Certificate Authority Authorization (CAA) is a DNS record type (RFC 8659) that lets you protect your domains by specifying which certificate authorities are permitted to issue server certificates for them. Publicly trusted certificate authorities are required to check CAA before issuing, so CAA is an effective way to ensure that only the certificate authorities you trust, such as VikingCloud™, are able to issue certificates for your domains.
In order to protect your domain using CAA records, you will need the following:
Once you have access to the DNS settings for your domain, add the appropriate CAA records to the domain's zone configuration. If you have multiple subdomains for your website, a single CAA record set at the domain covers every subdomain that does not publish CAA records of its own (e.g., a CAA record for "example.com" also protects "www.example.com", "admin.example.com", etc.); a subdomain that does publish its own CAA records is governed by those records instead. Use the form below to generate the CAA records to add to the zone.
NOTE: The issuewild record controls the issuance of wildcard certificates (e.g., "*.example.com"). If you won't be requesting wildcard certificates for your domain, you do not need to add the issuewild record to your zone configuration; when no issuewild record is present, the issue records govern wildcard requests as well.
Now that your domain has CAA records, only VikingCloud may issue certificates for your domain. When you submit a certificate request to VikingCloud, processing of the request remains the same as before. If an attacker attempts to get a certificate for your domain from another certificate authority, that authority will look up the CAA records for your domain, see that only VikingCloud is authorized to issue, and refuse the request. Keep in mind that CAA restricts future issuance only: it does not revoke certificates that already exist, and it cannot protect a domain whose DNS an attacker is able to change, since the attacker could then alter the CAA records themselves.
If VikingCloud notifies you of a problem encountered when attempting to check CAA records prior to issuing a certificate for your domain, ensure that the DNS servers for your domain accept queries for CAA records from the Internet and answer them correctly. If the DNS servers for your domain cannot be queried for CAA records by VikingCloud, then we cannot issue the certificate. Common reasons for your DNS server being unreachable include:
To diagnose the issue, use a DNS query tool such as dig and attempt to reproduce the problem. Here is an example invocation of dig that queries for CAA records (CAA records have DNS resource record type 257; recent versions of dig also accept the mnemonic CAA in place of type257):
dig [YOUR DOMAIN NAME] type257 +dnssec
If that command times out, or returns an error response code such as SERVFAIL, then this is likely the problem that VikingCloud is encountering when attempting to check for CAA records. (A SERVFAIL from a DNSSEC-validating resolver often means the DNSSEC chain for the name is broken, which has the same effect on issuance as an unreachable server.) However, if the query for your domain succeeds (a NOERROR response) but returns no CAA records because none are configured, the certificate authority continues the search at the parent domain, so the problem may be occurring there; it's important to repeat this process for each parent domain.
As an example, assume that the domain you are requesting a certificate for is "subdomain.example.com" and that there are no CAA records configured. VikingCloud will query the following domains for CAA records:
1. subdomain.example.com
2. example.com
3. com
If any of these domains cannot be queried for CAA records, then VikingCloud cannot issue the certificate.
As another example, assume that the domain you are requesting a certificate for is "subdomain.example.com" and that there is a CAA record permitting issuance for VikingCloud at "example.com". Prior to issuing the certificate, VikingCloud will query the following domains for CAA records:
1. subdomain.example.com
2. example.com
Since at least one CAA record was found at "example.com", the search for CAA records stops there ("com" is not queried).
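The lookup described in the two examples above, together with the issuance decision a certificate authority makes from the record set it finds, as an added Python example. This is not part of the original page and is not VikingCloud's code: it models RFC 8659 processing against a constructed in-memory resolver, the issuer domain "ca.example" is a placeholder rather than VikingCloud's real CAA identifier, and the zone contents and failure modes are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    """One CAA resource record (DNS RR type 257)."""
    flags: int   # bit value 128 = issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "ca.example" or "ca.example; account=123"


class LookupFailure(Exception):
    """The CA could not query a name: timeout, SERVFAIL, REFUSED, ..."""


class FakeResolver:
    """Constructed stand-in for DNS (not a real resolver): name -> CAA RRset.

    A name mapped to None answers SERVFAIL (broken server, or one that
    rejects type-257 queries). A name that is absent answers NOERROR with
    no records. Every query is logged so the caller can see exactly which
    names the CA asked for.
    """
    def __init__(self, zones):
        self.zones = zones
        self.queried = []

    def caa(self, name):
        self.queried.append(name)
        if name not in self.zones:
            return []
        if self.zones[name] is None:
            raise LookupFailure("SERVFAIL answering CAA query for " + name)
        return list(self.zones[name])


def lookup_chain(name):
    """Names the CA queries, from the requested name up to the TLD.
    The root zone is never queried."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def relevant_rrset(name, resolver):
    """RFC 8659 section 3: climb toward the root and stop at the first
    non-empty CAA RRset. A lookup failure anywhere on the way aborts."""
    for candidate in lookup_chain(name):
        rrset = resolver.caa(candidate)      # may raise LookupFailure
        if rrset:
            return candidate, rrset
    return None, []


def issuer_domain(record):
    # Property value is "issuer-domain-name [; parameter=value ...]".
    return record.value.split(";", 1)[0].strip().lower()


def issuance_permitted(name, ca, resolver, wildcard=False):
    """May the CA identified by `ca` issue for `name`?"""
    _, rrset = relevant_rrset(name, resolver)
    if not rrset:
        return True          # no CAA anywhere in the chain: unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag.lower() not in known for r in rrset):
        return False         # critical property the CA does not understand
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # issuewild replaces issue for wildcard requests only when present;
    # issuewild is ignored entirely for non-wildcard requests.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True          # e.g. only an iodef record: nothing restricted
    # An empty issuer domain ("issue ;") matches no CA: issuance forbidden.
    return any(issuer_domain(r) == ca.lower() for r in applicable)


CA = "ca.example"   # placeholder CAA issuer domain, NOT VikingCloud's real one


def scenario_no_caa():
    """Page example 1: no CAA records anywhere; all three names are queried."""
    r = FakeResolver({})
    return issuance_permitted("subdomain.example.com", CA, r), r.queried


def scenario_caa_at_parent():
    """Page example 2: CAA at example.com, so 'com' is never queried;
    a different CA is refused by the same record."""
    zones = {"example.com": [CAA(0, "issue", CA)]}
    r = FakeResolver(zones)
    ok = issuance_permitted("subdomain.example.com", CA, r)
    other = issuance_permitted("subdomain.example.com", "other-ca.example",
                               FakeResolver(zones))
    return ok, other, r.queried


def scenario_broken_parent():
    """Parent zone SERVFAILs on CAA queries: the CA must refuse to issue."""
    r = FakeResolver({"example.com": None})
    try:
        issuance_permitted("subdomain.example.com", CA, r)
        return "permitted"
    except LookupFailure:
        return "refused"


def scenario_wildcard():
    """issue permits the CA; 'issuewild ;' forbids every CA from wildcards."""
    zones = {"example.com": [CAA(0, "issue", CA), CAA(0, "issuewild", ";")]}
    plain = issuance_permitted("subdomain.example.com", CA, FakeResolver(zones))
    wild = issuance_permitted("example.com", CA, FakeResolver(zones), wildcard=True)
    return plain, wild


if __name__ == "__main__":
    for fn in (scenario_no_caa, scenario_caa_at_parent,
               scenario_broken_parent, scenario_wildcard):
        print(fn.__name__, "->", fn())
```

The resolver log in each scenario is the list of names a real CA would send type-257 queries for, which is exactly the list to walk with the dig command above when a request is refused: a SERVFAIL or timeout at any name in that list, including the TLD, blocks issuance, while a NOERROR answer with a non-empty CAA RRset ends the search.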