What is a CAA Record?
A CAA record (Certificate Authority Authorization) allows a domain owner to specify which Certificate Authorities (CAs) are permitted to issue SSL/TLS certificates for that domain. It's a security measure designed to prevent unauthorized or fraudulent certificate issuance.
Structure of a CAA Record
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
How It Works
When a Certificate Authority receives a request to issue a certificate for your domain, it is required by law to check your DNS for any CAA records.
- If no CAA record exists, any CA can issue a certificate for your domain.
- If a CAA record exists, only the CAs listed in the record can issue a certificate.
- If multiple CAA records exist, any of the listed CAs can issue certificates.
Components of a CAA Record
- Flags: Usually set to 0 (Non-critical). If set to 128 (Critical), a CA must refuse issuance if it doesn't understand the tag.
- Tag:
  - issue: Authorizes a CA to issue any type of certificate.
  - issuewild: Authorizes a CA to issue wildcard certificates only.
  - iodef: Specifies an email address or URL for the CA to report invalid certificate requests to.
- Value: The domain name of the authorized CA (e.g., "letsencrypt.org", "digicert.com").
Example: Multi-CA Setup
0 issue "letsencrypt.org"
0 issue "sectigo.com"
0 iodef "mailto:[email protected]"
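As an added example (not code from this page), the CA-side decision described above in Python: it parses records, climbs from the requested name to find the relevant CAA RRset, honours the critical flag, reads iodef contacts, and applies issue/issuewild as RFC 8659 does, which goes slightly beyond the page in one respect: when an issuewild record is present it governs wildcard names instead of issue, and when none is present issue applies to wildcards too. The zone data, CA names and the hypothetical futuretag property are constructed.

```python
from dataclasses import dataclass

CRITICAL = 128                       # flag bit: CA must understand the tag or refuse
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

def parse_caa(rdata: str) -> CAA:
    """Parse presentation-format RDATA such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = rdata.split(maxsplit=2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))

ZONE = {  # constructed sample zone data (name -> CAA RDATA list); not real DNS
    "example.com": ['0 issue "letsencrypt.org"', '0 issue "sectigo.com"',
                    '0 iodef "mailto:security@example.com"'],   # page's multi-CA setup
    "shop.example.com": ['0 issuewild "digicert.com"', '0 issue "letsencrypt.org"'],
    "locked.example.com": ['0 issue ";"'],                        # ';' = nobody may issue
    "strict.example.com": ['128 futuretag "x"', '0 issue "sectigo.com"'],  # critical unknown tag
}

def relevant_rrset(zone: dict, fqdn: str) -> list[CAA]:
    """Strip a leading '*.' and climb towards the TLD; the first non-empty RRset wins."""
    labels = fqdn.rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrs = zone.get(".".join(labels[i:]))
        if rrs:
            return [parse_caa(r) for r in rrs]
    return []

def may_issue(zone: dict, fqdn: str, ca: str) -> tuple[bool, list[str]]:
    """Return (authorized?, iodef report targets) for issuer `ca` and name `fqdn`."""
    rrset = relevant_rrset(zone, fqdn)
    reports = [r.value for r in rrset if r.tag == "iodef"]
    if not rrset:
        return True, reports         # no CAA anywhere up the tree: any CA may issue
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False, reports        # critical flag on a tag we don't understand: refuse
    tag = "issuewild" if fqdn.startswith("*.") and any(r.tag == "issuewild" for r in rrset) else "issue"
    permitted = [r for r in rrset if r.tag == tag]
    if not permitted:
        return True, reports         # no applicable issue/issuewild property: unrestricted
    # the value may carry parameters after ';' (e.g. "ca.example; account=123"); match the CA name
    return any(r.value.split(";")[0].strip().lower() == ca.lower() for r in permitted), reports
```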