CAA Record (Certification Authority Authorization)
What is a CAA Record (Certification Authority Authorization)?
A DNS record type (RFC 8659) that lets a domain owner restrict which Certificate Authorities are allowed to issue certificates for the domain, blocking accidental or malicious mis-issuance by other CAs.
A CAA record (Certification Authority Authorization, originally RFC 6844 and updated by RFC 8659) is a DNS resource record that lets a domain owner enumerate exactly which CAs may issue certificates for the domain. The record carries three fields: a flag byte, a property tag (`issue`, `issuewild`, `iodef`), and a value (typically a CA's issuer domain name such as `letsencrypt.org` or `digicert.com`). Since September 2017, all CAB Forum-trusted public CAs are required by the Baseline Requirements to check CAA records before issuing certificates and to refuse issuance if the record forbids them. A typical hardened deployment looks like `example.com. CAA 0 issue "letsencrypt.org"; example.com. CAA 0 issuewild ";"; example.com. CAA 0 iodef "mailto:security@example.com"`: the first record allows only Let's Encrypt to issue, the second (an empty issuer value) forbids any wildcard certificate, and the third gives CAs an address to which they can report issuance requests rejected under this policy. CAA significantly reduces the risk of certificate mis-issuance (through typosquatted domains, hijacked CA accounts, or lookalike CAs in obscure trust stores) and is one of the simplest single-record web-hygiene wins available. It is enforced only at issuance time and only by CAs that honour it, so it pairs naturally with Certificate Transparency monitoring, which catches certificates issued in spite of the policy.
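To make the issuance check concrete, here is an added example (not from the original page) that models the RFC 8659 decision a CA makes: find the closest ancestor with a CAA RRset, refuse on a critical flag it does not understand, then apply `issue` or `issuewild`. The zone data is constructed inline; no DNS is queried.

```python
import re
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

# Constructed zone data in presentation format, keyed by owner name (no real DNS).
ZONE = {
    "example.com.": ['0 issue "letsencrypt.org"', '0 issuewild ";"',
                     '0 iodef "mailto:security@example.com"'],
    "legacy.example.com.": ['0 issue "digicert.com; account=42"'],
    "strict.example.com.": ['128 futuretag "x"'],  # critical flag (0x80) on an unknown tag
}

def parse_caa(text):
    """Parse '<flags> <tag> "<value>"' into a CAA record."""
    m = re.fullmatch(r'(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"', text.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {text!r}")
    return CAA(int(m.group(1)), m.group(2).lower(), m.group(3))

def relevant_rrset(zone, fqdn):
    """RFC 8659 section 3: walk from fqdn toward the root; the first CAA RRset found governs."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrs = [parse_caa(t) for t in zone.get(".".join(labels[i:]) + ".", [])]
        if rrs:
            return rrs
    return []

def issuer_domain(value):
    """'digicert.com; account=42' -> 'digicert.com'; ';' alone -> '' (nobody may issue)."""
    return value.split(";", 1)[0].strip().lower()

def is_authorized(zone, fqdn, ca, wildcard=False):
    """True if `ca` may issue for `fqdn` (or for *.fqdn when wildcard=True)."""
    rrs = relevant_rrset(zone, fqdn)
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in rrs):
        return False  # critical property the CA does not understand: must not issue
    issue = [r for r in rrs if r.tag == "issue"]
    issuewild = [r for r in rrs if r.tag == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # no governing property (only iodef, or no CAA in the tree at all)
    return ca.lower() in {issuer_domain(r.value) for r in applicable}
```

Note that a name with no CAA of its own (`api.example.com`) inherits the parent's policy, while a name with its own RRset (`legacy.example.com`) replaces it entirely rather than merging.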
● Examples
- 01: An organization publishes `CAA 0 issue "letsencrypt.org"` so that no other public CA can issue end-entity certificates for the domain.
- 02: A CT-monitoring alert fires on a certificate issued for the domain by a CA not listed in its CAA records, indicating either a misconfiguration or a CA non-compliance event.
● Frequently asked questions
What is a CAA Record (Certification Authority Authorization)?
A DNS record type (RFC 8659) that lets a domain owner restrict which Certificate Authorities are allowed to issue certificates for the domain, blocking accidental or malicious mis-issuance by other CAs. This concept belongs to the Network security category of cybersecurity.
What does CAA Record (Certification Authority Authorization) mean?
A DNS record type (RFC 8659) that lets a domain owner restrict which Certificate Authorities are allowed to issue certificates for the domain, blocking accidental or malicious mis-issuance by other CAs.
How does a CAA Record (Certification Authority Authorization) work?
A CAA record (Certification Authority Authorization, originally RFC 6844 and updated by RFC 8659) is a DNS resource record that lets a domain owner enumerate exactly which CAs may issue certificates for the domain. The record carries three fields: a flag byte, a property tag (`issue`, `issuewild`, `iodef`), and a value (typically a CA's issuer domain name such as `letsencrypt.org` or `digicert.com`). Since September 2017, all CAB Forum-trusted public CAs are required by the Baseline Requirements to check CAA records before issuing certificates and to refuse issuance if the record forbids them. A typical hardened deployment looks like `example.com. CAA 0 issue "letsencrypt.org"; example.com. CAA 0 issuewild ";"; example.com. CAA 0 iodef "mailto:security@example.com"`: the first record allows only Let's Encrypt to issue, the second (an empty issuer value) forbids any wildcard certificate, and the third gives CAs an address to which they can report issuance requests rejected under this policy. CAA significantly reduces the risk of certificate mis-issuance (through typosquatted domains, hijacked CA accounts, or lookalike CAs in obscure trust stores) and is one of the simplest single-record web-hygiene wins available. It is enforced only at issuance time and only by CAs that honour it, so it pairs naturally with Certificate Transparency monitoring, which catches certificates issued in spite of the policy.
How do you defend against CAA Record (Certification Authority Authorization)?
Defenses relating to CAA Record (Certification Authority Authorization) usually combine technical controls and operational practices, as detailed in the definition above.
What are the other names for CAA Record (Certification Authority Authorization)?
Common alternative names: Certification Authority Authorization, CAA DNS record.
● Related terms
- network-security№ 174
Certificate Authority (CA)
A trusted entity that issues and signs digital certificates, binding public keys to verified identities such as domain names or organizations.
- defense-ops№ 177
Certificate Transparency
An ecosystem of public, append-only logs of TLS certificates, defined by RFC 6962 and RFC 9162, that lets anyone audit the certificates that exist for a domain.
- network-security№ 981
Public Key Infrastructure (PKI)
The set of policies, software, hardware and trusted authorities that issue, distribute, validate and revoke the digital certificates binding identities to public keys.
- network-security№ 380
DNSSEC
A set of DNS extensions that uses digital signatures so that resolvers can verify the authenticity and integrity of DNS records.
- network-security№ 1385
X.509 certificate
The standard digital-certificate structure that binds a public key to an identity by means of a trusted certificate authority's signature.
- network-security№ 444
Extended Validation certificate
A TLS certificate issued only after strict, standardized verification by the CA of the requesting organization's legal identity, physical existence and authority.