CAA (Certification Authority Authorization) is an entry that defines which certification authorities are allowed to issue SSL certificates for a specific domain or subdomain.
- The record value for a domain or subdomain is inherited across all of its subdomains, unless explicitly specified otherwise.
- To define multiple CAs for the same domain or subdomain, you need to add multiple CAA records.
- The absence of a CAA record is considered by certification authorities as permission to issue a certificate.
- The full specification of the CAA record is available at RFC 6844.
Recording added in the domain settings and its data consists of three parameters, separated by spaces:
flag tag value
flag- An 8-bit number, the most significant bit of which determines how critical the certification authority is about the entry. Possible values:
0- if the certification authority does not support the parameter
tagor cannot recognize him, he is allowed to issue a certificate at his discretion.
128- if the certification authority does not support the parameter
tagor cannot recognize him, he is prohibited from issuing a certificate.
tag- possible values:
issue— defines a certification authority that is allowed to issue a certificate.
issuewild— defines a certification authority that is allowed to issue a wildcard certificate.
iodef— defines an email address or URLthat the CA should use for notifications if a request is received to issue a certificate that violates the rules defined by the CAA record.
value- depends on the value
tagand must be in double quotes (
""). If there are several additional parameters, they must be separated by a semicolon (
;). Possible values:
issue, then as
- Or the domain of a certification authority that is allowed to issue a certificate.
";"if you want to prevent all certification authorities from issuing a certificate.
issuewild, then the possible values for
valuethe same as for
issue, only in this case for a wildcard certificate.
iodef, then as
- Or an email address in the format
- Or URL in the format
For convenience, when creating a record, you can use online generators:
What CAA records look like in domain settings: