We see CAA records more and more, since CAs are now obligated to check for CAA records before issuing SSL certificates. With this comes the question: how do you create a CAA record in Azure DNS? It is not currently in the dropdown when selecting the type of DNS record in the portal.

What is a CAA record?

The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain. CAA Resource Records allow a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issuance. It's a really good security measure which gives you control over SSL issuance under your domain. Basically, you set a CAA record which tells which CAs can issue a certificate for your domain; any CA not listed must refuse. You need to list them explicitly.

You can find a list of CA names and domains here - https://sslmate.com/caa/

CloudFlare questions related to CAA answered here - https://support.cloudflare.com/hc/en-us/articles/115000310832-Certification-Authority-Authorization-CAA-FAQ


Let's see how we can do this with PowerShell. The Azure documentation on DNS tells us a little bit about how to build the command, but it doesn't tell us the whole story.


The simple command looks like this:

New-AzDnsRecordSet -Name "test-caa" -RecordType CAA -ZoneName "contoso.com" -ResourceGroupName "MyResourceGroup" -Ttl 3600 -DnsRecords (New-AzDnsRecordConfig -Caaflags 0 -CaaTag "issue" -CaaValue "ca1.contoso.com")

Let's do it for one of my domains. Let's say that I want to allow Let's Encrypt to issue certificates for my domain. Note that the record set name decides which name the policy covers: "CAA" creates caa.domain.com, while "@" (used further down) is the zone apex, which is what a CA checks for domain.com and for any subdomain that has no CAA record of its own.

New-AzDnsRecordSet -Name "CAA" -RecordType CAA -ZoneName "domain.com" -ResourceGroupName "xxxx" -Ttl 3600 -DnsRecords (New-AzDnsRecordConfig -Caaflags 0 -CaaTag "issue" -CaaValue "letsencrypt.org")

Here is the result:

VERBOSE: Authenticating to Azure ...
VERBOSE: Building your Azure drive ...


Azure:\> New-AzDnsRecordSet -Name "CAA" -RecordType CAA -ZoneName "gamerz-bg.com" -ResourceGroupName "web-rg-we" -Ttl 3600 -DnsRecords (New-AzDnsRecordConfig -Caaflags 0 -CaaTag "issue" -CaaValue "letsencrypt.org")

Id : /subscriptions/xxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/xxxx/providers/Microsoft.Network/dnszones/gamerz-bg.com/CAA/caa
Name : caa
ResourceGroupName : web-rg-we
Ttl : 3600
Etag : 098e23f8-c657-4b0c-9f89-3b9273cc38de
RecordType : CAA
TargetResourceId :
Records : {[0,issue,letsencrypt.org]}
ProvisioningState : Succeeded

The CAA record also allows for an email to be sent to a designated address (the "iodef" tag) if a CA receives a certificate request that the policy does not allow. The mailbox below is a placeholder, following the same "xxxx" convention as the other redacted values.

$rs = Get-AzDnsRecordSet -Name "@" -ZoneName "domain.com" -ResourceGroupName "xxxx" -RecordType CAA
Add-AzDnsRecordConfig -RecordSet $rs -Caaflags 0 -CaaTag "iodef" -CaaValue "mailto:xxxx@domain.com"
Set-AzDnsRecordSet -RecordSet $rs

Id : /subscriptions/xxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/xxxx/providers/Microsoft.Network/dnszones/gamerz-bg.com/CAA/@
Name : @
ResourceGroupName : xxxx
Ttl : 3600
Etag : 57620f5a-764d-497f-9dc1-9c182c1f3e20
RecordType : CAA
TargetResourceId :
Records : {[0,issue,letsencrypt.org], [0,iodef,mailto:xxxx@domain.com]}
Metadata :
ProvisioningState : Succeeded

Now, let's say you want GoDaddy to be able to issue SSL certificates for your domain too (for example in the form of App Service Certificates). This adds a second "issue" entry to the existing record set rather than replacing it:

$rs = Get-AzDnsRecordSet -Name "@" -ZoneName "domain.com" -ResourceGroupName "xxxx" -RecordType CAA
Add-AzDnsRecordConfig -RecordSet $rs -Caaflags 0 -CaaTag "issue" -CaaValue "godaddy.com"
Set-AzDnsRecordSet -RecordSet $rs

Check your results from outside Azure with a DNS utility such as digwebinterface.com, so you see what a CA's resolver will actually get.
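The steps above combined into one script you can re-run safely, as an added example that is not code from the original post. It declares the intended policy (a list of allowed CAs plus an iodef contact), creates the apex CAA record set if it is missing, adds only the entries that are not already there, removes any "issue" entry for a CA that is no longer on the allowed list (a stale entry keeps that CA authorised), and then reads the record set back from Azure in zone-file style so it can be compared with the dig output. The zone name, resource group, CA list and mailbox are assumed placeholders; it expects an existing Connect-AzAccount session and the Az.Dns module.

```powershell
# Added example: idempotently publish a CAA policy on an Azure DNS zone.
# Zone, resource group, CA list and contact address below are assumed
# placeholders, not values from the original post.
param(
    [string]$ZoneName          = "example.com",
    [string]$ResourceGroupName = "example-rg",
    [string[]]$AllowedCAs      = @("letsencrypt.org", "godaddy.com"),
    [string]$ReportTo          = "mailto:dns-admin@example.com",   # iodef contact (assumed)
    [int]$Ttl                  = 3600
)

# Desired policy as (flags, tag, value) triples. Flags 0 = non-critical (RFC 6844).
# One "issue" entry per authorised CA, plus one "iodef" entry for violation reports.
$desired = @(foreach ($ca in $AllowedCAs) {
    [pscustomobject]@{ Flags = 0; Tag = "issue"; Value = $ca }
})
$desired += [pscustomobject]@{ Flags = 0; Tag = "iodef"; Value = $ReportTo }

# Fetch the apex ("@") CAA record set; create an empty one if it does not exist yet.
$rs = Get-AzDnsRecordSet -Name "@" -ZoneName $ZoneName -ResourceGroupName $ResourceGroupName `
        -RecordType CAA -ErrorAction SilentlyContinue
if (-not $rs) {
    $rs = New-AzDnsRecordSet -Name "@" -ZoneName $ZoneName -ResourceGroupName $ResourceGroupName `
            -RecordType CAA -Ttl $Ttl -DnsRecords @()
}

$changed = $false

# Add only the entries that are missing, so running the script twice changes nothing.
foreach ($d in $desired) {
    $exists = $rs.Records | Where-Object { $_.Tag -eq $d.Tag -and $_.Value -eq $d.Value }
    if (-not $exists) {
        Add-AzDnsRecordConfig -RecordSet $rs -Caaflags $d.Flags -CaaTag $d.Tag -CaaValue $d.Value | Out-Null
        Write-Host "Adding   CAA $($d.Flags) $($d.Tag) `"$($d.Value)`""
        $changed = $true
    }
}

# Drop "issue" entries for CAs that are no longer allowed; a forgotten entry
# silently keeps that CA authorised to issue for the whole zone.
$stale = @($rs.Records | Where-Object { $_.Tag -eq "issue" -and $AllowedCAs -notcontains $_.Value })
foreach ($s in $stale) {
    Remove-AzDnsRecordConfig -RecordSet $rs -Caaflags $s.Flags -CaaTag $s.Tag -CaaValue $s.Value | Out-Null
    Write-Host "Removing CAA $($s.Flags) $($s.Tag) `"$($s.Value)`" (CA no longer allowed)"
    $changed = $true
}

if ($changed) {
    # Set-AzDnsRecordSet sends the Etag fetched above, so a concurrent edit of the
    # record set fails instead of being overwritten (use -Overwrite to force).
    Set-AzDnsRecordSet -RecordSet $rs | Out-Null
}

# Read back what Azure now stores and print it in zone-file form for comparison
# with an external dig query against the zone's name servers.
$published = Get-AzDnsRecordSet -Name "@" -ZoneName $ZoneName -ResourceGroupName $ResourceGroupName -RecordType CAA
$published.Records | ForEach-Object {
    "{0}. {1} IN CAA {2} {3} `"{4}`"" -f $ZoneName, $published.Ttl, $_.Flags, $_.Tag, $_.Value
}
```

Run it as `.\Set-CaaPolicy.ps1 -ZoneName domain.com -ResourceGroupName xxxx -AllowedCAs letsencrypt.org,godaddy.com` after Connect-AzAccount. The read-back at the end shows what Azure has stored, not what resolvers see, so still confirm with dig once the TTL has passed; if the two disagree, the zone's delegation at the registrar is the first thing to check.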

Useful links

Official RFC - https://tools.ietf.org/html/rfc6844

CAA record generator (good for outside of Azure DNS too) - https://sslmate.com/caa/

Wikipedia - https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization