CAA Record

Specifies which Certificate Authorities are allowed to issue TLS certificates for your domain.


What is a CAA record

A CAA (Certification Authority Authorization) record, defined in RFC 8659 (which obsoletes RFC 6844), lists which Certificate Authorities (CAs) are permitted to issue certificates for your domain. It is a protection mechanism against certificate mis-issuance: if an attacker approaches a CA that is not listed to obtain a certificate for example.com, that CA is required to look up the CAA record and refuse. The check happens only at issuance time, so CAA does nothing about certificates that already exist; Certificate Transparency monitoring remains the way to find out what has actually been issued for your names.

Example

example.com.  IN  CAA  0 issue "letsencrypt.org"
example.com.  IN  CAA  0 issue "digicert.com"
example.com.  IN  CAA  0 issuewild ";"
example.com.  IN  CAA  0 iodef "mailto:security@example.com"

Fields:

  • 0 — flags. 0 is the normal value; 128 sets the "issuer critical" bit, which tells a CA that does not understand the record's tag that it must refuse to issue rather than ignore the record.
  • issue — a CA allowed to issue certificates for the name, identified by the issuer domain name the CA publishes (letsencrypt.org, not "Let's Encrypt"). The value ";" alone means "no CA may issue." Parameters may follow a semicolon, for example "letsencrypt.org; validationmethods=dns-01" (RFC 8657).
  • issuewild — a CA allowed to issue wildcard certificates (*.example.com). ";" means "none." If no issuewild record exists, the issue records govern wildcards as well; once an issuewild record is present, it alone decides wildcard issuance.
  • iodef — a mailto: or https: URL where a CA can report a refused request that violated the policy. Reporting is optional for CAs, so treat it as best-effort notification, not an audit log.

How it is enforced

Since 8 September 2017 the CA/Browser Forum Baseline Requirements have required every publicly trusted CA to check CAA before issuing, within 8 hours (or the record's TTL, if longer) of issuance. The CA looks up the CAA RRset for the exact name being certified and, if none exists, for each parent domain in turn; the first RRset found is the one that applies, so a record on example.com also covers www.example.com unless www.example.com publishes its own. If no CAA record exists anywhere up the tree, any CA is permitted. If one exists but does not list the CA, issuance is refused. Because the decision rests on a DNS answer, signing the zone with DNSSEC makes the check harder to spoof: the Baseline Requirements allow a CA to treat a lookup failure as permission to issue only when the zone is not DNSSEC-signed.

When it is worth using

  • For corporate domains where you know you will always use one or two specific CAs.
  • When you want to be notified (via iodef) of refused issuance attempts; CT logs, not iodef, remain the reliable record of what was actually issued.
  • To reduce the chance that a misconfigured or socially engineered CA issues a certificate you never requested.

Common mistakes

  • You add a CAA for letsencrypt.org and forget that your CDN or cloud provider (Cloudflare, AWS, ...) requests certificates on your behalf from its own partner CAs → their renewals start failing. Before publishing CAA, inventory every service that terminates TLS for the domain and add the issuer names those services document.
  • issuewild ";" blocks wildcard certificates even when the CA is listed under issue, so the example above forbids *.example.com entirely. If you need a wildcard, either omit issuewild (the issue records then govern wildcards too) or list the CA in issuewild; publish issuewild ";" only when you genuinely want no wildcards.
  • A CAA RRset on a subdomain replaces, rather than adds to, the parent's: records on dev.example.com alone decide issuance for dev.example.com, and the CAs listed on example.com no longer apply there.

Common issuer domain names for issue: letsencrypt.org, digicert.com, sectigo.com, globalsign.com, pki.goog (Google Trust Services), amazon.com (AWS Certificate Manager, which also documents amazontrust.com, awstrust.com and amazonaws.com). Use the exact identifier the CA publishes in its CP/CPS, not its brand name.
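
The following is an added example, not part of the original page: it implements the CA-side decision described under "How it is enforced" (walk from the name towards the root, first CAA RRset wins, issue versus issuewild, issuer-critical flag) and exercises the issuewild mistake listed above. It works over a constructed in-memory zone rather than live DNS, and it omits CNAME/DNAME following and DNSSEC validation, which a real CA must handle. The zone contents, the dev.example.com and locked.example.com names and the "futuretag" property are all made up for the demonstration.

```python
"""Simplified RFC 8659 CAA evaluation over a constructed in-memory zone."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Flag bit 7 (value 128) marks a record "issuer critical": a CA that does not
# understand the record's tag MUST NOT issue.
ISSUER_CRITICAL = 128


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @classmethod
    def parse(cls, presentation: str) -> "CAARecord":
        """Parse RDATA presentation format: <flags> <tag> "<value>"."""
        flags_str, tag, value = presentation.split(None, 2)
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        return cls(int(flags_str), tag.lower(), value)

    @property
    def issuer_domain(self) -> str:
        """Issuer domain name without ';'-separated parameters.
        An empty issuer domain (the value ";") authorizes no CA."""
        return self.value.split(";", 1)[0].strip().lower()


Zone = Dict[str, List[CAARecord]]  # owner name (no trailing dot) -> CAA RRset


def relevant_rrset(zone: Zone, fqdn: str) -> Optional[List[CAARecord]]:
    """RFC 8659 s.3: walk from the FQDN towards the root and return the first
    non-empty CAA RRset. None means no ancestor publishes CAA."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None


def may_issue(zone: Zone, fqdn: str, ca: str, wildcard: bool = False,
              known_tags=("issue", "issuewild", "iodef")) -> bool:
    """May CA `ca` issue for `fqdn` (or `*.fqdn` when wildcard=True)?
      * no relevant RRset                 -> any CA may issue
      * critical record with unknown tag  -> refuse
      * wildcard and issuewild present    -> issuewild records govern
      * otherwise                         -> issue records govern
      * governing set empty               -> not restricted
    """
    rrset = relevant_rrset(zone, fqdn)
    if rrset is None:
        return True
    if any(r.flags & ISSUER_CRITICAL and r.tag not in known_tags for r in rrset):
        return False
    wild = [r for r in rrset if r.tag == "issuewild"]
    governing = wild if (wildcard and wild) else [r for r in rrset if r.tag == "issue"]
    if not governing:
        return True
    return ca.lower() in {r.issuer_domain for r in governing if r.issuer_domain}


def build_zone(records: Dict[str, List[str]]) -> Zone:
    return {name.rstrip(".").lower(): [CAARecord.parse(r) for r in rrs]
            for name, rrs in records.items()}


# Constructed sample data; not taken from any live domain.
SAMPLE_ZONE = build_zone({
    "example.com": [                      # the page's example: no wildcards at all
        '0 issue "letsencrypt.org"',
        '0 issue "digicert.com"',
        '0 issuewild ";"',
        '0 iodef "mailto:security@example.com"',
    ],
    "dev.example.com": [                  # hypothetical sub-zone that allows wildcards
        '0 issue "letsencrypt.org; validationmethods=dns-01"',
        '0 issuewild "letsencrypt.org"',
    ],
    "locked.example.com": [               # hypothetical critical record with an unknown tag
        '128 futuretag "some-policy"',
    ],
})

if __name__ == "__main__":
    cases = [
        ("www.example.com", "letsencrypt.org", False),   # inherits example.com -> allowed
        ("www.example.com", "sectigo.com", False),       # not listed -> refused
        ("example.com", "letsencrypt.org", True),        # issuewild ";" -> refused
        ("dev.example.com", "letsencrypt.org", True),    # sub-zone issuewild -> allowed
        ("dev.example.com", "digicert.com", False),      # parent's list no longer applies
        ("example.org", "anyca.example", False),         # no CAA anywhere -> allowed
        ("locked.example.com", "letsencrypt.org", False),  # critical unknown tag -> refused
    ]
    for name, ca, wild in cases:
        label = f"*.{name}" if wild else name
        print(f"{label:24} {ca:18} -> {'ISSUE' if may_issue(SAMPLE_ZONE, name, ca, wild) else 'REFUSE'}")
```

To run the same logic against a real zone, feed it the RDATA strings printed by dig +short example.com CAA, remembering that the CA's resolver, not yours, is what sees the answer.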
