CAA Records in the Business.ID

What does CAA mean?

DNS Certification Authority Authorization (CAA) is a security mechanism in the Domain Name System (DNS) that controls the issuance of SSL/TLS and S/MIME certificates. CAA records allow domain owners to specify which Certificate Authorities (CAs) are authorized to issue certificates for their domain. This reduces the risk of an unauthorized CA issuing a certificate for the domain, which could lead to security issues. The examination of CAA entries is based on the requirements of RFC 9495.

One potential problem is CAA's dependence on DNS. Unless a domain owner secures their name services, this can be an attack vector. RFC 6844 proposes to implement Domain Name System Security Extensions (DNSSEC), which uses digitally signed DNS records to authenticate data and combat the threat of DNS spoofing.

How does the CAA check work?

First, the domain owner creates one or more CAA records in their domain's DNS zone. Once this is done, the domain owner can request an SSL/TLS or S/MIME certificate for their domain from a CA. Before the CA issues a certificate, it must query the CAA record of the domain. This is done by making a DNSSEC/DNS query of the CAA record for the domain. If the CA is listed as authorized in the CAA record, it proceeds with the issuance of the certificate. If this is not the case, it rejects the issuance and, if necessary, reports an incident.

Basically, an empty CAA record set means that all CAs are allowed to issue certificates.

Error cases

One of the most common errors is SERVFAIL. This usually indicates an error in DNSSEC validation. If you get a SERVFAIL error, the first thing you should do is use a DNSSEC debugger like dnsviz.net. If this does not reveal the problem, it is possible that your nameservers generate incorrect signatures only when the response is empty. Since CAA responses are mostly empty, such a fault shows up first in CAA checks.

Typical entries for CAA Records

Certificate type: TLS
CAA Record*:
telesec.de. 43200 IN CAA 0 issuewild "telesec.de"
telesec.de. 43200 IN CAA 0 issue "telesec.de"
telesec.de. 43200 IN CAA 0 iodef "mailto:trustcenter.lastlevel@t-systems.com"

Certificate type: SMIME
CAA Record*:
telesec.de. 43200 IN CAA 0 issuemail "telesec.de"

* Details can be found in RFC 9495
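The check described above, worked through as an added example (this is not code from the page or from Telesec): a small evaluator that parses CAA records in the same zone-file presentation format as the entries in the table, walks from the requested name up to the parent domains to find the relevant CAA record set, and decides whether a given CA may issue a TLS, wildcard or S/MIME certificate. The zone contents, the names under .test and the function names are constructed assumptions. The rules follow RFC 8659 (issue, issuewild, iodef, critical flag, empty set permits) plus the issuemail tag of RFC 9495; a failed lookup (the SERVFAIL case from the Error cases section) is treated conservatively as "do not issue".

```python
"""CAA policy evaluation over a constructed in-memory zone (no network access).

Added example, not the page's or Telesec's code. Zone data below is invented.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit value 128 = "issuer critical"
    tag: str     # issue, issuewild, iodef, issuemail, ...
    value: str


class CAALookupError(Exception):
    """Models a resolver failure such as SERVFAIL (often broken DNSSEC signing)."""


# Presentation format used in the page's table: owner TTL IN CAA flags tag "value"
_CAA_LINE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')


def parse_caa_line(line):
    """Parse one zone-file CAA line into (owner_name, CAARecord)."""
    m = _CAA_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    owner, _ttl, flags, tag, value = m.groups()
    return owner, CAARecord(int(flags), tag, value)


# Constructed zone data (assumption, not real DNS). Names missing from ZONE
# have no CAA records; names in SERVFAIL_NAMES make the resolver fail.
ZONE_LINES = """
example.test. 43200 IN CAA 0 issue "telesec.de"
example.test. 43200 IN CAA 0 issuewild ";"
example.test. 43200 IN CAA 0 issuemail "telesec.de"
example.test. 43200 IN CAA 0 iodef "mailto:security@example.test"
strict.test.  43200 IN CAA 128 futuretag "x"
"""
ZONE = {}
for _line in ZONE_LINES.strip().splitlines():
    _owner, _rec = parse_caa_line(_line)
    ZONE.setdefault(_owner, []).append(_rec)
SERVFAIL_NAMES = {"broken.test."}

KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail"}


def lookup_caa(name):
    """Stand-in for a DNSSEC-validating CAA query of one name."""
    if name in SERVFAIL_NAMES:
        raise CAALookupError(f"SERVFAIL for {name}")
    return ZONE.get(name, [])


def relevant_rrset(fqdn):
    """RFC 8659 section 3: climb from the FQDN towards the root; the first
    non-empty CAA record set found is the one that applies."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def value_permits(value, ca_domain):
    """'domain; param=value' names one CA; an empty domain (';') denies everyone."""
    domain = value.split(";", 1)[0].strip().lower()
    return bool(domain) and domain == ca_domain.lower()


def may_issue(fqdn, ca_domain, kind="tls"):
    """Return (allowed, reason). kind is 'tls', 'wildcard' or 'smime'."""
    try:
        rrset = relevant_rrset(fqdn)
    except CAALookupError as exc:
        return False, f"lookup failed ({exc}): do not issue; retry and check DNSSEC"
    if not rrset:
        return True, "no CAA records: any CA may issue"
    for r in rrset:  # an unknown tag with the critical bit set forbids issuance
        if r.flags & 128 and r.tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical tag {r.tag!r}: must not issue"
    if kind == "smime":
        tag = "issuemail"                       # RFC 9495; issue/issuewild do not apply
    elif kind == "wildcard" and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"                       # takes precedence for wildcards
    else:
        tag = "issue"
    relevant = [r for r in rrset if r.tag.lower() == tag]
    if not relevant:
        return True, f"no {tag} records: {kind} issuance is not restricted"
    if any(value_permits(r.value, ca_domain) for r in relevant):
        return True, f"{ca_domain} is authorized by {tag}"
    return False, f"{ca_domain} is not listed in {tag}; report via iodef if present"


def iodef_contacts(fqdn):
    """Where a CA should report a refused request (the iodef tag)."""
    try:
        return [r.value for r in relevant_rrset(fqdn) if r.tag.lower() == "iodef"]
    except CAALookupError:
        return []


if __name__ == "__main__":
    for args in [("www.example.test.", "telesec.de"),
                 ("www.example.test.", "telesec.de", "wildcard"),
                 ("www.example.test.", "telesec.de", "smime"),
                 ("www.broken.test.", "telesec.de")]:
        print(args, "->", may_issue(*args))
```

The climb in relevant_rrset is why a record on example.test. also governs www.example.test., and why a SERVFAIL anywhere on that path stops issuance for every name beneath it: exactly the failure a domain owner sees when only the (empty) negative answers of their zone are signed incorrectly.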