Adding a CAA Record

A CAA record is a DNS record that lets Certificate Authorities know who is and isn’t authorized to issue digital certificates for a site. Though you’re not required to, we recommend setting one up to help defend against mis-issuance.

The DNS CAA record is specified by RFC 6844 and RFC 8659.

Structure of a CAA Record

Each CAA record has a flag, a property (tag) and a value, and is implemented in DNS as a Resource Record (RR) of type 257; a domain may have multiple CAA records. The flag affects how the record is interpreted. The property selects the type of CAA record, and the value carries its content (for example the name of a CA).

As of early 2019, only one bit of the flags field is defined: the issuer critical flag. When set, this bit has the value 128, and it means that a CA that cannot evaluate the entries in the CAA record is not allowed to issue a certificate for the domain.

In addition to the flag, the following three properties are defined:

  • issue
    This property allows a CA, which is defined in the value field, to issue a certificate for the affected domain.
  • issuewild
    This property works like the “issue” property, but only for wildcard certificates. For wildcard certificates, this entry takes precedence over the one under “issue”.
  • iodef
    This property allows the domain owner to optionally provide a contact address (such as a mailto: or https: URL) that the certification authority can use to report issuance requests that violate the CAA policy. Not all CAs support this property.

Examples of CAA Records

Sectigo is authorized to issue SSL certificates for example.com:

example.com. IN CAA 0 issue "sectigo.com"

Certum is authorized to issue SSL wildcard certificates for example.com:

example.com. IN CAA 0 issuewild "certum.pl"

DigiCert is authorized to issue SSL wildcard certificates for example.com:

example.com. IN CAA 0 issuewild "digicert.com"

Sectigo is authorized to issue SSL wildcard certificates for example.com:

example.com. IN CAA 0 issuewild "sectigo.com"

It’s possible to combine multiple rules using multiple records: in this example, Sectigo is authorized to issue wildcard certificates for example.com, DigiCert is authorized to issue certificates for example.com, and Certum is authorized to issue certificates for mail.example.com:

example.com. IN CAA 0 issuewild "sectigo.com"
example.com. IN CAA 0 issue "digicert.com"
mail.example.com. IN CAA 0 issue "certum.pl"
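As an added example (not code from the original page), here is a small Python evaluator for CAA records in the presentation format used above. It parses the combined zone, applies the issuewild-over-issue precedence and the issuer critical flag, and also performs the RFC 8659 ancestor lookup (which the page does not cover), so a name without its own records, such as www.example.com, falls back to the example.com records. The zone text, including the extra api.example.com record with an unknown property, is constructed for this example.

```python
import re

# Constructed zone in the page's own presentation format: the combined example
# above plus a fourth record for a subdomain carrying an unknown property with
# the issuer critical flag set (128).
ZONE = """
example.com.      IN CAA 0 issuewild "sectigo.com"
example.com.      IN CAA 0 issue "digicert.com"
mail.example.com. IN CAA 0 issue "certum.pl"
api.example.com.  IN CAA 128 unknowntag "example-value"
"""

CAA_RE = re.compile(r'^(\S+)\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')
CRITICAL = 128                                   # issuer critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}     # properties this evaluator understands

def parse_zone(text):
    """Return {owner_name: [(flags, tag, value), ...]} from presentation-format lines."""
    records = {}
    for line in text.strip().splitlines():
        m = CAA_RE.match(line.strip())
        if not m:
            raise ValueError("not a CAA record: " + line)
        name, flags, tag, value = m.groups()
        owner = name.rstrip(".").lower()
        records.setdefault(owner, []).append((int(flags), tag.lower(), value))
    return records

def relevant_rrset(records, fqdn):
    """RFC 8659 lookup: the CAA RRset of the name itself, else of its closest ancestor."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = records.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(records, fqdn, ca, wildcard=False):
    """Decide whether CA `ca` may issue a (wildcard) certificate for `fqdn`."""
    rrset = relevant_rrset(records, fqdn)
    # A critical-flagged property the evaluator cannot understand forbids issuance.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"                        # issuewild takes precedence for wildcards
    governing = [v for _, t, v in rrset if t == tag]
    if not governing:
        return True                              # no restricting property: no CAA restriction
    # The value may carry parameters after ';'; an empty issuer name forbids all CAs.
    allowed = {v.split(";")[0].strip().lower() for v in governing}
    return ca.lower() in allowed
```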