3.1.5.7. CAA

A CAA (Certification Authority Authorization) record specifies which certification authorities are permitted to issue SSL certificates for a particular domain or subdomain.

Important points:

  • The CAA records of a domain or subdomain apply to all of its subdomains unless a subdomain has CAA records of its own.
  • To define multiple certification authorities for a single domain or subdomain, you need to add multiple CAA records.
  • The absence of a CAA record is interpreted by certification authorities as permission to issue a certificate.
  • The full specification of the CAA record is available in RFC 6844.

The record is added in the domain settings, and its data consists of three parameters separated by spaces:

flag tag value

Parameters:

  • flag — an 8-bit number whose most significant bit tells the certification authority how critically to treat the record. Possible values:
    • 0 — if the certification authority does not support or cannot recognize the tag parameter, it may issue a certificate at its discretion.
    • 128 — if the certification authority does not support or cannot recognize the tag parameter, it must not issue a certificate.
  • tag — possible values:
    • issue — defines the certification authority that is authorized to issue the certificate.
    • issuewild — specifies the certification authority that is allowed to issue a wildcard certificate.
    • iodef — defines the email address or URL that the certification authority should use for notifications if a certificate issuance request violates the rules specified by the CAA record.
  • value — depends on tag and must be enclosed in double quotes (""). If there are several additional parameters, they are separated by a semicolon (;). Possible values:
    • If tag equals issue, value is one of:
      • The domain of the certification authority that is allowed to issue the certificate.
      • ";" if all certification authorities are to be prohibited from issuing a certificate.
    • If tag equals issuewild, the possible values are the same as for issue, but they apply to wildcard certificates.
    • If tag equals iodef, value is one of:
      • An email address in the format "mailto:admin@example.com".
      • A URL in the format "http(s)://URL".
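
The following is an added example, not part of the original page: a small Python checker that parses CAA data in the "flag tag value" form described above and decides, for a constructed zone held in a local dictionary instead of live DNS, whether a given certification authority may issue for a name. It applies the inheritance rule (walk up to the nearest name that has CAA records), treats a missing record set as permission, honours the ";" deny-all value, and refuses issuance when a critical (128) record carries an unknown tag. The CA domain letsencrypt.org and the example.com names are sample values chosen for illustration.

```python
import re

# Tags described on this page; a critical record with any other tag blocks issuance.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone: owner name -> list of raw CAA record data strings.
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"', '0 iodef "mailto:admin@example.com"'],
    "locked.example.com": ['0 issue ";"'],            # nobody may issue here
    "wild.example.com": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],  # no wildcards
    "strict.example.com": ['128 futuretag "x"', '0 issue "letsencrypt.org"'],  # unknown critical tag
}

def parse_caa(rdata: str) -> dict:
    """Parse one CAA record given as 'flag tag "value"'; reject malformed input."""
    m = re.fullmatch(r'\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*', rdata)
    if not m:
        raise ValueError(f"malformed CAA data: {rdata!r}")
    flag, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    if flag > 255:
        raise ValueError("flag must fit in 8 bits")
    # Bit 7 (value 128) is the critical bit described in the flag parameter above.
    return {"critical": bool(flag & 0x80), "tag": tag, "value": value}

def issuance_allowed(zone: dict, name: str, ca: str, wildcard: bool = False) -> bool:
    """Return True if certification authority `ca` may issue for `name` under `zone`."""
    labels = name.lower().split(".")
    # Inheritance: the nearest owner (the name itself or an ancestor) with CAA records wins.
    for i in range(len(labels)):
        raw = zone.get(".".join(labels[i:]))
        if raw:
            records = [parse_caa(r) for r in raw]
            break
    else:
        return True  # no CAA record anywhere up the tree: treated as permission
    # A critical record the CA cannot interpret forbids issuance outright.
    if any(r["critical"] and r["tag"] not in KNOWN_TAGS for r in records):
        return False
    # issuewild governs wildcard requests when present; otherwise issue applies to both.
    tag = "issuewild" if wildcard and any(r["tag"] == "issuewild" for r in records) else "issue"
    relevant = [r for r in records if r["tag"] == tag]
    if not relevant:
        return True  # CAA records exist but none restrict this kind of issuance
    for r in relevant:
        # value is "<ca-domain>" optionally followed by ";param=value"; ";" alone matches no CA.
        if r["value"].split(";", 1)[0].strip().lower() == ca.lower():
            return True
    return False
```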

For convenience when creating a record, you can use online generators:

What CAA records look like in the domain settings:
