The DNS CAA

What is the DNS CAA?


The DNS CAA, for Domain Name System Certification Authority Authorization, is a DNS specification that allows the holder of a domain name to create a whitelist of the certification authorities it authorizes to issue certificates for its websites.

What is the DNS CAA used for?


The DNS CAA was created to let a domain owner add a further layer of security to the issuance of certificates for the websites it manages.


Indeed, for each of its websites, the owner can specify the list of certification authorities authorized to issue certificates for it.


The advantage of such a system has become significant with the growth of certificates generated "on the fly". These certificates are issued without any verification of the domain holder (existence of the company, validation of identities, ...). It is therefore easy for anyone to request a certificate for a domain that does not belong to them.


The DNS CAA therefore allows a domain name holder to specify the authorities it trusts, in particular those that verify the identity of the website's owner.
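As an added illustration (not part of this page and not Certigna's own code), the following Python model shows the check a certification authority performs against CAA records before issuing: it climbs from the requested name towards the root until it finds a CAA record set, then decides whether the requesting CA is listed, following the lookup rules of RFC 8659. The zone data is constructed for the example, and the CA identifiers other than certigna.fr are placeholders.

```python
# Added example: a minimal model of CAA evaluation by a CA (RFC 8659 lookup).
# The zone below is constructed for the demonstration; it is not real DNS data.

from typing import Dict, List, Tuple

# A CAA record as (flags, tag, value).
CaaRecord = Tuple[int, str, str]

# Constructed sample zone: only some names carry a CAA record set.
SAMPLE_ZONE: Dict[str, List[CaaRecord]] = {
    "example.com.": [(0, "issue", "certigna.fr")],
    "strict.example.com.": [(0, "issue", ";")],        # ";" forbids issuance by any CA
    "wild.example.com.": [
        (0, "issue", "certigna.fr"),
        (0, "issuewild", "other-ca.example"),         # placeholder CA identifier
    ],
}


def relevant_caa_set(zone: Dict[str, List[CaaRecord]], fqdn: str) -> List[CaaRecord]:
    """Climb from fqdn towards the root and return the first non-empty CAA RRset.

    An empty list means no CAA record exists anywhere on the path, in which
    case CAA places no restriction on issuance.
    """
    name = fqdn if fqdn.endswith(".") else fqdn + "."
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate, [])
        if rrset:
            return rrset
    return []


def issuance_permitted(zone: Dict[str, List[CaaRecord]], fqdn: str,
                       ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether the CA identified by ca_domain may issue for fqdn.

    - With no CAA records on the path, any CA may issue.
    - For wildcard requests, "issuewild" records take precedence when present;
      otherwise the "issue" records apply. For non-wildcard names "issuewild"
      is ignored.
    - A value of ";" (no CA domain) forbids issuance by everyone.
    - The CA domain comparison is case-insensitive; parameters after ";" are
      ignored in this simplified model.
    """
    rrset = relevant_caa_set(zone, fqdn)
    if not rrset:
        return True
    tag = "issue"
    if wildcard and any(r[1].lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    props = [r[2] for r in rrset if r[1].lower() == tag]
    if not props:
        # Records exist but none carry the relevant tag: CAA does not restrict.
        return True
    for value in props:
        domain = value.split(";", 1)[0].strip().lower()
        if domain and domain == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    for name, ca, wild in [("www.example.com.", "certigna.fr", False),
                           ("www.example.com.", "other-ca.example", False),
                           ("strict.example.com.", "certigna.fr", False),
                           ("wild.example.com.", "certigna.fr", True)]:
        print(name, ca, "wildcard" if wild else "", "->",
              "permitted" if issuance_permitted(SAMPLE_ZONE, name, ca, wild) else "refused")
```

Run as a script, the block prints one verdict per sample request; the important behaviour to notice is that a record on example.com. governs every name beneath it that has no CAA set of its own.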


How does Certigna manage the DNS CAA?


As an authority qualified under ETSI and RGS and following the recommendations of the CA/B Forum, Certigna systematically carries out checks before issuing a certificate.


These checks confirm the existence of the company and verify the identity of the requester and of the company's legal representative. Certigna therefore reserves the right to issue a certificate even though it does not appear in the list of authorized authorities.


In this case, the certificate requester is informed during the validation process.


How do I add Certigna to my list of authorized authorities?


Note that this record type is recent and may not yet be supported by your server; we invite you to contact your host or network administrator for more information.


Several syntaxes exist for adding a DNS CAA record, depending on your server:



Syntax n°1

example.com. IN  CAA 0 issue "certigna.fr"

Syntax n°2

example.com. IN  TYPE257 \# 18 000569737375656365727469676e612e6672

Syntax n°3

0 issue "certigna.fr"
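Syntax n°2 is the RFC 3597 generic form of the same record: the hexadecimal string is the raw RDATA (one flags byte, one tag-length byte, the tag, then the value), which is how the record is expressed on servers that do not yet know type 257. The following Python converter, an added example that is not part of this page or of Certigna's tooling, produces syntax n°2 from the flags, tag and value of syntax n°1 and parses it back, rejecting records whose declared length does not match the data.

```python
# Added example: conversion between CAA presentation form (syntax n°1) and
# RFC 3597 generic form (syntax n°2, "TYPE257 \# <length> <hex>").

CAA_TYPE_CODE = 257  # DNS RR type code assigned to CAA


def caa_wire_bytes(flags: int, tag: str, value: str) -> bytes:
    """Build the CAA RDATA: 1 byte flags, 1 byte tag length, tag, then value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    tag_bytes = tag.encode("ascii")
    if not 1 <= len(tag_bytes) <= 255 or not tag_bytes.isalnum():
        raise ValueError("tag must be 1-255 alphanumeric ASCII characters")
    return bytes([flags, len(tag_bytes)]) + tag_bytes + value.encode("utf-8")


def to_generic(flags: int, tag: str, value: str) -> str:
    """Render the RDATA in RFC 3597 generic syntax, e.g. 'TYPE257 \\# 18 0005...'."""
    rdata = caa_wire_bytes(flags, tag, value)
    return f"TYPE{CAA_TYPE_CODE} \\# {len(rdata)} {rdata.hex()}"


def from_generic(text: str):
    """Parse 'TYPE257 \\# <len> <hex...>' back into (flags, tag, value).

    The hex may be split into several whitespace-separated groups, as RFC 3597
    allows. The type code and declared length are validated so a malformed
    record is rejected rather than silently mis-decoded.
    """
    parts = text.split()
    if len(parts) < 3 or parts[0].upper() != f"TYPE{CAA_TYPE_CODE}" or parts[1] != "\\#":
        raise ValueError("not a generic CAA record")
    declared_len = int(parts[2])
    rdata = bytes.fromhex("".join(parts[3:]))
    if len(rdata) != declared_len:
        raise ValueError(f"length mismatch: declared {declared_len}, got {len(rdata)}")
    if declared_len < 2:
        raise ValueError("RDATA too short for a CAA record")
    flags, tag_len = rdata[0], rdata[1]
    if 2 + tag_len > len(rdata):
        raise ValueError("tag length exceeds RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("utf-8")
    return flags, tag, value


def to_presentation(flags: int, tag: str, value: str, owner: str = "example.com.") -> str:
    """Render syntax n°1: '<owner> IN CAA <flags> <tag> "<value>"'."""
    return f'{owner} IN CAA {flags} {tag} "{value}"'


if __name__ == "__main__":
    generic = to_generic(0, "issue", "certigna.fr")
    print(generic)                                  # syntax n°2 as shown above
    print(to_presentation(*from_generic(generic)))  # round trip back to syntax n°1
```

The 18-byte length and the hex string produced for `0 issue "certigna.fr"` are exactly those of syntax n°2 above, which is a convenient way to double-check a hand-written generic record before loading it into a zone.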


Here is a non-exhaustive list of servers supporting the DNS CAA, with the syntax to use:
  • BIND: syntax n°2 before version 9.9.6, syntax n°1 from version 9.9.6
  • NSD: syntax n°2 before version 4.0.1, syntax n°1 from version 4.0.1
  • PowerDNS: syntax n°1 from version 4.0.0
  • Knot DNS: syntax n°1 from version 2.2.0
  • Windows Server 2016: syntax n°2
  • Tinydns: syntax n°3
  • Google Cloud DNS: syntax n°3
  • DNSimple: syntax n°3