Adding CAA Records


Certification Authority Authorization (CAA) records are a security policy that DNS administrators publish to tell Certificate Authorities (CAs) who is allowed to issue SSL certificates for a particular domain. The idea was drafted in January 2013. If you would like to learn more about CAA records, you can read RFC 6844 in its entirety. This guide will walk you through creating CAA records inside of your No-IP account.

How to Add CAA Records

Who can use this CAA Record Guide?

This guide will walk you through creating CAA records inside of your No-IP account. If you use a different service for DNS management, the general steps should be similar, but not identical.

Step 1: Access Your DNS Service

Log into your No-IP account


Step 2: Open “DNS Records”

On the left side, click on My Services and then DNS Records


Step 3: Modify Your Domain

Click on Modify next to the domain you wish to add the CAA record to

Step 4: Select the CAA Record Option

Halfway down the page you will see Advanced Records. Click on the CAA button

Here you can create your record

If you are adding this record type to a Round Robin hostname, you will need to temporarily configure the hostname as an A record.

Step 5: Set Your CAA Record’s Flags, Tags, and Value

There are three options to edit:
• Flags
• Tag
• Value

Flags

The Flags field is mostly reserved for future use of CAA records. Currently only 0 and 128 are recognized. 0 is the default and 128 is designated as the Critical flag. If your record is set to 0, any unrecognized tags in your record will be ignored and the other requests will be processed. If it is set to 128, any unrecognized tags will halt certificate issuance (assuming the issuer is standards compliant).

Tags

Tags offer three different options: issue, issuewild, and iodef. Using issue authorizes the CA to issue a certificate for the specific hostname the CAA record is on. If you need to authorize multiple hostnames, you will need to add a CAA record to each host. Using issuewild authorizes the CA to create a wildcard certificate (and only a wildcard cert) for the specific hostname the CAA record is on. Again, if you need to authorize multiple hostnames, you will need to add a CAA record to each host. Using iodef defines where people can send policy violation reports.

Value

Value is where you designate which CA is allowed to issue certificates for your domain/hostname.

Step 6: Save Your CAA Record

Once you are done setting your Flag, Tag, and Value, click Add to complete the process. Here are some examples and what they do:

This example shows a basic CAA record that allows LetsEncrypt to issue SSL certificates for example.com:

This example shows a CAA record that establishes where policy violation reports should be mailed:
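As an added example (not No-IP's code and not part of the original guide), this Python checker evaluates the CAA records on a single hostname using the Flags, Tags, and Value rules from Step 5, including the Critical flag and the wildcard case. The record strings, the `futuretag` tag, and the mail address are constructed sample values.

```python
import re

# Tags named in this guide; anything else is "unrecognized" to this checker.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # the Critical flag value from the Flags section

def parse_caa(line):
    """Parse one record in 'flags tag "value"' form into (flags, tag, value)."""
    m = re.fullmatch(r'\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*', line)
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags = int(m.group(1))
    if not 0 <= flags <= 255:
        raise ValueError(f"flags out of range: {flags}")
    return flags, m.group(2).lower(), m.group(3)

def may_issue(records, ca, wildcard=False):
    """Return (allowed, reason, report_to) for CA `ca` against the CAA
    records published on one hostname."""
    parsed = [parse_caa(r) for r in records]
    report_to = [v for _, t, v in parsed if t == "iodef"]
    # Critical flag: an unrecognized tag with flag 128 halts issuance.
    for flags, tag, _ in parsed:
        if tag not in KNOWN_TAGS and flags & CRITICAL:
            return False, f"critical unrecognized tag {tag!r}", report_to
    # Wildcard requests use issuewild records when any exist, else issue.
    wild = [v for _, t, v in parsed if t == "issuewild"]
    plain = [v for _, t, v in parsed if t == "issue"]
    relevant = wild if (wildcard and wild) else plain
    if not relevant:
        return True, "no record restricts issuance", report_to
    # The CA name precedes any ';' parameters; an empty name (";")
    # authorizes no CA at all.
    allowed = {v.split(";", 1)[0].strip().lower() for v in relevant}
    if ca.lower() in allowed:
        return True, f"{ca} is authorized", report_to
    return False, f"{ca} is not authorized", report_to

# Constructed sample record set for example.com (not from the screenshots).
SAMPLE = [
    '0 issue "letsencrypt.org"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
]
```

With `SAMPLE`, `letsencrypt.org` may issue a regular certificate but not a wildcard, and appending `128 futuretag "x"` blocks issuance entirely while `0 futuretag "x"` is ignored.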