Updated on: January 21, 2025

What is a CAA record

A CAA record, or Certificate Authority Authorization record, is a type of DNS record that adds an extra layer of security to your domain. It specifies which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for your domain. This helps prevent unauthorized or fraudulent certificates from being created.


How does a CAA record work

When you request an SSL/TLS certificate for your domain, the CA checks your DNS for a CAA record. If the record exists, the CA verifies whether it is authorized to issue the certificate. If the CAA record does not include the CA’s name, the request is denied.

For example, if your CAA record specifies “letsencrypt.org,” only Let’s Encrypt can issue a certificate for your domain. If another CA, like DigiCert, tries to issue a certificate, it will fail.

This process ensures that only trusted CAs, approved by you, can issue certificates. It reduces the risk of unauthorized certificates being used for phishing or other malicious activities.

Understanding key components

CAA records consist of a few key components that define their function.

  • Flag: This value is typically set to “0” for standard rules. It indicates how the record should be interpreted. A flag of “1” marks the record as critical: a CA that does not recognize the record’s tag must refuse to issue rather than ignore it.
  • Tag: The tag specifies the type of rule being set. Common tags include:
    • issue: Authorizes a CA to issue certificates for your domain.
    • issuewild: Authorizes a CA to issue wildcard certificates for subdomains.
    • iodef: Specifies an email address or URL where reports of unauthorized certificate requests should be sent.
  • Value: This is the name of the authorized CA, such as “letsencrypt.org” or “digicert.com.”
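To make the check concrete, here is an added Python example (not code from the original article) that evaluates CAA records the way the “How does a CAA record work” section describes, using the flag, tag and value components listed above; it also climbs to the parent domain when a name has no CAA records of its own, as RFC 8659 specifies. The zone contents, CA names and the accounturi parameter are constructed assumptions.

```python
# Added example: a CAA policy check following the issuance rules of RFC 8659.
# Zone contents and CA names below are constructed for illustration only.
from collections import namedtuple

CRITICAL = 128  # issuer-critical bit of the flags byte; many DNS UIs display it as "1"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CAA = namedtuple("CAA", "flags tag value")

# Constructed zone: only Let's Encrypt may issue for example.com and its subdomains,
# wildcards are forbidden, reports go by e-mail; dev.example.com has its own policy.
ZONE = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "dev.example.com": [CAA(0, "issue", "digicert.com; accounturi=https://acme.example/acct/1")],
}

def relevant_rrset(zone, name):
    """RFC 8659 s.3: use the CAA set at the name itself, otherwise climb to the parent."""
    labels = name.lower().rstrip(".").split(".")
    while len(labels) > 1:  # do not consult the TLD itself
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def issuer_domain(value):
    # "ca.example; key=val" -> "ca.example"; a bare ";" authorises nobody
    return value.split(";", 1)[0].strip().lower()

def may_issue(zone, name, ca):
    """Decide whether CA `ca` may issue for `name` (a leading "*." requests a wildcard)."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name  # simplification: search starts at the base name
    rrset = relevant_rrset(zone, base)
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False  # a critical record the CA does not understand blocks issuance
    tags = {r.tag.lower() for r in rrset}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    rules = [r for r in rrset if r.tag.lower() == tag]
    if not rules:
        return True  # no issue/issuewild rule applies: CAA does not restrict this CA
    return ca.lower() in {issuer_domain(r.value) for r in rules}

def report_targets(zone, name):
    """iodef values: where a CA should send reports about refused requests."""
    return [r.value for r in relevant_rrset(zone, name) if r.tag.lower() == "iodef"]
```

Running the same checks against live DNS means replacing ZONE with the output of a dig query for each name.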

How to check your CAA records

Checking your CAA records is important for verifying your domain’s security setup. Start by logging into your domain registrar or DNS hosting provider. Navigate to the DNS management section, where you’ll find all your DNS records.

Look for entries labeled as “CAA.” These will display the flag, tag, and value associated with each record. Verify that the records list the correct CAs you want to authorize.

You can also use external tools like MXToolbox or command-line utilities like dig to query your domain’s DNS.

Common problems and how to fix them

Issues with CAA records can disrupt your domain’s security or certificate issuance. Understanding and fixing these problems is key to maintaining control over your domain.

  • Missing CAA Records: If no CAA record exists, any CA can issue certificates for your domain. Add CAA records to specify which CAs are authorized.
  • Incorrect CA Name: If the value in the CAA record is incorrect, authorized CAs may fail to issue certificates. Double-check the CA name provided in the record.
  • Conflicts Between Records: If multiple CAA records exist with conflicting rules, certificate requests may be denied. Ensure all CAA records align with your intended setup.
  • Propagation Delays: Changes to CAA records can take time to propagate across the internet. Plan updates in advance and verify the records once propagation is complete.
  • Unclear Reporting Configuration: If you use the iodef tag for incident reports, ensure the email address or URL is monitored and active. Otherwise, you might miss critical security alerts.