Adding CAA Records


Certification Authority Authorization (CAA) records are a security policy that DNS administrators use to tell Certificate Authorities (CAs) who is allowed to issue SSL certificates for a particular domain. The idea was drafted in January 2013. If you would like to learn more about CAA records, you can read RFC 6844 in full. This guide walks you through creating CAA records in your No-IP account.

Log into your No-IP account

On the left side, click on My Services and then DNS Records

Click on Modify next to the domain you wish to add the CAA record to

Halfway down the page you will see Advanced Records. Click on the CAA button

Here you can create your record

There are three options to edit:
• Flags
• Tag
• Value

Flags is mostly reserved for future use of CAA records. Currently only 0 and 128 are recognized: 0 is the default, and 128 is designated as the Critical flag. If your record is set to 0, any unrecognized tags in your record will be ignored and other requests will be processed. If it is set to 128, any unrecognized tags will halt certificate issuance (assuming the issuer is standards compliant).

Tag offers three different options: issue, issuewild, and iodef. Using issue authorizes the CA to issue a certificate for the specific hostname the CAA record is on. If you need to authorize multiple hostnames, you will need to add a CAA record to each host. Using issuewild authorizes the CA to create a wildcard certificate (and only a wildcard cert) for the specific hostname the CAA record is on. Again, if you need to authorize multiple hostnames, you will need to add a CAA record to each host. Using iodef defines where people can send policy violation reports.

Value is where you designate which CA is allowed to issue certificates for your domain/hostname.

Once you are done setting your Flag, Tag, and Value, click Add to complete the process. Here are some examples and what they do:

This example shows a basic CAA record that allows Let's Encrypt to issue SSL certificates for example.com:
Example CAA 1

This example shows a CAA record that establishes where policy violations should be mailed to:
Example CAA 2
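
The following is an added example, not part of No-IP's guide: a small Python checker that applies the Flags, Tag and Value rules described above the way an RFC 6844 compliant CA would, so a record set can be tested before it is saved. The sample records, the CA name `otherca.example`, the tag `futuretag` and the helper names `parse_caa` and `may_issue` are constructed for illustration; following the RFC, the checker lets `issue` cover wildcard requests when no `issuewild` record exists.

```python
import re

# The three tags this page describes; any other tag is "unrecognized" here.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
RECORD_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"?(.*?)"?\s*$')

def parse_caa(line):
    """Split 'flags tag "value"' (the three fields in the form) into a tuple."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    if flags > 255:
        raise ValueError(f"flags must fit in one byte: {flags}")
    return flags, tag, value

def may_issue(records, ca_domain, wildcard=False):
    """Return (allowed, reason) for one CA against one hostname's CAA set."""
    parsed = [parse_caa(r) for r in records]
    # Flags 128 (critical) on an unrecognized tag halts issuance outright.
    for flags, tag, _ in parsed:
        if flags & 128 and tag not in KNOWN_TAGS:
            return False, f"critical unrecognized tag: {tag}"
    issue = [v for _, t, v in parsed if t == "issue"]
    wild = [v for _, t, v in parsed if t == "issuewild"]
    # issuewild, when present, governs wildcard requests; otherwise issue does.
    relevant = wild if (wildcard and wild) else issue
    if not relevant:
        return True, "no issue restriction in this record set"
    # The CA name is the part before any ';' parameters; a bare ';' names no CA.
    allowed = {v.split(";", 1)[0].strip().lower() for v in relevant}
    if ca_domain.lower() in allowed:
        return True, "authorized"
    return False, "not authorized"

# Constructed sample records for example.com (not taken from the guide's screenshots).
SAMPLE = ['0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.com"']

if __name__ == "__main__":
    for ca in ("letsencrypt.org", "otherca.example"):
        print(ca, may_issue(SAMPLE, ca))
    print(may_issue(SAMPLE + ['128 futuretag "x"'], "letsencrypt.org"))
    print(may_issue(SAMPLE + ['0 issuewild ";"'], "letsencrypt.org", wildcard=True))
```

A record set that contains only iodef records places no restriction on issuance, which is why the checker returns allowed in that case.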