Products
Edge AI
AI Training
GPU Cloud
GPU CloudBoost AI/ML training with servers powered by NVIDIA
AI Inference
Inference at the Edge
Inference at the EdgeAccelerate your ML model inference for fast global performance
AI Applications
Image Generator
Image GeneratorCreate realistic and stunning images with ease
Speech-to-Text Translator
Speech-to-Text TranslatorTranslate from English to Luxembourgish seamlessly
Edge Cloud
Compute
Basic VMs
Basic VMsManage workloads on affordable shared virtual servers
Virtual Machines
Virtual MachinesRun apps on customizable dedicated virtual servers
Bare Metal
Bare MetalDeploy apps on powerful dedicated physical servers
Containers
Managed Kubernetes
Managed KubernetesDeploy, manage, and scale Kubernetes clusters easily
Container as a Service
Container as a ServiceRun containerized apps without server provisioning
Function as a Service
Function as a ServiceExecute serverless code functions efficiently
Networking
Load Balancer
Load BalancerRoute traffic optimally to improve app performance
5G Network
5G NetworkDeploy apps and securely connect mobile devices via 5G
Virtual Private Cloud
Virtual Private CloudManage resources in a secure isolated private cloud
Hosting
Virtual Servers
Virtual ServersHost on virtual servers with no traffic restrictions
Dedicated Servers
Dedicated ServersHost on physical servers with worldwide availability
Storage
Object Storage
Object StorageStore data in fast and scalable S3-compatible storage
File Shares
File SharesShare files across servers easily using NFS protocol
Databases
Managed PostgreSQL
Managed PostgreSQLProvision fully managed PostgreSQL databases with ease
Monitoring
Managed Logging
Managed LoggingCollect, store, and analyze application logs
About Edge Cloud
Edge Network
Application Performance
CDN
CDNAccelerate dynamic and static content delivery
FastEdge
FastEdgeDeploy serverless apps with low-latency edge computing
Media Delivery
Video Streaming
Video StreamingDeliver high-quality live and on-demand video at scale
DNS
Managed DNS
Managed DNSEnsure application availability with authoritative DNS
Public DNS
Public DNSProtect online privacy with a free DNS resolver
About Edge Network
Edge Security
Network Security
DDoS Protection
DDoS ProtectionProtect your infrastructure from evolving DDoS attacks
Application Security
Web Application Security
Web Application SecuritySafeguard web resources against attacks and threats
WAAP
WAAPSecure apps and APIs from DDoS, bots and OWASP attacks
Solutions
By Industry
Gaming
CDN for Gaming
Game Server Protection
Game Development
Retail
CDN for E-commerce
Media & Entertainment
CDN for Video
Metaverse Streaming
TV & Online Broadcasters
Sport Broadcasting
Online Events
Financial Services
Cloud for Financial Services
Technology
Image Optimization
Web Acceleration
Wordpress CDN
Education
Online Education
By Need
Web Acceleration
Web Acceleration
Image Optimization
Wordpress CDN
Security
Game Server Protection
Video Streaming
CDN for Video
Video Hosting
Live Streaming
Availability
Multi-CDN
Cloud
Web Service
Game Development
Online Store
Migration to the Cloud
ERP in the Cloud
Pricing
Resources
Resources
Blog
Customer Stories
White Papers
Events
Documentation
Docs
API
Product Roadmap
Help Center
Gcore Status
Tools
Looking Glass
Speed Test
Developer Tools
Partners
Partners
Intel
Intel | New CPU Generation
Intel | Ice Lakes
Hesp
Equinix
InData Labs
Ampere
Unum
Programs
White Label Solutions
Referral Program
Why Gcore
Company
About Gcore
Press
Awards
Careers
Legal Information
Platform
Network
Infrastructure
Internet Peering Points
Compliance
Under attack?Under attack?
en
Contact usContact us
Contact us

Select the Gcore Platform

Recommended
Gcore Edge Solutions Go to Gcore Platform → Go to Gcore Platform →

Products:

  • Edge Delivery (CDN)
  • DNS with failover
  • Virtual Machines
  • Bare Metal
  • Cloud Load Balancers
  • Managed Kubernetes
  • AI Infrastructure
  • Edge Security (DDOS+WAF)
  • FaaS
  • Streaming
  • Object Storage
  • ImageStack (Optimize and Resize)
  • Edge Compute (Coming soon)
Show full list
Gcore Hosting Go to Gcore Hosting →
  1. Home
  2. Learning
  3. Why CAA Records Matter

Why CAA Records Matter

June 13, 2023 3 min read
Why CAA Records Matter

CAA records for DNS help people who own domain names control who can make certificates for their domain. This stops people who shouldn’t have them from getting digital certificates and makes your website’s domain more secure. This writing will tell you more about CAA records.

What is a CAA Record?

A CAA record, or Certification Authority Authorization record, is a type of DNS record. It lets a person who owns a domain name choose which Certificate Authorities (CAs) can make certificates for their domain.

On the internet, a certificate (also called a digital certificate or SSL/TLS certificate) is used to show that a public key belongs to someone. It has details about the key, who owns it, and a digital signature from a Certificate Authority (CA) which has checked that the certificate is right.

CAA records help domain owners set rules about who can make certificates for their domain. This makes the domain more secure.

How Does a CAA Record Work?

Imagine you own a house and want to make it safe. You could put in a security system and choose a specific security company to look after it. In this picture, your house is your domain, the security system is the SSL/TLS certificate, and the security company is the Certificate Authority. A CAA record is like a list of approved security companies that you put on your front door.

When a CA gets ready to make a certificate, it first looks at the CAA record for the domain. If the CA sees itself on the CAA record, it can go ahead and make the certificate. If it’s not on the record, it has to say no to the certificate request. This gives domain owners more control and helps stop certificates from being made when they shouldn’t be.

How to Use CAA Records

To use a CAA record, you add the record to your DNS setup. The record has parts like flags, tags, and values, which help set the policy. The most common tags are ‘issue’, ‘issuewild’, and ‘iodef’:

  • issue: This tag says which CA can make a certificate for your domain
  • issuewild: This tag says which CA can make a wildcard certificate for your domain. Wildcard certificates make the domain and its subdomains safe
  • iodef: This tag is used to report when a policy is broken. It gives a URL where the CA can send reports if they find any breaking of your rules

What Does a CAA Record Look Like?

Here’s an example of a CAA record for a made-up domain, example.com:

example.com.    IN   CAA   0 issue "letsencrypt.org"

This is a basic CAA record. Here’s what each part means:

  • example.com.: This is the domain for the CAA record
  • IN: This stands for Internet – it’s the class of the DNS record
  • CAA: This tells us the type of DNS record – in this case, a Certification Authority Authorization record
  • 0: This is the flag. Most CAA records have a flag of 0. It can be set to 1 to mean “critical”. This means that any Certificate Authority that doesn’t know about CAA records should not make a certificate. Since many older CAs don’t know about CAA records, this flag is usually set at 0
  • issue: This is the tag of the record. Here, it’s issue, which means the record is saying which CA can make certificates (non-wildcard) for this domain
  • “letsencrypt.org”: This is the value, which shows the authorized Certificate Authority. In this example, only Let’s Encrypt (letsencrypt.org) can make certificates for example.com

You can add an iodef record for more protection. It looks like this:

example.com.    IN   CAA   0 iodef "mailto:security@example.com"

In this, iodef is the tag. It shows a way to report certificate requests that break the security rules. The value “mailto:security@example.com” means that rule breaks should be reported by email to security@example.com.

So, with these two CAA records, only Let’s Encrypt can make certificates for example.com. If anyone breaks this rule, they should report it to security@example.com.

Conclusion

Looking for reliable, high-performance DNS hosting? Choose Gcore DNS Hosting for fast and resilient DNS services:

  • Global latency averaging 30 ms
  • Anycast routing
  • Multiple load balancing options, including Geobalancing
  • Free-forever through enterprise-grade plans

Try for free

Table of contents

Try Gcore DNS

Why CAA Records Matter

Related articles

How to Spot and Stop a DDoS Attack
How to Spot and Stop a DDoS Attack
The faster you detect and resolve a DDoS (distributed denial-of-service) attack, the less damage it can do to your business. Read on to learn how to identify the signs of a DDoS attack, differentiate it from other issues, and implement effective protection strategies to safeguard your business. You’ll also discover […]
July 24, 2024 3 min read
Improve Your Privacy and Data Security with TLS Encryption on CDN
Improve Your Privacy and Data Security with TLS Encryption on CDN
The web is a public infrastructure: Anyone can use it. Encryption is a must to ensure that communications over this public infrastructure are secure and private. You don’t want anyone to read or modify the data you send or receive, like credit card information when paying for an online service. […]
July 16, 2024 4 min read
How Edge AI Solves 5 AI Inference Workload Challenges
How Edge AI Solves 5 AI Inference Workload Challenges
AI workloads are all the computational processes required to run AI behind the scenes, including during training and inference. These intensive workloads require massive computational resources, making them expensive, complex, and slow to run. At least, that’s the case when using a traditional cloud AI infrastructure. Edge AI is a […]
July 4, 2024 4 min read
Real-Life Applications of Low-Latency Edge Inference
Real-Life Applications of Low-Latency Edge Inference
Businesses using AI are encountering a major challenge: latency. It’s frustrating for customers when they’re kept waiting for a chatbot to process their ecommerce return, stuck with a jittery, lagging game, or reading TV subtitles that are a few seconds behind the action. Enter edge AI. This powerful technology minimizes […]
July 1, 2024 6 min read
What Is Serverless Computing?
What Is Serverless Computing?
Serverless computing is a cloud model in which developers can write and run code without needing to buy, manage, or maintain servers. Despite its name, serverless computing still involves servers, but all the underlying infrastructure—servers, operating systems, virtual machines, and containers—is managed by a cloud service provider. Users normally pay […]
June 28, 2024 8 min read
What Is WebAssembly (Wasm)?
What Is WebAssembly (Wasm)?
WebAssembly (Wasm) is transforming web development by enabling high-performance applications in web browsers. Key benefits of Wasm include near-native performance, low overhead, and high portability, making it suitable for diverse applications from gaming and machine learning to IoT and edge computing. This article will explore how Wasm works, its benefits, […]
June 25, 2024 7 min read
What Is Brotli Compression? | How Does It Work?
What Is Brotli Compression? | How Does It Work?
Data compression is essential in today’s data-driven environment since it makes data storage cheaper and data transfer quicker. In 2015, Google introduced Brotli, an open-source, lossless data compression algorithm. The Brotli algorithm offers higher compression ratios, faster speeds, and more efficient memory usage than other popular compression algorithms. Let’s take […]
June 18, 2024 3 min read
What Is Edge Artificial Intelligence? How Does Edge AI Work?
What Is Edge Artificial Intelligence? How Does Edge AI Work?
Edge artificial intelligence (edge AI) refers to the deployment of AI algorithms close to the data source or user. This approach allows data processing and inference to occur without relying on central cloud servers, resulting in faster and more efficient AI inference and lower latency for end users. Keeping data […]
June 17, 2024 5 min read

Subscribe
to our newsletter

Get the latest industry trends, exclusive insights, and Gcore
updates delivered straight to your inbox.
Subscribe