What are CAA records?
You might be familiar with the common CNAME and A records in DNS. CAA (Certification Authority Authorization) is a new type of DNS record. It tells the world which certificate authorities (CAs) are allowed to issue SSL certificates for your domain name. Over the past year some CAs have had security issues, and the certificates they issued for domain names have worried domain operators. Using a CAA record, you can limit SSL certificate issuance for your domain name to the CA you have chosen to trust.
CAA records at 34SP.com
As it is a new type of DNS record, CAA is only supported in modern DNS server software. Before we could give customers the ability to create CAA records, we needed to upgrade our servers. We took the opportunity to do a “from the ground up” redesign and build of our DNS serving system. Not only does this use the latest software versions to support CAA records, it is also built with fault tolerance and redundancy in mind. Fortunately, DNS failures have been pretty rare as the software we use is very stable, but we should see even better stability and performance now that the new system is live.
How to add a CAA record
We’ve written an article in our knowledge base detailing how you can add a CAA record for your domains. Follow that, and after a few minutes, your CAA record will be live and your site will be that little bit safer!
There’s a handy CAA record generator on this site; you can translate the values under the “Standard Zone File” results section straight into our form, and if you use multiple providers, there’s nothing to stop you using multiple CAA records, one per provider.
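To show how records in that standard zone-file form combine when you publish several of them, here is an added example (not 34SP.com's code or any CA's) that parses CAA lines and applies the RFC 8659 rules a CA follows before issuing. The domain example.com, the identifier ca.example.net and all record values are constructed for illustration.

```python
import re

# Constructed sample records in standard zone-file form (illustrative values).
SAMPLE_ZONE = """\
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
example.com. 3600 IN CAA 0 issue "ca.example.net; account=230123"
example.com. 3600 IN CAA 0 issuewild ";"
example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"
"""

CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?CAA\s+'
    r'(?P<flags>\d+)\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # tags this example understands

def parse_caa(zone_text):
    """Return (flags, tag, value) tuples for each CAA line in zone_text."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # blank line or zone-file comment
            continue
        m = CAA_LINE.match(line)
        if m is None or int(m["flags"]) > 255:
            raise ValueError(f"not a valid CAA record: {line!r}")
        records.append((int(m["flags"]), m["tag"].lower(), m["value"]))
    return records

def issuer_domain(value):
    """Issuer domain is the part before any ';' parameters; it may be empty."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(records, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue, given one domain's CAA record set."""
    # An unrecognised tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # For wildcard names, issuewild records replace issue records when present.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # nothing published that restricts this kind of request
    # An empty issuer domain (value ";") matches no CA, so it denies everyone.
    return ca_domain.lower() in {issuer_domain(v) for v in relevant}

if __name__ == "__main__":
    recs = parse_caa(SAMPLE_ZONE)
    for ca in ("letsencrypt.org", "ca.example.net", "other-ca.example"):
        print(ca, ca_may_issue(recs, ca), ca_may_issue(recs, ca, wildcard=True))
```

With the sample set, both listed providers may issue ordinary certificates, no CA may issue a wildcard, and an unlisted CA is refused in both cases.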
As ever, if you have any questions on CAA records, please don’t hesitate to contact our support team.
Do I need to add a CAA record if I am already using SSL/TLS?
There is no current requirement to add a CAA record to your domain name, and your existing setup will continue just fine. This may change at a future date, but we will of course update any 34SP.com Let’s Encrypt users at that time, should this become a requirement.
For now, adding a CAA record to your DNS simply adds an extra layer of security to your site. With the CAA DNS record present, SSL certificates cannot be issued for your domain name by anyone other than your nominated SSL issuer, because CAs check the record before issuing.