Make the most of the CAA DNS document to authorize CA to problem the TLS certificates.
What’s DNS CAA?
CAA is likely one of the DNS document varieties that instructs the CA whether or not or to not problem a certificates. In different phrases, you let the world know who ought to problem your area SSL/TLS certificates. CAA implementation grew to become obligatory in late 2017, so it’s comparatively new and fewer than 5% of in style websites have carried out it.
Let’s take an instance: Geekflare owns a web site known as “gf.dev”, which has the next CAA document.
gf.dev. 3586 IN CAA 0 problem "digicert.com; cansignhttpexchanges=sure"
gf.dev. 3586 IN CAA 0 issuewild "comodoca.com"
gf.dev. 3586 IN CAA 0 problem "comodoca.com"
gf.dev. 3586 IN CAA 0 issuewild "digicert.com; cansignhttpexchanges=sure"
gf.dev. 3586 IN CAA 0 issuewild "letsencrypt.org"
gf.dev. 3586 IN CAA 0 problem "letsencrypt.org"Trying on the outcomes above, I can solely get the certificates from DigiCert, Comodo and Let’s encrypt. If I ask Thawte or one other CA to problem a certificates for gf.dev, then they cannot. And when you concentrate, you will discover there’s some enter downside and somewhat downside recreation. Let’s discover out what they’re.
- problem – instruct the CA to problem the certificates just for that area.
- issuewild – CA can problem the wildcard certificates in order that it may be utilized in a site or subdomain.
CAA document additionally helps jodef (Incident object description change format) that permits CA to ship a violation report back to the required electronic mail or contact info.
What occurs if no CAA document is discovered?
If a site doesn’t have a CAA document, anybody can generate a CSR for that area and have the certificates signed by any CA. It is a safety threat.
Is it clear now?
There are a number of abbreviations I used above. Let’s have a look at what they’re.
- DNS – Area Title System
- CA – Certificates Authority
- CAA – Certification Authority Authorization
- TLS – Transport Layer Safety
- SSL – Safe socket layer
How do I test the DNS CAA document?
There are a number of methods to validate the CAA document. In the event you do not wish to depart your terminal, you possibly can test with the dig command.
dig caa $YOURWEBSITE.COMInstance from geekflare.com
root@bestnich:~# dig caa geekflare.com
; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> caa geekflare.com
;; international choices: +cmd
;; Obtained reply:
;; ->>HEADER<<- opcode: QUERY, standing: NOERROR, id: 54430
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: model: 0, flags:; udp: 65494
;; QUESTION SECTION:
;geekflare.com. IN CAA
;; ANSWER SECTION:
geekflare.com. 3600 IN CAA 0 issuewild "comodoca.com"
geekflare.com. 3600 IN CAA 0 issuewild "letsencrypt.org"
geekflare.com. 3600 IN CAA 0 problem "comodoca.com"
geekflare.com. 3600 IN CAA 0 problem "digicert.com; cansignhttpexchanges=sure"
geekflare.com. 3600 IN CAA 0 problem "letsencrypt.org"
geekflare.com. 3600 IN CAA 0 issuewild "digicert.com; cansignhttpexchanges=sure"
;; Question time: 7 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Oct 08 07:12:21 UTC 2019
;; MSG SIZE rcvd: 298
root@bestnich:~#If you need to check this remotely, you should utilize the web DNS CAA Tester instrument.
Tips on how to add a CAA document?
Technically, this is similar manner you add different DNS information akin to A, NS, CNAME, and so forth.
If you’re utilizing Cloudflare, go to the DNS tab >> add a document and choose CAA as the kind.
For GoDaddy, go to DNS Supervisor and add a document
If you’re undecided learn how to add, please contact your DNS/internet hosting supplier for help.
Conclusion
If not already, you must benefit from the CAA document so as to add a layer of area safety. Including a CAA document prices you nothing.