What is CAA?
CAA is a type of DNS record that allows site owners to specify which Certificate Authorities (CAs) are allowed to issue certificates containing their domain names. It was standardized in 2013 by RFC 6844 to allow a CA “reduce the risk of unintended certificate mis-issue.” By default, every public CA is allowed to issue certificates for any domain name in the public DNS, provided they validate control of that domain name. That means that if there’s a bug in any one of the many public CAs’ validation processes, every domain name is potentially affected. CAA provides a way for domain holders to reduce that risk.
Confirm CAA is enabled on your domain name
1. Ask your certificate provider, access the Control Panel, or run a DIG command to check that your domain name has a CAA record.
A. Use DIG command
Use the DIG command to check that the CAA record is enabled
dig YOUR-DOMAIN-NAME CAA +short
B. Use Google Admin Toolbox
If CAA is enabled, some records will be returned.
Go to "2. Add CAA records to DNS provider"
dig example.com CAA +short
0 issue "letsencrypt.org"
0 issuewild "comodoca.com"
0 issuewild "digicert.com"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issuewild "letsencrypt.org"
0 issue "comodoca.com"
0 issue "digicert.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
If CAA is disabled, no records will be return.
dig example.com CAA +short
No CAA records, go back to Custom Domains on Shifter to complete.
2. Add CAA records to DNS provider
Add one of the following DNS record to your domain name:
amazon.com
amazontrust.com
awstrust.com
amazonaws.com
Here are some samples for setting up CAA records DNS providers:
Cloudflare
Add amazon.com for example.com
Add amazon.com for www.example.com
GoDaddy
Add amazontrust.com for example.com
Add amazontrust.com for www.example.com
Route 53
Add amazonaws.com for example.com
Add amazonaws.com for www.example.com
