know natively. A CAA record consists of three fields:

  • flag: an unsigned integer between 0 and 255. It is currently used to carry the critical flag, which has a specific meaning per the RFC.
  • tag: an ASCII string identifying the property represented by the record.
  • value: the value associated with the tag.

There are currently three defined property tags (issue, issuewild and iodef) and three reserved ones:

    Tag          Meaning                                RFC
    -----------  -------------------------------------- ---------
    issue        Authorization Entry by Domain          [RFC6844]
    issuewild    Authorization Entry by Wildcard Domain [RFC6844]
    iodef        Report incident by IODEF report        [RFC6844]
    auth         Reserved                               [HB2011]
    path         Reserved                               [HB2011]
    policy       Reserved                               [HB2011]

Advantages:

  1. CAA is a simple way to express a preference for a CA.
  2. It makes the domain owner responsible for certificate issuance.
  3. It also enables CAs to report invalid certificate requests.
  4. It is not tied to one CA.
  5. It is easy to add.
  6. It works at the DNS level, not the server level.

Disadvantages:

  1. A CA can actually ignore the CAA record.
  2. Use of DNSSEC can prevent some attacks, but DNSSEC is not mandatory with CAA.

Who Supports the CAA DNS Record?

Among self-hosted DNS software, the CAA record is supported by the BIND DNS server, the NSD authoritative DNS server, Knot DNS and PowerDNS.

The CAs currently supporting the CAA record are Amazon, Certum, Comodo, DigiCert, Entrust, GlobalSign, GoDaddy, Izenpe, QuoVadis, Starfield (GoDaddy), StartCom (WoSign), Let's Encrypt, Symantec/GeoTrust/Thawte, T-Telesec, Trustwave and WoSign.

How to Add a CAA DNS Record?

Obviously it has many flaws, including that many DNS providers, Dyn among them, had no support for the CAA DNS record feature at the time of publication. We guess the reason is the Let's Encrypt libre software project, which can be forked to give birth to many CAs in future.

A standard zone file uses the following syntax (thecustomizewindows.com is the domain, geotrust is one CA, letsencrypt is another CA, the contact email is admin@thecustomizewindows.com, and letsencrypt is additionally allowed to issue wildcard certificates):

    thecustomizewindows.com. IN CAA 0 issue "geotrust.com"
    thecustomizewindows.com. IN CAA 0 issue "letsencrypt.org"
    thecustomizewindows.com. IN CAA 0 issuewild "letsencrypt.org"
    thecustomizewindows.com. IN CAA 0 iodef "admin@thecustomizewindows.com"
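As an added example (not code from the article, the RFC or any DNS server), the following Python shows how the rules described above play out on the zone snippet: records are parsed from the presentation syntax, the RFC 6844 lookup climbs from the requested hostname towards the root until a CAA set is found (which is how subdomains inherit policy), a wildcard request consults issuewild before falling back to issue, and the critical flag (128) on a property tag the CA does not understand blocks issuance. The zone data is constructed inline: the four thecustomizewindows.com records are the article's own, while the dev.* and legacy.* records are hypothetical additions; no DNS queries are made.

```python
"""CAA policy evaluation per RFC 6844 (added example, not the article's code).

Zone data is constructed inline; the thecustomizewindows.com records come from
the article, the dev.* and legacy.* records are hypothetical additions.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

ISSUER_CRITICAL = 128  # most significant bit of the flags octet
KNOWN_TAGS = frozenset({"issue", "issuewild", "iodef"})


class CAARecord(NamedTuple):
    flags: int   # 0-255
    tag: str     # property tag, e.g. issue / issuewild / iodef
    value: str   # CA domain for issue/issuewild, report address for iodef


ZONE_TEXT = """
thecustomizewindows.com.        IN CAA 0 issue "geotrust.com"
thecustomizewindows.com.        IN CAA 0 issue "letsencrypt.org"
thecustomizewindows.com.        IN CAA 0 issuewild "letsencrypt.org"
thecustomizewindows.com.        IN CAA 0 iodef "admin@thecustomizewindows.com"
dev.thecustomizewindows.com.    IN CAA 0 issue "letsencrypt.org"
legacy.thecustomizewindows.com. IN CAA 128 futureprop "hypothetical"
"""

_CAA_LINE = re.compile(r'^(\S+)\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')


def parse_zone(text: str) -> Dict[str, List[CAARecord]]:
    """Group CAA records by owner name (lower-cased, trailing dot removed)."""
    zone: Dict[str, List[CAARecord]] = {}
    for line in text.strip().splitlines():
        m = _CAA_LINE.match(line.strip())
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        flags = int(m.group(2))
        if not 0 <= flags <= 255:
            raise ValueError(f"flags out of range in {line!r}")
        owner = m.group(1).lower().rstrip(".")
        zone.setdefault(owner, []).append(CAARecord(flags, m.group(3).lower(), m.group(4)))
    return zone


def relevant_caa_set(zone: Dict[str, List[CAARecord]], name: str) -> List[CAARecord]:
    """RFC 6844 lookup: the CAA RRset at the name itself, otherwise the first
    one found while climbing towards the root. This is the inheritance rule:
    a subdomain with its own RRset overrides its parent completely."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return []  # no CAA anywhere in the tree: issuance is unrestricted


def ca_may_issue(zone: Dict[str, List[CAARecord]], hostname: str, ca_domain: str) -> bool:
    """Decide whether ca_domain may issue for hostname ('*.' prefix = wildcard)."""
    hostname = hostname.lower().rstrip(".")
    wildcard = hostname.startswith("*.")
    records = relevant_caa_set(zone, hostname[2:] if wildcard else hostname)
    if not records:
        return True
    # A critical property the CA does not understand forbids issuance outright.
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    # Wildcard requests are governed by issuewild when present, else by issue.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    tag_records = [r for r in records if r.tag == tag]
    if not tag_records:
        return True  # the RRset restricts nothing for this kind of request
    # 'issue ";"' (empty issuer) authorises nobody; parameters after ';' are ignored here.
    allowed = {r.value.split(";")[0].strip().lower() for r in tag_records}
    return ca_domain.lower() in allowed


def evaluate(zone_text: str = ZONE_TEXT) -> Dict[Tuple[str, str], bool]:
    """Run the constructed cases and return {(hostname, ca): may_issue}."""
    zone = parse_zone(zone_text)
    cases = [
        ("www.thecustomizewindows.com", "geotrust.com"),        # inherited from apex
        ("www.thecustomizewindows.com", "comodoca.com"),        # not listed at apex
        ("*.thecustomizewindows.com", "geotrust.com"),          # issuewild names only letsencrypt
        ("*.thecustomizewindows.com", "letsencrypt.org"),
        ("api.dev.thecustomizewindows.com", "geotrust.com"),    # dev.* override drops geotrust
        ("api.dev.thecustomizewindows.com", "letsencrypt.org"),
        ("legacy.thecustomizewindows.com", "letsencrypt.org"),  # critical unknown tag
        ("example.net", "geotrust.com"),                        # no CAA at all
    ]
    return {(h, ca): ca_may_issue(zone, h, ca) for h, ca in cases}


if __name__ == "__main__":
    for (host, ca), ok in evaluate().items():
        print(f"{host:38} {ca:18} {'may issue' if ok else 'must NOT issue'}")
```

Running the file prints one verdict per case; the dev.* case is the one to watch, since its single issue record replaces, rather than extends, the apex policy, which is what "inherited unless overridden" means in practice.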

There is also the legacy RFC 3597 syntax:

    example.com. IN TYPE257 \# 19 00056973737565636F6D6F646F63612E636F6D
    example.com. IN TYPE257 \# 12 0009697373756577696C643B
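To show what the generic form above actually encodes, here is an added Python example (not from the article, the RFC or any DNS software) that decodes the RFC 3597 `\# <length> <hex>` RDATA into the flags, tag and value fields and encodes presentation-form records back. The two RDATA strings are the article's own; decoding them shows that the first is `0 issue "comodoca.com"` and the second is `0 issuewild ";"`, an empty issuer list that forbids every CA from issuing wildcard certificates. Everything else in the block is constructed for illustration.

```python
"""RFC 3597 generic RDATA <-> CAA fields (added example, not the article's code).

The two RDATA strings in ARTICLE_RDATA are taken from the article; everything
else here is constructed for illustration.
"""
from typing import List, NamedTuple


class CAAFields(NamedTuple):
    flags: int
    tag: str
    value: str

    def presentation(self) -> str:
        """Zone-file presentation form, e.g. 0 issue "comodoca.com"."""
        return f'{self.flags} {self.tag} "{self.value}"'


ARTICLE_RDATA = [
    r"\# 19 00056973737565636F6D6F646F63612E636F6D",
    r"\# 12 0009697373756577696C643B",
]


def decode_rfc3597(rdata: str) -> CAAFields:
    """Parse '\\# <length> <hex>' into CAA fields.

    CAA wire format (RFC 6844): one octet of flags, one octet of tag length,
    the tag in US-ASCII, then the value occupying the rest of the RDATA.
    """
    parts = rdata.split()
    if len(parts) < 3 or parts[0] != r"\#":
        raise ValueError(f"not RFC 3597 generic RDATA: {rdata!r}")
    declared = int(parts[1])
    raw = bytes.fromhex("".join(parts[2:]))  # the hex may be split into words
    if len(raw) != declared:
        raise ValueError(f"length field says {declared} octets, found {len(raw)}")
    if len(raw) < 2:
        raise ValueError("CAA RDATA must hold at least flags and tag length")
    flags, tag_len = raw[0], raw[1]
    if tag_len == 0 or 2 + tag_len > len(raw):
        raise ValueError(f"tag length {tag_len} does not fit in {len(raw)} octets")
    tag = raw[2:2 + tag_len].decode("ascii")
    if not tag.isalnum():
        raise ValueError(f"tag must be US-ASCII letters and digits: {tag!r}")
    value = raw[2 + tag_len:].decode("utf-8")
    return CAAFields(flags, tag.lower(), value)


def encode_rfc3597(flags: int, tag: str, value: str) -> str:
    """Inverse of decode_rfc3597: build the generic RDATA for a CAA record."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    tag_bytes = tag.encode("ascii")
    if not 1 <= len(tag_bytes) <= 255 or not tag.isalnum():
        raise ValueError("tag must be 1-255 US-ASCII letters and digits")
    raw = bytes([flags, len(tag_bytes)]) + tag_bytes + value.encode("utf-8")
    return rf"\# {len(raw)} {raw.hex().upper()}"


def decode_examples(rdatas: List[str] = ARTICLE_RDATA) -> List[str]:
    """Presentation form of each generic record, e.g. '0 issuewild ";"'."""
    return [decode_rfc3597(r).presentation() for r in rdatas]


if __name__ == "__main__":
    for rdata, pres in zip(ARTICLE_RDATA, decode_examples()):
        print(f"{rdata:50} -> {pres}")
```

The length check matters when hand-editing generic records: a `\#` count that disagrees with the hex is exactly the kind of typo a zone-file loader rejects, and the decoder refuses it rather than guessing.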

Especially for the above form, you will need a free tool such as caa_helper:

    https://github.com/SSLMate/caa_helper

How to Check a CAA DNS Record?

As for tools to check CAA records, newer versions of dig support parsing the record data. It is also practical to use a dedicated tool such as dnscaa:

    https://github.com/weppos/dnscaa
