CAA (Certificate Authority Authorization) is a DNS record that lets you define which Certificate Authorities are allowed to issue certificates for you and your servers. It is a complex topic and beyond the scope of this blog post; if you are interested in the details of CAA, I recommend reading RFC 6844. What I want to get written down here are the steps you have to take to add a CAA record to your Azure DNS zone.

When adding a record in the portal, there is no option for CAA, even though Azure states that it is supported. It turns out you have to add it through PowerShell. So, hit that Cloud Shell icon and execute the following:

```powershell
# Variables
$zoneName = "example.org"                 # the DNS zone (your domain name)
$resourceGroup = "resourcegroup"          # resource group that holds the zone
$CA = "your-CA"                           # Examples: letsencrypt.org, digicert.com
$incidentReport = "[email protected]"    # address the CA should report violations to

# Setting the DNS record: one "issue" entry naming the allowed CA and one
# "iodef" entry telling CAs where to report requests that violate the policy
$recordConfig = @()
$recordConfig += New-AzDnsRecordConfig -CaaFlags 0 -CaaTag "issue" -CaaValue $CA
$recordConfig += New-AzDnsRecordConfig -CaaFlags 0 -CaaTag "iodef" -CaaValue "mailto:$incidentReport"
New-AzDnsRecordSet -Name "@" -RecordType CAA -ZoneName $zoneName -ResourceGroupName $resourceGroup -Ttl 3600 -DnsRecords ($recordConfig)
```

First, we set some variables; they should be pretty self-explanatory. We need to define our zone (that is, the domain name) and the resource group in which it exists.

You don’t strictly have to, but I usually set the incident-report email as well. The iodef entry tells a CA where to report it if they receive a certificate request for your domain and they aren’t one of the authorized issuers. If you don’t want this (though I can’t understand why not), you can remove the second DNS record config.
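One thing the snippet above does not handle is a zone that already has a CAA record set: New-AzDnsRecordSet fails in that case, and a mistyped issuer silently blocks certificate renewals. The script below is an added example (not code from the original post) that creates the set if it is missing, otherwise appends only the entries that are not yet present, and then reads the set back from Azure to confirm the expected "issue" value is actually published. The zone, resource group, CA and mailbox values are placeholders to replace with your own.

```powershell
# Added example, not from the original post. Assumed placeholder values below.
$zoneName       = "example.org"
$resourceGroup  = "resourcegroup"
$CA             = "letsencrypt.org"
$incidentReport = "caa-reports@example.org"   # placeholder mailbox

# The entries we want in the apex CAA record set
$wanted = @(
    @{ Flags = 0; Tag = "issue"; Value = $CA },
    @{ Flags = 0; Tag = "iodef"; Value = "mailto:$incidentReport" }
)

$rs = Get-AzDnsRecordSet -Name "@" -RecordType CAA -ZoneName $zoneName `
        -ResourceGroupName $resourceGroup -ErrorAction SilentlyContinue

if (-not $rs) {
    # No CAA set yet: build it exactly as in the post
    $configs = $wanted | ForEach-Object {
        New-AzDnsRecordConfig -CaaFlags $_.Flags -CaaTag $_.Tag -CaaValue $_.Value
    }
    $rs = New-AzDnsRecordSet -Name "@" -RecordType CAA -ZoneName $zoneName `
            -ResourceGroupName $resourceGroup -Ttl 3600 -DnsRecords $configs
} else {
    # A set exists, so New-AzDnsRecordSet would fail: add only the missing entries
    foreach ($w in $wanted) {
        $present = $rs.Records | Where-Object { $_.Tag -eq $w.Tag -and $_.Value -eq $w.Value }
        if (-not $present) {
            $rs = Add-AzDnsRecordConfig -RecordSet $rs -CaaFlags $w.Flags `
                    -CaaTag $w.Tag -CaaValue $w.Value
        }
    }
    Set-AzDnsRecordSet -RecordSet $rs | Out-Null
}

# Read back what Azure now holds and check the issuer restriction is in place
$live = Get-AzDnsRecordSet -Name "@" -RecordType CAA -ZoneName $zoneName `
            -ResourceGroupName $resourceGroup
$issuers = $live.Records | Where-Object { $_.Tag -eq "issue" } | ForEach-Object { $_.Value }
if ($issuers -notcontains $CA) {
    throw "CAA 'issue' entry for $CA is not published on $zoneName; issuance policy is not in effect."
}
"CAA on $zoneName allows issuance by: $($issuers -join ', ')"
```

After the record set is written, also query the zone from outside Azure (for example `dig CAA example.org` against one of the zone’s name servers) to confirm resolvers see the same answer before relying on it.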

That’s it. Feel free to ask any questions about CAA and Azure through any social media or by adding a comment here.