CAA Record (Certification Authority Authorization)
What is a CAA Record (Certification Authority Authorization)?
A DNS record type (RFC 8659) that lets a domain owner restrict which Certificate Authorities are allowed to issue certificates for the domain, blocking accidental or malicious mis-issuance by other CAs.
A CAA record (Certification Authority Authorization, originally RFC 6844, obsoleted by RFC 8659) is a DNS resource record that lets a domain owner enumerate which CAs may issue certificates for the domain. The record carries three fields: a flags octet (bit 7 is the "issuer critical" flag; a CA that does not understand a critical property must not issue), a property tag (`issue`, `issuewild`, `iodef`), and a value (for `issue` and `issuewild`, a CA's issuer domain name such as `letsencrypt.org` or `digicert.com`, optionally followed by `;`-separated parameters; RFC 8657 defines `accounturi` and `validationmethods` for binding issuance to one ACME account or validation method). Before issuing, a CA looks up CAA at the requested name and, if no RRset exists there, climbs the DNS tree one label at a time toward the root; the first non-empty RRset it finds is the one that applies. `issue` governs every name unless an `issuewild` record is present, in which case `issuewild` alone governs wildcard names; a bare `";"` value authorizes no CA at all. Since 8 September 2017 the CA/Browser Forum Baseline Requirements (Ballot 187) have required every publicly trusted CA to check CAA before issuance and to refuse when the records forbid it. A typical hardened deployment looks like `example.com. CAA 0 issue "letsencrypt.org"`, `example.com. CAA 0 issuewild ";"` and `example.com. CAA 0 iodef "mailto:security@example.com"`: only Let's Encrypt may issue, nobody may issue a wildcard certificate, and the `iodef` record asks compliant CAs to report the requests they refused (to a `mailto:` address or an HTTPS endpoint accepting RFC 7970 IODEF reports). CAA cuts the risk of mis-issuance through CAs the organization does not use, whether an attacker defeats another CA's domain validation, compromises an account at that CA, or the CA simply errs, and it is one of the cheapest single-record wins available. Its limits matter: it is enforced only by the CA at issuance time (browsers never consult it), it binds only CAs subject to the Baseline Requirements, and an attacker who can spoof the CA's DNS answers can suppress it, which is why the zone should be DNSSEC-signed. It therefore complements rather than replaces Certificate Transparency monitoring.
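The lookup and decision described above, as an added example that is not code from this page or from any CA: a small Python evaluator that climbs the tree to the relevant RRset and applies the `issue`, `issuewild` and `iodef` rules of RFC 8659 to a constructed in-memory zone. The zone contents, the issuer names and the `futuretag` property are assumptions for illustration; evaluating a request for `*.example.com` at `example.com` and refusing on an unknown critical property are this evaluator's reading of the RFC, not text from the page.

```python
"""CAA evaluation the way a CA does it under RFC 8659: find the relevant RRset
by climbing the DNS tree, then apply issue / issuewild / iodef semantics.
Added example over a constructed in-memory zone; a real CA resolves these
records over DNS (ideally DNSSEC-validated) instead of reading a dict."""
from dataclasses import dataclass

CRITICAL = 0x80                      # flags bit 7: "issuer critical"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

# Constructed zone (not real DNS): owner name -> CAA RRset; a missing key
# means the name has no CAA RRset at all.
ZONE = {
    "example.com.": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),                 # nobody may issue wildcards
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com.": [                      # RFC 8657 parameter: dns-01 only
        CAA(0, "issue", "digicert.com; validationmethods=dns-01"),
    ],
    "locked.example.com.": [
        CAA(CRITICAL, "futuretag", "x"),          # hypothetical critical tag this code does not know
    ],
}

def parent(name):
    """Strip the leftmost label: 'a.b.c.' -> 'b.c.', 'c.' -> '.'."""
    return name.split(".", 1)[1] or "."

def relevant_rrset(zone, name):
    """RFC 8659 section 3: the first non-empty CAA RRset walking from name
    toward (but not including) the root. Returns (owner, rrset) or (None, [])."""
    domain = name
    while domain != ".":
        rrset = zone.get(domain, [])
        if rrset:
            return domain, rrset
        domain = parent(domain)
    return None, []

def parse_issue_value(value):
    """'digicert.com; validationmethods=dns-01' -> ('digicert.com', {...}).
    An empty issuer (value ';') authorizes nobody."""
    issuer, _, rest = value.partition(";")
    params = {}
    for item in rest.split(";"):
        key, sep, val = item.strip().partition("=")
        if sep:
            params[key.strip().lower()] = val.strip()
    return issuer.strip().lower(), params

def normalize(fqdn):
    """Lower-case, strip a leading '*.' label, ensure a trailing dot."""
    wildcard = fqdn.startswith("*.")
    name = (fqdn[2:] if wildcard else fqdn).lower()
    return wildcard, name if name.endswith(".") else name + "."

def may_issue(zone, issuer_domain, fqdn):
    """Decide whether issuer_domain may issue for fqdn ('*.x' = wildcard).
    Returns (allowed, reason, parameters the CA must honour)."""
    wildcard, name = normalize(fqdn)
    owner, rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no CAA RRset up the tree: unrestricted", {}
    for rr in rrset:                  # unknown critical property: must not issue
        if rr.flags & CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property {rr.tag!r} at {owner}", {}
    tags = {rr.tag.lower() for rr in rrset}
    if wildcard and "issuewild" in tags:
        governing = "issuewild"       # issuewild replaces issue for wildcard names
    elif "issue" in tags:
        governing = "issue"           # issue also covers wildcards if no issuewild
    else:
        return True, f"no issue/issuewild property at {owner}: unrestricted", {}
    for rr in rrset:
        if rr.tag.lower() == governing:
            issuer, params = parse_issue_value(rr.value)
            if issuer and issuer == issuer_domain.lower():
                return True, f"{governing} {issuer!r} at {owner}", params
    return False, f"{issuer_domain} not authorized by {governing} at {owner}", {}

def iodef_targets(zone, fqdn):
    """Where a compliant CA reports a request it refused for fqdn."""
    _, rrset = relevant_rrset(zone, normalize(fqdn)[1])
    return [rr.value for rr in rrset if rr.tag.lower() == "iodef"]

if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.com"), ("digicert.com", "www.example.com"),
                     ("letsencrypt.org", "*.example.com"), ("digicert.com", "*.legacy.example.com"),
                     ("letsencrypt.org", "locked.example.com"), ("anyca.test", "other.example")]:
        print(f"{ca:16} {name:24} {may_issue(ZONE, ca, name)[:2]}")
```

Run it to see each decision; to check a real zone, compare against what `dig +short CAA example.com` returns. Two behaviours are worth testing against your own records: with no `issuewild` published, the `issue` list also governs wildcard requests (`*.legacy.example.com` above), and a record with the critical bit set and a tag the CA does not recognise blocks issuance entirely, even when an `issue` record would otherwise have allowed it.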
● Examples
- 01
An organization publishes `CAA 0 issue "letsencrypt.org"` so that no other publicly trusted CA can issue certificates for the domain; because no `issuewild` record is published, the same restriction also covers wildcard certificates.
- 02
A CT-monitoring alert fires on a certificate issued for the domain by a CA not listed in its CAA records, indicating a misconfiguration, a CAA record published only after the certificate was issued, or a CA compliance failure that should be reported to the CA and the root programs.
● Frequently asked questions
What is a CAA Record (Certification Authority Authorization)?
A DNS record type (RFC 8659) that lets a domain owner restrict which Certificate Authorities are allowed to issue certificates for the domain, blocking accidental or malicious mis-issuance by other CAs. It belongs to the Network security category within cybersecurity.
What does CAA Record (Certification Authority Authorization) mean?
A DNS record type (RFC 8659) that lets a domain owner restrict which Certificate Authorities are allowed to issue certificates for the domain, blocking accidental or malicious mis-issuance by other CAs.
How does a CAA Record (Certification Authority Authorization) work?
Before issuing, the CA queries CAA for the requested name and, if nothing is there, climbs one label at a time toward the root until it finds a non-empty RRset. It then checks whether its own issuer domain appears in an `issue` record (or an `issuewild` record for a wildcard name; a `";"` value means nobody may issue) and refuses the request otherwise, reporting the refusal to any `iodef` contact the owner published. Publicly trusted CAs have been required to perform this check by the CA/Browser Forum Baseline Requirements since September 2017. The record format and a hardened deployment are described in the definition above.
How is a CAA Record (Certification Authority Authorization) deployed effectively?
Publish an `issue` record for every CA the organization actually uses (including any CA that issues automated ACME or internal-facing certificates, otherwise their renewals will be refused), an `issuewild ";"` record unless wildcard certificates are genuinely needed, and an `iodef` contact; verify the published set with `dig CAA example.com`; sign the zone with DNSSEC so the CA's lookup cannot be spoofed; and keep Certificate Transparency monitoring in place, because CAA only stops compliant CAs at issuance time and does nothing about certificates that already exist.
What are other names for CAA Record (Certification Authority Authorization)?
Common alternative names: Certification Authority Authorization, CAA DNS record.
● Related terms
- network-security№ 174
Certificate authority (CA)
Trusted entity that issues and signs digital certificates, binding public keys to verified identities such as domains or organizations.
- defense-ops№ 177
Certificate Transparency
Ecosystem of public append-only logs of TLS certificates, defined in RFC 6962 and RFC 9162, that makes it possible to audit which certificates exist for any domain.
- network-security№ 981
Public key infrastructure (PKI)
Set of policies, software, hardware and trusted authorities that issues, distributes, validates and revokes digital certificates associating identities with public keys.
- network-security№ 380
DNSSEC
Set of DNS extensions that uses digital signatures so that resolvers can verify the authenticity and integrity of DNS records.
- network-security№ 1385
X.509 certificate
Standard digital certificate structure that binds a public key to an identity through the signature of a trusted certificate authority.
- network-security№ 444
Extended Validation certificate
TLS certificate issued only after the CA performs a strict, standardized verification of the legal identity, physical existence and authority of the requesting organization.