DEV Community

Pavol Z. Kutaj

Explaining CAA DNS Record

The aim of this page is to explain Certificate Authority Authorization (CAA) DNS records and how they function. Why? Because I am having an issue creating a TLS certificate with Traefik: the vendor's CAA record does not list Let's Encrypt as an allowed Certificate Authority.

  • CAA records authorize specific Certificate Authorities (CAs) to issue SSL/TLS certificates for a domain.
  • They enhance security by preventing unauthorized CAs from issuing certificates for that domain.
  • A CAA record contains three fields: Flags, Tag, and Value.
  • Flags: an integer value, typically 0.
  • Tag: the type of policy, e.g. `issue`, `issuewild`, or `iodef`.
  • Value: the domain of the CA authorized to issue (for `issue` and `issuewild`).
  • Real-world example (queried with `doggo`):

```
doggo CAA google.com
NAME        TYPE    CLASS   TTL     ADDRESS             NAMESERVER
google.com. CAA     IN      9550s   0 issue "pki.goog"  8.8.8.8:53
```
  • The record type is defined in RFC 8659.
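The problem from the intro (a CAA record that does not list Let's Encrypt) is the `issue` check in action. What follows is an added example, not code from the original post, that applies the RFC 8659 rules to a constructed zone: it climbs to the closest ancestor that has a CAA RRset, honours `issuewild` for wildcard names, treats a bare `";"` as deny-all, and refuses when a critical flag sits on an unknown tag. The `ZONE` dict, the domain names and the `ca_may_issue` function are constructed for illustration; a real check would replace `ZONE` with live DNS lookups.

```python
import re
from dataclasses import dataclass

# Constructed zone data (assumed, not real DNS answers). Owner name -> CAA RRset
# in presentation format. api.example.com has no CAA of its own, so the
# RFC 8659 lookup climbs to example.com.
ZONE = {
    "example.com.": ['0 issue "pki.goog"', '0 issuewild ";"'],
    "api.example.com.": [],
    "legacy.example.com.": ['128 future-tag "x"'],  # critical flag, unknown tag
}

CAA_RE = re.compile(r'^(\d+)\s+(\S+)\s+"(.*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass
class CAA:
    flags: int  # bit 128 = issuer critical
    tag: str
    value: str

def parse_caa(text: str) -> CAA:
    m = CAA_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad CAA record: {text!r}")
    return CAA(int(m.group(1)), m.group(2).lower(), m.group(3))

def relevant_rrset(name: str, zone: dict):
    """Return the CAA RRset of the closest name (self or ancestor) that has one."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return [parse_caa(r) for r in rrset]
    return []  # no CAA anywhere up the tree

def ca_may_issue(name: str, ca_domain: str, zone: dict, wildcard: bool = False) -> bool:
    """True if the CA identified by ca_domain may issue for name (or *.name)."""
    rrset = relevant_rrset(name, zone)
    # A critical flag on a tag the CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    wild = [r for r in rrset if r.tag == "issuewild"]
    applicable = wild if wildcard and wild else [r for r in rrset if r.tag == "issue"]
    if not applicable:
        return True  # nothing restricts this kind of issuance
    # Issuer domain is the value before any ";name=value" parameters; a bare ";" allows no CA.
    issuers = {r.value.split(";", 1)[0].strip().lower() for r in applicable}
    return ca_domain.lower() in issuers - {""}
```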
