Add DNS Alias and CAA records for more domain name control

Our new DNS infrastructure enables you to access two important record types. CAA records allow domain holders to decide who can issue SSL certificates for a domain name. And Apex Alias provides a way to get around root domain CNAME restrictions. Check out how they work and how you can set them up!    

by Daniel - 22.01.2018

CAA records for greater security

A CAA record lets you select one or more Certificate Authority (CA) to issue specific certificates for your domain: Alpha, Domain Validation, Organisation Validation, and Extended Validation. 

The CA ensures a digital certificate’s authenticity with a digital signature so that end users (or their software) can trust that the server is really the site it purports to be. 

CAA records are beneficial in that they:

  • Give domain holders final say on which CA can issue a certificate, making it more difficult for CAs to improperly issue a certificate   
  • Set policy for the domain, or for specific host names
  • Are used by subdomains; for example the CAA record set on example.fr will also apply to subdomain.example.fr (unless overwritten)
  • Control the issuance of a single-name certificate, wildcard certificate, or both

Every CA is obligated to check a domain’s CAA record before issuing a certificate. Without CAA records, you’re basically allowing any CA to issue a certificate for your domain. 

Though CAA records are optional, for the sake of increased security, it’s a very good idea to add them. 

To configure CAA records, see our quick and easy set up guide which will walk you through the necessary steps. 

Apex Alias for CNAME functionality

According to the DNS RFCs (Request for Comments), it isn’t possible to create a CNAME record at the apex – or root – of a domain. 

By design, a CNAME cannot coexist with another record on the same hostname. Minimal setup of a DNS zone requires that NS (Name Server) and SOA (State of Authority) records point to the apex. Furthermore, when a domain hosts a mail server, a MX (mail exchanger) record must also point to the apex.

But greater CNAME flexibility could be advantageous - for example, if you want to use AWS (Amazon Web Services) like Elastic IP, a specific kind of load balancer, or a CDN (content delivery network).

For this reason, we've implemented a new type of record called Apex Alias, also known as ANAME or ALIAS.

Apex Alias will create A-records on the apex pointing to the IP matching the alias target. These record will be automatically maintained.

To configure Alias records, follow these step-by-step instructions.

Do more with our managed DNS services!

In early January, EuroDNS began migrating all our customers to a new and improved DNS infrastructure – at no additional cost.

We’ve already outlined the numerous benefits of our new Anycast infrastructure - enhanced speed, reliability, and security – all of which you can read about here

And now: DNS Alias and CAA records! What’s next? Watch this space to find out!


Photo credit


How to guidesSSL

Next article:
Anycast DNS: blast off with our new premium DNS service!

Previous article:
Our domain reseller programme, solutions for all your needs!

Related articles: