The aim of this page is to explain Certificate Authority Authorization (CAA) DNS records and how they function. Why? Because I am having an issue creating a TLS cert with Traefik as the CAA record of the vendor is not listing Let's Encrypt as an allowed Certificate Authority.

• CAA records authorize specific Certificate Authorities (CAs) to issue SSL/TLS certificates for a domain.
• Enhances security by preventing unauthorized CAs from issuing certificates.
• Contains fields: Flags, Tag, and Value.
• Flags: Integer value, typically 0.
• Tag: Specifies the type of policy, e.g., issue, issuewild, iodef.
• Value: Domain of the authorized CA.
• Real-world example:

doggo CAA google.com
NAME        TYPE    CLASS   TTL     ADDRESS             NAMESERVER
google.com. CAA     IN      9550s   0 issue "pki.goog"  8.8.8.8:53  

• The record type is Defined in RFC 8659.

LINKS

• https://tools.ietf.org/html/rfc8659