What is CAA record?

The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain. CAA records can set policy for the entire domain, or for specific hostnames. They are also inherited by subdomains, therefore a CAA record set on domain.com will also apply to any subdomain, such as subdomain.domain.com (unless overridden). CAA records can control the issuance single-name certificates, wildcard certificates, or both.

Flag in the CAA records

All CAA records will have the default issuer critical value of 0, which means they are “not critical”. Flag 128 is used for "critical"

Type in the CAA records

Type allows you to choose how you want certificates to be issued by the CA. Each CAA record can contain only one tag-value pair.

issue: Explicitly authorizes a single certificate authority to issue a certificate (any type) for the hostname.

issuewild: Authorization to issue certificates that specify a wildcard domain. Please note: issuewild properties take precedence over issue properties when specified.

iodef: (Incident Description Exchange Format) Specifies a means of reporting certificate issue requests or cases of certificate issue for the corresponding domain that violate the security policy of the issuer or the domain name holder.

Value in the CAA records

The Value field in the CAA records specify the domain name of the CA provider who is allowed to issue SSL certificated for your domain.

How to add a CAA record - Step by Step video:

Cookies help us deliver our services. By using our services, you agree to our use of cookies. Learn more