CAA stands for “Certification Authority Authorization”. This Resource Record determines which CAs (Certificate Authorities) are authorized to issue SSL certificates for the Internet domain administrated by you.
Although the CAA Resource Record is not mandatory, it is designed to protect you since it prevents the unauthorized TLS certificates from being issued for one of your Internet domains. If there is no CAA Resource Record, any CA can issue a TLS certificate for your domain.
The specification of the D-TRUST CA in your CAA Resource Record ensures that no unauthorized TLS certificates can be issued for one of your Internet domains.
Examples of a CAA Resource Record specifying D-TRUST as the authorized CA:
- All TLS certificate types (including wildcards)
example.com. CAA 0 issue “d-trust.net”
- Wildcard TLS certificates only
example.com. CAA 0 issuewild “d-trust.net”
The first entry applies to all TLS certificate types, the second to wildcard TLS certificates only. If you wish to obtain all TLS certificate types from one CA, the first entry is sufficient. For more in-depth information, please refer to RFC 6844.
Where is the entry made?
You can enter a corresponding CAA record in the DNS configuration of your domain provider (for instance, 1und1, Strato, etc.).
NOTE: Please note that D-TRUST GmbH will be unable to issue any TLS certificates to you if your CAA Resource Record contains any CA other than D-TRUST GmbH.