How to Manage CAA Records

Adding a domain you own to your DigitalOcean account lets you manage the domain’s DNS records with the control panel and API. Domains you manage on DigitalOcean also integrate with DigitalOcean Load Balancers and Spaces to streamline automatic SSL certificate management.


CAA Record Background Information

Certificate Authority Authorization (CAA) is a standard designed to prevent bad actors from creating unauthorized SSL/TLS certificates. CAA records specify which certificate authorities (CAs) can issue certificates.

Like other types of DNS records, CAA records can apply to an entire domain (like example.com) or to specific subdomains (like assets.example.com). Likewise, the lifespan of the record can be set with a Time To Live (TTL) value given in seconds.

CAA records have three additional fields: tags, values, and flags.

  • Tags are ASCII strings. Three tags are defined by the CAA standard. In addition to these, the CAA standard permits CAs to define their own tags. Each CAA record is limited to a single tag. The defined tags are:

    • issue authorizes a single CA to issue any type of certificate for a specific hostname. To allow multiple CAs to issue certificates, each requires its own record.
    • issuewild authorizes a single CA to issue a wildcard certificate and only a wildcard certificate for a hostname. Again, to allow multiple CAs to issue certificates, each requires its own record.
    • iodef defines a URL where a CA can report policy violations. Each contact URL requires its own record.
  • Values are strings associated with tags.

    • For the issue and issuewild tags, you’ll typically set the value to the domain name of the CA being granted permission by the record, such as letsencrypt.org.
    • For iodef you’ll supply a URL where policy violations should be reported. This may be the URL of a service set up specifically for this purpose or a mailto URI, such as mailto:[email protected].
  • Flags are unsigned integers between 0 and 255. Currently this field is used to set an Issuer Critical flag, which specifies how a CA should behave when it encounters a tag it doesn’t understand.

    The default flag is 0. When a CA requests the DNS record to issue a certificate, if there’s a tag that it doesn’t understand and the flag is set to 0, it will ignore that specific record and will continue to process any additional records.

    However, if any record in the response has the Issuer Critical flag, 128, set and the CA doesn’t understand the tag in that record, then a standards-compliant CA must refuse to issue a certificate.

Note

DigitalOcean DNS does not support the following CAA standard features:

  1. Blocking anyone from issuing certificates by sending a semicolon (;) in the value
  2. Allowing name-value tags after the CA name, for example: letsencrypt.org; abc=cde

You can learn more about the DNS Certification Authority Authorization (CAA) Resource Record in RFC 6844.

Creating CAA Records

You can create a new CAA record from the Networking page. From the control panel, either open the Create menu and click Domains/DNS or click Networking in the left nav.

When you’re on the Networking page, click into the domain. From within the domain under the Create new record header, choose CAA. The CAA tab contains the fields you need to add CAA records.

Create Issue Records

We’re going to create a record that allows Let’s Encrypt to issue certificates for any hostname at digitalocean.love

CAA record with issue values filled in
  1. HOSTNAME To apply this record to the entire domain, we’ll enter @.

  2. AUTHORITY GRANTED FOR Here, we enter the domain name for the Certificate Authority. In our case, that will be letsencrypt.org

  3. TAG Since we want to give permission for Let’s Encrypt to generate any kind of certificate, we’ll select the issue tag from the dropdown.

  4. FLAGS We’ll accept the default of 0.

  5. TTL (SECONDS) We’ll accept the default of 3600.

When we click Create Record, the new CAA record appears at the top of the domain’s record set.

Issue tags are additive. If we want to allow another CA to grant certificates, we would need to add an additional record.

Create Issuewild Records

Wildcards are a catchall subdomain, *.digitalocean.love. In the absence of an issuewild record, any CA can issue wildcard certificates. In this example, we’ll add a record to permit a different certificate authority, Comodo, to issue wildcard certificates (and only wildcard certificates).

CAA record with issuewild values filled in
  1. HOSTNAME We’ll apply this to digitalocean.love by entering @.

  2. AUTHORITY GRANTED FOR Next we’ll enter Comodo’s domain name, comodoca.org

  3. TAG We’ll select the issuewild tag from the dropdown.

  4. FLAGS We’ll accept the default of 0.

  5. TTL (SECONDS) We’ll accept the default of 3600.

Now that we’ve added Comodo, no other CA can issue wildcard certificates unless we add a record that explicitly allows them to.

Create Iodef Records

We’re going to add an iodef record so that CAs can contact us in the event of policy violations.

CAA record with iodef values filled in
  1. HOSTNAME Enter @ to indicate this contact information is for the entire digitalocean.love domain.

  2. AUTHORITY GRANTED FOR Next, we’ll enter the contact email in the format mailto:[email protected]

  3. TAG We’ll select the iodef from the dropdown.

  4. FLAGS We’ll accept the default of 0.

  5. TTL (SECONDS) We’ll accept the default of 3600.

If a policy violation occurs, this record lets certificate authorities know whom to contact.