CAA Record (Certification Authority Authorization).

A DNS record type (RFC 8659) that lets a domain owner restrict which Certificate Authorities are allowed to issue certificates for the domain, blocking accidental or malicious mis-issuance by other CAs. Относится к категории Сетевая безопасность в кибербезопасности.

A DNS record type (RFC 8659) that lets a domain owner restrict which Certificate Authorities are allowed to issue certificates for the domain, blocking accidental or malicious mis-issuance by other CAs.

A CAA record (Certification Authority Authorization, originally RFC 6844 and updated by RFC 8659) is a DNS resource record that lets a domain owner enumerate exactly which CAs may issue certificates for the domain. The record carries three fields: a flag byte, a property tag (`issue`, `issuewild`, `iodef`), and a value (typically a CA's issuer name such as `letsencrypt.org` or `digicert.com`). Since September 2017, all CAB Forum-trusted public CAs are required by the Baseline Requirements to check CAA records before issuing certificates and to refuse issuance if the record forbids them. A typical hardened deployment looks like `example.com. CAA 0 issue "letsencrypt.org"; example.com. CAA 0 issuewild ";"; example.com. CAA 0 iodef "mailto:security@example.com"`. The third record asks misbehaving CAs to report any rejected issuance attempt. CAA significantly reduces the risk of cert mis-issuance — by typosquatted domains, by hijacked CA accounts, by lookalike-CAs in obscure trust stores — and is one of the simplest single-record web-hygiene wins available. It pairs naturally with Certificate Transparency monitoring.

Защита от CAA Record (Certification Authority Authorization) обычно сочетает технические меры и операционные практики, как описано в определении выше.

Распространённые альтернативные названия: Certification Authority Authorization, CAA DNS record.