CAA
Certification Authority Authorization
CAA records control which certificate authorities may issue TLS/SSL certificates for your domain. Learn the tags, flags, and how to combine entries.
CAA
Security
RFC 8659
Indirect
CAA <flags> <tag> "<value>"
CAA 0 issue "letsencrypt.org"
3600–86400 s; CAs query CAA at issuance time, so allow changes to propagate before requesting a certificate
💬 What This Record Does
CAA (Certification Authority Authorization) records let you restrict which certificate authorities (CAs) are allowed to issue TLS/SSL certificates for your domain. Before issuing a certificate, compliant CAs must check for CAA records and refuse to issue if they are not listed. If no CAA records exist, any CA can issue certificates. Three tags are defined: "issue" (allow DV and OV certs), "issuewild" (allow wildcard certs), and "iodef" (receive violation reports via email or URL).
Common Uses
- Restricting certificate issuance to a single CA (e.g., only Let's Encrypt)
- Preventing misissued certificates by unauthorised CAs
- Receiving alerts if a CA attempts to issue a certificate that violates your CAA policy
⚠️ Watch Out For
- A domain with only an "issue" record (and no "issuewild") still allows any CA to issue wildcard certs — add "issuewild" explicitly to restrict wildcards.
- CAA is checked by compliant CAs, but a compromised or rogue CA might not honour it.
- You can have multiple CAA records on the same name — one per allowed CA.
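The lookup and decision rules above (walking up the tree to the first non-empty CAA set, "issue" versus "issuewild", the critical flag, several records on one name, and "iodef" reporting targets), worked through as an added Python example; this is not code from the page, and the zone contents and CA names in it are constructed for illustration. It follows RFC 8659: the relevant RRset is the first non-empty CAA set found walking from the name toward the root (a leading "*" label is dropped first), "issuewild" records take precedence over "issue" records only for wildcard names, an RRset with "issue" records but no "issuewild" records governs wildcard issuance with those "issue" records (§4.3), an empty issuer (";") permits no CA, and an issuer-critical record with an unknown tag blocks issuance (§4.1).

```python
"""Decide whether a CA may issue for a name under RFC 8659 CAA rules.
Added example, not the page's code; ZONE is a constructed toy zone."""
from dataclasses import dataclass

CRITICAL = 128  # issuer-critical flag bit (RFC 8659 section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def parse_caa(text):
    """Parse presentation form: <flags> <tag> "<value>"."""
    flags, tag, value = text.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone: owner name -> CAA records in presentation format.
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"',
                    '0 issue "digicert.com; cansignhttpexchanges=yes"',
                    '0 iodef "mailto:security@example.com"'],
    "shop.example.com": ['0 issuewild ";"'],           # no wildcard certs here
    "docs.example.com": ['0 iodef "https://caa-reports.example.com/"'],
    "legacy.example.com": ['128 futuretag "something"'],  # critical, unknown
}


def relevant_rrset(name, zone=ZONE):
    """RFC 8659 section 3: drop a leading '*' label, then walk toward the
    root and return the first non-empty CAA RRset (or [] if none exists)."""
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrs = zone.get(".".join(labels))
        if rrs:
            return [parse_caa(r) for r in rrs]
        labels = labels[1:]
    return []


def issuer_domain(value):
    """'digicert.com; cansignhttpexchanges=yes' -> 'digicert.com'.
    An empty issuer-domain-name (value ";") authorises no CA at all."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca, name, zone=ZONE):
    """Return (allowed, reason) for CA `ca` issuing a certificate for `name`."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA records in the tree: any CA may issue"
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag not in KNOWN_TAGS:
            return False, f"critical tag {rr.tag!r} not understood"
    tags_present = {rr.tag for rr in rrset}
    if name.startswith("*.") and "issuewild" in tags_present:
        tag = "issuewild"  # section 4.3: issuewild overrides issue for wildcards
    elif "issue" in tags_present:
        tag = "issue"      # also covers wildcards when no issuewild exists
    else:
        # Section 4.2: an RRset with no issuance-restricting tags (e.g. only
        # iodef) places no restriction on issuance.
        return True, "CAA records present but none restrict issuance"
    issuers = {issuer_domain(rr.value) for rr in rrset if rr.tag == tag}
    if ca.lower() in issuers:
        return True, f"{ca} is listed in {tag} records"
    return False, f"{ca} is not among {tag} issuers {sorted(issuers)}"


def iodef_targets(name, zone=ZONE):
    """Where a CA should report a policy violation for `name`, if anywhere."""
    return [rr.value for rr in relevant_rrset(name, zone) if rr.tag == "iodef"]


if __name__ == "__main__":
    for ca, fqdn in [("letsencrypt.org", "www.example.com"),
                     ("globalsign.com", "www.example.com"),
                     ("digicert.com", "*.example.com"),
                     ("letsencrypt.org", "*.shop.example.com"),
                     ("letsencrypt.org", "legacy.example.com")]:
        print(f"{ca:16} {fqdn:24} {may_issue(ca, fqdn)}")
    print("violation reports for www.example.com go to", iodef_targets("www.example.com"))
```

Running the module prints one decision per (CA, name) pair; the `*.example.com` case is the one worth checking against your own zone, since with no "issuewild" record the "issue" list alone decides who may issue a wildcard.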