Why CAA Records Matter

CAA records in DNS let domain owners control which Certificate Authorities may issue certificates for their domain. This reduces the risk of certificates being issued to parties who should not have them and makes your website’s domain more secure. This article explains CAA records in more detail.

What is a CAA Record?

A CAA record, or Certification Authority Authorization record, is a type of DNS record. It lets a person who owns a domain name choose which Certificate Authorities (CAs) can make certificates for their domain.

On the internet, a certificate (also called a digital certificate or SSL/TLS certificate) is used to show that a public key belongs to a particular party. It contains details about the key and its owner, together with a digital signature from a Certificate Authority (CA) that has verified this information.

CAA records let domain owners set rules about who may issue certificates for their domain, which makes the domain more secure.

How Does a CAA Record Work?

Imagine you own a house and want to make it safe. You could put in a security system and choose a specific security company to look after it. In this picture, your house is your domain, the security system is the SSL/TLS certificate, and the security company is the Certificate Authority. A CAA record is like a list of approved security companies that you put on your front door.

Before a CA issues a certificate, it first looks up the CAA record for the domain. If the CA is listed in the CAA record, it may go ahead and issue the certificate. If it is not listed, it must refuse the certificate request. This gives domain owners more control and helps prevent certificates from being issued when they shouldn’t be.

How to Use CAA Records

To use a CAA record, you add the record to your DNS setup. Each record consists of a flag, a tag, and a value, which together express the policy. The most common tags are ‘issue’, ‘issuewild’, and ‘iodef’:

  • issue: This tag names a CA that may issue (non-wildcard) certificates for your domain
  • issuewild: This tag names a CA that may issue wildcard certificates for your domain. A wildcard certificate covers the domain’s subdomains
  • iodef: This tag is used for reporting policy violations. It gives a URL (for example a mailto: address) to which a CA can send a report when it receives a request that breaks your rules

What Does a CAA Record Look Like?

Here’s an example of a CAA record for a made-up domain, example.com:

example.com.    IN   CAA   0 issue "letsencrypt.org"

This is a basic CAA record. Here’s what each part means:

  • example.com.: This is the domain for the CAA record
  • IN: This stands for Internet – it’s the class of the DNS record
  • CAA: This tells us the type of DNS record – in this case, a Certification Authority Authorization record
  • 0: This is the flag. Most CAA records have a flag of 0. It can be set to 1 to mean “critical”, which tells any Certificate Authority that doesn’t understand the record that it must not issue a certificate. Since many older CAs don’t know about CAA records, this flag is usually left at 0
  • issue: This is the tag of the record. Here it is issue, which means the record names the CA that may issue (non-wildcard) certificates for this domain
  • “letsencrypt.org”: This is the value, which shows the authorized Certificate Authority. In this example, only Let’s Encrypt (letsencrypt.org) can make certificates for example.com

You can add an iodef record for more protection. It looks like this:

example.com.    IN   CAA   0 iodef "mailto:security@example.com"

Here, iodef is the tag. It provides a way to report certificate requests that violate the policy. The value “mailto:security@example.com” means that violations should be reported by email to security@example.com.

So, with these two CAA records, only Let’s Encrypt may issue certificates for example.com, and a CA that receives a request violating this policy can report it to security@example.com.
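As an added example that is not part of the original article, the following Python script parses the two records above (plus a constructed, locked-down subdomain) and simulates the decision a CA makes under RFC 8659: climb to the parent domain when a name has no CAA records, fall back from issuewild to issue for wildcard names, and refuse when a critical record carries a tag the CA does not implement. The sample zone lines, CA names and function names are assumptions made for this demonstration.

```python
import shlex
from collections import namedtuple

CAARecord = namedtuple("CAARecord", "flags tag value")
CRITICAL = 0x80                 # "issuer critical" bit of the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(line: str) -> tuple[str, CAARecord]:
    """Parse one zone-file style line: owner [TTL] IN CAA flags tag "value"."""
    fields = shlex.split(line)  # keeps the quoted value as a single field
    return fields[0].lower(), CAARecord(int(fields[-3]), fields[-2].lower(), fields[-1])

# Constructed sample zone: the article's two records plus one locked-down subdomain.
SAMPLE_ZONE_LINES = [
    'example.com.    IN   CAA   0 issue "letsencrypt.org"',
    'example.com.    IN   CAA   0 iodef "mailto:security@example.com"',
    'locked.example.com.    IN   CAA   0 issue ";"',  # ";" = no CA may issue here
]
ZONE: dict[str, list[CAARecord]] = {}
for _owner, _rec in map(parse_caa, SAMPLE_ZONE_LINES):
    ZONE.setdefault(_owner, []).append(_rec)

def relevant_rrset(name: str) -> list[CAARecord]:
    """RFC 8659 section 3: climb toward the root until a name with CAA records is found."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []

def issuer_domain(value: str) -> str:
    """The issuer domain is the text before any ';' parameters; empty means 'nobody'."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(name: str, ca: str) -> bool:
    """Decide, as a CA identified by `ca` would, whether it may issue for `name`."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name)
    if not rrset:
        return True   # no CAA policy anywhere in the hierarchy: issuance unrestricted
    # Section 4.1: a critical record whose tag this CA does not implement forbids issuance.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    checks = [r for r in rrset if r.tag == "issuewild"] if wildcard else []
    if not checks:    # section 4.3: without issuewild, issue records govern wildcards too
        checks = [r for r in rrset if r.tag == "issue"]
    if not checks:
        return True   # only iodef (or other) tags present: issue is not restricted
    return any(issuer_domain(r.value) == ca.lower() for r in checks)
```

Running `may_issue("www.example.com.", "digicert.com")` returns False because the lookup climbs to example.com., whose only issue record names letsencrypt.org.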
