A Certification Authority Authorization (CAA) record uses your DNS records to restrict which companies are allowed to issue SSL certificates for the domains that you own.
Restricting this with a CAA record reduces the chance of an SSL certificate being issued to someone that's not you, and provides logging to report back in such cases.
A typical CAA record might look like:
CAA 128 issue "letsencrypt.org"
This would tell the issuer that you only allow Let's Encrypt to issue certificates for your domain.
To break down the parts of that example record:
CAA 128 issue "letsencrypt.org"
This initial CAA is the record type, similar to other A or TXT records on your domain.
CAA 128 issue "letsencrypt.org"
This 128 is the flags field, i.e. `10000000` in binary. Most of these bits are reserved so that future flags can be set, but the first bit matters today: it specifies how an issuer should behave if it encounters a tag it doesn't understand. In our case the only tag we're using is the next word, 'issue', but this leaves room for future expansion as the CAA spec improves.
Right now this means that an issuer honouring the CAA record must recognise that 'issue' tag and act on it; because the bit is set, an issuer that doesn't understand a tag must not issue.
CAA 128 issue "letsencrypt.org"
This issue tag tells the issuer that you're authorizing issuance of certificates for this single domain; 'issuewild' is also supported, to authorize issuance of a wildcard certificate for this domain.
CAA 128 issue "letsencrypt.org"
The final field specifies which issuer is allowed to issue certificates for this domain.
A key part of the CAA spec allows you to specify multiple of these records, so your total CAA setup could look like:
CAA 128 issue "letsencrypt.org"
CAA 128 issuewild "letsencrypt.org"
CAA 128 issue "amazon.com"
CAA 128 issuewild "amazon.com"
CAA 128 iodef "mailto:caareport@example.com"
The key thing here is that you'd be allowing both Amazon and Let's Encrypt to issue certificates and wildcard certificates for your domain.
CAA 128 iodef "mailto:caareport@example.com"
This tells the issuers that if a certificate is requested from them, but they're not whitelisted by your issue/issuewild records, then an email should be triggered to that address.
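As an added example (not part of the original post), the small Python evaluator below parses records in the form shown above and applies the issue/issuewild/critical-flag rules the way an issuer would when deciding whether it may issue. The record set is the constructed one from this post, the CA names are illustrative, and 'futuretag' is a made-up unknown tag used to show the critical bit at work.

```python
import re

# Constructed sample: the record set described above, as it might appear in a zone file.
SAMPLE_RECORDS = """
CAA 128 issue "letsencrypt.org"
CAA 128 issuewild "letsencrypt.org"
CAA 128 issue "amazon.com"
CAA 128 issuewild "amazon.com"
CAA 128 iodef "mailto:caareport@example.com"
"""

CRITICAL = 0x80                  # the "issuer critical" bit: 128 == 0b10000000
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
# Accepts both "CAA 128 issue ..." and "example.com. CAA 128 issue ..." forms.
RECORD_RE = re.compile(r'^(?:\S+\s+)?CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')

def parse_caa(text):
    """Return a list of (flags, tag, value) tuples parsed from record lines."""
    records = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        records.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records

def ca_may_issue(records, ca_domain, wildcard=False):
    """Decide, as an issuer would, whether ca_domain may issue for this record set."""
    # A critical record whose tag the issuer does not understand forbids issuance
    # outright, regardless of any matching issue/issuewild records.
    for flags, tag, _ in records:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # Wildcard requests are governed by issuewild when present, else by issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True              # nothing published: the record set does not restrict
    # Values may carry parameters after ';'; a bare ";" means "no CA at all".
    allowed = {v.split(";")[0].strip().lower() for v in relevant}
    allowed.discard("")
    return ca_domain.lower() in allowed

def iodef_contacts(records):
    """Where an issuer should report a request that the policy does not allow."""
    return [v for _, t, v in records if t == "iodef"]
```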
If you're not quite ready to test your DNS CAA record yet, then perhaps worth a visit to: