Create CAA records for a domain name

Certificate Authority Authorization (CAA) is a type of DNS record that allows a domain owner to specify which Certificate Authorities (CAs) can issue SSL certificates for the domain.

A secure connection to a service requires SSL/TLS certificates to establish the identity of the host and set up a secure channel. Not having CAA records is a security risk, because anybody can generate a Certificate Signing Request (CSR) for the domain and have the certificate signed by any CA.

CAA records provide an extra layer of protection to your web presence by allowing the domain owner to declare which certificate authorities are allowed to issue a certificate for the domain. If a certificate is requested from a CA that is not authorized, the CAA record causes the domain owner to be notified of the request. If no CAA record is present for a domain, any CA is allowed to issue a certificate for that domain.

The Citrix ADC appliance supports DNS CAA records in the following modes:

  • Proxy: The appliance caches CAA record response from back-end servers and responds to further queries of the same type from the cache.
  • ADNS: The appliance responds to the CAA record type DNS queries from the configured DNS records.

Note:

  • You can add a maximum of 20 CAA records per domain name.
  • Recursive resolver and forwarder modes are not supported.

Add a CAA record using the CLI

At the command prompt, type the following command:

add dns caaRec <domain> <issuer-string> -tag <tag-string> -flag [None|Critical] [-TTL <secs>]

Example:

> add dns caaRec newdomain string1 -tag Issue -flag None -TTL 3600

Show command details

> show dns caaRec

1)  Domain : newdomain  ECS Subnet : None      Record id: 39423 TTL : 3600 secs Record Type : ADNS
Value: string1
Tag: issue
Flag: NONE

2)  Domain : test.com  ECS Subnet : None      Record id: 2572   TTL : 5 secs    Record Type : ADNS
Value: ca1.test.com
Tag: issue
Flag: NONE
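As an added example (not Citrix code and not part of the original page), the following Python script parses the text layout of the `show dns caaRec` listing above into records and then decides whether a given CA may issue a certificate for a name, which is the check a CA performs against the records you publish. The records for `strict.example` (a Critical flag on a tag the CA does not understand) and `wild.example` (an `issue` record next to an `issuewild` record) are constructed additions that exercise the `-flag Critical` and wildcard cases; the parent walk (consulting `test.com` when `www.test.com` has no CAA set) follows RFC 8659 and goes beyond the single sentence on this page.

```python
"""Added example: parse `show dns caaRec` output and evaluate CAA for a CA.

Not Citrix code. The decision follows RFC 8659: walk from the name up to its
parents, the first non-empty CAA set decides, and no set anywhere means any
CA may issue. A Critical property with an unknown tag forbids issuance.
"""
import re
from collections import defaultdict

# Constructed sample: the two records printed on the page plus constructed
# records for strict.example and wild.example (ids 1001-1003 are made up).
SHOW_OUTPUT = """\
1)  Domain : newdomain  ECS Subnet : None      Record id: 39423 TTL : 3600 secs Record Type : ADNS
Value: string1
Tag: issue
Flag: NONE
2)  Domain : test.com  ECS Subnet : None      Record id: 2572   TTL : 5 secs    Record Type : ADNS
Value: ca1.test.com
Tag: issue
Flag: NONE
3)  Domain : strict.example  ECS Subnet : None      Record id: 1001  TTL : 300 secs  Record Type : ADNS
Value: some-policy
Tag: futuretag
Flag: CRITICAL
4)  Domain : wild.example  ECS Subnet : None      Record id: 1002  TTL : 300 secs  Record Type : ADNS
Value: ca1.test.com
Tag: issue
Flag: NONE
5)  Domain : wild.example  ECS Subnet : None      Record id: 1003  TTL : 300 secs  Record Type : ADNS
Value: ;
Tag: issuewild
Flag: NONE
"""

KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # property tags a CA understands
HEADER_RE = re.compile(r"\d+\)\s+Domain\s*:\s*(\S+).*?Record id:\s*(\d+)")


def parse_show_caa(text):
    """Return {domain: [record dicts]} from the text layout of `show dns caaRec`."""
    zone = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # a numbered "Domain :" line starts a new record
            current = {"record_id": int(m.group(2)), "tag": "", "value": "", "critical": False}
            zone[m.group(1).lower()].append(current)
            continue
        if current is None:
            continue
        key, _, val = line.partition(":")   # split on the first colon only
        key, val = key.strip().lower(), val.strip()
        if key == "value":
            current["value"] = val
        elif key == "tag":
            current["tag"] = val.lower()
        elif key == "flag":
            current["critical"] = (val.upper() == "CRITICAL")
    return dict(zone)


def relevant_record_set(zone, name):
    """Walk from `name` up to its parents; return (owner, records) of the first CAA set."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def ca_may_issue(zone, name, ca_domain, wildcard=False):
    """Decide whether `ca_domain` may issue for `name` (or `*.name` when wildcard)."""
    owner, records = relevant_record_set(zone, name)
    if not records:
        return True, "no CAA record for the name or any parent: any CA may issue"
    # A Critical property the CA does not understand forbids issuance outright.
    for r in records:
        if r["critical"] and r["tag"] not in KNOWN_TAGS:
            return False, f"critical unknown tag {r['tag']!r} at {owner}"
    # issuewild governs wildcard names only when present; otherwise issue applies.
    tag = "issuewild" if wildcard and any(r["tag"] == "issuewild" for r in records) else "issue"
    # The issuer domain precedes any ';' parameters; a bare ';' means no CA at all.
    issuers = [r["value"].split(";")[0].strip().lower() for r in records if r["tag"] == tag]
    if not issuers:
        return True, f"no {tag} property at {owner}: any CA may issue"
    if ca_domain.lower() in issuers:
        return True, f"{ca_domain} is listed in {tag} at {owner}"
    return False, f"{ca_domain} is not listed in {tag} at {owner} (allowed: {issuers})"


if __name__ == "__main__":
    z = parse_show_caa(SHOW_OUTPUT)
    for q in [("www.test.com", "ca1.test.com"), ("wild.example", "ca1.test.com", True)]:
        print(q, ca_may_issue(z, *q))
```

Run it as-is to see the decisions for the sample; point `parse_show_caa` at real `show dns caaRec` output to review what the appliance serves in ADNS mode. Note that the appliance prints the tag in lower case (`issue`) even when it was added as `Issue`, so the parser lower-cases tags before comparing.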

To remove a CAA record, type the following command at the command prompt:

rm dns caaRec <domain> (<issuer-string> -tag <tag-string> | -recordId <positive_integer>@)

Example:

rm dns caaRec newdomain -recordId 39423

Note:

-recordId @ is not supported in a cluster.

Add a CAA record using the GUI

Navigate to Traffic Management > DNS > Records > CAA Records and create a CAA record.