Certificate Authority Authorization (CAA) DNS records specify which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for your domain. CAA records are a critical security control that prevents unauthorized certificate issuance — even if an attacker compromises a CA, they cannot issue certificates for your domain if your CAA records do not authorize that CA.
How CAA Works
Before issuing a certificate, CAs are required (since September 2017) to check CAA records. If CAA records exist and do not authorize the CA, the certificate request is denied.
CAA Record Format
```dns
# Basic CAA record syntax
# domain CAA flags tag value
# Allow Let's Encrypt to issue certificates
example.com. CAA 0 issue "letsencrypt.org"
# Allow DigiCert for wildcard certificates
example.com. CAA 0 issuewild "digicert.com"
# Send violation reports to an email address
example.com. CAA 0 iodef "mailto:security@example.com"
# Send violation reports via HTTPS
example.com. CAA 0 iodef "https://example.com/caa-report"
```
Common CA Identifiers
```dns
# Let's Encrypt
example.com. CAA 0 issue "letsencrypt.org"
# DigiCert (includes GeoTrust, Thawte, RapidSSL)
example.com. CAA 0 issue "digicert.com"
# Sectigo (formerly Comodo)
example.com. CAA 0 issue "sectigo.com"
# Google Trust Services
example.com. CAA 0 issue "pki.goog"
# Amazon (ACM)
example.com. CAA 0 issue "amazon.com"
example.com. CAA 0 issue "amazontrust.com"
# Cloudflare (issues through DigiCert, Google Trust Services and Let's Encrypt)
example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 issue "pki.goog"
example.com. CAA 0 issue "letsencrypt.org"
```
Practical Configurations
Let's Encrypt Only
```dns
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild "letsencrypt.org"
example.com. CAA 0 iodef "mailto:security@example.com"
```
Multiple CAs
```dns
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 issuewild "digicert.com"
example.com. CAA 0 iodef "mailto:security@example.com"
```
Block All Certificate Issuance
```dns
# Prevent any CA from issuing certificates
example.com. CAA 0 issue ";"
example.com. CAA 0 issuewild ";"
```
Subdomain CAA Records
```dns
# CAA records are inherited — subdomains use parent CAA if none set
# Override for specific subdomains:
staging.example.com. CAA 0 issue "letsencrypt.org"
internal.example.com. CAA 0 issue ";" # No certs allowed
```
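To make the inheritance and wildcard rules above concrete, here is an added example (not from the original page, and not a CA's real implementation) that performs the RFC 8659 issuance decision offline against a constructed zone: it climbs toward the root to find the relevant CAA set, lets `issuewild` override `issue` for wildcard names, treats `";"` as "no issuer", and refuses on a critical (flag 128) property it does not understand.

```python
# Added example: the CAA issuance decision of RFC 8659, evaluated offline.
# ZONE is constructed data standing in for a real DNS lookup.

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# owner name -> list of (flags, tag, value); mirrors the records discussed above
ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "digicert.com"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "internal.example.com.": [(0, "issue", ";")],
    "legacy.example.com.": [(128, "unknowntag", "x")],  # critical, unknown tag
}


def relevant_rrset(name, zone):
    """Climb from name toward the root and return the first non-empty CAA
    RRset found: the Relevant RRset of RFC 8659 section 3."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def issuer_of(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'.
    A bare ';' yields '' which matches no CA, i.e. nobody may issue."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name, ca_domain, zone, wildcard=False):
    """True if ca_domain may issue for name (or for *.name when wildcard)."""
    rrset = relevant_rrset(name, zone)
    # A property the CA does not understand, marked critical, forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # For a wildcard name, issuewild (when present) replaces issue entirely.
    applicable = issuewild if wildcard and issuewild else issue
    if not applicable:
        return True  # no issue-type restriction anywhere in the chain
    return ca_domain.lower() in {issuer_of(v) for v in applicable}
```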
Verifying CAA Records
```sh
# Check CAA records
dig example.com CAA +short
# Expected output:
# 0 issue "letsencrypt.org"
# 0 iodef "mailto:security@example.com"
# Online tools:
# https://caatest.co.uk
# https://mxtoolbox.com/SuperTool.aspx?action=caa
```
Troubleshooting Certificate Issuance
```sh
# Let's Encrypt fails with "CAA check failed"
# 1. Verify CAA records include letsencrypt.org
dig example.com CAA
# 2. Check parent domain — CAA is inherited
dig com. CAA # Should not block
# 3. Wait for DNS propagation after adding CAA records
# CAA lookups use the authoritative nameservers
# 4. Check for DNSSEC issues — if the zone is DNSSEC-signed, a broken
#    signature chain makes the CAA lookup fail and the CA must refuse to issue
dig example.com CAA +dnssec
```
Best Practices
- Always set CAA records — they are a free security measure against unauthorized certificate issuance
- Include an `iodef` record to receive reports when unauthorized issuance is attempted
- Use `issuewild` separately from `issue` to control wildcard certificate issuance independently
- Audit CAA records when changing certificate providers
- Use CAA with Certificate Transparency monitoring for defense in depth
- Test CAA records before deploying — incorrect records can block legitimate certificate renewal