10Corp Premium Hosting

CAA Records

Last Updated: March 2026

What Are CAA Records?

CAA (Certificate Authority Authorization) records are DNS records that allow domain owners to specify which Certificate Authorities (CAs) are authorized to issue SSL/TLS certificates for their domain. CAA records help prevent unauthorized certificate issuance and improve security.

How CAA Records Work

When a Certificate Authority receives a request to issue a certificate for a domain, it checks the domain’s CAA records and applies the following rules:

  • If the CA is listed in the CAA record, it may proceed with issuing the certificate.
  • If the CA is not listed, it must refuse issuance.
  • If no CAA records exist, any CA may issue a certificate for the domain.

CAA Record Format

A CAA record has three components:

| Field | Description | Example |
|-------|-------------|---------|
| Flag | An integer (usually 0) indicating how a CA should handle unrecognized properties | 0 |
| Tag | The property type: issue, issuewild, or iodef | issue |
| Value | The CA’s domain name or reporting URL | letsencrypt.org |

Tag Types

  • issue — Authorizes a CA to issue standard (non-wildcard) certificates for the domain.
  • issuewild — Authorizes a CA to issue wildcard certificates for the domain.
  • iodef — Specifies an email address or URL where CAs can report policy violations.

Example CAA Records

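| Type | Host | Flag | Tag | Value |
|------|------|------|-----|-------|
| CAA | example.com | 0 | issue | letsencrypt.org |
| CAA | example.com | 0 | issuewild | letsencrypt.org |
| CAA | example.com | 0 | iodef | mailto:security@example.com |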
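
The decision a CA makes from a record set like the one above can be sketched as follows. This is an added example, not code from 10Corp or from any CA; parse_caa, may_issue and other-ca.example are hypothetical names, and the record set is assumed to have been fetched already. It goes slightly beyond the rules listed on this page by following RFC 8659 in three places: a wildcard request falls back to issue when no issuewild record exists, a record set with no applicable issue or issuewild tag does not restrict issuance, and flag 128 on an unrecognized tag blocks issuance.

```python
import shlex

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit defined in RFC 8659

# Record set taken from the page's example table, written as rdata strings.
PAGE_EXAMPLE = [
    '0 issue "letsencrypt.org"',
    '0 issuewild "letsencrypt.org"',
    '0 iodef "mailto:security@example.com"',
]

def parse_caa(rdata):
    """Parse CAA rdata in the form shown on this page: 0 issue "letsencrypt.org"."""
    flag, tag, value = shlex.split(rdata)
    return int(flag), tag.lower(), value

def may_issue(rrset, ca_domain, wildcard=False):
    """Return (allowed, reason) for the CA identified by ca_domain."""
    records = [parse_caa(r) for r in rrset]
    if not records:
        return True, "no CAA records: any CA may issue"
    # A critical flag on a tag the CA does not understand blocks issuance.
    for flag, tag, _ in records:
        if flag & CRITICAL and tag not in KNOWN_TAGS:
            return False, f"unrecognized critical tag {tag!r}"
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    use_wild = wildcard and bool(issuewild)
    relevant, tag = (issuewild, "issuewild") if use_wild else (issue, "issue")
    if not relevant:
        return True, "no applicable issue records: issuance not restricted"
    # The issuer domain is the part before any ';' parameters; ";" alone names no CA.
    allowed = {v.split(";", 1)[0].strip().lower() for v in relevant}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is listed in {tag}"
    return False, f"{ca_domain} is not listed in {tag}"

if __name__ == "__main__":
    for ca in ("letsencrypt.org", "other-ca.example"):
        for wc in (False, True):
            kind = "wildcard" if wc else "standard"
            print(ca, kind, may_issue(PAGE_EXAMPLE, ca, wildcard=wc))
```

A real CA also walks up the DNS tree to the parent domain when a name has no CAA records of its own; that lookup is outside this sketch.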

Steps to Add a CAA Record

  1. Log in to your domain registrar account.
  2. Navigate to your domains list and select the target domain.
  3. Click Manage DNS Records.
  4. Select CAA as the record type.
  5. Enter the Flag (usually 0).
  6. Choose the Tag (issue, issuewild, or iodef).
  7. Enter the Value (CA domain or reporting address).
  8. Click Add Record.

Note: Not all DNS providers support CAA records. If your registrar does not offer CAA records directly, you may need to use a third-party DNS provider that does, such as Cloudflare or AWS Route 53.

Best Practices

  • Always add CAA records if you want to restrict which CAs can issue certificates for your domain.
  • Include an iodef record so you can be notified of policy violation attempts.
  • If you use Let’s Encrypt, add: 0 issue "letsencrypt.org"
  • Test your CAA records with online tools like SSLMate’s CAA Record Helper.