DNS CAA Record
Certification Authority Authorization
What is a CAA Record?
A DNS CAA record (Certification Authority Authorization) specifies which Certificate Authorities (CAs) are authorized to issue SSL/TLS certificates for a domain. Defined in RFC 8659, CAA records give domain owners a way to restrict certificate issuance, reducing the risk of unauthorized or fraudulent certificates being issued for their domain.
Since September 2017, all publicly trusted Certificate Authorities are required to check CAA records before issuing a certificate. If a CAA record exists and the requesting CA is not listed, the CA must refuse to issue the certificate. If no CAA record exists, any CA may issue certificates for the domain. CAA checking is hierarchical: if no CAA record exists at the exact domain, the CA checks the parent domains in turn, up to the zone apex, and applies the first CAA record set it finds.
CAA records support three property tags: 'issue' (which CAs can issue regular certificates), 'issuewild' (which CAs can issue wildcard certificates), and 'iodef' (where to report policy violations). This granular control allows you to, for example, allow Let's Encrypt for regular certificates but only DigiCert for wildcard certificates. CAA records are an important part of a defense-in-depth security strategy for your domain's TLS configuration.
Syntax & Examples
The syntax of a DNS CAA record uses a flags-tag-value format:
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
example.com. 3600 IN CAA 0 issuewild "digicert.com"
example.com. 3600 IN CAA 0 iodef "mailto:[email protected]"
The fields are: domain, TTL, class, record type, flags (0 = non-critical, 128 = critical), property tag (issue/issuewild/iodef), and the value in quotes. To restrict issuance to only Let's Encrypt and deny all wildcard certificates:
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
example.com. 3600 IN CAA 0 issuewild ";"
How to Query CAA Records
To query CAA records using dig, run: dig example.com CAA or dig example.com TYPE257. For concise output: dig +short example.com CAA. The output shows the flags, tag, and value for each CAA record. To check whether a parent domain has CAA records that would apply to a subdomain with none of its own, query the subdomain first and then each parent domain in turn.
With nslookup, use: nslookup -type=CAA example.com (note: older versions of nslookup may not support CAA). On Windows PowerShell: Resolve-DnsName -Name example.com -Type CAA. You can also use online tools like SSLMate's CAA Record Generator to create correct CAA records, and SSL Labs to verify your CAA configuration alongside other TLS settings.
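The lookup and tag rules described above (climb to the parent domains when a name has no records, use issuewild for wildcard requests only when it is present, refuse on an unrecognized critical property) can be checked offline against your own zone data. The following is an added example, not code from the original page; it parses dig +short style lines into a constructed ZONE table and evaluates issuance the way a CA does.

```python
"""CAA policy evaluation as an issuing CA performs it (RFC 8659). Added example, not from
the original page; ZONE is constructed data, not a live DNS query."""
import re
from collections import namedtuple
CAA = namedtuple("CAA", "flags tag value")  # flags: 128 = critical, 0 = non-critical
CAA_LINE = re.compile(r'^\s*(\d+)\s+(\S+)\s+"([^"]*)"\s*$')
def parse_dig_short(lines):
    """Parse `dig +short NAME CAA` output lines such as: 0 issue "letsencrypt.org"."""
    matches = (CAA_LINE.match(line) for line in lines)
    return [CAA(int(m.group(1)), m.group(2).lower(), m.group(3)) for m in matches if m]

# Constructed zone: the apex allows only Let's Encrypt and forbids all wildcards;
# shop.example.com carries its own policy, which shadows the apex for that subtree.
ZONE = {
    "example.com": parse_dig_short([
        '0 issue "letsencrypt.org"',
        '0 issuewild ";"',
        '0 iodef "mailto:security@example.com"',  # constructed contact address
    ]),
    "shop.example.com": parse_dig_short(['0 issue "digicert.com"']),
}

def relevant_records(zone, name):
    """Return (owner, rrset) of the first non-empty CAA set climbing from NAME to the root."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def _issuer(value):
    # A value is "<issuer-domain>[; parameters]"; a bare ";" names no issuer at all.
    return value.split(";", 1)[0].strip().lower()

def may_issue(zone, requested_name, ca_domain):
    """Return (allowed, reason) for CA_DOMAIN issuing for REQUESTED_NAME ("*.x" = wildcard)."""
    wildcard = requested_name.startswith("*.")
    where, rrset = relevant_records(zone, requested_name[2:] if wildcard else requested_name)
    if not rrset:
        return True, "no CAA records anywhere in the hierarchy: issuance unrestricted"
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False, f"unrecognized critical CAA property at {where}: CA must refuse"
    # issuewild governs a wildcard request only when present; otherwise issue applies.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    allowed = {_issuer(r.value) for r in rrset if r.tag == tag}
    if not allowed:
        return True, f"CAA set at {where} has no '{tag}' records: issuance unrestricted"
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is listed under '{tag}' at {where}"
    return False, f"{ca_domain} is not listed under '{tag}' at {where}"
```

Feed parse_dig_short the real output of dig +short for each name in your hierarchy to reproduce the decision a CA will make before renewal time.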
Frequently Asked Questions
What is a DNS CAA record?
A DNS CAA (Certification Authority Authorization) record specifies which Certificate Authorities (CAs) are permitted to issue SSL/TLS certificates for a domain. It's a security measure that prevents unauthorized CAs from issuing certificates, reducing the risk of domain impersonation and man-in-the-middle attacks.
Are CAA records required?
CAA records are not required for domain owners, but all publicly trusted CAs are required to check them before issuing certificates. If no CAA records exist, any CA can issue certificates for your domain. Adding CAA records is strongly recommended as a security best practice.
What is the difference between issue and issuewild?
The 'issue' tag controls which CAs can issue regular (non-wildcard) certificates, while 'issuewild' specifically controls wildcard certificate issuance. If only 'issue' is set, it also applies to wildcard certificates. You can use 'issuewild ";"' to deny all wildcard certificates while allowing regular ones.
What happens if the CA is not in my CAA record?
If a CA checks your domain's CAA records and finds that it is not authorized, the CA must refuse to issue the certificate. The CA may report the failed attempt to the address specified in the iodef tag. You would need to update your CAA records to include the new CA before that CA can issue a certificate.
Do CAA records affect existing certificates?
No, CAA records only affect future certificate issuance. Existing certificates that were validly issued before CAA records were added will continue to work until they expire. CAA is checked at the time of issuance or renewal, so ensure your records include CAs you use before renewal time.