CAA Record (Certification Authority Authorization)
Was ist CAA Record (Certification Authority Authorization)?
CAA Record (Certification Authority Authorization)A DNS record type (RFC 8659) that lets a domain owner restrict which Certificate Authorities are allowed to issue certificates for the domain, blocking accidental or malicious mis-issuance by other CAs.
A CAA record (Certification Authority Authorization, originally RFC 6844 and updated by RFC 8659) is a DNS resource record that lets a domain owner enumerate exactly which CAs may issue certificates for the domain. The record carries three fields: a flag byte, a property tag (`issue`, `issuewild`, `iodef`), and a value (typically a CA's issuer name such as `letsencrypt.org` or `digicert.com`). Since September 2017, all CAB Forum-trusted public CAs are required by the Baseline Requirements to check CAA records before issuing certificates and to refuse issuance if the record forbids them. A typical hardened deployment looks like `example.com. CAA 0 issue "letsencrypt.org"; example.com. CAA 0 issuewild ";"; example.com. CAA 0 iodef "mailto:security@example.com"`. The third record asks misbehaving CAs to report any rejected issuance attempt. CAA significantly reduces the risk of cert mis-issuance — by typosquatted domains, by hijacked CA accounts, by lookalike-CAs in obscure trust stores — and is one of the simplest single-record web-hygiene wins available. It pairs naturally with Certificate Transparency monitoring.
● Beispiele
- 01
An organization publishes `CAA 0 issue "letsencrypt.org"` so that no other public CA can issue end-entity certificates for the domain.
- 02
A CT-monitoring alert fires on a certificate issued for the domain by a CA not listed in its CAA records, indicating either a misconfiguration or a CA non-compliance event.
● Häufige Fragen
Was ist CAA Record (Certification Authority Authorization)?
A DNS record type (RFC 8659) that lets a domain owner restrict which Certificate Authorities are allowed to issue certificates for the domain, blocking accidental or malicious mis-issuance by other CAs. Es gehört zur Kategorie Netzwerksicherheit der Cybersicherheit.
Was bedeutet CAA Record (Certification Authority Authorization)?
A DNS record type (RFC 8659) that lets a domain owner restrict which Certificate Authorities are allowed to issue certificates for the domain, blocking accidental or malicious mis-issuance by other CAs.
Wie funktioniert CAA Record (Certification Authority Authorization)?
A CAA record (Certification Authority Authorization, originally RFC 6844 and updated by RFC 8659) is a DNS resource record that lets a domain owner enumerate exactly which CAs may issue certificates for the domain. The record carries three fields: a flag byte, a property tag (`issue`, `issuewild`, `iodef`), and a value (typically a CA's issuer name such as `letsencrypt.org` or `digicert.com`). Since September 2017, all CAB Forum-trusted public CAs are required by the Baseline Requirements to check CAA records before issuing certificates and to refuse issuance if the record forbids them. A typical hardened deployment looks like `example.com. CAA 0 issue "letsencrypt.org"; example.com. CAA 0 issuewild ";"; example.com. CAA 0 iodef "mailto:security@example.com"`. The third record asks misbehaving CAs to report any rejected issuance attempt. CAA significantly reduces the risk of cert mis-issuance — by typosquatted domains, by hijacked CA accounts, by lookalike-CAs in obscure trust stores — and is one of the simplest single-record web-hygiene wins available. It pairs naturally with Certificate Transparency monitoring.
Wie schützt man sich gegen CAA Record (Certification Authority Authorization)?
Schutzmaßnahmen gegen CAA Record (Certification Authority Authorization) kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.
Welche anderen Bezeichnungen gibt es für CAA Record (Certification Authority Authorization)?
Übliche alternative Bezeichnungen: Certification Authority Authorization, CAA DNS record.
● Verwandte Begriffe
- network-security№ 174
Zertifizierungsstelle (CA)
Vertrauenswürdige Instanz, die digitale Zertifikate ausstellt und signiert und damit kryptografische öffentliche Schlüssel mit geprüften Identitäten wie Domains oder Organisationen verknüpft.
- defense-ops№ 177
Certificate Transparency
Oekosystem oeffentlicher Append-only-Logs fuer TLS-Zertifikate, definiert in RFC 6962 und 9162, das jedem die Pruefung existierender Zertifikate erlaubt.
- network-security№ 981
Public-Key-Infrastruktur (PKI)
Gesamtsystem aus Richtlinien, Software, Hardware und vertrauenswürdigen Instanzen, das digitale Zertifikate ausstellt, verteilt, prüft und widerruft, die Identitäten mit öffentlichen Schlüsseln verknüpfen.
- network-security№ 380
DNSSEC
Eine Reihe von DNS-Erweiterungen, die digitale Signaturen verwenden, damit Resolver die Echtheit und Integrität von DNS-Einträgen überprüfen können.
- network-security№ 1385
X.509-Zertifikat
Standardstruktur eines digitalen Zertifikats, das einen öffentlichen Schlüssel über die Signatur einer vertrauenswürdigen CA mit einer Identität verbindet.
- network-security№ 444
Extended-Validation-Zertifikat
Ein TLS-Zertifikat, das eine CA erst nach einer strengen, standardisierten Prüfung der Rechtspersönlichkeit, physischen Existenz und Berechtigung des Antragstellers ausstellt.