
What’s a CAA record?

There is no requirement for domain owners to implement CAA records in order to receive SSL/TLS certificates from CAs. If no CAA record is set for your domain or subdomain, any CA can issue you an SSL/TLS certificate, as long as the CA hits no DNS or CAA errors when it looks the record up (more on this below).

If you wish to restrict which CAs are allowed to issue certificates for your domain or subdomain, as added security, you may want to take advantage of CAA records, provided that your DNS provider supports them.

CAA records allow domain owners to declare which certificate authorities are allowed to issue a certificate for a domain. They also provide a means of indicating notification rules in case someone requests a certificate from an unauthorized certificate authority. If no CAA record is present, any CA is allowed to issue a certificate for the domain. If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname.

CAA records can set policy for the entire domain or for specific hostnames. CAA records are also inherited by subdomains. For example, a CAA record set on example.com also applies to any subdomain, like subdomain.example.com (unless overridden). CAA records can control the issuance of single-name certificates, wildcard certificates, or both.

The DNS CAA record is specified by RFC 6844.

Examples:

A record in zone-file form:

    example.com. CAA 0 issue "letsencrypt.org"

The same record as entered in a DNS provider's form:

    Hostname: example.com
    Type: CAA
    TTL: 3600 (seconds) / 1 hour
    Value: issue "letsencrypt.org"

As I am a Cloudflare fan, I would set this up like this:

    example.com. CAA 0 iodef "mailto:admin@example.com"

Then create the CAA records from what gets reported.

What do the CAA record values mean?

  • Type: CAA specifies this record type. The record indicates which CA is authorized to issue an SSL certificate for the domain.
  • TTL: the number of seconds a resolver caches the record before it is fetched again to see whether it changed. 10800 is the default value.
  • Name: leave this empty (@) for the domain itself. Enter the subdomain here if the record is for a subdomain.
  • Flags: the default is 0. If you set 1 (the critical flag), issuance is blocked when the CA does not understand the tag, instead of the record being ignored.
  • Tag: lets you choose one of the following:
    • issue: the CA named in the value is authorized to issue certificates for this domain.
    • issuewild: the CA named in the value may issue wildcard certificates for this domain.
    • iodef: a URL (for example a mailto: address) that the CA can use to send an error report, using the Incident Object Description Exchange Format.
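To show how a CA evaluates these records, here is an added example (not code from the original post) that applies the rules above to a constructed in-memory zone snapshot instead of live DNS: it climbs from the hostname to the closest CAA set (inheritance), honours issue and issuewild, treats a critical flag on an unknown tag as a refusal, and falls back to issue for wildcards when no issuewild exists. All hostnames and CA names are made up; the zone dict, record tuple layout and the CRITICAL constant are this example's own assumptions.

```python
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]       # assumed layout: (flags, tag, value)
Zone = Dict[str, List[CAARecord]]
CRITICAL = 128                         # issuer-critical bit as carried on the wire
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone: the apex restricts issuance and forbids wildcards;
# api.example.com overrides the apex; legacy.example.com carries an unknown critical tag.
SAMPLE_ZONE: Zone = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),         # ";" alone means: no CA may issue wildcards
        (0, "iodef", "mailto:admin@example.com"),
    ],
    "api.example.com": [(0, "issue", "digicert.com")],
    "legacy.example.com": [(CRITICAL, "futuretag", "x")],
}

def relevant_records(zone: Zone, hostname: str) -> List[CAARecord]:
    """Climb from hostname toward the apex; the closest CAA set wins (inheritance)."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return zone[name]
    return []

def _issuer_domain(value: str) -> str:
    # "letsencrypt.org; account=123" -> "letsencrypt.org"; ";" -> "" (matches nobody)
    return value.split(";", 1)[0].strip().lower()

def may_issue(zone: Zone, hostname: str, ca: str, wildcard: bool = False) -> bool:
    """True if `ca` may issue a certificate for hostname under the zone's CAA policy."""
    records = relevant_records(zone, hostname)
    if not records:
        return True                    # no CAA anywhere in the chain: unrestricted
    # A critical flag on a tag the CA does not understand must block issuance.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    wanted = "issuewild" if wildcard else "issue"
    props = [v for _, t, v in records if t == wanted]
    if wildcard and not props:         # no issuewild: wildcards are governed by issue
        props = [v for _, t, v in records if t == "issue"]
    if not props:
        return True                    # CAA present but no issue/issuewild: unrestricted
    return ca.lower() in {_issuer_domain(v) for v in props}
```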