CS · EN

DNS - CAA, HTTPS, SSHFP, and TLSA Records


This article explains in detail DNS record types CAA, SSHFP, and TLSA. A general guide to DNS records and their setup in the customer administration can be found in the article DNS – Domain Records.

In this article you will learn:


CAA Records

The Certification Authority Authorization (CAA) record allows you to specify which certificate authorities (CA) are allowed to issue an SSL certificate for a domain. The record variant also allows you to define a rule for how and to whom the issuing CA will notify the event when someone tries to issue a certificate to the domain by a certificate authority that is not authorized by the record to do so.

If a domain or subdomain has no CAA record set, any CA can issue a certificate for it without restriction. A certificate authority also does not have to support CAA records - in that case, it behaves as if they did not exist.

CAA records set for the main domain also apply to all subdomains that do not have their own CAA record set with different rules.

Entering CAA Records

General instructions for setting up DNS records in the customer administration can be found in the article DNS – Domain Records.

If the domain uses different DNS servers, automatic or manual changes made by WEDOS will not affect its behavior.

The data in a CAA record consists of these parts:

  1. Flag: positive number with a value of 0-255 ⧉ (usually 0)
  2. Tag: defines the property of the CAA record
  3. Value: the value assigned to the tag

The supported tags are:

  • issue: authorizes the defined CA to issue any type of certificate
  • issuewild: authorizes the defined CA to issue only a wildcard certificate
  • iodef: specifies the URL to which the issuing CA will report a violation of the CAA rules defined for the domain

When filling in a CAA record, follow these rules:

  • Assign exactly one tag-value rule to each record.
  • If you need to enter multiple rules for one record, split them into separate records.
  • Write the tag values (value) in quotation marks.

A general CAA record therefore looks like this:

Name                         TTL    Type  Data
(domain or subdomain name) 300 CAA 0 (flag) "(value)"

Examples of CAA Records

Example: The domain allows certificates to be issued by letsencrypt.org. If another authority tries to issue the certificate, it will send the information by e-mail to info@wds-test.cz.

Sample CAA records with issue and iodef tags
Sample CAA records with issue and iodef tags

HTTPS Record

The HTTPS record helps clients find a secure connection, among other things by providing information about supported protocols and ports.

HTTPS Record Format

DNS record type HTTPS (RFC 9460 ⧉) contains priority, target (if different from the domain), and additional parameters (for example, supported HTTP versions, IP address hints).

SSHFP Record

When establishing a connection to a server using the SSH protocol, authentication takes place by verifying the server's identity using keys. The security of the connection therefore depends on comparing the fingerprint provided by the server with the expected fingerprint of the server's public key.

The SSHFP DNS record (RFC 4255 ⧉) gives SSH clients a new authentication method by comparing the fingerprint provided by the server against the fingerprint stored in the domain's DNS zone. When comparing, all parameters of the SSHFP record must match - the algorithms used to generate the key and its fingerprint, as well as the key fingerprint itself.

Using DNS SSHFP makes sense only if this record is signed with DNSSEC technology and therefore cannot be spoofed.

SSHFP Record Format

The SSHFP record consists of three parts: the number of the algorithm used to generate the key, the number of the algorithm used to generate the fingerprint, and the server's public key fingerprint itself.


TLSA Record

DNS record type TLSA (RFC 6698 ⧉) specifies the service certificate for a combination of data - FQDN, protocol, and port. Using a TLSA record, it is therefore possible to verify whether the certificate has been altered along the way between the recipient and the sender.

TLSA Record Format

A TLSA record has a specific form for both its name and data. The symbolic name of an SRV record usually has the form _port._protocol, e.g. _443._tcp.

The TLSA record data itself contains three parameters and then binary data for certificate association: the certificate-to-domain-name matching number, the selector number, the certificate-chain matching type number against the data in the TLSA record, and finally the data for comparison with the provided certificate.

Sample SSHFP and TLSA records
Sample SSHFP and TLSA records

Frequently Asked Questions

Is it necessary to set CAA, SSHFP, and TLSA records for a domain?

No, most domains work without problems even without these records.