How to add a Certificate Authority Authorization record in Google Domains

Add another layer of protection to your web presence. Create a CAA DNS record to specify which provider may issue certificates for your domain.

Vector drawing of CAA record type fields from Google Domains
Image: Andy Wolber / TechRepublic

As of September 2017, you have an additional way to protect the security of your website. You can create a Certificate Authority Authorization (CAA) Domain Name System (DNS) record to identify which certificate authorities may issue SSL certificates for a domain. Once the record is in place, a certificate authority that is asked to issue a certificate for that domain can check that it is the provider named in the CAA record before it issues. The CAA DNS record type seeks to constrain the ability of an evildoer to obtain an unauthorized certificate for a domain.

Before you add a CAA record, you should already have a certificate from a Certificate Authority (part of the process used to create an HTTPS connection) configured for your domain. Not sure if you have this configured? If you do, you'll see a lock next to the URL of your site when you visit it. For example, in Chrome the lock turns green when an HTTPS connection occurs. (For more details, see "5 best practices for switching your site to HTTPS for improved security." To add a certificate, check with your hosting provider. Many will let you add a free certificate from Let's Encrypt.)

Next, you'll need to be able to create a CAA DNS record. Most DNS server software, such as BIND and the DNS server in Windows Server 2016, already supports CAA records, and some DNS providers, such as DigitalOcean, Gandi, and Linode, support the record type as well.

Google Domains lets you add a CAA record. Here's how.

1. Identify your certificate provider

First, obtain the official domain name used by your certificate authority. For example, since I use Let's Encrypt, the domain is letsencrypt.org. (See more about CAA at Let's Encrypt: https://letsencrypt.org//docs/caa/.)

2. Choose the domain to check

The most common and simplest setup is a CAA record on your main domain, e.g., example.com, which also applies to its subdomains unless they carry CAA records of their own. But you can create a CAA record for a subdomain, such as securesite.example.com.

SSLMate provides a tool, CAA Record Helper (see https://sslmate.com/caa/), that helps you create a CAA entry. It can identify and modify an existing CAA record, or auto-generate the values needed to create a new one. For example, if I want to protect TechRepublic.com, I can enter that in the domain name field, then select "Auto-Generate Policy." The tool detects my certificate provider and generates sample policy values.

Screenshot showing step 1 (enter domain, auto-detect) and step 4 (generated CAA entry info) of CAA Record Helper

CAA Record Helper identifies the certificate provider and generates content for a CAA DNS record entry. In the simplest case, enter your domain, choose Auto-Generate Policy, then copy the text generated for you under the Generic policy.

3. Add the record

Next, log in to your domain name manager to add the CAA record. If you use Google Domains, log in to your account at https://domains.google.com, choose your domain, then select the option to edit DNS records. Take the information from the policy created previously and enter it in the corresponding fields. In my case, I entered wolberworks.com. in the domain field, chose CAA as the record type from the drop-down menu, and entered the record data 0 issue "letsencrypt.org" (flags 0, tag issue, value "letsencrypt.org"). I then selected "Add" to save the record and waited for it to propagate across the domain name system.

Sample CAA entry. Top: data entered, Bottom: completed DNS field

Add a CAA record (top) in Google Domains to specify which certificate authority you authorize to issue certificates for your domain. See the record added (bottom).

4. Check your work

To verify that the new CAA record is valid, you can run a test with another tool: https://ssllabs.com/ssltest/. Enter the domain name for which you created the CAA record in the "Hostname" field. Optionally, check the "Do not show the results on the board" option to keep your test results private. Then submit the domain to run a series of tests.

The results display a variety of information about your domain. Look for the phrase "DNS Certification Authority Authorization (CAA) Policy found for this domain." Further down in the results, you should see your certificate provider listed in the DNS CAA details.

Screenshots of test showing "DNS CAA: Yes" and "DNS CAA: No" results

An SSL Server Test can check that your DNS CAA record is configured and visible.
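The check a certificate authority performs against the record you just created, as an added example that is not part of the article: it parses records in the same `<flags> <tag> <value>` form entered above, climbs from a subdomain to its parent domain to find the relevant record set, and applies the issue, issuewild and critical-flag rules from RFC 8659. The zone data and the second CA name ca-two.example are constructed for the example; only letsencrypt.org comes from the article.

```python
import re

# Constructed zone (letsencrypt.org is from the article; other names are made up)
ZONE = {
    "example.com.": ['0 issue "letsencrypt.org"', '0 issuewild "ca-two.example"',
                     '0 iodef "mailto:security@example.com"'],
    "securesite.example.com.": ['0 issue "ca-two.example"'],
    "locked.example.com.": ['0 issue ";"'],  # empty CA name: nobody may issue
}
CAA_RE = re.compile(r'^(\d+)\s+(\w+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(text):
    """Parse one presentation-format CAA record into its three fields."""
    m = CAA_RE.match(text.strip())
    if not m or not 0 <= int(m.group(1)) <= 255:
        raise ValueError("not a valid CAA record: %r" % text)
    return {"flags": int(m.group(1)), "tag": m.group(2).lower(), "value": m.group(3)}

def find_caa_set(name, zone=ZONE):
    """Climb from name toward the root; return the first non-empty CAA RRset."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        records = [parse_caa(r) for r in zone.get(candidate, [])]
        if records:
            return candidate, records
    return None, []

def may_issue(name, ca_domain, zone=ZONE):
    """Decide whether ca_domain may issue for name ('*.x' means a wildcard cert)."""
    wildcard = name.startswith("*.")
    found_at, records = find_caa_set(name[2:] if wildcard else name, zone)
    if not records:
        return True, "no CAA records at or above %s: unrestricted" % name
    for r in records:  # critical bit (128) on a tag the CA does not know: refuse
        if r["flags"] & 128 and r["tag"] not in KNOWN_TAGS:
            return False, "critical unknown tag %r at %s" % (r["tag"], found_at)
    tag = "issue"
    if wildcard and any(r["tag"] == "issuewild" for r in records):
        tag = "issuewild"  # issuewild overrides issue for wildcard requests
    relevant = [r for r in records if r["tag"] == tag]
    if not relevant:
        return True, "no %s records at %s: unrestricted" % (tag, found_at)
    # Parameters may follow ';' (e.g. "letsencrypt.org; validationmethods=dns-01").
    allowed = {r["value"].split(";")[0].strip().lower() for r in relevant}
    if ca_domain.lower() in allowed:
        return True, "%s listed under %s at %s" % (ca_domain, tag, found_at)
    return False, "%s not in %s at %s" % (ca_domain, sorted(allowed), found_at)
```

Calling `may_issue("www.example.com.", "letsencrypt.org")` shows that the record on the main domain also covers the subdomain, while `may_issue("securesite.example.com.", "letsencrypt.org")` is refused because the subdomain's own record names a different CA.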

Prudent protection

As with most security measures, problems may still arise. A security failure at either your certificate provider or your domain name registrar could undermine the protection the record provides, and a sophisticated attacker might still be able to serve false DNS data designed to deceive.

Think of a CAA record as a way to apply an additional layer of protection to your organization's online presence. If you've taken the time to obtain a certificate for your site, take the time to create a CAA record, too.

Have you created a CAA record for your site? How did your configuration go? If not, why? Let me know in the comments, or on Twitter (@awolber).

About Andy Wolber

Andy Wolber helps people understand and leverage technology for social impact. He resides in Ann Arbor, MI with his wife, Liz, and daughter, Katie.