How to setup DNS CAA


#1

Hello all,

I have seen since 2017 that CAA is madniated as a baseline requirement for the setup of a secure SSL site. How do i implement this?

Best regards,
Tom


#2

Hi @2e0eej

your dns - provider must support the dns record type 257.

Then you can add something like

Type CAA
yourdomain - issue letsencrypt

There are simple generators like

https://sslmate.com/caa/

But they don’t understand CAA definitions which are a little bit more complex. Something like my own

server-daten.de issue letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/35657966


#3

Hi @2e0eej,

The “baseline requirements” are rules that apply to certificate authorities, not to the people requesting certificates. They describe technologies that the CAs must support and rules that they must follow when issuing certificates.

From the user’s side, these requirements do not apply (which is a good thing, because they’re complex and detailed and most of them aren’t relevant to an individual certificate request).

You don’t need a CAA record in order to obtain or use a certificate. The CAA requirement is applied to certificate authorities: before issuing a new certificate, the CA has to check whether a CAA record is present, and, if so, obey the instructions in that record. If no CAA record is present, the CA doesn’t have to do anything different.

You can find out more about Let’s Encrypt’s implementation of CAA, and how to deal with any CAA-related errors that you may encounter when requesting a certificate from Let’s Encrypt, at

If you haven’t encountered a CAA error when trying to issue a certificate, you don’t have to do anything related to this at all!


#4

Where did you see this?


#5

I came across this at:

https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

" But that’s going to change, because the CA/Browser Forum recently voted to mandate CAA support as part of its certificate issuance standard Baseline Requirements. The changes will become effective in September 2017." This is the part that i got the details from.


#6

Thank you very much for clarifying that for me. :slight_smile:

–
Tom


#7

Thank you very much for clarifying this for me.


#8

Thank you for the link.
I think the “mandate” is on the CAs, not the entire community.
You are still free to use it or not.
All CAs, however, must.


#9

Ok thank you very much. That article was a bit vague on the subject to the clients perspective.
I am now on the hunt to find a DNS provider who supports the CAA certificate i having a feeling i am going have to host my own DNS server to add that particular record.

–
Tom


#10

It shouldn’t be that hard to find one.
Most DNS providers use BIND; which supports CAA records.

Even the Windows DNS I use support CAA records - LOL
It is almost 2019, I think every DNS system probably supports it now.

Best of luck.


#11

Thank you very much,

I am also interested in setting up my own DNS server just for the hell of it.
My current provider uses BIND i think but they only let you add certain records from the online control panel so i might contact them to see if they will add it for me.

–
Tom


#12

Sounds like a fun/learning experience.
Feel free to reach out if you run into any (DNS) walls.


#13

Will do.

I have just got started in the world of networking and server hosting and loving every second of it except when apache decides its not going to work but except that it is great fun.

Hopefully i wont run into any walls real or not :joy:.

–
Tom


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.