Stands For: Certification Authority Authorization
Definition: A Certification Authority Authorization (CAA) record is a type of resource record in the Domain Name System (DNS) that gives domain owners a way to specify which Certificate Authorities (CAs) are permitted to issue digital certificates (e.g., SSL/TLS certificates) for their domain.
Key Characteristics:
- Purpose: To prevent the mis-issuance of certificates for a domain by creating a security policy that compliant CAs must adhere to. This reduces the risk of unauthorized or fraudulent certificates being issued.
- How it Works: Before issuing a certificate, a CA is required to query the DNS for a CAA record on the corresponding domain.
- If a CAA record exists, the CA checks if its own name is present in the record. If it is not listed, the CA is prohibited from issuing the certificate.
- If no CAA record is found for a domain, any CA is allowed to issue a certificate for it.
- Structure: A CAA record consists of three main parts:
  - Flags: An integer, most commonly 0.
  - Tag: Specifies the type of policy being set. The three standard tags are:
    - issue: Authorizes a specific CA to issue non-wildcard certificates.
    - issuewild: Authorizes a specific CA to issue wildcard certificates.
    - iodef (Incident Object Description Exchange Format): Provides a method (like an email address) for CAs to report policy violations.
  - Value: The value associated with the tag, such as the domain name of the authorized CA (e.g., "letsencrypt.org").
- Inheritance: The policy set by a CAA record on a parent domain applies to all its subdomains, unless a subdomain has its own specific CAA record.
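The following is an added worked example, not part of the original glossary entry and not any CA's actual code. It parses CAA records in their zone-file presentation form (flags, tag, quoted value), walks from a requested name toward the root to find the relevant CAA record set (the inheritance rule above), and then applies the issue / issuewild / flags semantics to decide whether a named CA is permitted to issue. The zone data is a constructed in-memory dictionary standing in for real DNS answers; the CA names and contact address are sample values.

```python
from dataclasses import dataclass

# Flag bit 7 ("issuer critical"): a CA that does not understand the tag it is
# attached to must not issue. Assumed here from the CAA specification.
ISSUER_CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(text):
    """Parse the presentation form '<flags> <tag> "<value>"' used in zone files."""
    flags_s, tag, rest = text.split(maxsplit=2)
    flags = int(flags_s)
    if not 0 <= flags <= 255:
        raise ValueError("CAA flags are a single byte")
    value = rest.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(flags, tag.lower(), value)


# Constructed sample zone (not real DNS answers): the apex allows one CA for
# ordinary certificates, forbids wildcards with ";", names an iodef contact,
# and one subdomain overrides the parent policy with its own record.
ZONE = {
    "example.com": [
        parse_caa('0 issue "letsencrypt.org"'),
        parse_caa('0 issuewild ";"'),
        parse_caa('0 iodef "mailto:security@example.com"'),
    ],
    "legacy.example.com": [parse_caa('0 issue "digicert.com"')],
    "odd.example.com": [parse_caa('128 futuretag "x"')],  # unknown critical tag
}


def relevant_rrset(domain, zone):
    """Climb from the requested name toward the root; the first name that has a
    CAA record set is the one whose policy applies (subdomains inherit)."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def issuer_domain(value):
    """The issuer is the part of an issue/issuewild value before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(domain, ca, zone, wildcard=False):
    """Return (allowed, reason) for a CA wanting to issue for `domain`."""
    name, records = relevant_rrset(domain, zone)
    if not records:
        return True, "no CAA record found up to the root; issuance unrestricted"
    for r in records:
        if r.tag not in KNOWN_TAGS and r.flags & ISSUER_CRITICAL:
            return False, f"unknown critical tag {r.tag!r} at {name}"
    # Wildcard requests are governed by issuewild when present, else by issue.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    issuers = {issuer_domain(r.value) for r in records if r.tag == tag}
    if not issuers:
        return True, f"CAA at {name} has no {tag} property; issuance unrestricted"
    if ca.lower() in issuers:
        return True, f"{ca} authorized by {tag} at {name}"
    return False, f"{ca} not in {tag} set {sorted(issuers)} at {name}"


if __name__ == "__main__":
    for dom, ca, wild in [("www.example.com", "letsencrypt.org", False),
                          ("www.example.com", "letsencrypt.org", True),
                          ("legacy.example.com", "letsencrypt.org", False),
                          ("other.org", "anyca.example", False)]:
        print(dom, ca, "wildcard" if wild else "", ca_may_issue(dom, ca, ZONE, wild))
```

Note that a value of ";" yields an empty issuer domain, so no CA can match it; that is how a domain forbids wildcard (or all) issuance while still publishing a record. Walking the tree explains why a parent's record covers every subdomain unless the subdomain publishes its own.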
Common Use Cases:
- Enforcing a corporate policy to only use certificates from specific, approved vendors.
- Adding a layer of security to prevent unauthorized certificate issuance.
- Providing CAs with a contact point for reporting potential issues.
Usage Note: As of June 2025, checking for CAA records is mandatory for all public Certificate Authorities. While domain owners are not required to create CAA records, doing so is considered a security best practice to control which CAs can issue certificates for your domain.