Adding a domain you own to your DigitalOcean account lets you manage the domain’s DNS records with the control panel and API. Domains you manage on DigitalOcean also integrate with DigitalOcean Load Balancers and Spaces to streamline automatic SSL certificate management.
Certificate Authority Authorization (CAA) is a standard designed to prevent bad actors from creating unauthorized SSL/TLS certificates. CAA records specify which certificate authorities (CAs) can issue certificates.
Like other types of DNS records, CAA records can apply to an entire domain (like example.com
) or to specific subdomains (like assets.example.com
). Likewise, the lifespan of the record can be set with a Time To Live (TTL) value given in seconds.
CAA records have three additional fields: tags, values, and flags.
Tags are ASCII strings. Three tags are defined by the CAA standard. In addition to these, the CAA standard permits CAs to define their own tags. Each CAA record is limited to a single tag. The defined tags are:
issue
authorizes a single CA to issue any type of certificate for a specific hostname. To allow multiple CAs to issue certificates, each requires its own record.issuewild
authorizes a single CA to issue a wildcard certificate and only a wildcard certificate for a hostname. Again, to allow multiple CAs to issue certificates, each requires its own record.iodef
defines a URL where a CA can report policy violations. Each contact URL requires its own record.Values are strings associated with tags.
issue
and issuewild
tags, you’ll typically set the value to the domain name of the CA being granted permission by the record, such as letsencrypt.org
.iodef
you’ll supply a URL where policy violations should be reported. This may be the URL of a service set up specifically for this purpose or a mailto URI, such as mailto:[email protected]
.Flags are unsigned integers between 0 and 255. Currently this field is used to set an Issuer Critical flag, which specifies how a CA should behave when it encounters a tag it doesn’t understand.
The default flag is 0. When a CA requests the DNS record to issue a certificate, if there’s a tag that it doesn’t understand and the flag is set to 0, it will ignore that specific record and will continue to process any additional records.
However, if any record in the response has the Issuer Critical flag, 128, set and the CA doesn’t understand the tag in that record, then a standards-compliant CA must refuse to issue a certificate.
DigitalOcean DNS does not support the following CAA standard features:
;
) in the valueletsencrypt.org; abc=cde
You can learn more about the DNS Certification Authority Authorization (CAA) Resource Record in RFC 6844.
You can create a new CAA record from the Networking page. From the control panel, either open the Create menu and click Domains/DNS or click Networking in the left nav.
When you’re on the Networking page, click into the domain. From within the domain under the Create new record header, choose CAA. The CAA tab contains the fields you need to add CAA records.
We’re going to create a record that allows Let’s Encrypt to issue certificates for any hostname at digitalocean.love
HOSTNAME
To apply this record to the entire domain, we’ll enter @
.
AUTHORITY GRANTED FOR
Here, we enter the domain name for the Certificate Authority. In our case, that will be letsencrypt.org
TAG
Since we want to give permission for Let’s Encrypt to generate any kind of certificate, we’ll select the issue
tag from the dropdown.
FLAGS
We’ll accept the default of 0
.
TTL (SECONDS)
We’ll accept the default of 3600
.
When we click Create Record, the new CAA record appears at the top of the domain’s record set.
Issue tags are additive. If we want to allow another CA to grant certificates, we would need to add an additional record.
Wildcards are a catchall subdomain, *.digitalocean.love
. In the absence of an issuewild
record, any CA can issue wildcard certificates. In this example, we’ll add a record to permit a different certificate authority, Comodo, to issue wildcard certificates (and only wildcard certificates).
HOSTNAME
We’ll apply this to digitalocean.love
by entering @
.
AUTHORITY GRANTED FOR
Next we’ll enter Comodo’s domain name, comodoca.org
TAG
We’ll select the issuewild
tag from the dropdown.
FLAGS
We’ll accept the default of 0
.
TTL (SECONDS)
We’ll accept the default of 3600
.
Now that we’ve added Comodo, no other CA can issue wildcard certificates unless we add a record that explicitly allows them to.
We’re going to add an iodef
record so that CAs can contact us in the event of policy violations.
HOSTNAME
Enter @
to indicate this contact information is for the entire digitalocean.love
domain.
AUTHORITY GRANTED FOR
Next, we’ll enter the contact email in the format mailto:[email protected]
TAG
We’ll select the iodef
from the dropdown.
FLAGS
We’ll accept the default of 0
.
TTL (SECONDS)
We’ll accept the default of 3600
.
If a policy violation occurs, this record lets certificate authorities know whom to contact.