Mar 1, 2024
In line with the CA/B Forum's Ballot 187 - Make CAA Checking Mandatory, GlobalSign implements CAA Checking for SSL Certificates. CAA is validated before issuance of all publicly trusted SSL Certificates, namely: AlphaSSL, DomainSSL, OrganizationSSL, ExtendedSSL, CloudSSL and CloudSSL SAN orders, and upon issuance of MSSL domains. For Domain Validated SSL products, if the CAA record is set up incorrectly, you will receive an error during the domain validation steps. If you have purchased a higher validation product, the verification agent will contact you if your DNS CAA record is not compatible with GlobalSign.
CAA Checking is carried out to improve the strength of the PKI ecosystem with a control that restricts which CAs can issue certificates for a particular domain name. Certificate Authorities are obligated to check for DNS CAA records and honor the preferences they express. If no DNS CAA record is present, any CA is allowed to issue a certificate for the domain. If a DNS CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname. When processing DNS CAA records, GlobalSign processes the issue, issuewild, and iodef property tags as specified in RFC 6844.
Error Message | Reason | Solution
---|---|---
issuer = other CA | Our system has detected that your DNS CAA records contain entries, and "globalsign.com" is not one of them. | Add "globalsign.com" to your CAA entries, and try again. Please note that this may take up to an hour to propagate, so as to make sure the DNS CAA record cache has been cleared.
servfail | This issue stems from a DNSSEC validation chain failure. It could be that your domain zone is not signed, or is incorrectly signed. | You can try to use a DNSSEC Debugger to address the problem. If you have multiple nameservers, or master and slave nameservers, please make sure that all nameservers have the correct DNSKEY and RRSIGs. Please contact your DNS provider to verify what causes the error, and work with them to resolve the issue. When your DNS server is properly set up, you can try again to verify your order. Please note that CAA check responses are cached for a maximum of one (1) hour.
i/o timeout (non-responsive) | The timeout error implies that your nameservers are down. This error can only happen for DNSSEC-enabled domains with non-responsive nameservers. | If you are presented with this error message, please make sure that your nameservers are up and running and externally reachable. Please contact your DNS provider to verify what causes the failed response from the DNS server, and work with them to resolve the issue. In case there is a firewall in place, please make sure that these IP addresses are allowed access to your DNS records: 133.88.7.1 and/or 133.88.7.2. When your DNS server is properly set up, you can try again to verify your order. Please note that CAA check responses are cached for a maximum of one (1) hour.
CAA (Certificate Authority Authorization) Checking is a control to restrict which CAs can issue certificates for a particular domain name. By configuring the DNS CAA record, domain owners can specify which Certification Authorities are authorized to issue certificates for that domain name. There are 2 different ways to modify your DNS CAA records. Please refer to the guidelines below:
Note: If you have any issues or questions whether CAA is supported with your setup, contact your DNS manager for further details.
Domain owners create DNS CAA records that list the CAs they permit to issue certificates to the domain. If a domain has a DNS CAA record, only the CAs listed in the record(s) are allowed to issue certificates for that domain. If no DNS CAA record is present, any CA is allowed to issue certificates for that domain name.
Previously, any CA could issue a certificate for any domain name, which left the PKI ecosystem vulnerable. Hence, the CA/Browser Forum, through Ballot 187, made CAA Checking mandatory to improve the strength of the PKI system.
This change doesn't affect existing SSL certificates. However, for new orders, reissues, and renewals, if a domain has DNS CAA record(s) and none of those records contains globalsign.com as a permitted issuer, then GlobalSign is prohibited from issuing (or reissuing) a certificate to that domain (or subdomain).
Your DNS CAA record should contain "globalsign.com" as shown below.
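The following Python script is an added illustration, not GlobalSign's code: it applies the RFC 6844 rules described above (climbing to the closest CAA RRset, issue versus issuewild precedence, an empty issuer meaning "nobody") to a constructed in-memory zone, so you can see when a CA such as globalsign.com is permitted and when the "issuer = other CA" situation arises. The zone names and records are made up for the example.

```python
# Added example, not GlobalSign's code: evaluates CAA per RFC 6844 over a
# constructed in-memory zone (no live DNS lookups are performed).
from typing import Dict, List, Tuple

CAA = Tuple[int, str, str]  # (flags, tag, value)

def parse_caa(rr: str) -> CAA:
    """Parse presentation format, e.g. '0 issue "globalsign.com"'."""
    flags, tag, value = rr.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')

# Constructed sample zone data: owner name -> CAA RRset.
ZONE: Dict[str, List[CAA]] = {
    "example.com": [parse_caa('0 issue "otherca.example"'),
                    parse_caa('0 iodef "mailto:caa@example.com"')],
    "shop.example.com": [parse_caa('0 issue "globalsign.com; account=12345"'),
                         parse_caa('0 issuewild ";"')],
    "only-iodef.example.org": [parse_caa('0 iodef "mailto:x@example.org"')],
}

def relevant_records(name: str, zone: Dict[str, List[CAA]] = ZONE) -> List[CAA]:
    """RFC 6844 s.4: starting at name (wildcard label removed), climb toward
    the root and return the first non-empty CAA RRset; [] means no CAA."""
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def ca_may_issue(name: str, ca: str, zone: Dict[str, List[CAA]] = ZONE) -> Tuple[bool, str]:
    """Return (allowed, reason). Wildcard names use issuewild when present,
    otherwise fall back to issue (RFC 6844 s.5.3); an empty issuer (";")
    authorises nobody; a set with neither tag does not restrict issuance."""
    rrset = relevant_records(name, zone)
    if not rrset:
        return True, "no CAA record: any CA may issue"
    tags = {tag for _, tag, _ in rrset}
    tag = "issuewild" if name.startswith("*.") and "issuewild" in tags else "issue"
    # The issuer domain is the value up to the first ';' (parameters follow it).
    issuers = [v.split(";")[0].strip().lower() for _, t, v in rrset if t == tag]
    if not issuers:
        return True, f"no {tag} property in relevant set: not restricted"
    if ca.lower() in issuers:
        return True, f"{tag} permits {ca}"
    return False, "issuer = other CA"  # the error GlobalSign reports in this case
```

Running `ca_may_issue("www.example.com", "globalsign.com")` reproduces the "issuer = other CA" outcome, since the closest CAA set (at example.com) lists only another CA.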
1. Ballot 187 - Make CAA Checking Mandatory
2. Baseline Requirements
3. DNS Certification Authority Authorization (CAA) Resource Record
4. What is the CA/Browser Forum and What is its Role in Internet Security