CAA records
KeyDNS currently supports managing CAA records via the API and in the CentralNic Reseller control panel.
The purpose of the CAA (Certification Authority Authorization) record is to let domain owners specify which certificate authorities (CAs) are allowed to issue an SSL/TLS certificate for a domain. A CA must check CAA before issuing: if no CAA record is found for the host name or any of its parent domains, any CA may issue a certificate; if a CAA record set is found, the CA may only issue when it is named in an issue record (or, for wildcard certificates, an issuewild record) of that set. Because the lookup climbs towards the root, a CAA record at the zone apex also covers every subdomain that has no CAA records of its own. Thus a CAA record is optional for customers to set, but mandatory for certificate authorities to check. Note that CAA is enforced only at issuance time; browsers do not evaluate it, so it neither blocks nor revokes certificates that were issued earlier.
For reference: RFC 6844 for CAA records (now superseded by RFC 8659).
API Command Examples
Allow the Certificate Authority DigiCert to issue SSL certificates for example.com:
Command
command = adddnszone
dnszone = example.com
rr0 = @ IN CAA 0 issue digicert.com
Allow the Certificate Authority DigiCert to issue SSL wildcard certificates (*.example.com) for example.com. An issuewild record only governs wildcard issuance; non-wildcard issuance is still controlled by the issue record(s) in the zone, so keep the issue record from the previous example in place:
Command
command = modifydnszone
dnszone = example.com
rr0 = @ IN CAA 0 issuewild digicert.com
Allow the Certificate Authority DigiCert to issue SSL wildcard certificates for example.com, but disallow single domain (non-wildcard) SSL certificates for every CA. An issue record with the empty value ";" forbids all non-wildcard issuance:
Command
command = modifydnszone
dnszone = example.com
rr0 = @ IN CAA 0 issue ";"
rr1 = @ IN CAA 0 issuewild digicert.com
Define an email address to which CAs may send incident reports (iodef property):
Command
command = modifydnszone
dnszone = example.com
rr0 = @ IN CAA 0 iodef mailto:[email protected]
Define a URL to which CAs may send incident reports:
Command
command = modifydnszone
dnszone = example.com
rr0 = @ IN CAA 0 iodef http://www.example.com/script.php
The RFC specifies the report format (IODEF) but leaves sending reports optional for Certificate Authorities, and not every CA supports the iodef property, so do not rely on it as your only notification channel.
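As an added illustration (example code, not KeyDNS or CentralNic code), the following Python implements the decision a CA has to make when it reads the records set up by the commands above: it parses rrN values in the form used on this page (bare token or the quoted string of the RFC presentation format), finds the relevant CAA record set by climbing from the requested name towards the root, and applies the issue/issuewild selection rules of RFC 8659, including the refusal on an unknown critical property. It deliberately omits the CNAME/DNAME following of the older RFC 6844 algorithm and any DNSSEC validation. The zone contents come from the examples above; the CA names used for comparison and the issuewild-only zone are assumptions added to show the behaviour.

```python
"""Evaluate CAA records the way a CA must before issuing (RFC 8659 decision rules, simplified)."""
import re
from collections import namedtuple

CAA = namedtuple("CAA", "flags tag value")

# Property tags defined by the RFC; a record with the critical bit set and an
# unknown tag means the CA must not issue at all.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80

# owner [IN] CAA flags tag value   -- value either "quoted" or a bare token
_RR_RE = re.compile(
    r'^(\S+)\s+(?:IN\s+)?CAA\s+(\d+)\s+(\w+)\s+(?:"([^"]*)"|(\S+))\s*$', re.IGNORECASE
)


def parse_caa_rr(line):
    """Parse one zone-style record line, e.g. '@ IN CAA 0 issue digicert.com'."""
    m = _RR_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    owner, flags, tag, quoted, bare = m.groups()
    return owner, CAA(int(flags), tag.lower(), quoted if quoted is not None else bare)


def load_zone(zone_name, rr_lines):
    """Build {fqdn: [CAA, ...]}; '@' is the zone apex, other owners are relative to it."""
    zone_name = zone_name.rstrip(".").lower()
    zone = {}
    for line in rr_lines:
        owner, rr = parse_caa_rr(line)
        if owner == "@":
            fqdn = zone_name
        elif owner.endswith("."):
            fqdn = owner.rstrip(".").lower()
        else:
            fqdn = f"{owner.lower()}.{zone_name}"
        zone.setdefault(fqdn, []).append(rr)
    return zone


def relevant_rrset(zone, name):
    """RFC 8659 section 3: the CAA RRset of the closest ancestor-or-self that has one."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)
    return []


def issuer_domain(value):
    """'digicert.com; policy=ev' -> 'digicert.com'; the empty value ';' -> '' (nobody may issue)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone, fqdn, ca_domain):
    """True if the CA identified by ca_domain may issue for fqdn (a '*.' prefix means wildcard)."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue
    if any(rr.flags & CRITICAL and rr.tag not in KNOWN_TAGS for rr in rrset):
        return False  # critical property this CA does not understand: must not issue
    issue = [rr for rr in rrset if rr.tag == "issue"]
    issuewild = [rr for rr in rrset if rr.tag == "issuewild"]
    # Wildcard requests use issuewild records when present, otherwise fall back to issue records.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # CAA present, but no issue restriction applies to this request
    return any(issuer_domain(rr.value) == ca_domain.lower() for rr in applicable)


def iodef_targets(zone, name):
    """Report destinations a CA may use for requests concerning name (sending is optional for CAs)."""
    return [rr.value for rr in relevant_rrset(zone, name) if rr.tag == "iodef"]


# The configurations from the API examples above, plus an assumed issuewild-only zone.
CONFIGS = {
    "issue only": ["@ IN CAA 0 issue digicert.com"],
    "issue + issuewild": ["@ IN CAA 0 issue digicert.com", "@ IN CAA 0 issuewild digicert.com"],
    "wildcard only": ['@ IN CAA 0 issue ";"', "@ IN CAA 0 issuewild digicert.com"],
    "issuewild only": ["@ IN CAA 0 issuewild digicert.com"],
}

if __name__ == "__main__":
    for label, lines in CONFIGS.items():
        zone = load_zone("example.com", lines)
        print(f"--- {label}")
        for fqdn in ("example.com", "www.example.com", "*.example.com"):
            for ca in ("digicert.com", "letsencrypt.org"):  # assumed CA identifiers
                verdict = "ALLOW" if may_issue(zone, fqdn, ca) else "DENY"
                print(f"  {ca:16} {fqdn:18} {verdict}")
```

Running the block prints the verdict matrix; the "issuewild only" rows show why an issuewild record on its own is not a complete policy, since non-wildcard issuance stays open to every CA in that case.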
Certificate Authorities offered at CentralNic Reseller
Certificate Authority used by our CentralNic Reseller hosting (HOMER)