CAA records are used to specify which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for your domain. As of September 8, 2017, all CAs are required to check for these records before issuing a certificate. If no record is present, any CA may issue a certificate. Otherwise, only the specified CAs may issue certificates. CAA records can be applied to single hosts or to entire domains.
An example CAA record follows:
example.com. IN CAA 0 issue "letsencrypt.org"
The host, IN, and record type (CAA) are common DNS fields. The CAA-specific information above is the 0 issue "letsencrypt.org" portion. It is made up of three parts: flags (0), tags (issue), and values ("letsencrypt.org").
- Flags are an integer that indicates how a CA should handle tags it doesn't understand. If the flag is 0, a record whose tag the CA does not recognize will be ignored. If 1, the CA must refuse to issue the certificate.
- Tags are strings that denote the purpose of a CAA record. Currently they can be issue, to authorize a CA to create certificates for a specific hostname; issuewild, to authorize wildcard certificates; or iodef, to define a URL where CAs can report policy violations.
- Values are a string associated with the record's tag. For issue and issuewild this will typically be the domain of the CA you're granting the permission to. For iodef this may be the URL of a contact form, or a mailto: link for email feedback.
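As an added example (not code from the original page), the following Python walks through the decision the flags, tags and values above describe: find the CAA set that governs a name by climbing toward the root, refuse if a record with an unrecognized tag is marked critical, and otherwise check whether a named CA appears in the issue (or, for wildcards, issuewild) values. The critical flag is tested as the 128 bit of the flags octet, which is how RFC 6844 encodes the bit this page describes; the zone data is constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

CRITICAL = 128          # RFC 6844 issuer-critical bit of the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
# Presentation form shown on the page: <flags> <tag> "<value>"
_RR = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')

def parse_caa(rr: str) -> Tuple[int, str, str]:
    """Split '0 issue "letsencrypt.org"' into (flags, tag, value)."""
    m = _RR.match(rr.strip())
    if not m:
        raise ValueError(f"not a CAA record: {rr!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def relevant_caa_set(zone: Dict[str, List[str]], name: str) -> List[Tuple[int, str, str]]:
    """Walk from the host toward the root; the first name with CAA data governs it."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return [parse_caa(rr) for rr in zone[owner]]
    return []

def may_issue(zone: Dict[str, List[str]], name: str, ca: str, wildcard: bool = False) -> bool:
    """True if the CA named `ca` may issue for `name` under the relevant CAA set."""
    records = relevant_caa_set(zone, name)
    if not records:
        return True                                   # no CAA anywhere: unrestricted
    for flags, tag, _ in records:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False                              # critical unknown tag: must refuse
    tag = "issuewild" if wildcard else "issue"
    allowed = [v for _, t, v in records if t == tag]
    if wildcard and not allowed:                      # no issuewild: issue governs wildcards too
        allowed = [v for _, t, v in records if t == "issue"]
    if not allowed:
        return True                                   # e.g. only iodef present: no restriction
    # Value is "issuer-domain[; param=value ...]"; an empty issuer (";") forbids every CA.
    issuers = {v.split(";", 1)[0].strip().lower() for v in allowed}
    return ca.lower() in issuers

# Constructed zone data for the demonstration (not real DNS answers).
ZONE = {
    "example.com.": ['0 issue "letsencrypt.org"',
                     '0 iodef "mailto:security@example.com"'],
    "locked.example.com.": ['0 issue ";"'],
    "odd.example.com.": ['128 futuretag "whatever"'],
    "reportonly.example.com.": ['0 iodef "https://example.com/caa-report"'],
}
```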
You may use dig to fetch CAA records with the following command:
- dig example.com type257
For more detailed information about CAA records, you can read RFC 6844.