CAA record - Certification Authority Authorization

The CAA record type (Certification Authority Authorization) defines the policy for issuing SSL/TLS certificates for a selected domain. Its goal is to prevent the issuance of fraudulent certificates and to raise the trustworthiness of HTTPS connections to the server.

You simply specify which certification authority may issue certificates for the domain, and who should be notified if someone attempts to have a certificate issued in violation of that policy.

One CAA record defines one certification authority. A domain can have several records, which complement each other.

A CAA record is not required in order to use SSL/TLS certificates. Without this record, any certification authority may issue a certificate for the domain.


Structure of CAA record:

Flags: defines how critically a conflict with the CAA record must be treated (0 by default)

Tag:   issue     applies to the domain itself;
       issuewild applies to wildcard certificates covering all subdomains (*.domain.xy);
       iodef     defines the website or e-mail address to be notified if the rule is violated.

Value: a text string (such as a URL or an e-mail address)


Example of using CAA:

In most cases you only need to define the main domain, possibly together with its subdomains (issuewild).

However, a subdomain may run an e-shop that requires a more secure type of certificate than the other domains. In that case, overlapping rules that complement one another can be used.

A certification authority can therefore be defined for one specific subdomain and a different authority for all other subdomains.

In the same way, you can define one contact e-mail address for a subdomain, such as the e-shop administrator's, and another address for the main domain.

domain.xy.      1800 IN CAA 0 issue "letsencrypt.org"      ; for the main domain only Let's Encrypt
domain.xy.      1800 IN CAA 0 issuewild "rapidssl.com"     ; for all subdomains (*.domain.xy) only RapidSSL
sub.domain.xy.  1800 IN CAA 0 issue "thawte.com"           ; for this subdomain the certificate is issued by Thawte
sub.domain.xy.  1800 IN CAA 0 iodef "mailto:caa@domain.xy" ; rule violations are reported to caa@domain.xy
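As an added example (not part of the original page), the following Python script parses the four records above and applies the CAA lookup rules of RFC 8659 to decide which authority may issue for a given name: a name without its own CAA set inherits the closest parent's, issuewild governs wildcard names, and no record at all leaves issuance unrestricted. The zone text is constructed; a real check would query DNS for the CAA records.

```python
import re
# Constructed sample zone with the same records as the page's example; in practice
# these would come from a DNS query for CAA records.
ZONE = """
domain.xy.      1800 IN CAA 0 issue "letsencrypt.org"
domain.xy.      1800 IN CAA 0 issuewild "rapidssl.com"
sub.domain.xy.  1800 IN CAA 0 issue "thawte.com"
sub.domain.xy.  1800 IN CAA 0 iodef "mailto:caa@domain.xy"
"""
CAA_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_zone(text):
    """Return {owner: [(flags, tag, value), ...]} for every CAA line in the zone."""
    records = {}
    for line in text.strip().splitlines():
        m = CAA_LINE.match(line.strip())
        if m:
            owner, flags, tag, value = m.groups()
            key = owner.rstrip(".").lower()
            records.setdefault(key, []).append((int(flags), tag.lower(), value))
    return records

def relevant_rrset(records, name):
    """RFC 8659 lookup: the CAA set of `name`, else of its closest ancestor that has one."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = records.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def may_issue(records, name, ca):
    """Decide whether `ca` may issue for `name` (a leading '*.' means a wildcard certificate)."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(records, name[2:] if wildcard else name)
    # Flag 128 marks a property as critical: an unknown critical tag forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    allowed = [v.split(";")[0].strip().lower() for _, t, v in rrset if t == tag]
    if not allowed:
        return True  # no CAA anywhere up the tree, or only iodef: any CA may issue
    return ca.lower() in allowed

def report_contacts(records, name):
    """The iodef contacts to notify about a violation for `name`."""
    return [v for _, t, v in relevant_rrset(records, name[2:] if name.startswith("*.") else name) if t == "iodef"]
RECORDS = parse_zone(ZONE)
```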