Learn how CAA records help control which Certificate Authorities can issue SSL/TLS certificates for your domain
A CAA (Certificate Authority Authorization) record specifies which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for your domain. It's like having a list of trusted locksmiths who are allowed to make keys for your house.
Format:
domain.com. IN CAA flag tag "value"
Examples:
# Allow Let's Encrypt to issue certificates
example.com. IN CAA 0 issue "letsencrypt.org"

# Specify the email address that receives violation reports
example.com. IN CAA 0 iodef "mailto:security@example.com"

# Only allow one specific CA, for both regular and wildcard certificates
example.com. IN CAA 0 issue "sectigo.com"
example.com. IN CAA 0 issuewild "sectigo.com"
Think of CAA records like a VIP guest list for your domain's security:
Control which CAs can issue certificates for your domain and subdomains.
Stop unauthorized CAs from issuing certificates for your domain.
Receive notifications (via the iodef tag) when someone attempts to issue unauthorized certificates.
Common pitfalls:
Setting overly restrictive CAA records, which can block legitimate certificate issuance.
Forgetting to set issuewild tags when wildcard certificates are needed (without them, the issue records also govern wildcard issuance).
Best practices:
Always include an iodef record so you receive violation reports.
Periodically review and update your CAA records to match your certificate needs.
Verify CAA records work as expected before deploying to production.
Implement DNSSEC to prevent tampering with CAA records.
Monitor CAA records and certificate issuance attempts.
Have a plan for responding to unauthorized certificate issuance attempts.
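To make the issuewild pitfall and the "verify before deploying" advice concrete, here is an added example (not code from the original page) that evaluates the CAA issuance rule offline against a constructed zone: it climbs to the closest ancestor with CAA records, uses issuewild for wildcard names and falls back to issue when none is set, and refuses issuance when an unknown tag carries the critical flag. The zone contents, the CA names and the helper names are assumptions made for the example.

```python
# Added example: offline evaluator of the CAA issuance rule (RFC 8659 semantics).
# Values are assumed to be a bare CA domain, optionally followed by ";parameters".

CRITICAL = 128                      # flags bit: record must be understood
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone: owner name -> list of (flags, tag, value)
ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "sectigo.com"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com.": [(0, "issue", ";")],        # nobody may issue
    "odd.example.com.": [(CRITICAL, "futuretag", "x")],  # unknown critical tag
}

def relevant_rrset(name):
    """Climb the tree: the first (closest) ancestor with a CAA RRset decides."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if ZONE.get(candidate):
            return ZONE[candidate]
    return []

def may_issue(ca, name):
    """Return True if `ca` is permitted to issue a certificate for `name`."""
    wildcard = name.startswith("*.")
    # A wildcard name is evaluated against the CAA records of its parent.
    rrset = relevant_rrset(name[2:] if wildcard else name)
    # An unrecognised tag with the critical bit set forbids issuance outright.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    governing = issuewild if wildcard and issuewild else issue
    if not governing:
        return True  # no applicable property found: any CA may issue
    # Compare the CA domain before any ";parameter"; "issue ;" matches nobody.
    return any(v.split(";")[0].strip().lower() == ca.lower() for v in governing)
```

Run the same checks against your real records (for example with `dig CAA example.com`) before relying on them in production.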