What is a CAA record?

The DNS lock that only allows specific Certificate Authorities to issue SSL certificates for your domain.

What problem does CAA solve?

Worldwide there are well over 100 publicly trusted Certificate Authorities (CAs): Let's Encrypt, DigiCert, Sectigo, GoDaddy, GlobalSign and many smaller ones. Until 2017, nothing in DNS told a CA whether the domain owner wanted it to issue, so any trusted CA could issue a browser-trusted SSL/TLS certificate for any domain. A single hacked or negligent CA was enough to obtain certificates for any domain at all. The DigiNotar breach of 2011 is the best-known example: the attacker who broke into the Dutch CA issued fraudulent certificates for google.com and other high-profile domains, and those certificates were then used for large-scale MITM attacks on users in Iran.

CAA records (Certification Authority Authorization, RFC 8659, which replaced RFC 6844) are the answer: via DNS you declare which CAs are allowed to issue certificates for your domain. Every CA must look up the CAA record before issuing a certificate and must refuse if it is not listed. CAA checking has been mandatory for all publicly trusted CAs since 8 September 2017 (CA/Browser Forum Baseline Requirements). Keep in mind what the check does and does not do: it is performed by the CA at issuance time, not by browsers when they connect, so it stops an honest CA from being tricked into mis-issuance and turns any violation into a documented breach of the Baseline Requirements, but it cannot stop a fully compromised CA that simply skips the lookup. Certificate Transparency logs are the complement for spotting such certificates after the fact.

Record structure

Example:

example.com.  CAA  0 issue "letsencrypt.org"
example.com.  CAA  0 issue "digicert.com"
example.com.  CAA  0 issuewild "letsencrypt.org"
example.com.  CAA  0 iodef "mailto:security@example.com"

Three properties (tags):

  • issue — this CA is allowed to issue certificates for the name (and, if no issuewild record exists, wildcard certificates as well).
  • issuewild — this CA is allowed to issue wildcard certificates (*.example.com). When present, it takes precedence over issue for wildcard requests.
  • iodef — address to which CAs should report requests that violate the policy: a mailto: address or an http/https URL; the report itself uses the IODEF format (RFC 7970).

The flag field at the front (here 0) is a bit field. Setting it to 128 asserts the "issuer critical" flag: a CA that does not understand that property must then refuse to issue rather than ignore it. In practice 0 is used almost everywhere, since all CAs understand the three standard tags.

Blocking issuance entirely

If no CA at all should be allowed to issue certificates (for example for a mail-only domain), use a record whose value names no issuer:

example.com.  CAA  0 issue ";"

Because issue records also govern wildcard requests when there is no issuewild record, this single line blocks wildcard certificates too.

Which value strings for which CA?

  • Let's Encrypt: letsencrypt.org
  • DigiCert: digicert.com
  • Sectigo (formerly Comodo): sectigo.com or comodoca.com
  • GlobalSign: globalsign.com
  • Google Trust Services: pki.goog
  • Amazon AWS: amazon.com (or amazontrust.com)

Which value strings your CA expects is documented by the CA itself; some accept several spellings, others exactly one. The comparison is an exact, case-insensitive match on the domain name, so a typo in the value silently blocks issuance instead of allowing it.

Common mistakes

  • No CAA record: any CA in the world is allowed to issue certificates. Not the end of the world, since every modern CA also validates control of the domain, but you give up an important extra safeguard.
  • Forgetting the CAA record when switching providers: if you move from Let's Encrypt to e.g. AWS, certificate issuance will fail until the CAA record is updated accordingly. Update DNS first, then request the certificate.
  • Misjudging wildcards: issuewild is not required to get wildcard certificates. If only issue records exist, they apply to wildcard requests too. Add issuewild only when wildcards should be handled by a different CA, or blocked entirely with issuewild ";".
  • Subdomain inheritance: a CA starts at the requested name and climbs towards the root until it finds the first name that has CAA records; that set applies. A subdomain with no CAA record of its own therefore inherits the parent's policy, and a subdomain with its own records replaces it completely (the sets are not merged). If the name is a CNAME, the CA follows the alias first.
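The issue/issuewild precedence and the climb up the name hierarchy described above are easier to see in code. The following is an added example, not code from this page or from any CA: it evaluates CAA the way RFC 8659 tells a CA to, against a small in-memory zone. The zone lines are constructed sample data written in the format `dig CAA <name> +short` prints; example.com carries the records from the article, the other names are invented to exercise inheritance, the ";" block, an issuer parameter and the critical flag. Real resolution (CNAME following, DNSSEC, retries) is out of scope here.

```python
import re
from dataclasses import dataclass

# Constructed sample zone (not real DNS answers): owner name -> lines as
# `dig CAA <name> +short` prints them. Names other than example.com are made up.
SAMPLE_ZONE = {
    "example.com.": [
        '0 issue "letsencrypt.org"',
        '0 issue "digicert.com"',
        '0 issuewild "letsencrypt.org"',
        '0 iodef "mailto:security@example.com"',
    ],
    "mail.example.com.": ['0 issue ";"'],               # nobody may issue here
    "shop.example.com.": ['0 issue "globalsign.com"'],  # issue only, no issuewild
    # Issuer followed by a parameter (RFC 8659 syntax; value is made up)
    "api.example.com.": ['0 issue "pki.goog; accounturi=https://example.invalid/acct/1"'],
    # Critical flag (128) on a tag no CA understands: issuance must be refused
    "legacy.example.com.": ['128 futuretag "x"', '0 issue "letsencrypt.org"'],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
_LINE = re.compile(r'^\s*(\d+)\s+(\S+)\s+"(.*)"\s*$')


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & 128)  # issuer-critical bit

    @property
    def issuer(self) -> str:
        # value is "<issuer-domain>[; key=value ...]"; a bare ";" yields "" (no issuer)
        return self.value.split(";", 1)[0].strip().lower()


def parse_short_line(line: str) -> CAARecord:
    """Parse one `dig +short` style CAA line into flags, tag and value."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))


def normalize(name: str) -> str:
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parent(name: str) -> str:
    """'www.example.com.' -> 'example.com.', 'com.' -> '.'"""
    return name.split(".", 1)[1] or "."


def relevant_caa_set(zone: dict, name: str) -> list:
    """RFC 8659 section 3: climb towards the root, first non-empty CAA set wins."""
    name = normalize(name)
    while name != ".":
        lines = zone.get(name)
        if lines:
            return [parse_short_line(l) for l in lines]
        name = parent(name)
    return []


def ca_may_issue(zone: dict, requested_name: str, ca_domain: str):
    """Return (allowed, reason) for a CA identified by its CAA issuer domain."""
    wildcard = requested_name.startswith("*.")
    base = requested_name[2:] if wildcard else requested_name
    rrset = relevant_caa_set(zone, base)
    if not rrset:
        return True, "no CAA records anywhere in the hierarchy: not restricted"
    for r in rrset:
        if r.critical and r.tag not in KNOWN_TAGS:
            return False, f"critical property '{r.tag}' not understood: must refuse"
    # issuewild governs wildcards only if present; otherwise issue applies to them too
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    allowed = {r.issuer for r in rrset if r.tag == tag}
    if not allowed:
        return True, f"relevant set has no {tag} property: not restricted"
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is listed in {tag}"
    return False, f"{ca_domain} not listed in {tag} (allowed: {sorted(allowed)})"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "digicert.com"), ("*.example.com", "digicert.com"),
                     ("*.shop.example.com", "globalsign.com"), ("*.mail.example.com", "letsencrypt.org"),
                     ("legacy.example.com", "letsencrypt.org"), ("example.net", "letsencrypt.org")]:
        ok, why = ca_may_issue(SAMPLE_ZONE, name, ca)
        print(f"{name:24} {ca:16} {'ISSUE' if ok else 'REFUSE'}: {why}")
```

Two results are worth checking against your own expectations: `*.shop.example.com` is allowed for GlobalSign although shop.example.com has no issuewild record, and `*.mail.example.com` is refused for everyone because the `issue ";"` on mail.example.com also covers wildcards.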

Checking CAA

With dig:

dig CAA example.com +short

An empty answer only means that this exact name has no CAA records. A CA would then look at the parent names (example.com for www.example.com, and so on up), so query those as well before concluding that issuance is unrestricted.

Or directly in the Webscan Radar DNS tool, where the CAA entry is shown alongside the other lookup results.
