What are CAA records

Certification Authority Authorization (CAA) records allow a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain.  (RFC 6844)


Field Description

A) Name This is the host name for the record, typically a computer or server within your domain. Your domain name is automatically appended to the end of the “Name” field. For example, if you create a record with the name “www” the record would be defined as “www.example.com”. If the “Name” field is left blank, then it represents the root record of the domain. The root record for the base domain can also be referred to as the apex record and is represented using an @ symbol in some documentation.

B) TTL The TTL (Time to Live) in seconds is the length of time the record will be cached by resolving name servers and web browsers. The longer the TTL, the less frequently remote systems will look up the DNS record, and your nameservers will receive less query traffic since most queries are answered by resolving name servers. Conversely, the shorter the TTL, the faster any changes you make to your DNS will propagate to servers that have cached data; however, your domain will receive more query traffic.

Recommended values:

Records that are static and don’t change often should have TTLs set between 1800 (on the low end) and 86400 seconds (30 minutes to 1 day of caching).

Records configured with Failover or that change often should have TTLs set anywhere from 180 to 600 seconds (3 to 10 minutes of caching).

If a change is needed for a record with a high TTL, the TTL can be lowered prior to making the change and then raised back up again after the change has been made.

C) Providers Specify the domain name of the CA provider to which the CAA record applies. The “Data” field will automatically populate with the FQDN of the CA provider. If your CA is not in this list, select Other and enter the domain name in the Value box.

The <character-string> encoding of the value field is specified in [RFC1035], Section 5.1.

D) Tag Allows you to choose how you want certificates to be issued by the CA. Each CAA record can contain only one tag-value pair.


  • issue: Explicitly authorizes a single certificate authority to issue a certificate (any type) for the hostname.
  • issuewild: Authorization to issue certificates that specify a wildcard domain. Please note: issuewild properties take precedence over issue properties when specified.
  • iodef: (Incident Description Exchange Format) Specifies a means of reporting certificate issue requests or cases of certificate issue for the corresponding domain that violate the security policy of the issuer or the domain name holder.

E) Issuer Critical There is currently only one flag defined, “issuer critical”, set with a value of 1. If a CA does not understand the property on a record that has the issuer critical flag set, the CA will refuse to issue the certificate.

All records will have the default issuer critical value of 0, which means they are “not critical”.

F) Notes Add a helpful note with keywords so you can search for your records later.

G) Save Save your record changes and don’t forget to commit your changes after you’re done making record changes for this domain!

CAA Record

Canonical Format

When you are configuring CAA records you will need to present the record values in the following format:

<flags> <tag> <value>

example.com. CAA 0 issue "ssl.com"


Use Cases

  • CAA records are intended to prevent CAs from improperly issuing certificates.
  • CAA records can set policy for the entire domain, or for specific hostnames.
  • CAA records are also inherited by subdomains, therefore a CAA record set on example.com will also apply to any subdomain, such as subdomain.example.com (unless overridden).
  • CAA records can control the issuance of single-name certificates, wildcard certificates, or both.

Let’s create a CAA record for a domain which authorizes certificates to be issued by Comodo and SSL.

example.com. CAA 0 issue "comodo.com"

example.com. CAA 0 issue "ssl.com"

What if we want only Comodo to issue certificates? We would change the flag value to 1.

example.com. CAA 1 issue "comodo.com"

example.com. CAA 0 issue "ssl.com"

If Comodo does not understand the record information, it will not return a certification. Instead, SSL will respond.

Now, what if we wanted to allow SSL to issue a wildcard certificate? We would change the tag value to issuewild.

example.com. CAA 0 issue "comodo.com"

example.com. CAA 0 issuewild "ssl.com"

Since issuewild takes precedence for wildcard names, Comodo will not be able to issue a wildcard certificate.

If you want to receive policy violation reports from CAs, change the tag to iodef and replace the provider value with your contact email address preceded by mailto:

example.com. CAA 0 iodef "mailto:admin@example.com"
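The Canonical Format and Use Cases sections above describe the rules a CA applies when it reads a CAA RRset: inheritance from the parent name, issue versus issuewild precedence, the issuer critical flag, and the iodef contact. The following is an added example, not code from the original article or its DNS provider, that models those rules so you can check what a given record set actually permits before publishing it. The zone data inside it is constructed for illustration; the owner names, CA domains and the `futuretag` property are assumptions, and the record set mirrors the article's Comodo/SSL examples.

```python
"""Evaluate CAA authorization the way RFC 6844 describes it.

Added example (not from the original article): loads CAA records written in
the canonical <flags> <tag> <value> form, finds the relevant RRset by
climbing toward the root (inheritance), and applies the issue / issuewild /
issuer-critical rules a CA must follow. All zone data below is constructed.
"""
import re
from dataclasses import dataclass

# RFC 6844 defines the issuer-critical flag as the most significant bit of
# the one-byte flags field, so in zone-file notation a critical record
# carries flags=128. (The article's UI presents the same flag as 1/0.)
CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# <owner> [TTL] [IN] CAA <flags> <tag> "<value>"
_RR = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$', re.I)


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self):
        return bool(self.flags & CRITICAL)


def _norm(name):
    """Lower-case a DNS name and drop the trailing dot so names compare equal."""
    return name.rstrip(".").lower()


def parse_caa(line):
    """Parse one presentation-format record into (owner, CAA)."""
    m = _RR.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    owner, flags, tag, value = m.groups()
    if not 0 <= int(flags) <= 255:
        raise ValueError(f"flags must fit in one byte: {line!r}")
    return _norm(owner), CAA(int(flags), tag.lower(), value)


def load_zone(lines):
    """Group records by owner name: {'example.com': [CAA, ...]}."""
    zone = {}
    for line in lines:
        owner, rr = parse_caa(line)
        zone.setdefault(owner, []).append(rr)
    return zone


def relevant_rrset(zone, name):
    """The RRset governing `name`: its own, else the closest ancestor's.

    This is the inheritance the article describes: a record on example.com
    applies to www.example.com unless www.example.com publishes its own.
    """
    labels = _norm(name).split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'.

    An empty issuer domain (a value of ';') authorizes nobody at all.
    """
    return _norm(value.split(";", 1)[0].strip())


def may_issue(zone, name, ca_domain):
    """Would the CA identified by ca_domain be allowed to issue for `name`?"""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(zone, name[2:] if wildcard else name)
    if not rrset:
        return True      # no CAA policy published: issuance is unrestricted
    if any(rr.critical and rr.tag not in KNOWN_TAGS for rr in rrset):
        return False     # critical property we cannot interpret: must not issue
    # issuewild governs wildcard names and takes precedence over issue; for
    # non-wildcard names issuewild records are ignored entirely.
    tag = "issuewild" if wildcard and any(rr.tag == "issuewild" for rr in rrset) else "issue"
    authorized = {issuer_domain(rr.value) for rr in rrset if rr.tag == tag}
    if not authorized:
        return True      # only iodef (or nothing for this tag) is published
    return _norm(ca_domain) in authorized


def iodef_contacts(zone, name):
    """Where a CA should report requests that violate the published policy."""
    return [rr.value for rr in relevant_rrset(zone, name) if rr.tag == "iodef"]


# Constructed zone mirroring the article's examples, plus two edge cases.
ZONE = load_zone([
    'example.com.        CAA 0   issue     "comodo.com"',
    'example.com.        CAA 0   issuewild "ssl.com"',
    'example.com.        CAA 0   iodef     "mailto:admin@example.com"',
    'locked.example.com. CAA 0   issue     ";"',   # explicitly: nobody may issue
    'legacy.example.com. CAA 128 futuretag "x"',   # critical flag on an unknown tag
])

if __name__ == "__main__":
    for name, ca in [("www.example.com", "comodo.com"), ("www.example.com", "ssl.com"),
                     ("*.example.com", "ssl.com"), ("*.example.com", "comodo.com"),
                     ("locked.example.com", "comodo.com"),
                     ("legacy.example.com", "comodo.com"), ("other.test", "comodo.com")]:
        verdict = "may issue" if may_issue(ZONE, name, ca) else "MUST NOT issue"
        print(f"{ca:>10} -> {name:<20} {verdict}")
    print("report violations to:", iodef_contacts(ZONE, "www.example.com"))
```

Run it as a script to see the verdict for each (name, CA) pair. Note that a name with no CAA records anywhere up its tree is unrestricted: publishing the iodef contact alone does not limit who may issue, only where violations are reported.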


How to Configure CAA Records

1. Select Managed DNS and click on Domains

2. Select the Domain Name you want to add a CAA record to.

3. Under the CAA Records section, click the plus icon to add a record.

4. In this screen, you will add the record information. Follow the steps below:

A) Name: This will be the identifier for your record. It is important to note, the domain name is automatically appended to the “Name” field of the record.
B) TTL: Edit the TTL. Time to Live is measured in seconds and is the amount of time the record will cache in resolving name servers and web browsers.
C) Providers: In the drop-down menu choose your CA (certificate authority) provider. The hostname of your provider will automatically populate the Value box. If your provider is not listed, then choose Other and enter the hostname of the provider in the Value box.
D) Tag: Tags allow you to choose how you want certificates to be issued by the CA. Each CAA record can contain only one tag-value pair. Refer to the Configuration section for more details on the kinds of tags.
E) Note: Add a helpful note with keywords so you can search for your records later.
F) Save and Close: Save your changes. Don’t forget to commit your changes.

Information on the NX Domain feature can be found in the Disabling a Record tutorial.
