Earlier this year the CA/Browser Forum voted to make Certificate Authority Authorization (CAA) mandatory for all Certificate Authorities. What this means that domains will need to assert via DNS records (the CAA DNS RRType) which CA’s are permitted to issue certificates for your domains. Think of it as “sort of like SPF, but for SSL/TLS certs”.
CAA records are now enabled in the easyDNS control panel. (If you don’t see the Advanced DNS Records then make sure they are enabled in your user preferences.)
You can add multiple issuers to a specific hostname and if you want to specify authority for a wildcard certificate, use the “issuewild” tag:
After which, your CAA recs will be visible via DNS:
markjr@markjr:~$ dig -t caa anarchy.fm [snip] ;; ANSWER SECTION: anarchy.fm. 10799 IN CAA 0 issue "rapidssl.com" anarchy.fm. 10799 IN CAA 0 issuewild "geotrust.com"
We now return you to your regularly scheduled programming…
Jason Fleetwood-Boldt says
question for clarification:
The CAA records one adds to the top-level of the domain apply to certificates issued on any subdomain, correct?
That is, you must add any the CA domain for any certificates you own on both your top-level domain and any subdomain?
CAA records are inherited by subdomains – so if you add ‘issue’ records for all the CAs you use at the root level (@) then all subdomains will also be covered.