CAA Record — Certificate Authority Authorization

Learn how CAA DNS records restrict which Certificate Authorities can issue SSL/TLS certificates for your domain. Prevent unauthorized certificate issuance.


Zone File Entry

example.com.    IN    CAA    0 issue "letsencrypt.org"
example.com.    IN    CAA    0 issuewild "letsencrypt.org"
example.com.    IN    CAA    0 iodef "mailto:security@example.com"

Detailed Explanation

What Is a CAA Record?

A CAA record (Certificate Authority Authorization, defined in RFC 6844 and revised in RFC 8659) lists which Certificate Authorities (CAs) are permitted to issue SSL/TLS certificates for your domain. Since 8 September 2017 (CA/Browser Forum Ballot 187), every publicly trusted CA must check CAA records before issuing a certificate and must refuse to issue when the records do not authorize it. The check happens at the CA at issuance time only: browsers do not evaluate CAA, a newly added record does not revoke certificates that already exist, and a compromised or non-compliant CA is not technically prevented from ignoring it. CAA therefore reduces the chance of mis-issuance by a compliant CA; Certificate Transparency monitoring remains the way to detect issuance that happened anyway.

BIND Zone File Syntax

; Allow only Let's Encrypt to issue certificates
example.com.    3600    IN    CAA    0 issue "letsencrypt.org"

; Allow Let's Encrypt for regular certs, deny all wildcards
example.com.    3600    IN    CAA    0 issue "letsencrypt.org"
example.com.    3600    IN    CAA    0 issuewild ";"

; Multiple CAs allowed
example.com.    3600    IN    CAA    0 issue "letsencrypt.org"
example.com.    3600    IN    CAA    0 issue "digicert.com"
example.com.    3600    IN    CAA    0 issue "sectigo.com"

; Report violations
example.com.    3600    IN    CAA    0 iodef "mailto:security@example.com"

CAA Tags

Tag        Description
issue      Authorize the named CA (by its issuer domain, e.g. "letsencrypt.org") to issue non-wildcard certificates; the value ";" authorizes no CA
issuewild  Authorize the named CA to issue wildcard certificates; the value ";" blocks all wildcards
iodef      Report policy violations to this contact (a mailto: address or an http:/https: URL)

How CAA Checking Works

When a CA receives a certificate request for www.example.com:

  1. The CA queries CAA records for www.example.com
  2. If that name has no CAA records, it queries the parent, example.com
  3. It keeps removing the leftmost label (next com., then the root) until it finds a CAA record set; TLD and root zones publish none in practice
  4. The first non-empty record set found is the only one evaluated: records at a child name replace, rather than merge with, records at a parent
  5. If no CAA records are found at any level, the CA is permitted to issue
  6. If the relevant record set contains issue records (or issuewild records, for a wildcard request) and none of them names the requesting CA, issuance is denied

A DNS lookup failure (SERVFAIL, timeout, DNSSEC validation failure) counts as a failed check. The Baseline Requirements let a CA proceed after retrying only when the failure is outside its own infrastructure and the zone has no DNSSEC chain to the root, so signing your zone closes that gap.

Adding any issue or issuewild record immediately restricts issuance to the listed CAs. A record set that contains only an iodef tag restricts nothing. Because only the first record set found is used, a CAA record at example.com has no effect on a subdomain that publishes CAA records of its own.

The Flags Field

The number before the tag (typically 0) is the flags field:

  • 0: Non-critical — if the CA does not understand the tag, it may proceed
  • 128: Critical — if the CA does not understand the tag, it must refuse to issue

The flags field is one byte; bit 0 (value 128) is the issuer-critical flag and the other bits are reserved. Use 0 for the standard tags, which every CA understands. The critical flag only matters for a tag a CA might not recognize: it turns "ignore the record" into "refuse to issue", which is the safer failure mode if you ever publish a non-standard tag.

Wildcard Certificate Control

The issuewild tag controls wildcard certificates (*.example.com) and is never consulted for non-wildcard requests. If the relevant record set has issue records but no issuewild records, the issue records govern both regular and wildcard certificates. If issuewild records are present, they alone decide wildcard requests and the issue records are ignored for those requests.

To block all wildcard certificates:

example.com.    IN    CAA    0 issuewild ";"
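The following is an added worked example (not code from the original page) that implements the lookup procedure, the flags rule and the issuewild rule described above, and parses the BIND-style CAA syntax shown earlier. The zone data is constructed inline so the script runs offline; the owner names, the dev. and strict. subdomains and the "futuretag" tag are illustrative, and a real CA would resolve the records over DNS (ideally DNSSEC-validated) instead of reading a dictionary.

```python
"""CAA evaluation as a CA performs it (RFC 8659 semantics).

Added example; not code from the original page. The zone below is a
constructed in-memory stand-in for DNS so the script runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample zone in the BIND syntax used on this page (not real DNS data).
ZONE_TEXT = """
; apex policy: two CAs for ordinary certs, no wildcards, violations reported
example.com.        3600 IN CAA 0   issue     "letsencrypt.org"
example.com.        3600 IN CAA 0   issue     "digicert.com"
example.com.        3600 IN CAA 0   issuewild ";"
example.com.        3600 IN CAA 0   iodef     "mailto:security@example.com"
; a subdomain with its own policy (replaces, does not extend, the apex set)
dev.example.com.    3600 IN CAA 0   issue     "sectigo.com"
; a hypothetical tag the CA does not understand, marked critical (128)
strict.example.com. 3600 IN CAA 128 futuretag "something"
"""

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# owner [ttl] [IN] CAA flags tag "value"
CAA_LINE = re.compile(
    r'^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+'
    r'(?P<flags>\d+)\s+(?P<tag>\S+)\s+"(?P<value>[^"]*)"\s*$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # Bit value 128 is the issuer-critical flag.
        return bool(self.flags & 128)


def parse_zone(text: str) -> dict[str, list[CAARecord]]:
    """Parse BIND-style CAA lines into {owner name: [records]}."""
    zone: dict[str, list[CAARecord]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # blank or comment line
            continue
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        # Tags are matched case-insensitively, so normalise them.
        rec = CAARecord(int(m["flags"]), m["tag"].lower(), m["value"])
        zone.setdefault(m["owner"].lower(), []).append(rec)
    return zone


def relevant_rrset(zone: dict[str, list[CAARecord]], name: str):
    """Climb from name toward the root; the first non-empty CAA RRset is the
    only one evaluated (records at a child replace, not merge with, a parent's)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def ca_permitted(zone: dict[str, list[CAARecord]], fqdn: str, ca_domain: str):
    """Decide whether the CA identified by ca_domain may issue for fqdn.

    Returns (permitted, reason). A wildcard request *.example.com is judged
    against the CAA set found for example.com, with the issuewild rule applied.
    """
    wildcard = fqdn.startswith("*.")
    owner, rrset = relevant_rrset(zone, fqdn[2:] if wildcard else fqdn)
    if not rrset:
        return True, "no CAA records found at any level; issuance unrestricted"
    # A critical record with an unrecognised tag forbids issuance outright.
    for r in rrset:
        if r.critical and r.tag not in KNOWN_TAGS:
            return False, f"critical unknown tag {r.tag!r} at {owner}"
    # issuewild, when present, is the only tag consulted for wildcard names;
    # otherwise issue governs wildcard and non-wildcard requests alike.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    selected = [r for r in rrset if r.tag == tag]
    if not selected:
        return True, f"no {tag} records at {owner}; issuance unrestricted"
    # The issuer domain is the text before any ';'. Parameters after it are
    # not interpreted here (a real CA must honour the ones it supports).
    # An empty issuer, produced by the value ";", authorises no CA at all.
    issuers = {r.value.split(";", 1)[0].strip().lower() for r in selected}
    if ca_domain.lower() in issuers:
        return True, f"{ca_domain} is authorised by {tag} at {owner}"
    return False, f"{ca_domain} is not in the {tag} set {sorted(issuers)} at {owner}"


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    for name, ca in [
        ("www.example.com", "letsencrypt.org"),
        ("www.example.com", "globalsign.com"),
        ("*.example.com", "letsencrypt.org"),
        ("dev.example.com", "letsencrypt.org"),
        ("*.dev.example.com", "sectigo.com"),
        ("strict.example.com", "digicert.com"),
        ("www.unrelated.test", "digicert.com"),
    ]:
        ok, why = ca_permitted(zone, name, ca)
        print(f"{'ALLOW' if ok else 'DENY':5} {ca:16} {name:22} {why}")
```

Running it shows the behaviours the text describes: www.example.com inherits the apex policy, the wildcard request is refused by issuewild ";", dev.example.com replaces the apex set entirely (so Let's Encrypt is refused there and, with no issuewild at that name, Sectigo may issue *.dev.example.com), the critical unknown tag blocks every CA, and a name with no CAA records anywhere in its ancestry is unrestricted.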

Security Benefits

  • Prevent mis-issuance: Stop compliant CAs other than the ones you list from issuing certificates for your domain, which shrinks the set of CAs an attacker can target with domain-validation tricks
  • Incident notification: The iodef tag gives CAs a contact for reporting requests they refused under your policy; the RFC makes sending such reports optional, so treat it as a bonus signal and still monitor Certificate Transparency logs for issuance you did not authorize
  • Defense in depth: Complements Certificate Transparency logging and HSTS preloading, which catch and limit the impact of issuance that CAA did not prevent
  • Subdomain protection: Subdomains with no CAA records of their own inherit the closest ancestor's policy, because the CA climbs toward the root; a subdomain that publishes its own CAA records replaces the parent's policy entirely, so audit delegated zones separately

Use Case

Add CAA records to restrict which Certificate Authorities can issue SSL/TLS certificates for your domain, reducing the risk of fraudulent certificate issuance.
