認証機関認可 (CAA) FAQ
以下のページでは、認証機関認可(CAA)レコードに関する一般的な質問に答えています。
A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.
詳細については、CAAレコードの作成を参照してください。
CAAレコードはCloudflareではなく、CAによって評価されます。
大規模な組織の一部である場合や、複数の関係者がSSL証明書の取得を担当している場合は、組織に適用されるすべてのCAに対して発行を許可するCAAレコードを含める必要があります。これを怠ると、組織の他の部分でのSSL発行が意図せずブロックされる可能性があります。
Cloudflare adds CAA records automatically in two situations:
- When you have Universal SSL or advanced certificates and add any CAA records to your zone.
- When you have Universal SSL enabled and enable AMP Real URL or SXG Signed Exchanges.
These records make sure Cloudflare can still issue Universal certificates on your behalf.
If Cloudflare has automatically added CAA records on your behalf, these records will not appear in the Cloudflare dashboard. However, if you run a command line query using dig, you can see any existing CAA records, including those added by Cloudflare (replacing example.com with your own domain on Cloudflare):
➜ ~ dig example.com caa +short# CAA records added by DigiCert0 issue "digicert.com; cansignhttpexchanges=yes"0 issuewild "digicert.com; cansignhttpexchanges=yes"
# CAA records added by Sectigo0 issue "sectigo.com"0 issuewild "sectigo.com"
# CAA records added by Let's Encrypt0 issue "letsencrypt.org"0 issuewild "letsencrypt.org"
# CAA records added by Google Trust Services0 issue "pki.goog; cansignhttpexchanges=yes"0 issuewild "pki.goog; cansignhttpexchanges=yes"