
CAA Records

Certification Authority Authorization (CAA) records allow a DNS domain name holder to specify one or more Certificate Authorities (CAs) authorized to issue certificates for that domain (RFC 6844).

1. Select your Domain

A. Select Managed DNS
B. Select Domains from the dropdown

C. Select the domain you want to add a CAA record to.

2. Select CAA Record

Under the CAA Records section, click the (+) to add a record.

3. Enter Record Values

A. Name: The hostname for the record. To set the record for the root domain (@), leave this field blank.
B. TTL: Time to Live, measured in seconds, determines how long the record is cached in resolvers. For more information on best practices for TTLs, click here.
C. Disable Record: Information on the NX Domain feature can be found in the Disabling a Record tutorial.
D. Providers: Specify the domain name of the CA provider to which the CAA record applies. If your CA is not in this list, select Other and enter the domain name in the Value box. The <character-string> encoding of the value field is specified in [RFC1035], Section 5.1.
E. Tag: Lets you choose how certificates may be issued by the CA. Each CAA record can contain only one tag-value pair.
F. Data: This field is populated automatically with the FQDN of the CA provider after you enter the provider in step D.
G. Issuer Critical: A value of 0 = "not critical" and 1 = "issuer critical". All CAA records have the default issuer critical value of 0. If a CA does not understand the flag value of an issuer critical record, the CA will return "no issue" for the certification.
H. Notes: Add a helpful note with keywords so you can search for records later.
I. Save and Close/Continue: Click Save and Close if you are done entering CAA records; click Save and Continue if you want to enter additional CAA records.

Options:

  • issue: Explicitly authorizes a single certificate authority to issue a certificate (any type) for the hostname.
  • issuewild: Authorization to issue certificates that specify a wildcard domain. Please note: issuewild properties take precedence over issue properties when specified.
  • iodef: (Incident Object Description Exchange Format) Specifies a means of reporting certificate issue requests, or cases of certificate issue, for the corresponding domain that violate the security policy of the issuer or the domain name holder.

Canonical Format
<flags> <tag> "<value>"
example.com. CAA 0 issue "ssl.com"

Use Cases

  • CAA records are intended to prevent CAs from improperly issuing certificates.
  • CAA records can set the policy for an entire domain, or for specific hostnames.
  • CAA records are also inherited by subdomains, therefore a CAA record set on example.com will also apply to any subdomain, such as subdomain.example.com (unless overridden).
  • CAA records can control the issuance of single-name certificates, wildcard certificates, or both.

Let's create a CAA record set for a domain which authorizes certificates to be issued by Comodo and SSL.
example.com. CAA 0 issue "comodo.com"
example.com. CAA 0 issue "ssl.com"

What if we want only Comodo to issue certificates? We would change the flag value to 1.
example.com. CAA 1 issue "comodo.com"
example.com. CAA 0 issue "ssl.com"

If Comodo does not understand the record information, it will not return a certification. Instead, SSL will respond.

Now, what if we wanted to allow a wildcard certificate for SSL? We would change the tag value to issuewild.
example.com. CAA 0 issue "comodo.com"
example.com. CAA 0 issuewild "ssl.com"

Since issuewild takes precedence for wildcards, Comodo will not be able to issue a wildcard certificate.

If you want to receive policy violation reports from CAs, you can change the tag to iodef and replace the provider value with your contact email preceded by mailto:
example.com. CAA 0 iodef "mailto:admin@example.com"
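As an added example (not code from this article or this DNS provider), here is a small Python evaluator that parses CAA records in the <flags> <tag> "<value>" format shown above and applies the issuance rules described on this page: the parent walk that makes a CAA record on example.com apply to its subdomains unless overridden, issuewild taking precedence for wildcard requests, and the issuer critical flag refusing issuance when a CA does not understand the tag. The zone data and the "unknownprop" tag are constructed; accepting both RFC 8659's critical bit (128) and this UI's value 1 as "critical" is an assumption.

```python
import re
from typing import List, Tuple

# Constructed zone data mirroring the walkthrough above (not a real zone).
# Each owner name maps to its CAA RRset in presentation form: <flags> <tag> "<value>".
ZONE = {
    "example.com.": ['0 issue "comodo.com"', '0 issuewild "ssl.com"',
                     '0 iodef "mailto:admin@example.com"'],
    "api.example.com.": ['0 issue "ssl.com"'],        # overrides the parent's policy
    "legacy.example.com.": ['1 unknownprop "x"'],     # constructed: critical flag, unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CAA_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')


def parse_caa(rdata: str) -> Tuple[int, str, str]:
    """Split one CAA record into (flags, tag, value); tags are case-insensitive."""
    m = CAA_RE.match(rdata)
    if not m:
        raise ValueError(f"malformed CAA RDATA: {rdata!r}")
    flags, tag, value = m.groups()
    return int(flags), tag.lower(), value


def relevant_rrset(name: str) -> List[Tuple[int, str, str]]:
    """Walk from the name toward the root; the first CAA RRset found is the one that applies."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in ZONE:
            return [parse_caa(r) for r in ZONE[owner]]
    return []


def may_issue(name: str, ca: str, wildcard: bool = False) -> bool:
    """Return True if `ca` may issue a (wildcard or single-name) certificate for `name`."""
    rrset = relevant_rrset(name)
    if not rrset:
        return True                      # no CAA anywhere in the chain: issuance unrestricted
    for flags, tag, _ in rrset:
        # RFC 8659 puts the critical bit at 128; this UI writes it as 1 (assumption: accept both).
        if (flags & 0x80 or flags == 1) and tag not in KNOWN_TAGS:
            return False                 # critical property the CA does not understand: no issue
    issue = [v for _, t, v in rrset if t == "issue"]
    wild = [v for _, t, v in rrset if t == "issuewild"]
    allowed = (wild or issue) if wildcard else issue   # issuewild wins for wildcard requests
    if not allowed:
        return True                      # only iodef (or nothing) present: unrestricted
    # A value of ";" names no CA at all; anything after ";" is a parameter, not the CA domain.
    return any(v.split(";")[0].strip().lower() == ca.lower() for v in allowed)
```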
