CAA record (Certification Authority Authorization) – a CAA record determines which certificate authority (CA) is allowed to issue SSL certificates for a domain. CAA records can set rules for the whole domain or for specific subdomains.
The purpose of the CAA record is to let the domain holder declare which certificate authorities are allowed to issue certificates for the domain. A certificate authority (CA) is an entity that holds the permission to issue SSL certificates.
It also offers the option to be warned when someone requests a certificate from a non-authorised CA. If there is no CAA record on the domain, any certificate authority can issue an SSL certificate for the domain. If a CAA record is created on the domain, only the certificate authority named in this DNS record can issue an SSL certificate for the domain.
CAA record form
A CAA record consists of several parts:
- For address – if you leave this field prefilled, the record applies to the main domain and all subdomains. If you enter a subdomain name in this field, the record is created only for that subdomain.
- CA identifier – identifier of the certification authority that will be able to issue a certificate for your domain. It may be in the form of a certificate authority domain (for issue, e.g. letsencrypt.org) or in the form of an e-mail or www address (for iodef, used for reporting a violation of the rules).
- Critical for distributor – also called the flag. This parameter defines how critical the record is. The number is always determined by the certification authority.
- Tag – defines the property of the CAA record. There are the tags issue (all types of SSL certificate from the certificate authority), issuewild (for wildcard certificates) and iodef (e-mail or www address for reporting a violation of the rules).
- TTL – this parameter defines how long the provider's servers may cache this DNS setting. The value is in seconds.

After the mandatory fields are filled in, select Create.
Example 1 – certificate authority Let’s Encrypt
Leave the field For address empty, enter letsencrypt.org as the CA identifier, check the option Critical for distributor, keep the tag issue and TTL 600. The record will be as follows:
@ 600 IN CAA 128 issue "letsencrypt.org"
Example 2 – setting an e-mail for contact in the case of problems
Leave For address blank, enter mailto:notice@domena.tld as the CA identifier, check "Critical for distributor", select the tag iodef and leave TTL at 600. The record will be as follows:
@ 600 IN CAA 128 iodef "mailto:notice@domena.tld"
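As an added example that is not part of this help page, the checker below applies the rules described above (no CAA record means any CA may issue, a record limits issuance to the CA it names, and a record on a subdomain governs only that subdomain) to a constructed zone holding the two records from the examples. The parent-walk and wildcard handling follow RFC 8659 and are an assumption of this example; the shop.domena.tld record and the example-ca.test issuer are invented sample values.

```python
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]   # (flags, tag, value)
CRITICAL = 128                     # the "Critical for distributor" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone (not a real DNS query): the two records from the
# examples above plus an invented subdomain-only record to show that a
# record set on a subdomain replaces the parent's set for that name.
ZONE: Dict[str, List[CaaRecord]] = {
    "domena.tld": [
        (128, "issue", "letsencrypt.org"),
        (128, "iodef", "mailto:notice@domena.tld"),
    ],
    "shop.domena.tld": [(0, "issue", "example-ca.test")],
}


def relevant_caa(name: str, zone: Dict[str, List[CaaRecord]]) -> Optional[List[CaaRecord]]:
    """Return the record set governing `name`: the name itself, otherwise the
    nearest parent that has one (RFC 8659 section 3). A leading wildcard
    label is dropped first. None means no record anywhere up the tree."""
    labels = (name[2:] if name.startswith("*.") else name).split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return None


def may_issue(ca: str, name: str, zone: Dict[str, List[CaaRecord]] = ZONE) -> bool:
    """Decide whether certificate authority `ca` may issue a certificate for `name`."""
    records = relevant_caa(name, zone)
    if records is None:
        return True          # no CAA record at all: any CA may issue
    # A critical record whose tag the CA does not understand blocks issuance.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    # Wildcard names are governed by issuewild when present, otherwise by issue.
    tag = "issue"
    if name.startswith("*.") and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    entries = [v for _, t, v in records if t == tag]
    if not entries:
        return True          # e.g. only an iodef record: issuance is not restricted
    # An empty issuer ("issue ;") forbids every CA; parameters after ';' are ignored.
    allowed = {v.split(";", 1)[0].strip().lower() for v in entries}
    return ca.lower() in allowed
```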