Certification Authority Authorization Record (CAA)
Controls which Certificate Authorities are permitted to issue SSL/TLS certificates for your domain.
Standards: RFC 8659
What is a DNS CAA record?
CAA (Certification Authority Authorization) records let domain owners restrict which Certificate Authorities (CAs) can issue TLS/SSL certificates for their domain. Before issuing a certificate, a CA must look up the CAA records for the requested name (and, if that name has none, for its parent domains) and comply with what it finds. If the CA is not listed, it must refuse to issue. CAA records use three tags: "issue" (permits certificate issuance), "issuewild" (permits wildcard certificates), and "iodef" (specifies a URL or email for violation reports). If no CAA record exists anywhere up the tree, any CA may issue certificates. CAA records are a defence-in-depth measure against misissuance: they stop a compliant CA before a bad certificate is created, while Certificate Transparency (CT) logs let you detect certificates that were issued anyway.
Record Structure
| Field | Description |
|---|---|
| Name | The domain name, e.g. example.com |
| TTL | Time to live |
| Class | IN |
| Type | CAA |
| Flags | 0 (non-critical) or 128 (critical — fail if tag unrecognised) |
| Tag | "issue", "issuewild", or "iodef" |
| Value | CA domain (e.g. "letsencrypt.org") or contact URL/email |
Examples
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
example.com. 3600 IN CAA 0 issue "digicert.com"
example.com. 3600 IN CAA 0 issuewild ";"
example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"
Common Issues & Fixes
Certificate issuance blocked by CAA record
Your CA cannot issue a certificate because the CAA record does not list it.
✓ Fix: Add a CAA record authorising your CA, e.g. 0 issue "your-ca.com".
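To make the rules above concrete, here is a small evaluator, written for this page and not part of any CA's or DNS vendor's code, that applies the RFC 8659 decision logic to a constructed zone: it parses presentation-format CAA lines like the examples above, finds the relevant record set by walking from the requested name up to its parent domains, lets "issuewild" override "issue" for wildcard names, treats an empty issuer (the ";" value) as "no CA at all", and refuses when a critical-flagged record carries a tag it does not understand. It also shows the fix from the troubleshooting entry: adding an "issue" record for a CA that was previously blocked. The zone contents, the CA names and the helper names (`may_issue`, `authorise`, `report_addresses`) are all assumptions made for the example; CNAME/DNAME chasing, which a real CA also performs, is left out.

```python
"""Evaluate CAA records the way RFC 8659 tells a CA to (example code; CNAME/DNAME chasing omitted)."""
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # flag bit: a CA that does not understand the tag must refuse to issue


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    def issuer(self):
        """Issuer domain before any ';' parameters; '' (from the ';' value) authorises nobody."""
        return self.value.split(";", 1)[0].strip().lower()

    def params(self):
        """key=value parameters after the first ';' (e.g. validationmethods=dns-01)."""
        rest = self.value.split(";", 1)[1] if ";" in self.value else ""
        out = {}
        for part in rest.split(";"):
            if "=" in part:
                key, _, val = part.partition("=")
                out[key.strip().lower()] = val.strip()
        return out


def parse_caa(line):
    """Parse 'owner TTL IN CAA flags tag "value"' into (owner, CAARecord)."""
    owner, _ttl, _cls, rtype, flags, tag, rest = line.split(None, 6)
    if rtype.upper() != "CAA":
        raise ValueError("not a CAA record: " + line)
    value = rest.strip()
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    return owner.rstrip(".").lower(), CAARecord(int(flags), tag.lower(), value)


def build_zone(lines):
    """Group parsed records by owner name: {name: [CAARecord, ...]}."""
    zone = {}
    for line in lines:
        name, rec = parse_caa(line)
        zone.setdefault(name, []).append(rec)
    return zone


def relevant_rrset(zone, name):
    """RFC 8659 section 3: the name's own CAA RRset, else that of the closest ancestor with one."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)
    return []


def may_issue(zone, fqdn, ca_domain):
    """Return (allowed, reason) for ca_domain issuing a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True, "no CAA records found: any CA may issue"
    for rec in rrset:
        if rec.flags & CRITICAL and rec.tag not in KNOWN_TAGS:
            return False, f"critical flag set on unrecognised tag '{rec.tag}'"
    # issuewild, when present, takes precedence for wildcard names; otherwise issue applies
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    restricting = [r for r in rrset if r.tag == tag]
    if not restricting:
        return True, f"no '{tag}' records: issuance not restricted"
    allowed = {r.issuer() for r in restricting}
    allowed.discard("")  # the ";" value lists no issuer, so it permits nobody
    if ca_domain.lower() in allowed:
        return True, f"'{ca_domain}' is listed in a '{tag}' record"
    if not allowed:
        return False, f"'{tag}' records forbid all issuance"
    return False, f"'{ca_domain}' not among permitted CAs: {sorted(allowed)}"


def report_addresses(zone, fqdn):
    """iodef contacts a CA should notify about a refused or violating request."""
    return [r.value for r in relevant_rrset(zone, fqdn) if r.tag == "iodef"]


def authorise(zone, name, ca_domain):
    """The fix from the troubleshooting entry: a new zone with an 'issue' record added for ca_domain."""
    new_zone = {k: list(v) for k, v in zone.items()}
    new_zone.setdefault(name.rstrip(".").lower(), []).append(CAARecord(0, "issue", ca_domain))
    return new_zone


# Constructed sample zone (not real DNS data)
ZONE = build_zone([
    'example.com. 3600 IN CAA 0 issue "letsencrypt.org"',
    'example.com. 3600 IN CAA 0 issue "digicert.com; validationmethods=dns-01"',
    'example.com. 3600 IN CAA 0 issuewild ";"',
    'example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"',
    'shop.example.com. 3600 IN CAA 0 issue "globalsign.com"',
])

if __name__ == "__main__":
    for fqdn, ca in [("www.example.com", "letsencrypt.org"), ("*.example.com", "letsencrypt.org"),
                     ("shop.example.com", "letsencrypt.org"), ("*.shop.example.com", "globalsign.com")]:
        print(fqdn, ca, may_issue(ZONE, fqdn, ca))
```

Two behaviours are worth noticing when reading the output: www.example.com inherits the example.com records because it has none of its own, while shop.example.com does not see the issuewild ";" at example.com at all, since the closest record set wins and the lookup stops there. That is why a wildcard for *.shop.example.com is governed only by shop.example.com's "issue" records.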