3.1.5.7. CAA

CAA (Certification Authority Authorization) is an entry that defines which certification authorities are allowed to issue SSL certificates for a specific domain or subdomain.

Important points:

  • The record value for a domain or subdomain is inherited across all of its subdomains, unless explicitly specified otherwise.
  • To define multiple CAs for the same domain or subdomain, you need to add multiple CAA records.
  • The absence of a CAA record is considered by certification authorities as permission to issue a certificate.
  • The full specification of the CAA record is available at RFC 6844.

Recording added in the domain settings and its data consists of three parameters, separated by spaces: 

flag tag value

Options:

  • flag - An 8-bit number, the most significant bit of which determines how critical the certification authority is about the entry. Possible values:
    • 0 - if the certification authority does not support the parameter tag or cannot recognize him, he is allowed to issue a certificate at his discretion.
    • 128 - if the certification authority does not support the parameter tag or cannot recognize him, he is prohibited from issuing a certificate.
  • tag - possible values:
    • issue — defines a certification authority that is allowed to issue a certificate.
    • issuewild — defines a certification authority that is allowed to issue a wildcard certificate.
    • iodef — defines an email address or URLthat the CA should use for notifications if a request is received to issue a certificate that violates the rules defined by the CAA record.
  • value - depends on the value tag and must be in double quotes (""). If there are several additional parameters, they must be separated by a semicolon (;). Possible values:
    • If tag equals issue, then as value indicates:
      • Or the domain of a certification authority that is allowed to issue a certificate.
      • Or ";"if you want to prevent all certification authorities from issuing a certificate.
    • If tag equals issuewild, then the possible values for value the same as for tag equals issue, only in this case for a wildcard certificate.
    • If tag equals iodef, then as value indicates:
      • Or an email address in the format "mailto:admin@example.com".
      • Or URL in the format "http(s)://URL".

For convenience, when creating a record, you can use online generators:

What CAA records look like in domain settings:

Content