What Is a CAA Record in DNS?


Controlling Which Certificate Authorities Can Issue for Your Domain

In the world of HTTPS and secure web browsing, SSL/TLS certificates play a crucial role in proving your domain's authenticity. But how do you stop just anyone from requesting a certificate for your site? That is where CAA records come in.

CAA stands for Certification Authority Authorization, and it is a DNS record that tells certificate authorities (CAs) whether they are allowed to issue certificates for your domain. Think of it as an access control list that lives right in your DNS settings.

Why CAA Records Matter

Without a CAA record, any trusted certificate authority can issue certificates for your domain. That may sound fine at first, but it opens the door to accidental or malicious issuance. A poorly configured CA could create a fake certificate for your site, putting your users at risk.

A CAA record lets you take control. You can specify exactly which CA is allowed to issue certificates and block everyone else.

What a CAA Record Looks Like

example.com. IN CAA 0 issue "letsencrypt.org"

This line means only Let's Encrypt is authorized to issue certificates for example.com.

You can also allow reporting if unauthorized issuance is attempted:

example.com. IN CAA 0 iodef "mailto:[email protected]"
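As an added example (not code from the original article), the Python below reproduces the decision a CA makes under RFC 8659 for the two records above plus a few constructed neighbours: a CAA set is inherited by subdomains that have none of their own, an iodef-only set reports but does not restrict issuance, `issuewild ";"` denies every CA for wildcard names, and a critical flag (128) on a tag the CA does not recognise blocks issuance. The ZONE dictionary stands in for live DNS, and the mailbox address and the `futuretag` tag are constructed placeholders.

```python
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # flags bit: an unrecognised tag with this set blocks issuance

# Constructed stand-in for DNS: owner name -> CAA rdata in presentation format.
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"',
                    '0 iodef "mailto:caa-reports@example.com"'],  # constructed address
    "strict.example.com": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
    "notify.example.com": ['0 iodef "mailto:caa-reports@example.com"'],
    "legacy.example.com": ['128 futuretag "x"'],  # hypothetical unknown critical tag
}

@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

def parse_caa(rdata: str) -> CAARecord:
    """Parse '0 issue "letsencrypt.org"' into its flags, tag and unquoted value."""
    flags, tag, value = rdata.split(maxsplit=2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))

def relevant_rrset(zone: dict, name: str) -> list:
    """Climb toward the root; the first owner holding CAA records decides."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":          # *.example.com is looked up as example.com
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return [parse_caa(r) for r in rrset]
        labels = labels[1:]
    return []

def issuance_permitted(zone: dict, name: str, ca_domain: str) -> bool:
    """True if the CA identified by ca_domain may issue for name (parameters after ';' ignored)."""
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True   # no CAA anywhere up the tree: any trusted CA may issue
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & ISSUER_CRITICAL and r.tag not in known for r in rrset):
        return False  # critical tag the CA does not understand: must not issue
    wildcard = name.startswith("*.")
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    allowed = [r.value.split(";")[0].strip().lower() for r in rrset if r.tag == tag]
    if not allowed:
        return True   # e.g. iodef only: reporting configured, issuance unrestricted
    return ca_domain.lower() in allowed  # issue ";" yields [""] and denies everyone
```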

Key Components

How to Check a CAA Record

Use the dig command like this:

dig CAA example.com

This will return all configured CAA records for the domain.

Best Practices

Summary

CAA records give you direct control over which certificate authorities can issue SSL/TLS certificates for your domain. They reduce the risk of mis-issuance and, through the iodef property, give you visibility into blocked issuance attempts. If you manage a domain that uses HTTPS, adding a CAA record is a smart move for security and compliance.



