Networking - DNS - Bind - CAA (Certification Authority Authorization)

DNS CAA (Certification Authority Authorization) is an Internet security policy mechanism that lets a domain name holder state, in DNS, which certificate authorities are authorized to issue digital certificates for that domain name.

; flags 0 = non-critical (128 would set the issuer-critical bit; all other bits are reserved and must be 0)
example.org. CAA 0 issue "letsencrypt.org"
example.org. CAA 0 iodef "mailto:caa@example.org"

Test

dig +short -t caa google.com

returns:

0 issue "pki.goog"

NOTE (the leading number is the flags octet):

  • 0 means the CA may continue to issue the certificate even if it does not understand the record (its property tag). It is like a non-critical X.509 extension.
  • 128 means the CA may not issue the certificate if it does not understand the record in question, so this is like a critical X.509 extension (the issuer-critical flag; see RFC 6844, section 5.1.1).
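To make the flag and tag semantics concrete, here is an added Python example (not part of the original page) that decides whether a named CA may issue for a domain from a constructed set of CAA records: it climbs to the parent domain when the name itself has no records, refuses on an unknown tag only when the critical flag (128) is set, honours the ";" value that forbids all CAs, and lets issuewild override issue for wildcard names. All zone names other than example.org are hypothetical.

```python
# Added example: RFC 6844 issuance check over constructed CAA data (not the page's code).
from dataclasses import dataclass

CRITICAL = 128                      # bit 0 of the flags octet: "issuer critical"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str

def parse_caa(rdata: str) -> CAARecord:
    """Parse presentation-format RDATA such as '0 issue "pki.goog"'."""
    flags, tag, value = rdata.split(maxsplit=2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))

# Constructed sample zone data (hypothetical names), keyed by owner name.
ZONE = {
    "example.org": ['0 issue "letsencrypt.org"', '0 iodef "mailto:caa@example.org"'],
    "locked.example": ['0 issue ";"'],                     # ";" forbids every CA
    "wild.example": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
    "crit.example": ['0 issue "letsencrypt.org"', '128 futuretag "x"'],
    "noncrit.example": ['0 issue "letsencrypt.org"', '0 futuretag "x"'],
}

def relevant_records(domain: str) -> list[CAARecord]:
    """Climb toward the root and use the first owner name that has CAA records."""
    labels = domain.split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in ZONE:
            return [parse_caa(r) for r in ZONE[name]]
    return []

def may_issue(domain: str, ca: str, wildcard: bool = False) -> bool:
    """True if CA `ca` may issue for `domain` (or `*.domain` when wildcard)."""
    records = relevant_records(domain)
    # Unknown tag + critical flag: the CA must refuse. Flags 0: it is ignored.
    if any(r.tag not in KNOWN_TAGS and r.flags & CRITICAL for r in records):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"          # issuewild overrides issue for wildcard names
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True                # no issue/issuewild property: no restriction
    # The CA domain precedes any ";key=value" parameters in the value.
    return any(r.value.split(";")[0].strip() == ca for r in relevant)
```

Running `dig +short -t caa <name>` and feeding each output line to `parse_caa` gives the same record objects for a live domain.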

References

https://tools.ietf.org/html/rfc6844#section-5.1.1