CAA

Certificate Authority Authorization Record

Specifies which certificate authorities can issue SSL certificates


About

The CAA (Certificate Authority Authorization) record specifies which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for a domain. This is a security measure to prevent unauthorized certificate issuance, which could be used in man-in-the-middle attacks.

When a CA receives a certificate request, it must check for CAA records before issuing. The check starts at the requested name and, if that name has no CAA records, continues at its parent names in turn. If CAA records exist and the CA is not listed, the CA must refuse to issue the certificate. If no CAA records exist at any level, any CA may issue certificates (subject to its normal domain validation).

CAA records can also carry an iodef property naming a contact address (for example a mailto: URL) that a CA can notify when it receives a certificate request that violates the domain's CAA policy, providing visibility into attempted certificate issuance for your domain.

Format & Example

Record Format
domain.com. IN CAA 0 issue "ca.example.com"
Example
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
example.com. 3600 IN CAA 0 iodef "mailto:[email protected]"

Only Let's Encrypt can issue certificates for example.com, and [email protected] will receive an iodef report when a certificate request violates this policy.
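As an added illustration (not code from this page or from any CA), the following Python sketch implements the issuance decision described above: find the relevant CAA record set by climbing from the requested name toward the root, then allow issuance only if the CA appears in an issue (or, for wildcards, issuewild) property. The zone data and the mailto: address are constructed for the example.

```python
from collections import namedtuple

# A CAA RR as (flags, tag, value); flag bit 0x80 marks the property "issuer critical".
CAA = namedtuple("CAA", "flags tag value")

# Constructed sample zone, not real DNS data.
ZONE = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "iodef", "mailto:security@example.com"),  # hypothetical contact
    ],
    "shop.example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),        # nobody may issue wildcards for this name
    ],
    "locked.example.com": [
        CAA(0, "issue", ";"),            # nobody may issue for this name at all
    ],
}

def relevant_record_set(zone, name):
    """Climb toward the root and return the CAA RRset of the first name that has one."""
    labels = name.rstrip(".").lstrip("*.").split(".")   # "*.x.example.com" starts at x.example.com
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """'ca.example.net; account=123' -> 'ca.example.net'; a bare ';' -> '' (no CA)."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(zone, fqdn, ca, wildcard=False):
    """Return True if the CA identified by `ca` may issue a certificate for `fqdn`."""
    rrset = relevant_record_set(zone, fqdn)
    # A critical property the CA does not understand means it must not issue.
    if any(r.flags & 0x80 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"           # issuewild overrides issue for wildcard requests
    issuers = [issuer_domain(r.value) for r in rrset if r.tag == tag]
    if not issuers:
        return True                 # no CAA records, or only iodef: issuance is unrestricted
    return ca.lower() in issuers
```

Note that a name with only an iodef record does not restrict issuance; the restriction comes from issue and issuewild.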

Common Uses

  • Restricting which CAs can issue certificates
  • Preventing unauthorized certificate issuance
  • Receiving notifications about certificate requests
  • Compliance with security policies

Best Practices & Tips

  • Add CAA records even if using only one CA
  • Include an iodef record for violation notifications
  • Use 'issuewild' to control wildcard certificate issuance
  • Test CAA records before relying on them
