CAA Record Security

The CAA record (Certification Authority Authorization) specifies which certificate authorities (CAs) are allowed to issue SSL/TLS certificates for your domain. A CA that honours CAA will refuse to issue for a domain that has not authorized it, which adds an extra layer of defence against fraudulent or mistakenly issued certificates.

Look Up CAA Records

Check CAA records for any domain using our free DNS lookup tool.

Look Up CAA Records →

What Is a CAA Record?

Since 2017, publicly trusted certificate authorities have been required to check CAA records before issuing a certificate. If a CAA record exists, a CA may only issue if it is listed in that record. This protects against:

  • Unauthorized certificate issuance by CAs you don't use
  • Domain validation attacks: an attacker who manages to pass a CA's domain validation check still cannot obtain a certificate from a CA you have not authorized
  • Certificate misissuance due to CA errors

CAA Record Format

A CAA record consists of three parts:

Component   Description                                                  Example
Flags       0 = non-critical, 128 = critical (issuer critical flag set)  0
Tag         Property type: issue, issuewild or iodef                     issue
Value       CA domain name, ";" for no CA, or a mailto:/https: report    letsencrypt.org
            URL for iodef

Example CAA Record

example.com.    3600    IN    CAA    0 issue "letsencrypt.org"

This record allows only Let's Encrypt to issue certificates for example.com.

CAA Tags

issue — Standard Certificates

Specifies CAs that can issue certificates for the domain:

example.com.    CAA    0 issue "digicert.com"
example.com.    CAA    0 issue "letsencrypt.org"

issuewild — Wildcard Certificates

Specifies CAs that can issue wildcard certificates (for example *.example.com):

example.com.    CAA    0 issuewild "digicert.com"

If no issuewild record exists, the issue record applies to wildcards too.

iodef — Incident Reporting

Where a CA should report certificate requests that violate your CAA policy; the value is a mailto: or https: URL:

example.com.    CAA    0 iodef "mailto:[email protected]"
example.com.    CAA    0 iodef "https://example.com/caa-report"

Common CA Identifiers

Certificate Authority    CAA Value
Let's Encrypt            letsencrypt.org
DigiCert                 digicert.com
Sectigo (Comodo)         sectigo.com
GlobalSign               globalsign.com
GoDaddy                  godaddy.com
Amazon (AWS)             amazon.com
Google Trust Services    pki.goog
Cloudflare               digicert.com, comodoca.com and letsencrypt.org (one issue record each)

Example CAA Configurations

1. Single CA (Let's Encrypt only)

example.com.    CAA    0 issue "letsencrypt.org"
example.com.    CAA    0 iodef "mailto:[email protected]"

2. Multiple CAs

example.com.    CAA    0 issue "digicert.com"
example.com.    CAA    0 issue "letsencrypt.org"
example.com.    CAA    0 issuewild "digicert.com"

3. Prevent All Certificate Issuance

example.com.    CAA    0 issue ";"

4. Wildcard Restriction

example.com.    CAA    0 issue "letsencrypt.org"
example.com.    CAA    0 issuewild ";"

This allows regular certificates but blocks wildcard certificates.

CAA Inheritance

CAA records are inherited by subdomains. If no CAA record exists for a subdomain, the parent domain's CAA record applies:

  • www.example.com checks for CAA at www.example.com
  • If not found, checks example.com
  • If not found, checks com (typically no CAA)
  • If no CAA found anywhere, any CA can issue

To set different policies for subdomains, create CAA records at the subdomain level.
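The following is an added example, not code from the original page or from any DNS tool: a small Python evaluator that implements the CAA behaviour described in the Format, Tags, Configurations and Inheritance sections, following RFC 8659. It parses zone-file style CAA lines, climbs from a hostname toward the root to find the relevant record set, applies issue/issuewild precedence and the ";" (no CA) value, and refuses issuance on a critical flag with an unknown tag. The ZONE dictionary, the dev.example.com policy and the security@example.com address are constructed sample data; CNAME/DNAME handling is not modelled.

```python
# Added example (not the page's own code): minimal CAA authorization check per RFC 8659.
from dataclasses import dataclass

CRITICAL = 128                               # issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int   # 0 = non-critical, 128 = issuer-critical
    tag: str     # issue, issuewild or iodef
    value: str   # CA domain (optionally "; param=value"), ";" for no CA, or a report URL


def parse_caa(line: str) -> CAA:
    """Parse a zone-file style line: owner [ttl] [IN] CAA flags tag "value"."""
    fields = line.split()
    if "CAA" not in fields:
        raise ValueError(f"not a CAA record: {line!r}")
    i = fields.index("CAA")
    flags = int(fields[i + 1])
    if not 0 <= flags <= 255:
        raise ValueError(f"flags out of range: {flags}")
    tag = fields[i + 2].lower()
    value = " ".join(fields[i + 3:]).strip().strip('"')
    if tag == "iodef" and not value.startswith(("mailto:", "http://", "https://")):
        raise ValueError(f"iodef value must be a mailto: or http(s): URL: {value!r}")
    return CAA(flags, tag, value)


def issuer_domain(value: str) -> str:
    """CA domain from an issue/issuewild value; '' means 'no CA' (the ";" form)."""
    return value.split(";", 1)[0].strip().lower()


def relevant_records(fqdn: str, zone: dict) -> tuple:
    """Climb from fqdn toward the root; return (name, records) for the first name
    that has CAA records, or (None, []) if none exists (RFC 8659 section 3)."""
    name = fqdn.rstrip(".").lower() + "."
    while name:
        if zone.get(name):
            return name, zone[name]
        name = name.split(".", 1)[1]   # drop the leftmost label; "com." becomes ""
    return None, []


def may_issue(fqdn: str, ca: str, zone: dict, wildcard: bool = False) -> tuple:
    """Decide whether CA `ca` may issue for fqdn (or *.fqdn); returns (allowed, reason)."""
    origin, rrs = relevant_records(fqdn, zone)
    if not rrs:
        return True, "no CAA record at any level: any CA may issue"
    # A critical flag on a tag the CA does not understand forbids issuance.
    for r in rrs:
        if r.flags & CRITICAL and r.tag not in KNOWN_TAGS:
            return False, f"critical unknown tag {r.tag!r} at {origin}"
    # issuewild governs wildcard requests only when at least one is present;
    # otherwise the issue records apply to wildcards as well.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrs) else "issue"
    allowed = {issuer_domain(r.value) for r in rrs if r.tag == tag}
    if not allowed:
        return True, f"no {tag} property at {origin}: issuance is not restricted"
    allowed.discard("")                      # ";" contributes no authorized CA
    if ca.lower() in allowed:
        return True, f"{ca} is authorized by {tag} at {origin}"
    if not allowed:
        return False, f'{tag} ";" at {origin}: no CA may issue'
    return False, f"{ca} is not in {tag} at {origin} (authorized: {sorted(allowed)})"


# Constructed sample zone: the page's "Wildcard Restriction" layout at the apex,
# plus a subdomain carrying its own policy. The address is a constructed example.
ZONE = {
    "example.com.": [
        parse_caa('example.com.  3600  IN  CAA  0 issue "letsencrypt.org"'),
        parse_caa('example.com.  3600  IN  CAA  0 issuewild ";"'),
        parse_caa('example.com.  3600  IN  CAA  0 iodef "mailto:security@example.com"'),
    ],
    "dev.example.com.": [
        parse_caa('dev.example.com.  3600  IN  CAA  0 issue "digicert.com; validationmethods=dns-01"'),
    ],
}

if __name__ == "__main__":
    for host, ca, wild in [("www.example.com", "letsencrypt.org", False),
                           ("www.example.com", "digicert.com", False),
                           ("example.com", "letsencrypt.org", True),
                           ("dev.example.com", "digicert.com", False),
                           ("dev.example.com", "letsencrypt.org", False),
                           ("other.org", "letsencrypt.org", False)]:
        ok, why = may_issue(host, ca, ZONE, wildcard=wild)
        label = ("*." if wild else "") + host
        print(f"{label:<20} {ca:<16} {'ALLOW' if ok else 'DENY':<5} {why}")
```

Running it shows the inheritance rule in action: www.example.com has no records of its own and inherits the apex policy, dev.example.com uses only its own record set (so the apex issuewild ";" does not apply to a wildcard for dev), and a name with no CAA anywhere up the tree is unrestricted. The reason string is the kind of diagnosis you want when an issuance request unexpectedly fails.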

CAA Best Practices

  • List only CAs you use — Don't authorize CAs you don't plan to use.
  • Set up iodef reporting — Get notified of unauthorized certificate requests. CA support for iodef is optional, so treat it as a bonus signal rather than your only alert.
  • Consider wildcard restrictions — Use issuewild to control wildcard certificate issuance separately.
  • Include all environments — Remember to authorize CAs for staging/dev certificates too.
  • Use low TTL when changing CAs — Before switching CAs, lower the TTL so the change propagates quickly.

Troubleshooting CAA

Common issues and solutions:

  • Certificate issuance failing — Check that your CA is listed in your CAA record.
  • Forgot to include a CA — Add another issue record for the missing CA.
  • Wildcard certificate failing — Check issuewild records (or ensure issue applies).
  • CAA lookup error — CAs retry on DNS errors, but a persistent failure can block issuance, and for a zone without DNSSEC a CA is permitted to treat the failure as permission to issue; keep your DNS reliable and consider signing the zone.

Check Your CAA Records

Use our DNS Record Finder to look up CAA records for any domain.

Related Record Types

  • TLSA Record — DANE certificate pinning
  • TXT Record — Domain verification for CAs
  • A Record — IPv4 address (required for certificate issuance)