The aim of this page is to explain Certificate Authority Authorization (CAA) DNS records and how they function. Why? Because I am having an issue creating a TLS cert with Traefik as the CAA record of the vendor is not listing Let's Encrypt as an allowed Certificate Authority.
- CAA records authorize specific Certificate Authorities (CAs) to issue SSL/TLS certificates for a domain.
- Enhances security by preventing unauthorized CAs from issuing certificates.
- Contains fields: Flags, Tag, and Value.
- Flags: Integer value, typically 0.
- Tag: Specifies the type of policy, e.g.,
issue,issuewild,iodef. - Value: Domain of the authorized CA.
- Real-world example:
doggo CAA google.com
NAME TYPE CLASS TTL ADDRESS NAMESERVER
google.com. CAA IN 9550s 0 issue "pki.goog" 8.8.8.8:53
- The record type is Defined in RFC 8659.