Internet.nl adds CAA test and announces TLS test changes
What is CAA?
Certification Authority Authorisation (CAA) allows you as a domain name holder to specify one or more certification authorities authorised to issue certificates for your domain name. A certificate authority must not issue a certificate unless the certificate authority determines that the certificate request is consistent with the applicable CAA records.
Why is CAA important?
For the secure connection to your website or mail server, its certificate is crucial. If a malicious party is able to obtain a certificate for your domain name, it may be able to intercept sensitive data. By limiting the number of authorized certificate authorities, you reduce the risk of mis-issuance.
Note that CAA works differently from DANE. The objective of a CAA record is to reduce the risk of certificate mis-issuance, while DANE is a mechanism to check the validity of issued certificates and thus to prevent mis-issued certificates from being trusted. Especially for email, it is important to also apply DANE, because it is the most widely used standard for authenticated mail transport encryption.
What does the CAA test in Internet.nl check for?
Internet.nl checks whether the name servers of your tested domain, or the domains of its mail servers (MX), contain one or more CAA records that all have correct syntax. At least one of these CAA records must have the issue tag. Otherwise, the test will result in a fail. It is not checked whether the certificate authority of the current TLS certificate matches one or more of the issue and issuewild values, i.e., whether the current certificate could be reissued at this time. Note that the result of the test currently does not weigh into the score.
If you are using the Automatic Certificate Management Environment (ACME) standard and your certificate authority supports it, we recommend using the parameters validationmethods and accounturi to further restrict issuance by the authorised certificate authority. Furthermore, it is recommended to add issuewild, issuemail and issuevmc with an empty value (;) if you do not use wildcard, S/MIME and/or BIMI certificates respectively. Otherwise, any certificate authority is still allowed to issue these certificates for your domain, since issue does not cover them.
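As an added example (not Internet.nl's own test code), the Python below applies the check described above to a constructed CAA RRset: every record must parse, at least one must carry the issue tag, and it reports which of the recommended issuewild/issuemail/issuevmc entries and ACME parameters (validationmethods, accounturi) are missing. The record values, including the ACME account URI, are constructed sample data.

```python
import re

# Constructed sample CAA RRset (not from the page), in the textual RDATA form
# '<flags> <tag> "<value>"' as a resolver would return it.
SAMPLE_RRSET = [
    '0 issue "letsencrypt.org; validationmethods=dns-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1234"',
    '0 issuewild ";"',
    '128 iodef "mailto:security@example.com"',
]

CAA_RE = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]+)\s+"((?:[^"\\]|\\.)*)"$')
ACME_PARAMS = ("validationmethods", "accounturi")


def parse_caa(rdata):
    """Parse one CAA record into flags/tag/value; return None on bad syntax."""
    m = CAA_RE.match(rdata.strip())
    if m is None or int(m.group(1)) > 255:
        return None
    return {"flags": int(m.group(1)), "tag": m.group(2).lower(), "value": m.group(3)}


def check_caa(rrset):
    """Apply the rule the page describes: all records must parse and at least one
    must carry an issue tag, otherwise fail. Also list missing recommended hardening."""
    errors, recs, parsed = [], [], []
    for r in rrset:
        p = parse_caa(r)
        if p is None:
            errors.append(f"malformed CAA record: {r}")
        else:
            parsed.append(p)
    if not parsed:
        errors.append("no CAA records found")
    tags = {p["tag"] for p in parsed}
    if parsed and "issue" not in tags:
        errors.append("no CAA record with an issue tag")
    # Empty issuewild/issuemail/issuevmc unless wildcard, S/MIME or BIMI certs are used;
    # without them, 'issue' does not restrict those certificate types.
    for tag in ("issuewild", "issuemail", "issuevmc"):
        if tag not in tags:
            recs.append(f'add {tag} ";" unless you use the certificate type it covers')
    # For ACME-capable CAs, pin the validation method and the ACME account.
    for p in parsed:
        if p["tag"] == "issue" and p["value"].strip() != ";":
            parts = [s.strip() for s in p["value"].split(";")]
            params = dict(s.split("=", 1) for s in parts[1:] if "=" in s)
            missing = [k for k in ACME_PARAMS if k not in params]
            if missing:
                recs.append(f"issue {parts[0]}: consider adding {', '.join(missing)}")
    return {"status": "fail" if errors else "pass", "errors": errors, "recommendations": recs}
```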
Upcoming release: new TLS guidelines
NCSC-NL recently published a new version of its TLS guidelines (in Dutch). The upcoming release of Internet.nl will use these updated guidelines as the baseline for the TLS test. We expect this new version of Internet.nl to go live around September/October 2025.
About Internet.nl
The test tool Internet.nl is an initiative of the Dutch Internet Standards Platform which is a collaboration of partners from the Internet community and the Dutch government. The aim of the platform is to jointly increase the use of modern Internet standards to make the Internet more accessible, safer and more reliable for everyone. The software code of Internet.nl is available under an open source license.
Release notes 1.10.0
Feature changes
- A test for CAA records was added for web and mail tests. This checks for the presence of one or more correctly formatted CAA records, of which one must have an issue tag. This test is not required, i.e. does not affect scoring.
- The sectxt library, used for validating security.txt files, was updated from 0.9.4 to 0.9.7. This includes:
  - A new error if a PGP signed message ends with more than one newline, named too_many_line_separators (sectxt/#78).
  - Improved detection of repeated use of fields that must only occur once. Previously, these were not always detected (sectxt/#83).
  - Fixed an issue with checking signatures made with AEAD keys (sectxt/#79).
  - Fixed exception for certain malformed PGP signatures.
- The test date and time are now included in the print CSS.
- The test date and time are now included in the print CSS.
Significant internal changes
- The test code no longer interfaces with libunbound, but uses dnspython as a stub resolver.
- Periodic tests are no longer enabled by default.
- UWSGI cheaper options are used to reduce idle processes and reduce memory consumption.
Possibly required changes to deployments
- The resolver-permissive container was obsoleted and removed.
- Periodic tests will only run when specifically enabled with the CRON_15MIN_RUN_TESTS, TEST_DOMAINS_SITE and/or TEST_DOMAINS_MAIL settings.
- There is now support for running multiple instances per server, sharing a Routinator instance, intended for acceptance testing.
On upgrade from an earlier version, a change in networking setup requires recreation of one of the Docker networks. Before deploy, bring down the entire environment and make sure the network is removed:
docker compose --project-name=internetnl-prod down
docker network rm internetnl-prod_public-internet
API changes
- The API version was updated to version 2.5.0.
- The fields caa_enabled, caa_errors, caa_recommendations, caa_records, and caa_found_on_domain have been added (OpenAPI diff).
- The API report URL was updated to use HTTPS.