↩ Back

Certification Authority Authorization (CAA) reports

Certification Authority Authorization (CAA) allows a domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain. CAA is an optional DNS record but if present, CAs must check if their domain name is in the issue or issuewild (for wildcard certificates) properties.

Example CAA DNS record

CAA 0 issue "letsencrypt.org"
CAA 0 issue "example.com"
CAA 0 iodef "mailto:security@example.net"

The canhas.report domain has a similar DNS CAA record.

Example report

I'm currently not aware of any certification authority sending CAA reports and the Incident Object Description Exchange Format is quite extensive to come up with an artificial example report. Let me know if you are a CA sending CAA reports or if you know about one.

Related specs