With threats ranging from phishing to data breaches, businesses must adopt a multi-layered approach to protect their online assets. One easily missed security measure is certificate authority authorization (CAA) records.
Digital certificates are used to establish trust in various online interactions. Secure sockets layer (SSL) and transport layer security (TLS) certificates are types of digital certificates specifically designed to secure website connections. But what happens when those certificates are issued by the wrong certificate authority (CA), or worse, by unauthorized entities? This is where CAA records come in. They’re an important part of domain security that helps prevent unauthorized issuance of digital certificates.
What are CAA records?
A CAA record is a type of domain name system (DNS) record that lets domain owners specify which CAs can issue SSL and TLS certificates for their domain. Introduced in 2017 by the Internet Engineering Task Force, it acts as a security gatekeeper to ensure only authorized CAs can issue certificates.
Why are CAA records important?
CAA records play a vital role in securing your domain. Here’s how.
1. Preventing online impersonation
CAA records can stop unauthorized CAs from issuing certificates for your domain. Without them, any CA, even untrustworthy ones, could issue certificates, potentially enabling cybercriminals to impersonate your website.
2. Mitigating cyber attacks
Preventing attackers from obtaining fraudulent certificates reduces the likelihood of man-in-the-middle attacks—where malicious actors intercept and manipulate traffic between users and your site—as well as phishing and other malicious activities.
3. Reducing compliance and financial risks
CAA records help enforce security policies, ensuring compliance with industry standards and regulations. By controlling which CAs can issue certificates, you minimize exposure to breaches, regulatory fines, and brand damage.
4. Fostering trust with visitors
Implementing CAA records assures customers and partners that your website is legitimate and secure, which is critical for reputation and compliance.
How do CAA records work?
Implementing CAA records requires a basic understanding of how DNS and CAA policies function together. Here’s a simplified explanation of the process.
1. Create a CAA record
The first step is to create a CAA record in the DNS zone file for your domain. The zone file holds the domain’s DNS records, including the mappings between domain names and internet protocol (IP) addresses, and it is also where policy records such as CAA live. A CAA record has three elements:
- Flag: A number that controls how the CAA record behaves. Typically, the flag is set to 0, which marks the record as non-critical: a CA that does not understand the tag may ignore that property. A flag value of 128 marks the record as critical, meaning the CA must enforce it and must refuse to issue the certificate if it does not understand the record’s tag.
- Tag: Specifies the type of information in the record. Common tags include:
  - issue: Specifies which CAs are authorized to issue certificates for the domain.
  - issuewild: Specifies which CAs are authorized to issue wildcard certificates (i.e., certificates that cover multiple subdomains).
  - iodef: Provides a URL where violations of the CAA policy can be reported.
- Value: The domain name of the CA that’s allowed to issue certificates for the domain (e.g., sectigo.com). An empty value, written as ";", means no CA at all is authorized for that tag.
2. CAA record lookup by CAs
When a CA receives a request to issue a certificate for your domain, it queries the domain’s DNS for a CAA record. If a CAA record exists and doesn’t list the requesting CA as authorized, the CA must refuse to issue the certificate. If no CAA record exists, most CAs will proceed with issuance, as there are no restrictions. Adding a CAA record therefore gives you explicit control over which CAs can issue certificates for your domain.
3. Keep CAA records up to date
CAA records can be updated as needed to reflect changes in the authorized CAs. This is particularly important when a company switches certificate providers or adds additional CAs to its list of trusted issuers. Regularly reviewing and updating your CAA records ensures your certificate management policy remains current and aligned with your security posture.
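As an added example (not code from the original article or from CSC), the following Python checker applies the three steps above to constructed zone data: it parses zone-file-style CAA records into flag, tag and value, performs the CA-side lookup (going beyond the text by climbing to parent names as RFC 8659 specifies), and decides whether a given CA may issue, including the critical-flag refusal and the issuewild-over-issue rule for wildcard requests. The owner names and CA domains are hypothetical.

```python
import re

# Constructed sample zone data (hypothetical owner names, not a real zone); each line has
# the same shape as a zone-file CAA record: owner, "CAA", flag, tag, quoted value.
SAMPLE_ZONE = """
example.com.      CAA 0   issue     "sectigo.com"
example.com.      CAA 0   issuewild ";"
example.com.      CAA 0   iodef     "mailto:security@example.com"
api.example.com.  CAA 128 issue     "sectigo.com"
api.example.com.  CAA 128 futuretag "some-value"
"""
CAA_LINE = re.compile(r'^(\S+)\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_zone(text):
    """Map each owner name to its list of (flag, tag, value) CAA properties."""
    zone = {}
    for line in text.strip().splitlines():
        m = CAA_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable CAA line: {line!r}")
        owner, flag, tag, value = m.groups()
        zone.setdefault(owner.rstrip(".").lower(), []).append((int(flag), tag.lower(), value.strip()))
    return zone

def relevant_rrset(zone, name):
    """RFC 8659 lookup: the name's own CAA RRset, else the nearest ancestor's (climbing to the root)."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)
    return []

def issuance_allowed(zone, requested_name, ca_domain):
    """Decide whether ca_domain may issue for requested_name; a leading '*.' marks a wildcard request."""
    wildcard = requested_name.startswith("*.")
    rrset = relevant_rrset(zone, requested_name[2:] if wildcard else requested_name)
    if not rrset:
        return True  # no CAA record anywhere up the tree: issuance is unrestricted
    if any(flag & 128 and tag not in KNOWN_TAGS for flag, tag, _ in rrset):
        return False  # critical flag (128) on a tag this CA does not understand: must refuse
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue governs both kinds
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # only iodef (or no restricting tag) present: not restrictive
    # the issuer domain is the part before any ';' parameters; an empty issuer (";") authorizes nobody
    return any(v.split(";")[0].strip().lower() == ca_domain.lower() for v in applicable)

ZONE = parse_zone(SAMPLE_ZONE)
```

A real CA resolves these records over DNS rather than from an embedded zone; the decision logic is the same.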
Best practices for implementing CAA records
- Set comprehensive CAA policies. Specify which CAs can issue certificates for your domains. Consider also setting policies for wildcard certificates to prevent unauthorized issuances.
- Enable reporting with the iodef tag. Use the iodef tag to set up a reporting mechanism so you will be alerted to any violations of your CAA policy.
- Regularly review and update CAA records. Make sure to review your CAA records whenever your CA relationships change, or when you switch SSL or TLS providers.
CAA records offer a straightforward yet powerful defense against domain impersonation, phishing, and other forms of cybercrime. Yet in 2024, only 9.5% of companies in Forbes’ Global 2000 used CAA records to protect their domains.
At CSC, we understand the importance of a comprehensive security strategy. To learn more about how CSC can support your digital certificate and domain security needs, visit our SSL Certificate Management Solutions page.