Certification Authority Authorization (CAA) reports
Certification Authority Authorization (CAA) allows a domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain.
CAA is an optional DNS record, but if present, CAs must check whether their domain name is listed in the issue or issuewild (for wildcard certificates) properties.
Example CAA DNS record
CAA 0 issue "letsencrypt.org"
CAA 0 issue "example.com"
CAA 0 iodef "mailto:security@example.net"
0: "Critical Flag", intended to introduce new properties in the future; at the moment only 0 is allowed.
issue: which CAs (Let's Encrypt in this case and a hypothetical Example CA) can issue both regular and wildcard certificates for this domain. Add issuewild if you want some other CA to issue wildcard certificates; in that case any existing issue properties are ignored by the CA when processing a request for a wildcard certificate.
iodef: URL (mailto:, http:, https:) where reports of invalid certificate requests may be sent, in Incident Object Description Exchange Format.
The canhas.report domain has a similar DNS CAA record.
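The issuance rule described above, as an added Python example that is not part of this page or of any CA's code: it parses records in the presentation format shown above and applies the issue/issuewild precedence to a requesting CA's domain, plus collects the iodef report targets. The ISSUER_CRITICAL value of 128 follows RFC 8659 and is not something this page states.

```python
from dataclasses import dataclass
# Constructed sample zone lines, mirroring the record shown on this page.
SAMPLE_RECORDS = [
    'CAA 0 issue "letsencrypt.org"',
    'CAA 0 issue "example.com"',
    'CAA 0 iodef "mailto:security@example.net"',
]
ISSUER_CRITICAL = 128  # RFC 8659 "issuer critical" flag bit (not stated on this page)
KNOWN_TAGS = ("issue", "issuewild", "iodef")

@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

def parse_caa(line: str) -> CAARecord:
    """Parse a presentation-format line: CAA <flags> <tag> "<value>"."""
    parts = line.split(None, 3)
    if len(parts) != 4 or parts[0].upper() != "CAA":
        raise ValueError(f"not a CAA record: {line!r}")
    _, flags, tag, value = parts
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))

def issuer_domain(value: str) -> str:
    # issue/issuewild values may carry ';'-separated parameters; only the leading
    # domain names the CA. An empty domain (value ";") authorises no CA at all.
    return value.split(";", 1)[0].strip().lower()

def issuance_allowed(records, ca_domain: str, wildcard: bool) -> bool:
    """issue covers regular and wildcard names, but if any issuewild property
    exists it alone governs wildcard requests; no CAA records means no restriction."""
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False  # a critical property the CA does not understand: refuse
    relevant = [r for r in records if r.tag == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:
        return True
    return any(issuer_domain(r.value) == ca_domain.lower() for r in relevant)

def report_targets(records) -> list:
    """iodef URLs (mailto:, http:, https:) where a CA may report a rejected request."""
    return [r.value for r in records
            if r.tag == "iodef" and r.value.startswith(("mailto:", "http:", "https:"))]

if __name__ == "__main__":
    recs = [parse_caa(l) for l in SAMPLE_RECORDS]
    print(issuance_allowed(recs, "letsencrypt.org", True), issuance_allowed(recs, "otherca.example", False))
    print("report to:", report_targets(recs))
```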
Example report
I'm currently not aware of any certification authority sending CAA reports and the Incident Object Description Exchange Format is quite extensive to come up with an artificial example report. Let me know if you are a CA sending CAA reports or if you know about one.