What are CAA Records?
Certification Authority Authorization (CAA) records let you specify which certificate authorities (CAs)
are permitted to issue SSL/TLS certificates for your domain. This is an important security measure that helps prevent unauthorized certificate issuance.
How This Tool Works:
- The tool queries the CAA record (TXT record) for your domain.
- It parses each record into three components: flag, tag, and value.
- It then analyzes the parsed data:
  - It lists the authorized CA(s) from the "issue" tag.
  - It checks for an "issuewild" tag, which controls wildcard certificate issuance.
  - It verifies whether an "iodef" tag is present for reporting certificate issuance incidents.
Interpreting the Results:
Example Raw Output:
In this example:
- Flag: 0 (the standard value; the critical bit is not set).
- Tag: issue, meaning that only the specified CA is authorized.
- Value: "letsencrypt.org" — only Let's Encrypt is allowed to issue certificates.
Recommendations:
- If no CAA record is found, it’s recommended to add one to restrict which CAs can issue certificates.
- If a record exists, ensure that the "issue" tag authorizes only trusted CAs.
- Consider adding an iodef tag so that reports of unauthorized certificate requests can be sent to an email address or URL you specify.
- Review wildcard settings (issuewild) to ensure they match your certificate issuance policy.
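The parsing and analysis steps described above, together with the recommendation checks, as an added example written for this page (not the tool's own code). It works on CAA records in presentation format, e.g. `0 issue "letsencrypt.org"`, and the sample records are constructed; no DNS lookup is performed, so it runs offline. The fallback of wildcard issuance to the "issue" tags when no "issuewild" tag exists follows RFC 8659.

```python
import re
from dataclasses import dataclass

# Presentation format of a CAA record: <flag> <tag> "<value>"
CAA_RE = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')
CRITICAL_BIT = 128  # RFC 8659: flag value 128 is the "issuer critical" bit


@dataclass(frozen=True)
class CAARecord:
    flag: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flag & CRITICAL_BIT)


def parse_caa(line: str) -> CAARecord:
    """Split one presentation-format CAA record into flag, tag and value."""
    m = CAA_RE.match(line)
    if m is None:
        raise ValueError(f"not a CAA record: {line!r}")
    flag = int(m.group(1))
    if flag > 255:
        raise ValueError(f"flag out of range: {flag}")
    # Tags are case-insensitive; normalise so "Issue" and "issue" compare equal
    return CAARecord(flag, m.group(2).lower(), m.group(3))


def ca_domain(value: str) -> str:
    """The issuer domain is the value up to the first ';' (parameters follow).
    An empty domain (a value of just ';') means: no CA may issue."""
    return value.split(";", 1)[0].strip().lower()


def analyze(lines):
    """Summarise a domain's CAA records and produce recommendations."""
    records = [parse_caa(line) for line in lines]
    issue = [ca_domain(r.value) for r in records if r.tag == "issue"]
    issuewild = [ca_domain(r.value) for r in records if r.tag == "issuewild"]
    iodef = [r.value for r in records if r.tag == "iodef"]
    known = {"issue", "issuewild", "iodef"}
    unknown_critical = sorted({r.tag for r in records
                               if r.critical and r.tag not in known})

    recs = []
    if not records:
        recs.append("No CAA record found: add one to restrict which CAs may issue.")
    else:
        if not issue and not issuewild:
            recs.append("No issue/issuewild tag: any CA may still issue. Add an issue tag.")
        if not iodef:
            recs.append("No iodef tag: add one so violation reports reach you.")
        if unknown_critical:
            recs.append(f"Unknown critical tag(s) {unknown_critical}: "
                        "compliant CAs will refuse to issue.")

    # RFC 8659: without an issuewild tag, the issue tags also govern wildcards
    wildcard_authorized = issuewild if issuewild else issue
    return {
        "issue": [d for d in issue if d],
        "issuewild": [d for d in wildcard_authorized if d],
        "issuewild_explicit": bool(issuewild),
        "iodef": iodef,
        "unknown_critical": unknown_critical,
        "recommendations": recs,
    }


# Constructed sample records (hypothetical, not from a real zone)
SAMPLE = [
    '0 issue "letsencrypt.org"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
]

if __name__ == "__main__":
    for key, val in analyze(SAMPLE).items():
        print(f"{key}: {val}")
```

Running the block on the sample prints one authorized CA, an empty wildcard list (the explicit `issuewild ";"` forbids wildcard issuance), the iodef contact and no recommendations; passing an empty list instead yields the "No CAA record found" recommendation.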
This enhanced output gives you both the technical details and actionable recommendations for improving your domain’s certificate security.