The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain. CAA records can set policy for the entire domain, or for specific hostnames. They are also inherited by subdomains, therefore a CAA record set on domain.com will also apply to any subdomain, such as subdomain.domain.com (unless overridden). CAA records can control the issuance of single-name certificates, wildcard certificates, or both.
CAA records allow you to determine which certification authorities may issue certificates for your domain and subdomains. For that reason, it is always a good idea to control this via proper CAA record(s). CAA record helps CAs to better control the process of issuing certificates and to reduce the possibility of mis-issue certificates for the domain. Additionally, by adding such a DNS record, you limit the abuse and prevent issuing fake certificates for your domain.
Log in your ClouDNS account, enter your DNS zone management page, and click on Add new record. For Type choose CAA and type as follow:
Example of the CAA record in your ClouDNS Control Panel:
Host | Type | Points to: | TTL |
hostname.com | CAAA | 0 issue "letsencrypt.org" | 1 Hour |
Every CAA record includes the following components:
All records will have the default issuer critical value of 0, which means they are not critical. Flag 128 is used for critical
Type allows you to choose how you want certificates to be issued by the CA. Each CAA record can contain only one tag-value pair.
issue: Explicitly authorizes a single certificate authority to issue a certificate (any type) for the hostname.
issuewild: Authorization to issue certificates that specify a wildcard domain. Please note: issuewild properties take precedence over issue properties when specified.
iodef: (Incident Description Exchange Format) Specifies a means of reporting certificate issue requests or cases of certificate issue for the corresponding domain that violate the security policy of the issuer or the domain name holder.
Specify the domain name of the CA provider to which the CAA record applies.
Here are the main benefits of adding CAA records to your domain name:
It is actually really easy to check your CAA record. Here is how to do it in several different ways depending on your operating system (OS):
If you are a macOS or Linux user, you can use the Dig command to check your CAA record. Open the Terminal and type the following command:
dig example.com caa
If you are using Windows, we recommend you to check your CAA record with our Free DNS tool.
Common errors in CAA record configurations, like incorrect syntax or DNS propagation delays, can impede SSL/TLS certificate issuance. Errors often arise from format issues—misplaced quotation marks or wrongly specified CA domain names—leading to DNS resolver failures. To resolve these, first, ensure the CAA record adheres to the correct format using DNS lookup tools such as ClouDNS Free DNS tool. Then, after updating CAA records, check for DNS propagation consistency across various resolvers using tools like dig or nslookup. This approach helps maintain alignment between certificate issuance and security policies.
ClouDNS provides full support for CAA records for all our DNS services, including the listed below. Just write to our technical support, if you need any assistance with your CAA records configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.
Question: What should my CAA record look like if I purchase an SSL certificate from ClouDNS?
Answer: The Certificate Authority we work with is Sectigo. They recognizes the following domain names in issue and issuewild property tags as permitting them to issue:
Question: Does a CAA record affect the SSL/TLS certificates I already have?
Answer: No, CAA records do not affect existing SSL/TLS certificates. They only come into play when a Certificate Authority (CA) is attempting to issue a new certificate. Existing certificates remain valid until they expire, regardless of the CAA record's contents.
Question: Can I specify multiple CAs in CAA records?
Answer: Yes, you can specify multiple CAs in your CAA records. You can do this by creating multiple CAA records for your domain, each with a different CA's domain name.