CAA Records: Controlling Who Can Issue Your Certificates

Updated: 2026-05-31

A CAA (Certification Authority Authorization) record is a DNS entry that names the certificate authorities allowed to issue certificates for your domain. CAs are required to check it before issuance, so it limits the damage if an attacker tries to obtain a certificate from a CA you don't use.

What it looks like

example.com.  CAA  0 issue "letsencrypt.org"
example.com.  CAA  0 issuewild "letsencrypt.org"
example.com.  CAA  0 iodef "mailto:security@example.com"
Tag        Meaning
issue      CA allowed to issue normal certificates
issuewild  CA allowed to issue wildcard certificates
iodef      Where to report attempted violations

An issue record whose value is ";" (no CA named) means no CA may issue at all. Multiple issue records allow multiple CAs.
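To make the rules above concrete, here is an added example (not code from this page or from any CA) that parses CAA records in the presentation format shown above and applies the issuance check a CA performs: climb to the closest name that has a CAA set, let issuewild govern wildcard requests only when present, treat issue ";" as authorizing nobody, and refuse on a critical flag with an unknown tag. The zone data is constructed, and the evaluation follows the RFC 8659 semantics as I understand them.

```python
import re

# Constructed sample zone in DNS presentation format (the layout used on this page).
SAMPLE_ZONE = """
example.com.     CAA 0 issue "letsencrypt.org"
example.com.     CAA 0 issuewild "letsencrypt.org"
example.com.     CAA 0 iodef "mailto:security@example.com"
locked.example.  CAA 0 issue ";"
strict.example.  CAA 128 futuretag "whatever"
"""

CAA_LINE = re.compile(r'^(\S+)\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(zone_text):
    """Return {owner_name: [(flags, tag, value), ...]} for every CAA line in the text."""
    records = {}
    for line in zone_text.strip().splitlines():
        m = CAA_LINE.match(line.strip())
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        name, flags, tag, value = m.groups()
        records.setdefault(name.rstrip(".").lower(), []).append((int(flags), tag.lower(), value))
    return records

def relevant_rrset(records, fqdn):
    """The CAA set at the name itself, or at its closest ancestor that has one (RFC 8659 lookup)."""
    name = fqdn.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]  # policy for *.example.com lives at example.com
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in records:
            return records[candidate]
    return []

def ca_may_issue(records, fqdn, ca_domain):
    """True if the CA identified by ca_domain may issue for fqdn ('*.' prefix = wildcard request)."""
    rrset = relevant_rrset(records, fqdn)
    # Critical flag (bit 128) on a tag the CA does not understand: issuance is forbidden outright.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # issuewild records, when present, are the only ones that govern wildcard requests.
    tag = "issuewild" if fqdn.startswith("*.") and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    relevant = [v for _, t, v in rrset if t == tag]
    if not relevant:
        return True  # no restricting records (e.g. only iodef, or no CAA at all): unrestricted
    # Issuer name is the part before ';'; issue ";" yields an empty name and authorizes nobody.
    allowed = {v.split(";", 1)[0].strip().lower() for v in relevant} - {""}
    return ca_domain.lower() in allowed
```

Passing a name with no CAA records anywhere in its tree returns True, which is exactly why adding the record matters: without it, CAA places no constraint at all.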

Why bother

CAA is defense in depth: even if some other validation is bypassed, a compliant CA will refuse to issue for your domain unless it is listed. It is a single DNS record and costs nothing to maintain.

Add the CAA record at your DNS host, then confirm your live certificate and chain with our SSL/TLS checker. To inspect DNS records generally, use the DNS lookup. Related: the certificate chain.

Note: CAA is checked by the CA at issuance time, not by browsers at connection time. It complements — but does not replace — DNSSEC and good account security at your CA.
