CAA Record

How does a CAA record work?

A CAA record is a type of DNS record that lets a domain owner specify which Certificate Authorities (CAs) are allowed to issue certificates for that domain. By default, every public CA may issue a certificate for any domain name, provided it can validate that the requester controls that domain. If a CA receives an order for a certificate for a domain that has a CAA record and that CA is not listed as an authorized issuer, it is prohibited from issuing the certificate for that domain or any of its subdomains.

CAA record format

A typical CAA record looks like the following in standard BIND format:

@ 10800 IN CAA 0 issue ""
The anatomy of the CAA record @ 10800 IN CAA 0 issue "" is as follows:
  • Host Label: @
  • TTL: 10800
  • Record Class: IN
  • Record Type: CAA
  • Flag: 0
  • Tag: issue
  • Value: ""
Host Label
This field defines the hostname of the record and whether the origin will be appended to the label. Fully qualified hostnames terminated by a period do not have the origin appended.

TTL
The time-to-live in seconds: the length of time the record may be cached by an outside DNS server.

Record Class
Three classes of DNS records exist:
  • IN (Internet) – the default, and what the Internet generally uses.
  • CH (Chaosnet) – used for querying DNS server versions.
  • HS (Hesiod) – uses DNS functionality to provide access to databases of information that change infrequently.
Record Type
This field defines the record format. Common record types are A, AAAA, CNAME, CAA, TXT, etc. For a CAA record, the record type is CAA.

Flag
The flags field currently has only two strictly defined states: 0 (non-critical, the default) and 1 (critical). The Issuer Critical flag tells the CA that it must fully understand the property tag before proceeding; RFC 6844 leaves the other flag values open for user-defined use.

Tag
Three tags are currently defined in the RFC:
  • issue: authorizes a single certificate authority to issue certificates for the domain in which the property is published.
  • issuewild: authorizes a single certificate authority to issue wildcard certificates for the domain in which the property is published.
  • iodef: specifies a URL to which an issuer may report certificate issue requests that are inconsistent with the issuer's Certification Practices or Certificate Policy.
Value
The value field contains the string associated with the tag. For the issue and issuewild tags, the value is typically the domain name of the CA authorized by the record, for example, For the iodef tag, you supply a URL to which policy violations should be reported. It is usually in the format of

CAA record restrictions

Multiple CAA records
A domain owner can choose to allow multiple CAs to issue certificates for their domain name. The following records limit SSL certificate issuance to three CAs (Comodo, Let's Encrypt and Entrust).

@ 10800 IN CAA 0 issue ""
@ 10800 IN CAA 0 issue ""
@ 10800 IN CAA 0 issue ""
issue tag and subdomain
The issue tag also authorizes the listed CA to issue certificates for any subdomain of the specified domain, such as,, etc.

issuewild tag
The issuewild tag lets the domain owner define which CAs can issue wildcard certificates, separately from the main domain or other subdomains. issuewild tags take precedence over any issue tags, so in the example below Comodo is not allowed to issue wildcard certificates.

Comodo is the default CA for; both Comodo and Entrust can issue certificates for; if a non-defined subdomain such as comes into question, it falls into the category of wildcard, and only Let's Encrypt is the authorized CA for it.

@ 10800 IN CAA 0 issue "" 
www 10800 IN CAA 0 issue "" 
www 10800 IN CAA 0 issue "" 
@ 10800 IN CAA 0 issuewild ""

CAA record glossary

CA (Certificate Authority)
A Certificate Authority is a trusted entity that issues digital SSL certificates and manages the identities and public keys used to encrypt information.

BIND (Berkeley Internet Name Daemon)
BIND is the most commonly used DNS software on the Internet; Dynu follows the BIND format.

Wildcard DNS record
A wildcard DNS record is a record in a DNS zone that matches requests for non-existent domain names.