
CAA Record

Restricts which Certificate Authorities may issue TLS certificates for your domain — a key DNS-layer defense against certificate misissuance.

Overview

Certification Authority Authorization

CAA records (RFC 8659) allow domain owners to specify which Certificate Authorities (CAs) are permitted to issue TLS certificates for their domain. Before issuing a certificate, CAs are required (by CA/Browser Forum rules since 2017) to check for CAA records and refuse to issue if they are not listed.

Without CAA records, any of the hundreds of trusted CAs in browser root stores can issue a certificate for your domain — creating risk from compromised or misissuing CAs. CAA records dramatically reduce this attack surface to just the CAs you explicitly authorize.

  • CAs must check CAA records before issuing — the check is mandatory per CA/B Forum Baseline Requirements
  • Multiple CAA records are allowed and combined: a CA is authorized if it appears in any issue record
  • CAA records are inherited by subdomains unless the subdomain has its own CAA records
  • An empty/absent CAA record = any CA may issue
  • Does not affect certificates already issued — only prevents future issuance
  • Does not prevent a CA from issuing if they have a bug/policy violation — it's a policy control, not a cryptographic one
; Syntax
; Name [TTL] IN CAA flags tag "value"
; Flags: 0 = non-critical, 128 = critical
; Tags: issue, issuewild, iodef

; Allow Let's Encrypt and Sectigo
@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issue "sectigo.com"

; Restrict wildcard certs to one CA
@ IN CAA 0 issuewild "sectigo.com"

; Block all wildcard certificate issuance
@ IN CAA 0 issuewild ";"

; Receive violation reports by email
@ IN CAA 0 iodef "mailto:security@example.com"

; Allow only Let's Encrypt (nothing else)
@ IN CAA 0 issue "letsencrypt.org"
; (omitting all other CAs blocks them)
issuewild is Separate from issue

issue controls DV and OV certificates. issuewild controls wildcard certificates (*.example.com) separately. If you publish issue but no issuewild, wildcards inherit from issue. Use issuewild ";" to explicitly block all wildcard issuance.
Tag Reference

CAA Tags Explained

issue

Authorizes a CA to issue standard (non-wildcard) certificates for the domain and all subdomains. The value is the CA's domain as listed in their CAA policy. Use ";" as the value to prohibit all issuance.

@ CAA 0 issue "letsencrypt.org"
@ CAA 0 issue "pki.goog"          ; Google Trust Services
@ CAA 0 issue ";"                 ; prohibit all issuance
issuewild

Authorizes a CA to issue wildcard certificates (*.example.com) specifically. If absent, wildcards inherit from issue. If present, only CAs listed in issuewild may issue wildcards.

@ CAA 0 issuewild "sectigo.com"   ; only Sectigo wildcards
@ CAA 0 issuewild ";"             ; block all wildcards
iodef

Specifies a URL where CAs should send violation reports when they receive a certificate request that would violate the CAA policy. Supports mailto: and https: URLs. Not all CAs implement this.

@ CAA 0 iodef "mailto:security@example.com"
@ CAA 0 iodef "https://example.com/caa-report"
Critical flag (128)

Setting the flag to 128 (critical) means a CA must refuse to issue if it does not understand the tag. Use 0 (non-critical) for the standard tags. With the critical flag set, a CA that would otherwise ignore an unknown tag must refuse to issue instead.

@ CAA 128 issue "letsencrypt.org"
; A CA that doesn't recognize "issue"
; must refuse to issue — critical flag
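As an added example (not code from this page), the function below applies the rules described in the Syntax section and the tag reference above to a constructed zone: subdomains inherit the nearest parent's CAA RRset, wildcard requests use issuewild when present and fall back to issue otherwise, a bare ";" authorizes nobody, and a critical record with an unrecognized tag blocks issuance. The names CAA, ZONE, relevant_rrset and ca_may_issue are chosen here, and the zone is an in-memory dictionary rather than a live DNS lookup.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # 0 = non-critical, 128 = critical
    tag: str     # issue, issuewild, iodef, or a tag the CA does not know
    value: str   # issuer domain such as "letsencrypt.org", or ";" for nobody

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data (not a real domain's records): the apex allows two
# CAs, restricts wildcards to one, and a subdomain publishes a deny-all.
ZONE = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issue", "sectigo.com; validationmethods=dns-01"),
        CAA(0, "issuewild", "sectigo.com"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAA(0, "issue", ";")],
}

def relevant_rrset(fqdn, zone):
    """Climb from the requested name toward the root and return the first
    non-empty CAA RRset (this is how subdomains inherit the parent policy)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []  # no CAA anywhere in the chain: issuance is unrestricted

def ca_may_issue(fqdn, ca_id, zone):
    """Return True if the CA identified by ca_id may issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, zone)
    # A critical record with a tag this CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    # Wildcards use issuewild when any exist, else fall back to issue;
    # non-wildcard requests ignore issuewild entirely.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    matching = [r for r in rrset if r.tag == tag]
    if not matching:
        return True  # e.g. only iodef records: nothing restricts issuance
    # Issuer domain is the text before any ";"-separated parameters;
    # a bare ";" yields "" and therefore authorizes no one.
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in matching} - {""}
    return ca_id.lower() in allowed
```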
Diagnostics

Querying CAA Records

Look up CAA records

# Query CAA records
dig thedns.guru CAA +short

# Full response
dig thedns.guru CAA

# Check subdomain inheritance
dig sub.thedns.guru CAA +short
# Empty = inherits from parent domain

Find your CA's CAA identifier

# Look up what identifier to use
# in your CAA record for major CAs:

# Let's Encrypt:
#   "letsencrypt.org"
# DigiCert / GeoTrust / Thawte:
#   "digicert.com"
# Sectigo (formerly Comodo):
#   "sectigo.com"
# Google Trust Services:
#   "pki.goog"
# ZeroSSL:
#   "sectigo.com" (same infra)