DNS Certification Authority Authorization (CAA)

DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism that lets domain name holders indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name.

Because of a series of incorrectly issued certificates since 2001, trust in certificate authorities was damaged, and several security mechanisms were developed to track the mis-issuance of certificates. Certification Authority Authorization was one of these, with the purpose of blocking the mis-issuance of certificates on the certificate authority's side.

What is DNS Certification Authority Authorization Used For?
Certification Authority Authorization is implemented through CAA records, DNS records that specify which certificate authorities are allowed to issue certificates for a specific domain.

These CAA records allow the domain owners to specify which certificate authorities can issue certificates for the domain. They also provide a means of indicating notification rules if someone requests a certificate from a certificate authority other than those specified in the CAA record.

CAA records can set the policy for an entire domain or for specific hostnames, and they are inherited by subdomains: a certificate authority looks for CAA records at the requested name and, if none exist there, walks up to the parent names, so any subdomain without CAA records of its own is governed by the closest ancestor that has them.
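As an added example that is not part of the original page, the following Python models how a certificate authority evaluates CAA records before issuing, following the lookup and property rules of RFC 8659 (the current CAA specification). The zone data, hostnames, CA names and contact address are constructed for illustration; CNAME/DNAME alias following, which RFC 8659 also requires, is omitted to keep the example short. A domain owner can use the same logic to test a planned record set offline before publishing it.

```python
"""Evaluate CAA policy for a hostname against a constructed zone snapshot.

Added example, not code from the original page. Starting at the requested
name, walk toward the root and use the first name that has a CAA RRset;
names without their own CAA records inherit the closest ancestor's policy.
Alias (CNAME/DNAME) handling from RFC 8659 is deliberately omitted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int      # 128 = issuer-critical bit set
    tag: str        # "issue", "issuewild" or "iodef"
    value: str      # CA domain (optionally with parameters) or a contact URL


# Constructed sample zone data, keyed by fully qualified name (no trailing dot).
SAMPLE_ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),               # forbid wildcard certs entirely
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "lab.example.com": [
        CAARecord(0, "issue", "digicert.com"),        # subdomain overrides the parent policy
    ],
}


def relevant_caa_rrset(name, zone):
    """Return (owner, records) for the closest name at or above `name` that has
    CAA records, or (None, []) if nothing is found up to the root."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def _issuer_domain(value):
    # "ca.example; account=123" -> "ca.example"; a bare ";" means "no CA at all"
    return value.split(";", 1)[0].strip().lower()


def is_issuance_allowed(name, ca_domain, zone, wildcard=False):
    """Decide whether `ca_domain` may issue for `name` (or for `*.name`).

    RFC 8659 rules: with no relevant CAA RRset, any CA may issue. For wildcard
    requests, issuewild records take precedence; if none exist, issue records
    apply. An empty issuer (";") forbids every CA. A record carrying the
    critical flag with an unrecognised tag makes the CA refuse issuance."""
    _, records = relevant_caa_rrset(name, zone)
    if not records:
        return True
    for r in records:
        if r.flags & 128 and r.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"
    applicable = [r for r in records if r.tag.lower() == tag]
    if not applicable:
        # Only non-restricting properties (e.g. iodef) present: issuance permitted.
        return True
    allowed = {_issuer_domain(r.value) for r in applicable}
    allowed.discard("")
    return ca_domain.lower() in allowed


def notification_contacts(name, zone):
    """Return the iodef report targets (mailto:/https:) from the relevant RRset."""
    _, records = relevant_caa_rrset(name, zone)
    return [r.value for r in records if r.tag.lower() == "iodef"]


if __name__ == "__main__":
    checks = [("www.example.com", "letsencrypt.org", False),
              ("www.example.com", "digicert.com", False),
              ("example.com", "letsencrypt.org", True),
              ("lab.example.com", "digicert.com", False),
              ("unrelated.test", "anyca.example", False)]
    for host, ca, wild in checks:
        verdict = "ALLOW" if is_issuance_allowed(host, ca, SAMPLE_ZONE, wild) else "DENY"
        print(f"{host:20} {ca:18} {'wildcard' if wild else 'single':8} {verdict}")
```

Note that `www.example.com` has no records of its own and inherits `example.com`'s policy, while `lab.example.com` publishes its own `issue` record and therefore replaces the parent policy rather than adding to it; the `issuewild ";"` record on the apex blocks wildcard issuance by every CA even though single-name issuance stays open to the listed one.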

Why is DNS Certification Authority Authorization Important?
The main function of CAA records is to prevent, or at least reduce the risk of, certificate mis-issuance. This helps protect a domain, a business, or an online identity because a certificate authority that is not listed in the CAA record will refuse to issue TLS/SSL certificates for the domain, even when an attacker requests them.