CAA Record

A Certification Authority Authorization (CAA) DNS record is a type of DNS resource record that allows domain owners to specify which certificate authorities (CAs) are authorized to issue SSL/TLS certificates for their domain. CAA records are used to enhance the security of the SSL certificate issuance process and to give domain owners more control over the issuance of certificates for their domains.

A CAA record typically contains the following information:

  • Domain Name: The fully qualified domain name (FQDN) to which the CAA record applies.

  • Flags: Flags that specify how the CAA record should be processed. The most common value is "0", which means the record is to be processed according to standard rules. Other values are reserved for future use.

  • Tag: A tag that specifies the purpose of the record. The most common tag used is "issue", which indicates the CA(s) that are permitted to issue certificates for the domain. Other tags include "issuewild" (for wildcard certificates) and "iodef" (for specifying a reporting email address).

  • Value: The value associated with the tag, which is a domain name or a comma-separated list of domain names for the authorized CAs. For example, if you want to allow only "example-ca.com" to issue certificates for your domain, the value would be "example-ca.com".

CAA records are published in a domain's DNS zone file, and when a CA receives a certificate request for a domain, it will check the domain's CAA records to determine whether it is authorized to issue a certificate. If there are no CAA records for a domain or if the CAA record doesn't explicitly authorize any CAs, then any CA can issue a certificate for that domain.

By using CAA records, domain owners can have more control over their certificate issuance process and prevent unauthorized CAs from issuing certificates for their domains, thereby enhancing the security of their websites.

Creating a CAA Record

  1. Access the DNS control panel of your DNS provider: Open the platform where you manage your domain's DNS settings and locate the domain for which you want to add the CAA record. You can create CAA records for the main domain (example.com) or for subdomains (sub.example.com).

  2. Add a new CAA record: Find the option to add a new DNS record, often labeled "Add Record" or "Add DNS Record", and select the CAA record type. Some providers support BIND notation instead; if so, you can use the CAA Generator tool to generate the record.

  3. Fill in the CAA record details: When creating the CAA record, you'll need to provide the following information:

  • Name: The name or subdomain for which you're creating the CAA record. This can be left blank for the main domain.
  • TTL (Time to Live): Set the Time to Live value, which determines how long the DNS record is cached by DNS resolvers. The default value is usually fine, but you can adjust it if needed.
  • Flags: The CAA record's flags field specifies the purpose of the record. Common values include "0" (for issuance) and "128" (for refusal). If you want to allow a specific CA to issue certificates for your domain, use "0".
  • Tag: The tag field specifies the parameter type. For CAA records, you typically use "issue" to indicate which CAs are allowed to issue certificates for your domain.
  • Value: The value field contains the domain name of the certificate authority (CA) you want to authorize. For example, to allow Let's Encrypt, you would specify "letsencrypt.org".

  4. Save or publish the record: Once you've filled in the necessary information, save or publish the CAA record. The process for saving or publishing records may vary depending on your DNS hosting provider.

  5. Verify the CAA record: Use the CAA Check to verify the presence and correctness of your CAA record.
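As an added example, not code from the original page or from any DNS provider or CA: a small Python checker that parses CAA records written in the BIND zone-file notation mentioned in step 2, builds the relevant CAA set for a name (walking up from a subdomain to its parent, which is why a record on example.com also governs sub.example.com unless the subdomain publishes its own), and applies the issuance check described above that a CA performs before issuing. The semantics follow RFC 8659: with no issue/issuewild records a CA is unrestricted, an empty issuer value (";") matches no CA, and a record carrying the critical flag (128) with a tag the CA does not recognise forbids issuance. The sample zone, host names and CA names are constructed.

```python
"""CAA issuance check: parse CAA records in BIND zone-file notation and
decide whether a named CA may issue for a given FQDN (RFC 8659 semantics).
Added example; the sample zone below is constructed, not a real domain's."""
import re
from dataclasses import dataclass
from typing import List

# name [ttl] [IN] CAA flags tag "value"   (TTL and class are optional in zone files)
CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(?P<flags>\d+)\s+'
    r'(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$',
    re.IGNORECASE,
)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
ISSUER_CRITICAL = 128  # the only flag bit RFC 8659 defines

# Constructed sample zone (hypothetical names, not real records).
ZONE = """
; CAA records for the constructed example.com zone
example.com.        3600 IN CAA 0 issue "letsencrypt.org"
example.com.        3600 IN CAA 0 issue "example-ca.com; validationmethods=dns-01"
example.com.        3600 IN CAA 0 issuewild ";"
example.com.        3600 IN CAA 0 iodef "mailto:security@example.com"
locked.example.com. 3600 IN CAA 0 issue ";"
strict.example.com. 3600 IN CAA 128 futuretag "opaque"
"""


@dataclass(frozen=True)
class CAARecord:
    name: str
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & ISSUER_CRITICAL)


def parse_caa(zone_text: str) -> List[CAARecord]:
    """Parse CAA lines; blank lines and full-line ';' comments are skipped.
    Comments are not stripped mid-line because ';' is legal inside a value."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {raw!r}")
        flags = int(m.group("flags"))
        if not 0 <= flags <= 255:
            raise ValueError(f"flags out of range: {flags}")
        records.append(CAARecord(
            name=m.group("name").rstrip(".").lower(),
            flags=flags,
            tag=m.group("tag").lower(),
            value=m.group("value").strip(),
        ))
    return records


def caa_set_for(records: List[CAARecord], fqdn: str) -> List[CAARecord]:
    """Relevant CAA set: walk from the FQDN toward the root and use the first
    name that publishes any CAA records (RFC 8659 s.3, without CNAME following)."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        found = [r for r in records if r.name == name]
        if found:
            return found
    return []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def may_issue(caa_set: List[CAARecord], ca_domain: str, wildcard: bool = False) -> bool:
    """The check a CA performs: is ca_domain authorised by this CAA set?"""
    ca = ca_domain.lower().rstrip(".")
    # A critical record whose tag the CA does not understand forbids issuance.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in caa_set):
        return False
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in caa_set):
        tag = "issuewild"
    relevant = [r for r in caa_set if r.tag == tag]
    if not relevant:
        return True  # no restriction published for this request type
    # An empty issuer name (value ";") matches no CA, so it blocks issuance.
    return any(issuer_domain(r.value) == ca for r in relevant)


def check(fqdn: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Convenience wrapper over the constructed ZONE."""
    return may_issue(caa_set_for(parse_caa(ZONE), fqdn), ca_domain, wildcard)


if __name__ == "__main__":
    for fqdn, ca, wild in [("example.com", "letsencrypt.org", False),
                           ("example.com", "letsencrypt.org", True),
                           ("www.example.com", "other-ca.net", False),
                           ("locked.example.com", "letsencrypt.org", False)]:
        kind = "wildcard" if wild else "host"
        print(f"{kind:8} {fqdn:22} {ca:18} -> {'allowed' if check(fqdn, ca, wild) else 'denied'}")
```

The `issuewild ";"` line shows how a zone can permit ordinary certificates from a named CA while refusing all wildcard issuance, and `locked.example.com` shows a subdomain overriding its parent's policy with its own (empty) issue record.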