Help Center/ Domain Name Service/ Best Practices/ Best Practices for Public Domain Name Resolution/ Setting CAA Records to Prevent CAs from Issuing Unauthorized HTTPS Certificate
Updated on 2025-08-27 GMT+08:00

Setting CAA Records to Prevent CAs from Issuing Unauthorized HTTPS Certificate

Overview

Scenarios

Certification Authority Authorization (CAA) is a way to ensure that HTTPS certificates are issued by authorized certificate authorities (CAs). CAA complies with IETF RFC 6844 requirements. As of September 8, 2017, all CAs are required to check CAA record sets before they can issue certificates.

There are hundreds of CAs in the world that can issue HTTPS certificates for websites. If a CA is blacklisted, the browser will no longer trust the HTTPS certificates issued by this CA. If you try to access websites that have those certificates, the browser will prompt that the websites are not secure, as shown in Figure 1.

Figure 1 Untrusted HTTPS certificate warning

According to the CAA standards, a compliant CA must check CAA record sets of a domain name before issuing certificates.

  • If a CA does not find any CAA records, the CA can issue a certificate for the domain name.

    Other CAs can also issue certificates for this domain name, but may issue unauthorized certificates.

  • If a CA finds a CAA record set that authorizes it to issue certificates, the CA will issue a certificate for the domain name.
  • If a CA finds a CAA record that does not authorize it to issue certificates, the CA will not issue HTTPS certificates for the domain name to avoid unauthorized HTTPS certificates.

Using Huawei Cloud DNS, you can configure CAA record sets for your public domain names on the DNS console.

Advantage

Configuring CAA record sets for website domain names enables you to configure a CA whitelist. Only authorized CAs can issue certificates for your website.

Notes and Constraints

A CAA record set consists of a flag byte and a tag-value pair in the format of [flag] [tag] [value].

  • flag: CA identifier, an unsigned character ranging from 0 to 255. Usually, it is specified to 0.
  • tag: You can enter 1 to 15 characters. Only letters and digits from 0 to 9 are allowed. The tag can be one of the following:
    • issue: authorizes a CA to issue all types of certificates.
    • issuewild: authorizes a CA to issue wildcard certificates.
    • iodef: requests notifications once a CA receives invalid certificate requests.
  • value: authorized CA or email address/URL required for notifications once the CA receives invalid certificate requests. The value depends on the setting of the tag and must be enclosed in quotation marks (""). The value can contain a maximum of 255 characters. Only letters, digits, spaces, and the following special characters are allowed: -#*?&_~=:;.@+^/!%
You can set CAA record sets based on the following rules to suit different scenarios.
Table 1 Configuration of CAA record sets

Scenario

Description

Example

Configure a CAA record set for one domain name.

Only the specified CA (ca.example.com) can issue certificates for a particular domain name (domain.com). The requests to issue certificates for the domain name by other CAs will be rejected.

0 issue "ca.example.com"

No CA is allowed to issue certificates for the domain name (domain.com).

0 issue ";"

Enable a CA to report violations to the domain name holder.

If a certificate request violates the CAA record set, the CA will notify the domain name holder of the violation.

0 iodef "mailto:admin@domain.com"

The requests to issue certificates by unauthorized CAs will be recorded.

0 iodef "http://domain.com/log/"

0 iodef "https:// domain.com/log/"

Authorize a CA to issue wildcard certificates.

The authorized CA (ca.example.com) can issue wildcard certificates for the domain name.

0 issuewild "ca.example.com"

Configuration example

A CAA record set is configured for domain.com.

  • Only CA ca.abc.com can issue certificates of all types.
  • Only CA ca.def.com can issue wildcard certificates.
  • Any other CAs are not allowed to issue certificates.
  • If a violation occurs, the CA sends a notification to admin@domain.com.

0 issue "ca.abc.com"

0 issuewild "ca.def.com"

0 iodef "mailto:admin@domain.com"

Resource and Cost Planning

The following tables list the planned public zone and record set.

Table 2 Domain name

Service

Public Zone

Record Set Type

DNS

domain.com

CAA

Table 3 Resources and costs

Service

Resource

Description

Quantity

Cost

Domains

Domain name

Public domain name: domain.com

1

N/A

DNS

  • Public zone
  • Record set
  • Public domain name: domain.com:
  • Record set type: CAA

    Value:

    0 issue "ca.abc.com"

    0 iodef "mailto:admin@domain.com"

1

Free

Adding a CAA Record Set to a Public Zone

Figure 2 shows the process for adding a CAA record set to a public zone.

Figure 2 Adding a CAA record set to a public zone

Procedure

  1. Create a public zone.

    1. Go to the Public Zones page.
    2. Click Create Public Zone.
    3. Configure the parameters based on Table 4.
      Table 4 Parameters for creating a public zone

      Parameter

      Description

      Example

      Domain Name

      Domain name purchased from a domain name registrar.

      For details about the domain name format, see Domain Name Format and DNS Hierarchy.

      domain.com

      Tag

      Optional.

      Identifier of the zone. Each tag contains a key and a value. You can add up to 20 tags to a zone.

      example_key1

      example_value1

      Description

      Optional.

      Supplementary information about the zone.

      The description can contain a maximum of 255 characters.

      This is a zone example.

    4. Click OK.

  1. Add a CAA record set.

    1. In the public zone list, click the domain name domain.com.

      The Record Sets tab is displayed.

    2. Click Add Record Set.

      The Add Record Set dialog box is displayed.

    3. Configure the parameters based on Table 5.
      Table 5 Parameters for adding a CAA record set

      Parameter

      Description

      Example

      Type

      Type of the record set

      A message may be displayed, indicating that the record set you are trying to add conflicts with an existing record set of the zone.

      For details, see Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?

      CAA – Grant certificate issuing permissions to CAs

      Name

      Prefix of the domain name to be resolved.

      For example, if the domain name is domain.com, the domain name prefix can be any of the following:

      • www: The domain name is www.domain.com, which is used for a website.
      • Left blank: The domain name is domain.com.

        To use an at sign (@) as the domain name prefix, just leave this parameter blank.

      • abc: The domain name to be resolved is abc.domain.com.
      • mail: The domain name to be resolved is mail.domain.com, which is used for email servers.
      • *: The domain name is *.domain.com, which is a wildcard domain name, covering all subdomains of domain.com.

      Left blank

      Line

      Resolution line. The DNS server uses information about end users' carrier networks or geographical locations to determine the most appropriate server IP address to return.

      The default value is Default.

      This parameter is only configurable for public zone record sets.

      • Default: returns the default resolution result irrespective of where the visitors come from.
      • ISP: returns the resolution result based on end users' carrier networks.
      • Region: returns the resolution result based on end users' geographical locations.

      Default

      TTL (s)

      Cache duration of the record set on a local DNS server, in seconds.

      Default value: 300

      Value range: 1 to 2147483647

      If your service address changes frequently, set TTL to a smaller value.

      Learn more about TTL.

      300

      Value

      CA to be authorized to issue certificates for a domain name or its subdomains.

      You can enter up to 50 different IP addresses, each on a separate line.

      The format is [flag] [tag] [value].

      Configuration rules:

      • flag: CA identifier, an unsigned character ranging from 0 to 255. Usually, it is specified to 0.
      • tag: You can enter 1 to 15 characters. Only letters and digits from 0 to 9 are allowed. The tag can be one of the following:
        • issue: authorizes a CA to issue all types of certificates.
        • issuewild: authorizes a CA to issue wildcard certificates.
        • iodef: requests notifications once a CA receives invalid certificate requests.
      • value: authorized CA or email address/URL required for notification once the CA receives invalid certificate requests. The value depends on the value of tag and must be enclosed in quotation marks (""). The value can contain a maximum of 255 characters. Only letters, digits, spaces, and the following special characters are allowed: -#*?&_~=:;.@+^/!%

      0 issue "ca.abc.com"

      0 iodef "mailto:admin@domain.com"

      Weight

      (Optional) Weight for the record set. The value ranges from 0 to 1000, and the default value is 1.

      This parameter is only configurable for public zone record sets.

      If a resolution line in a zone contains multiple record sets of the same type, you can set different weights to each record set.

      1

      Tag

      (Optional) Identifier of the record set. Each tag contains a key and a value. You can add up to 20 tags to a record set.

      example_key1

      example_value1

      Description

      (Optional) Supplementary information about the record set.

      The description can contain a maximum of 255 characters.

      The description of the hostname.

    4. Click OK.

Checking Whether a CAA Record Set Has Taken Effect

Use Domain Information Groper (dig) to check whether the CAA record has taken effect. dig is a network administration command-line tool for querying the Domain Name System. If your OS does not support dig commands, install the dig tool.

Command format: dig <record-set-type> <domain-name> +trace.

Example:

dig caa www.domain.com +trace