What Is a CAA Record
Learn how CAA records control which Certificate Authorities can issue SSL/TLS certificates for your domain. Includes examples for the DNScale dashboard and API.
A CAA (Certification Authority Authorization) record specifies which Certificate Authorities (CAs) are permitted to issue SSL/TLS certificates for your domain. CAA records are a security measure that helps prevent unauthorized certificate issuance.
How CAA Records Work
When a CA receives a certificate request, it must check for CAA records:
```
example.com. 3600 CAA 0 issue "letsencrypt.org"
```
This tells CAs: "Only Let's Encrypt may issue certificates for example.com."
If no CAA records exist, any CA can issue certificates. Once you add CAA records, only authorized CAs can issue.
Record Components
| Component | Description | Values |
|---|---|---|
| Flag | Critical flag | 0 (non-critical) or 128 (critical) |
| Tag | Property type | issue, issuewild, iodef |
| Value | CA domain or contact | "letsencrypt.org" |
Tags Explained
| Tag | Purpose |
|---|---|
| issue | Authorize CA for regular certificates |
| issuewild | Authorize CA for wildcard certificates |
| iodef | Report policy violations to this address |
Common Use Cases
Allow Single CA (Let's Encrypt)
```
example.com. 3600 CAA 0 issue "letsencrypt.org"
```
Allow Multiple CAs
```
example.com. 3600 CAA 0 issue "letsencrypt.org"
example.com. 3600 CAA 0 issue "digicert.com"
example.com. 3600 CAA 0 issue "sectigo.com"
```
Separate Regular and Wildcard Issuance
```
; Regular certs from Let's Encrypt
example.com. 3600 CAA 0 issue "letsencrypt.org"
; Wildcard certs from DigiCert only
example.com. 3600 CAA 0 issuewild "digicert.com"
```
Deny All Certificate Issuance
```
example.com. 3600 CAA 0 issue ";"
```
With Violation Reporting
```
example.com. 3600 CAA 0 issue "letsencrypt.org"
example.com. 3600 CAA 0 iodef "mailto:security@example.com"
example.com. 3600 CAA 0 iodef "https://example.com/caa-report"
```
Allow Wildcard Only from Specific CA
```
example.com. 3600 CAA 0 issue "letsencrypt.org"
example.com. 3600 CAA 0 issuewild ";" ; Deny all wildcards
```
Popular CA Identifiers
| CA | CAA Value |
|---|---|
| Let's Encrypt | letsencrypt.org |
| DigiCert | digicert.com |
| Sectigo (Comodo) | sectigo.com |
| GlobalSign | globalsign.com |
| GoDaddy | godaddy.com |
| Amazon (ACM) | amazon.com |
| Google Trust Services | pki.goog |
| Cloudflare | digicert.com (Cloudflare uses DigiCert) |
| ZeroSSL | sectigo.com |
Record Format
| Field | Description | Example |
|---|---|---|
| Name | Domain (usually apex) | @ or subdomain |
| Type | Record type | CAA |
| Flag | Critical flag | 0 or 128 |
| Tag | Property type | issue, issuewild, iodef |
| Value | CA identifier | letsencrypt.org |
| TTL | Time to live (seconds) | 3600 |
Adding a CAA Record
Using the Dashboard
- Navigate to your zone in the DNScale dashboard
- Click Add Record
- Configure the record:
  - Name: Usually `@` for apex domain
  - Type: Select `CAA`
  - Flag: Choose `0` (Non-critical) or `128` (Critical)
  - Tag: Select `issue`, `issuewild`, or `iodef`
  - Value: Enter the CA domain or contact address
  - TTL: Set the cache duration (default: 3600)
- Click Create Record
Using the API
Allow Let's Encrypt to issue certificates:
```
curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "@",
    "type": "CAA",
    "content": "0 issue \"letsencrypt.org\"",
    "ttl": 3600
  }'
```
Add wildcard authorization:
```
curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "@",
    "type": "CAA",
    "content": "0 issuewild \"letsencrypt.org\"",
    "ttl": 3600
  }'
```
Add violation reporting:
```
curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "@",
    "type": "CAA",
    "content": "0 iodef \"mailto:security@example.com\"",
    "ttl": 3600
  }'
```
API Response:
```
{
  "status": "success",
  "data": {
    "message": "Record created successfully",
    "record": {
      "id": "encoded-record-id",
      "name": "example.com.",
      "type": "CAA",
      "content": "0 issue \"letsencrypt.org\"",
      "ttl": 3600,
      "disabled": false
    }
  }
}
```
CAA Inheritance
CAA records are inherited by subdomains unless overridden:
```
; Apex CAA - applies to example.com and all subdomains
example.com. 3600 CAA 0 issue "letsencrypt.org"
; Override for specific subdomain
shop.example.com. 3600 CAA 0 issue "digicert.com"
```
In this case:
- example.com - Let's Encrypt only
- www.example.com - Let's Encrypt only (inherited)
- shop.example.com - DigiCert only (overridden)
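As an added example (not DNScale code), the Python below models how a CA evaluates CAA policy under RFC 8659 for the use cases above and the inheritance just described: it climbs from the requested name to the first name that has CAA records, applies `issue` for ordinary names and `issuewild` for wildcard names (falling back to `issue` when no `issuewild` record exists, as the RFC specifies), treats `";"` as a denial, and refuses issuance when a critical-flagged record carries a tag the CA does not understand. The zone data is constructed and no DNS queries are made.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # 0 = non-critical, 128 = critical
    tag: str     # issue, issuewild or iodef
    value: str   # CA identifier, ";" to deny, or a report address

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
# Constructed sample zone mirroring the use cases above (not real DNS data).
ZONE = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"), CAA(0, "issuewild", "digicert.com"),
                    CAA(0, "iodef", "mailto:security@example.com")],
    "shop.example.com": [CAA(0, "issue", "digicert.com")],
    "api.example.com": [CAA(0, "issue", "letsencrypt.org"), CAA(0, "issuewild", ";")],
    "odd.example.com": [CAA(128, "futuretag", "x"), CAA(0, "issue", "letsencrypt.org")],
}

def relevant_record_set(name, zone):
    """Climb from the FQDN toward the root; the first non-empty CAA set wins (RFC 8659 s3)."""
    fqdn = name[2:] if name.startswith("*.") else name  # a wildcard uses its parent name
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def ca_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca, name, zone):
    """True if CA identifier `ca` is authorised to issue a certificate for `name`."""
    rrset = relevant_record_set(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False  # critical property the CA does not understand: it must refuse
    wildcard = name.startswith("*.")
    rules = [r for r in rrset if r.tag.lower() == ("issuewild" if wildcard else "issue")]
    if wildcard and not rules:  # no issuewild present: the issue records apply instead
        rules = [r for r in rrset if r.tag.lower() == "issue"]
    if not rules:
        return True  # nothing restricts this request type (e.g. iodef only)
    return any(ca_domain(r.value) == ca.lower() for r in rules)

def iodef_targets(name, zone):
    # Where a CA should report a request that the CAA policy rejected.
    return [r.value for r in relevant_record_set(name, zone) if r.tag.lower() == "iodef"]
```

Note that once `shop.example.com` has its own record set, the apex `iodef` address no longer applies to it, because the relevant record set is the nearest one, not a merge of all levels.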
Best Practices
- Start with monitoring - Add `iodef` records to receive reports before restricting issuance
- Include your actual CA - Before adding restrictive records, verify which CA you use
- Plan for wildcards - Remember `issuewild` is separate from `issue`
- Use non-critical flag (0) - Only use flag 128 if you want strict enforcement
- Update before changing CAs - Add new CA authorization before switching providers
- Don't forget subdomains - Check if subdomains need different policies
Troubleshooting Certificate Issuance
If certificate issuance fails after adding CAA records:
- Verify CAA records exist:
  ```
  dig CAA example.com
  ```
- Check for correct CA identifier:
  - Contact your CA for exact identifier
  - Some CAs use parent company identifiers
- Verify wildcard authorization:
  - `issuewild` is required for wildcard certificates
  - If only `issue` exists, wildcards will fail
- Check subdomain inheritance:
  - Subdomains inherit parent CAA unless overridden
Testing CAA Records
```
# Query CAA records
dig CAA example.com
# Check with specific nameserver
dig CAA example.com @ns1.dnscale.eu
# Use online tools
# - SSLLabs SSL Test
# - CAA Test (caatest.co.uk)
```
Related Record Types
Conclusion
CAA records are a simple but effective security measure for controlling SSL/TLS certificate issuance. By specifying which CAs can issue certificates for your domain, you reduce the risk of unauthorized certificate creation. DNScale makes it easy to configure CAA records with intuitive tag selection for issue, issuewild, and iodef policies.