TIL: The Existence of the DNS Certification Authority Authorization Field

Tags: Today I learned, Networking, System Administration

While migrating my blog to use S3 and CloudFormation, I needed to generate a new certificate using the AWS Certificate Manager. However, even after creating the correct DNS records and waiting for them to propagate, AWS was not accepting my generation request without providing any reason.

After spending a lot of time trying to understand what was happening, I discovered that the validation was failing because I had not allowed Amazon’s Certificate Authority to issue an SSL certificate for my domain name, which should have been done by adding a CAA (Certification Authority Authorisation) DNS record.

What is the CAA Field Used For?

CAA DNS entries let a domain owner specify which Certificate Authorities are allowed to issue certificates for that domain. The aim is to help prevent certificate mis-issuance.

CAA Configuration

Let’s look at a basic example. The following is an extract of the output from the command dig CAA:

            16      IN      CAA     0 issuewild ""
            16      IN      CAA     0 iodef "mailto:[redacted to prevent crawling]"
            16      IN      CAA     0 issue ""
            16      IN      CAA     0 issue ""

The response says that both Amazon and Let’s Encrypt can issue certificates for the domain and its subdomains, but only Let’s Encrypt can issue wildcard certificates. If a Certificate Authority receives a request it is not authorised to fulfil, it should report it to the specified email address. The 0 is the flags field (issue, issuewild and iodef are tags): it tells CAs that they may ignore an entry they don’t understand and simply move on to the next one.

Flags

There are two possible flag values:

  • 0 (non-critical) is the default. If a CA doesn’t understand an entry, it can simply ignore it
  • 1 (critical) tells the CA that it must not proceed with issuing the certificate if it doesn’t understand the property, and that it must notify the owner of the failure (using the contact given in the iodef entries)

CAA Scope

In our example, all entries have been defined for, but we can also define entries for specific domains such as or

Rules are applied from the most to the least specific name: if we want to generate a certificate for, CAs will first check whether any rules exist for. If not, they will check whether there are any for, and then finally for.

Another thing to note is that if you only have issue entries, the listed CAs are also allowed to issue wildcard certificates. However, as soon as you have issuewild entries, only the CAs listed in those entries can issue wildcard certificates.

A final interesting property is that if you only create an issue entry whose value is ";", then no one is allowed to issue a certificate for the specified domain (whereas if there are no CAA entries at all, everyone is).
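To tie the lookup order, the flags and the issue/issuewild rules together, here is an added example (not part of the original post) that evaluates an issuance request against an in-memory zone. The zone data, the names example.com, amazon.com and letsencrypt.org as CA identifiers, and the function names are all constructed for this illustration; a real check would query DNS instead of the ZONE dict.

```python
from typing import Dict, List, Optional, Tuple

# CAA record = (flags, tag, value). This zone is constructed for the example
# and is not the post's real DNS data. Flags: the "1 (critical)" described in
# the post is bit 0 of the flags octet, which dig prints as 128.
CAA = Tuple[int, str, str]
CRITICAL = 128
ZONE: Dict[str, List[CAA]] = {
    "example.com.": [
        (0, "issue", "amazon.com"),
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "letsencrypt.org"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com.": [(0, "issue", ";")],             # nobody may issue
    "strict.example.com.": [(CRITICAL, "futuretag", "x")],  # unknown critical tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def find_caa(name: str) -> Tuple[Optional[str], List[CAA]]:
    """Climb from the most specific name upwards; the first node with CAA records governs."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        node = ".".join(labels[i:]) + "."
        if ZONE.get(node):
            return node, ZONE[node]
    return None, []

def issuer_of(value: str) -> str:
    # "letsencrypt.org; validationmethods=dns-01" -> "letsencrypt.org"; ";" -> ""
    return value.split(";", 1)[0].strip()

def may_issue(ca: str, name: str) -> Tuple[bool, str]:
    """Decide whether `ca` may issue a certificate for `name` ("*.x" = wildcard)."""
    wildcard = name.startswith("*.")
    node, rrset = find_caa(name[2:] if wildcard else name)
    if not rrset:
        return True, "no CAA records found: issuance is unrestricted"
    for flags, tag, _ in rrset:
        if tag not in KNOWN_TAGS and flags & CRITICAL:
            return False, f"unknown critical tag {tag!r} at {node}: must not issue"
    issue = [issuer_of(v) for _, t, v in rrset if t == "issue"]
    issuewild = [issuer_of(v) for _, t, v in rrset if t == "issuewild"]
    # issuewild governs wildcards only when present; otherwise issue covers them too
    governing = issuewild if wildcard and issuewild else issue
    if not governing:
        return True, f"no issue/issuewild tags at {node}: issuance is unrestricted"
    if ca in governing:
        return True, f"{ca} authorised by {node}"
    return False, f"{ca} not listed at {node}"
```

Running may_issue("amazon.com", "*.example.com") reproduces the post's situation: Amazon may issue for the domain and its subdomains but not a wildcard, because issuewild names only Let’s Encrypt.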

Credits

  • Cover photo by Scott Rodgerson on Unsplash