====== Networking - DNS - Bind - CAA (Certification Authority Authorization) ======

DNS CAA (Certification Authority Authorization) is an Internet security policy mechanism that allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name.

<code>
; Flags 0 = non-critical; the reserved flag bits must be left clear.
example.org.  CAA 0 issue "letsencrypt.org"
example.org.  CAA 0 iodef "mailto:caa@example.org"
</code>

----

===== Test =====

<code>
dig +short -t caa google.com
</code>

returns:

<code>
0 issue "pki.goog"
</code>

**NOTE:**

  * **0** means the CA may continue to issue the certificate if it does not understand the record. It is like a non-critical X.509 extension.
  * **128** means the CA may not issue the certificate if it does not understand the record in question, so this would be like a critical X.509 extension.

----

===== References =====

https://tools.ietf.org/html/rfc6844#section-5.1.1
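The flag semantics from the note above can be checked against ''dig +short'' output with a short script. This is an added example, not part of the original wiki page: the function names ''parse_caa'' and ''may_issue'' and the ''futuretag'' records are hypothetical, and the sketch evaluates a single record set only (no CNAME handling or climbing to parent domains).

```python
import re

# Property tags this sketch understands; anything else counts as "unknown".
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical bit of the flags octet

# One line of `dig +short -t caa` output: <flags> <tag> "<value>"
RECORD = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"\s*$')

def parse_caa(lines):
    """Parse dig +short style lines into (flags, tag, value) tuples."""
    records = []
    for line in lines:
        m = RECORD.match(line)
        if not m or int(m.group(1)) > 255:
            raise ValueError(f"not a CAA record: {line!r}")
        records.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records

def may_issue(records, ca_domain, wildcard=False):
    """Return True if ca_domain may issue under this CAA record set."""
    if not records:
        return True  # no CAA records: issuance is not restricted
    # An unknown tag with the critical bit set (128) blocks issuance;
    # the same tag with flags 0 is simply ignored.
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    wild = [v for _, t, v in records if t == "issuewild"]
    # issuewild overrides issue for wildcard requests, and is ignored otherwise.
    relevant = wild if (wildcard and wild) else issue
    if not relevant:
        return True  # e.g. only iodef present: no restriction on issuance
    # The issuer domain is the part of the value before any ";" parameters.
    allowed = {v.split(";", 1)[0].strip().lower() for v in relevant}
    return ca_domain.lower() in allowed

# Constructed sample input, modelled on the records shown on this page.
SAMPLE = ['0 issue "letsencrypt.org"', '0 iodef "mailto:caa@example.org"']

if __name__ == "__main__":
    for extra in ([], ['0 futuretag "x"'], ['128 futuretag "x"']):
        rrset = parse_caa(SAMPLE + extra)
        print(extra, "->", may_issue(rrset, "letsencrypt.org"))
```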