CAA Record
CAA is a relatively new DNS record type. It specifies which certificate authorities are allowed to issue a certificate for the domain. It is primarily a mechanism for certificate authorities to check, before issuing, that they are not issuing a certificate erroneously.
Structure
$ dig google.com caa +short
0 issue "pki.goog"
0 issue "symantec.com"
The first number (the flags field) has a special meaning for certificate authorities. 0 means that they can issue a certificate. A different number usually means some kind of problem, so a certificate will not be issued.
The next property is issue. It denotes which authority is allowed to issue a certificate. issuewild has the same meaning, but for wildcard certificates. iodef sets the email address where the CA should send a notification about issuing a certificate (not all CAs support this).
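To make the structure above concrete, here is an added example (not part of the original page) that parses `dig ... caa +short` output into flags/tag/value triples and decides whether a given CA may issue. It goes slightly beyond the page: the wildcard handling (issuewild takes precedence over issue when present, otherwise issue applies) and the meaning of the critical flag bit 128 on unknown tags follow RFC 8659 rather than the text above. The sample record set and the CA names are constructed for the example.

```python
"""Parse dig-style CAA records and decide whether a CA may issue.

Added example, not code from the original page. The issue/issuewild
precedence rule and the critical flag (bit 128) follow RFC 8659.
"""
import re
from dataclasses import dataclass

# One line of `dig <name> caa +short`: <flags> <tag> "<value>"
CAA_LINE = re.compile(r'^(\d+)\s+([a-zA-Z0-9]+)\s+"([^"]*)"$')
CRITICAL_FLAG = 0x80  # "issuer critical" bit of the flags byte (RFC 8659)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample: the two google.com records from the page plus an
# issuewild that forbids all wildcard issuance and an iodef contact.
SAMPLE_DIG_OUTPUT = """
0 issue "pki.goog"
0 issue "symantec.com"
0 issuewild ";"
0 iodef "mailto:caa-reports@example.com"
"""


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL_FLAG)


def parse_caa(dig_output: str) -> list[CAARecord]:
    """Parse every non-empty line of dig +short output into a CAARecord."""
    records = []
    for line in dig_output.strip().splitlines():
        m = CAA_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable CAA line: {line!r}")
        flags, tag, value = m.groups()
        records.append(CAARecord(int(flags), tag.lower(), value))
    return records


def issuer_domain(value: str) -> str:
    """Strip optional parameters: 'pki.goog; accounturi=...' -> 'pki.goog'.
    A bare ';' yields '' which matches no real CA, i.e. nobody may issue."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(records: list[CAARecord], ca: str, wildcard: bool = False) -> bool:
    """Return True if the CA identified by `ca` is allowed to issue.

    Rules applied:
    - a critical record whose tag the checker does not understand: refuse
    - wildcard request: issuewild records win when any exist, else issue
    - no relevant issue/issuewild record at all: CAA does not restrict
    """
    if any(r.critical and r.tag not in KNOWN_TAGS for r in records):
        return False
    relevant_tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        relevant_tag = "issuewild"
    relevant = [r for r in records if r.tag == relevant_tag]
    if not relevant:
        return True
    return ca.lower() in {issuer_domain(r.value) for r in relevant}


def iodef_contacts(records: list[CAARecord]) -> list[str]:
    """Collect iodef report addresses (mailto:/https: URIs)."""
    return [r.value for r in records if r.tag == "iodef"]


if __name__ == "__main__":
    recs = parse_caa(SAMPLE_DIG_OUTPUT)
    for ca in ("pki.goog", "letsencrypt.org"):
        print(ca, "plain:", may_issue(recs, ca),
              "wildcard:", may_issue(recs, ca, wildcard=True))
    print("report to:", iodef_contacts(recs))
```

Note that a real CA also climbs the DNS tree (checking parent names when the exact name has no CAA RRset); this example only evaluates one already-fetched RRset.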