The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain. CAA records can set policy for the entire domain, or for specific hostnames. They are also inherited by subdomains, therefore a CAA record set on domain.com will also apply to any subdomain, such as subdomain.domain.com (unless overridden). CAA records can control the issuance single-name certificates, wildcard certificates, or both.
All CAA records will have the default issuer critical value of 0, which means they are “not critical”. Flag 128 is used for "critical"
Type allows you to choose how you want certificates to be issued by the CA. Each CAA record can contain only one tag-value pair.
issue: Explicitly authorizes a single certificate authority to issue a certificate (any type) for the hostname.
issuewild: Authorization to issue certificates that specify a wildcard domain. Please note: issuewild properties take precedence over issue properties when specified.
iodef: (Incident Description Exchange Format) Specifies a means of reporting certificate issue requests or cases of certificate issue for the corresponding domain that violate the security policy of the issuer or the domain name holder.
The Value field in the CAA records specify the domain name of the CA provider who is allowed to issue SSL certificated for your domain.