
Understanding CAA Records for SSL Certificates (2025 Guide)

Learn how CAA DNS records control which Certificate Authorities can issue SSL certificates for your domain, with setup guides for major providers.

Published 2025-12-01
Updated 2025-12-01
By DomainDetails Team

Quick Answer

CAA (Certificate Authority Authorization) DNS records allow domain owners to specify which Certificate Authorities (CAs) are permitted to issue SSL/TLS certificates for their domain. Since September 2017, all public CAs are required to check CAA records before issuing certificates. If a CAA record exists and the CA isn't listed, the certificate request is denied. This provides an additional security layer against unauthorized certificate issuance, though adoption remains relatively low at approximately 15% of top websites as of 2024.


What Are CAA Records?

Certificate Authority Authorization (CAA) is a DNS resource record type defined in RFC 8659 that allows domain name holders to indicate which Certificate Authorities are authorized to issue certificates for their domain. This mechanism provides domain owners with control over their domain's SSL/TLS certificate issuance process.

The Problem CAA Records Solve

Before CAA records, any Certificate Authority could issue a certificate for any domain as long as the requester passed domain validation. This created security risks:

  • Unauthorized issuance: A malicious actor could obtain a valid certificate from any CA
  • Internal policy violations: Organizations couldn't enforce policies about which CAs to use
  • Attack surface: More CAs meant more potential points of compromise

Historical Context

The CAA standard evolved over several years:

  • 2013: RFC 6844 introduced the original CAA specification
  • 2017: All public CAs became required to check CAA records (September 8, 2017)
  • 2019: RFC 8659 obsoleted RFC 6844 with improvements including clearer syntax via ABNF and simplified processing rules

Current Adoption Rates

Despite being mandatory for CAs to check, CAA adoption by domain owners remains relatively low:

  • 15.4% of the top 150,000 TLS-supporting websites use CAA records (Qualys, June 2024)
  • ~10% overall domain adoption as of 2024
  • Adoption has grown from approximately 1.4% of all domains in 2023

How CAA Records Work

Understanding the CAA checking process helps explain how these records protect your domain.

The Certificate Issuance Flow

When a Certificate Authority receives a certificate request for your domain:

  1. Request received: CA receives a certificate signing request (CSR) for example.com
  2. Domain validation: CA verifies the requester controls the domain
  3. CAA lookup: CA performs DNS lookup for CAA records
  4. Record evaluation: CA checks if it's authorized in any CAA record found
  5. Decision:
    • If no CAA records exist: CA may issue the certificate
    • If CAA records exist and CA is listed: CA may issue the certificate
    • If CAA records exist and CA is not listed: CA must deny the request

DNS Lookup Behavior

The CA performs a CAA lookup following a specific tree-climbing algorithm:

For a certificate request for www.shop.example.com:

  1. Check www.shop.example.com for CAA records
  2. If none found, check shop.example.com
  3. If none found, check example.com
  4. If none found, check com (usually has none)
  5. If still none found, any CA may issue

This inheritance model allows you to set a single CAA record at the apex domain that applies to all subdomains.

What "Checking CAA" Means

CAs must perform CAA checks:

  • At most 8 hours before certificate issuance
  • Using standard DNS resolution (respecting TTL caching)
  • Following the tree-climbing algorithm for subdomains
  • Recognizing both issue and issuewild tags

CAA Record Syntax and Structure

CAA records have a specific format that must be followed precisely.

Basic Record Format

domain.com.    IN    CAA    flags    tag    "value"

Breaking down each component:

Component      Description               Example
domain.com.    The domain name           example.com.
IN             Internet class            Always IN
CAA            Record type               Always CAA
flags          Flag byte (0-255)         Usually 0
tag            Property tag              issue, issuewild, iodef
value          Tag value in quotes       "letsencrypt.org"

The Flags Field

The flags field is a single byte (0-255) that modifies record behavior:

Flag Value    Meaning
0             Non-critical, can be ignored if not understood
128           Critical flag set - CA must understand this record or reject

In practice: Almost all CAA records use flag 0. The critical flag (128) is rarely used because it could cause compatibility issues with CAs that don't understand newer tag types.

Complete Record Examples

Allow Let's Encrypt only:

example.com.    3600    IN    CAA    0    issue    "letsencrypt.org"

Allow multiple CAs:

example.com.    3600    IN    CAA    0    issue    "letsencrypt.org"
example.com.    3600    IN    CAA    0    issue    "digicert.com"
example.com.    3600    IN    CAA    0    issue    "comodoca.com"

Deny all certificate issuance:

example.com.    3600    IN    CAA    0    issue    ";"

CAA Record Tags Explained

RFC 8659 defines three standard tags, each serving a distinct purpose.

The issue Tag

The issue tag authorizes a CA to issue non-wildcard certificates for the domain and its subdomains.

Syntax:

example.com.    CAA    0    issue    "ca-domain.com"

Parameters: You can include optional parameters after the CA domain:

example.com.    CAA    0    issue    "letsencrypt.org; validationmethods=dns-01"

Common parameters:

  • accounturi - Restrict to specific ACME account
  • validationmethods - Restrict validation methods (e.g., dns-01, http-01)

Example with parameters:

example.com.    CAA    0    issue    "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123456"
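To make the record format from "CAA Record Syntax and Structure" and the parameter syntax above concrete, here is a small parser and linter for CAA records in zone-file presentation form. It is an added example written for this guide, not code from any DNS provider or CA. The record lines it handles are constructed; it also accepts the owner-less form (0 issue "ca-domain") that Route 53 uses and that dig +short prints, which goes a little beyond the lines shown on this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Presentation format from the guide:  owner [ttl] [IN] CAA flags tag "value"
# The owner/TTL/class prefix is optional so that the owner-less form used by
# Route 53 and printed by "dig +short" (0 issue "letsencrypt.org") parses too.
_CAA_RE = re.compile(
    r'^(?:(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?CAA\s+)?'
    r'(?P<flags>\d{1,3})\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)

CRITICAL_FLAG = 128                                      # bit 7 of the flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}             # RFC 8659 tags
ACME_PARAMETERS = {"accounturi", "validationmethods"}    # RFC 8657 parameters


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str
    owner: Optional[str] = None
    ttl: Optional[int] = None

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL_FLAG)

    @property
    def issuer_domain(self) -> str:
        """CA domain before the first ';' of an issue/issuewild value.
        An empty string (value ";") authorizes no CA at all."""
        return self.value.split(";", 1)[0].strip().lower()

    @property
    def parameters(self) -> Dict[str, str]:
        """key=value pairs after the issuer domain, e.g. validationmethods=dns-01."""
        params: Dict[str, str] = {}
        for part in self.value.split(";")[1:]:
            part = part.strip()
            if part:
                key, _, val = part.partition("=")
                params[key.strip()] = val.strip()
        return params


def parse_caa(line: str) -> CAARecord:
    """Parse one CAA record line; raise ValueError on malformed input."""
    m = _CAA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags = int(m["flags"])
    if flags > 255:
        raise ValueError(f"flags must be 0-255, got {flags}")
    return CAARecord(
        flags=flags,
        tag=m["tag"].lower(),        # tag matching is case-insensitive (RFC 8659)
        value=m["value"],
        owner=m["owner"],
        ttl=int(m["ttl"]) if m["ttl"] else None,
    )


def lint(rec: CAARecord) -> List[str]:
    """Warnings a domain owner would want before publishing the record."""
    warnings: List[str] = []
    if rec.tag not in KNOWN_TAGS:
        msg = f"unknown tag {rec.tag!r}"
        if rec.critical:
            msg += "; with the critical flag set, a CA that does not understand it must refuse to issue"
        warnings.append(msg)
    if rec.tag in ("issue", "issuewild"):
        dom = rec.issuer_domain
        if dom and not re.fullmatch(r"[a-z0-9.-]+", dom):
            warnings.append(f"issuer domain {dom!r} is not a valid domain name")
        for key in rec.parameters:
            if key not in ACME_PARAMETERS:
                warnings.append(f"parameter {key!r} is not an ACME CAA parameter (accounturi/validationmethods)")
    if rec.tag == "iodef" and not rec.value.startswith(("mailto:", "http://", "https://")):
        warnings.append("iodef value should be a mailto: or http(s): URL")
    return warnings


def is_valid(line: str) -> bool:
    """True when the line parses and produces no lint warnings."""
    try:
        return not lint(parse_caa(line))
    except ValueError:
        return False
```

Running a provider's exported zone through is_valid before publishing catches the two mistakes the troubleshooting section below describes most often: a typo in the CA domain and a value that was pasted without its surrounding quotes.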

The issuewild Tag

The issuewild tag specifically controls wildcard certificate issuance (*.example.com).

Key behavior:

  • issuewild takes precedence over issue for wildcard certificates
  • If only issue exists (no issuewild), it applies to both wildcard and non-wildcard
  • If issuewild exists, it controls wildcard issuance exclusively

Examples:

Allow wildcards from DigiCert only, regular certs from Let's Encrypt:

example.com.    CAA    0    issue       "letsencrypt.org"
example.com.    CAA    0    issuewild   "digicert.com"

Deny wildcard certificates entirely:

example.com.    CAA    0    issue       "letsencrypt.org"
example.com.    CAA    0    issuewild   ";"

The iodef Tag

The iodef (Incident Object Description Exchange Format) tag specifies where CAs should send violation reports.

Supported formats:

example.com.    CAA    0    iodef    "mailto:[email protected]"
example.com.    CAA    0    iodef    "https://example.com/caa-report"

Important notes:

  • Not all CAs send iodef reports
  • Reports are sent when a certificate request is denied due to CAA
  • Useful for monitoring unauthorized certificate attempts

Common CA Domain Names for CAA Records

Here are the correct domain values to use for major Certificate Authorities:

Free Certificate Authorities

CA Provider              CAA Domain Value
Let's Encrypt            letsencrypt.org
ZeroSSL                  sectigo.com
Google Trust Services    pki.goog

Commercial Certificate Authorities

CA Provider                  CAA Domain Value
DigiCert                     digicert.com
Sectigo (formerly Comodo)    sectigo.com or comodoca.com
GlobalSign                   globalsign.com
Entrust                      entrust.net
GoDaddy                      godaddy.com
Amazon Trust Services        amazon.com or amazontrust.com
Thawte                       digicert.com (owned by DigiCert)
GeoTrust                     digicert.com (owned by DigiCert)
RapidSSL                     digicert.com (owned by DigiCert)

CDN/Cloud Provider CAs

Provider                   CAA Domain Value
Cloudflare                 digicert.com, letsencrypt.org, pki.goog
AWS Certificate Manager    amazon.com or amazontrust.com
Google Cloud               pki.goog

Cloudflare note: When using Cloudflare's Universal SSL or Advanced Certificates, Cloudflare automatically adds hidden CAA records to ensure certificate issuance works. These records authorize the CAs that Cloudflare uses but don't appear in your Cloudflare DNS dashboard.

Setting Up CAA Records by Provider

Cloudflare

Cloudflare supports CAA records natively and handles them specially for their SSL products.

Steps:

  1. Log in to Cloudflare Dashboard
  2. Select your domain
  3. Go to DNS > Records
  4. Click Add record
  5. Select CAA as the type
  6. Configure:
    • Name: @ for root domain or subdomain name
    • Flag: Select 0
    • Tag: Choose Only allow specific hostnames (issue), Only allow wildcards (issuewild), or Send violation reports (iodef)
    • CA domain name: Enter the CA domain (e.g., letsencrypt.org)

Example configuration for Cloudflare Universal SSL:

@    CAA    0    issue    "digicert.com"
@    CAA    0    issue    "letsencrypt.org"
@    CAA    0    issue    "pki.goog"

Important: Cloudflare automatically adds background CAA records to ensure their SSL services work. If you add custom CAA records that don't include Cloudflare's CAs, Universal SSL may break.

AWS Route 53

Route 53 fully supports CAA records with a straightforward setup.

Steps:

  1. Open the Route 53 console
  2. Select your hosted zone
  3. Click Create record
  4. Configure:
    • Record name: Leave blank for apex or enter subdomain
    • Record type: Select CAA
    • Value: Enter in format: flag tag "value"

Example Route 53 values:

0 issue "amazon.com"
0 issue "letsencrypt.org"
0 issuewild "amazon.com"

For AWS Certificate Manager (ACM):

0 issue "amazon.com"
0 issue "amazontrust.com"

GoDaddy

GoDaddy's DNS interface supports CAA records through their DNS management panel.

Steps:

  1. Log in to your GoDaddy account
  2. Go to My Products > Domains
  3. Select your domain and click DNS
  4. Click Add under Records
  5. Select CAA from the Type menu
  6. Configure:
    • Name: @ for root or subdomain
    • Flag: Enter 0
    • Tag: Select issue, issuewild, or iodef
    • Value: Enter the CA domain

Common GoDaddy configuration:

@    CAA    0    issue    "godaddy.com"
@    CAA    0    issue    "letsencrypt.org"

Google Cloud DNS

Steps:

  1. Go to Cloud DNS in Google Cloud Console
  2. Select your managed zone
  3. Click Add record set
  4. Configure:
    • DNS Name: Your domain or subdomain
    • Resource record type: CAA
    • Flag: 0
    • Tag: issue, issuewild, or iodef
    • Value: CA domain name

DigitalOcean

Steps:

  1. Go to Networking > Domains
  2. Select your domain
  3. Click Add record
  4. Select CAA
  5. Enter the flag, tag, and value

Namecheap

Steps:

  1. Log in to Namecheap
  2. Go to Domain List > Manage for your domain
  3. Click Advanced DNS
  4. Click Add New Record
  5. Select CAA Record
  6. Configure flag, tag, and value

CAA Records and Wildcard Certificates

Wildcard certificates require special consideration in CAA configuration.

How Wildcard Authorization Works

The issuewild tag specifically controls wildcard certificate issuance:

# Allow DigiCert for wildcard certs, Let's Encrypt for regular certs
example.com.    CAA    0    issue       "letsencrypt.org"
example.com.    CAA    0    issuewild   "digicert.com"

Inheritance Behavior

If you only have issue records (no issuewild), the issue records control both wildcard and non-wildcard:

# This allows Let's Encrypt for ALL certificates (including wildcards)
example.com.    CAA    0    issue    "letsencrypt.org"

Denying Wildcard Certificates

To explicitly prevent wildcard certificate issuance:

# Allow regular certs from Let's Encrypt, deny all wildcards
example.com.    CAA    0    issue       "letsencrypt.org"
example.com.    CAA    0    issuewild   ";"

An issuewild value of ";" names no CA domain, so no CA is authorized for wildcard certificates and wildcard issuance is denied entirely.

CAA Record Inheritance and Subdomains

Understanding how CAA records inherit to subdomains is crucial for proper configuration.

The Tree-Climbing Algorithm

When a CA checks CAA records for api.app.example.com, it follows this order:

  1. Check api.app.example.com - if CAA found, use it
  2. Check app.example.com - if CAA found, use it
  3. Check example.com - if CAA found, use it
  4. Check com - typically no CAA records
  5. No CAA found anywhere - any CA may issue

Subdomain Override Example

# Root domain allows Let's Encrypt
example.com.         CAA    0    issue    "letsencrypt.org"

# API subdomain allows DigiCert instead
api.example.com.     CAA    0    issue    "digicert.com"

With this configuration:

  • www.example.com can get certs from Let's Encrypt (inherits from root)
  • api.example.com can only get certs from DigiCert (has own CAA record)
  • v1.api.example.com can only get certs from DigiCert (inherits from api subdomain)
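The decision logic from "The Certificate Issuance Flow", the tree-climbing lookup, the issue/issuewild precedence rules and the subdomain override example above, written out as an added Python example for this guide (not code from any CA or DNS provider). The zone data is constructed: it is the subdomain override example with an issuewild record for DigiCert added at the apex, as in the wildcard section, plus a deny-all record on a third subdomain; a dictionary stands in for the DNS queries a CA would make, and the iodef address in it is made up.

```python
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

# One CAA record as published in DNS: (flags, tag, value).
CAARec = Tuple[int, str, str]

CRITICAL_FLAG = 128
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data standing in for real DNS answers.  Owner names are
# fully qualified without the trailing dot.
ZONE: Dict[str, List[CAARec]] = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),                 # non-wildcard certs: Let's Encrypt
        (0, "issuewild", "digicert.com"),                # wildcard certs: DigiCert only
        (0, "iodef", "mailto:caa-reports@example.com"),  # constructed reporting address
    ],
    "api.example.com": [
        (0, "issue", "digicert.com"),                    # subdomain override
    ],
    "legacy.example.com": [
        (0, "issue", ";"),                               # deny all issuance under this name
    ],
}


def lookup_caa(owner: str, zone: Dict[str, List[CAARec]] = ZONE) -> List[CAARec]:
    """Stand-in for a DNS CAA query for exactly this owner name."""
    return zone.get(owner, [])


def relevant_record_set(name: str, zone=ZONE) -> Tuple[Optional[str], List[CAARec]]:
    """Tree climb (RFC 8659 section 3): return the first non-empty CAA record
    set found on the name or one of its parents, with the owner it came from.
    For a wildcard name the climb starts at the name under the '*'."""
    host = name.rstrip(".").lower()
    if host.startswith("*."):
        host = host[2:]
    labels = host.split(".")
    while labels:
        owner = ".".join(labels)
        records = lookup_caa(owner, zone)
        if records:
            return owner, records
        labels.pop(0)                      # climb to the parent domain
    return None, []


def _issuer_domain(value: str) -> str:
    """CA domain part of an issue/issuewild value; '' for ';' (deny all)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca_domain: str, name: str, zone=ZONE) -> Tuple[bool, str]:
    """Decide whether the CA identified by ca_domain may issue for name.
    Returns (decision, reason) so a denial can be explained or reported."""
    wildcard = name.startswith("*.")
    owner, records = relevant_record_set(name, zone)
    if not records:
        return True, "no CAA records on the name or any parent; any CA may issue"

    # A record with the critical flag and a tag the CA does not understand blocks issuance.
    for flags, tag, _ in records:
        if flags & CRITICAL_FLAG and tag.lower() not in KNOWN_TAGS:
            return False, f"critical CAA record with unknown tag {tag!r} at {owner}"

    issuewild = [r for r in records if r[1].lower() == "issuewild"]
    issue = [r for r in records if r[1].lower() == "issue"]
    # issuewild governs wildcard requests when present; otherwise issue applies to both kinds.
    if wildcard and issuewild:
        governing, tag = issuewild, "issuewild"
    else:
        governing, tag = issue, "issue"

    if not governing:
        # RFC 8659: a record set without an applicable issue/issuewild tag
        # (for example iodef only) does not restrict issuance.
        return True, f"CAA set at {owner} has no {tag} records; issuance is not restricted"
    for _, _, value in governing:
        if _issuer_domain(value) == ca_domain.lower():
            return True, f"{tag} record at {owner} authorizes {ca_domain}"
    return False, f"no {tag} record at {owner} authorizes {ca_domain}"
```

A CA known under several identifiers (the table above lists sectigo.com and comodoca.com for Sectigo) would call may_issue once per identifier and issue if any call returns True. The reason string is what an iodef report or a CA's error message would carry back to the domain owner.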

Best Practice for Multi-Subdomain Sites

For complex sites, consider whether to:

  1. Set CAA at root only: Simpler management, all subdomains inherit
  2. Set CAA per subdomain: More granular control, more management overhead

Security Considerations

CAA records provide security benefits but also have limitations you should understand.

DNSSEC Dependency

Critical warning: CAA records are vulnerable to DNS spoofing attacks without DNSSEC.

Without DNSSEC:

  • An attacker could spoof DNS responses
  • They could make the CA see fake "no CAA records" responses
  • This would allow unauthorized certificate issuance

Recommendation: Enable DNSSEC for your domain to ensure CAA record integrity.

What CAA Does NOT Protect Against

CAA has limitations:

  1. Compromised CAs: If an authorized CA is compromised, CAA doesn't help
  2. Stolen domain credentials: If attackers gain DNS access, they can modify CAA records
  3. Pre-existing certificates: CAA doesn't revoke already-issued certificates
  4. Human error: Misconfigured CAA records can block legitimate certificates

Certificate Transparency Monitoring

CAA works best when combined with Certificate Transparency (CT) monitoring:

  • CT logs record all issued certificates publicly
  • You can monitor CT logs for unauthorized certificates
  • Even if CAA is bypassed, CT provides visibility

Services for CT monitoring:

Troubleshooting CAA Issues

Common problems and solutions when working with CAA records.

Certificate Issuance Blocked

Error message: "No CAA record contains the issuance domain [ca-domain]"

Causes:

  1. CAA record exists but doesn't include the CA you're using
  2. You added CAA records and forgot to include a CA you need
  3. Typo in the CA domain name

Solution:

# Check your current CAA records
dig example.com CAA +short

# Verify the CA domain is correct
# Add the missing CA to your CAA records

Cloudflare Universal SSL Not Working

Problem: Added custom CAA records, now Cloudflare SSL broken

Solution: Ensure your CAA records include Cloudflare's CAs:

@    CAA    0    issue    "digicert.com"
@    CAA    0    issue    "letsencrypt.org"
@    CAA    0    issue    "pki.goog"

Let's Encrypt Failing with CAA Error

Problem: Certbot or other ACME client fails with CAA error

Solution: Add Let's Encrypt to your CAA records:

example.com.    CAA    0    issue    "letsencrypt.org"

Verifying CAA Records

Using dig:

dig example.com CAA +short
# Output: 0 issue "letsencrypt.org"

Using nslookup:

nslookup -type=CAA example.com

Online tools:

Propagation Delays

Problem: Added CAA records but CA still can't see them

Causes:

  1. DNS propagation hasn't completed
  2. TTL on old records hasn't expired
  3. CA is caching DNS responses

Solution:

  • Wait for TTL to expire (check current TTL with dig)
  • Most CAs cache for up to 8 hours maximum
  • Plan CAA changes ahead of certificate renewals

Best Practices

Follow these guidelines for effective CAA implementation.

1. Start with Audit Mode

Before restricting CAs, understand your current certificate landscape:

  1. Inventory all SSL certificates for your domain
  2. Identify which CAs issued them
  3. Document all services that auto-provision certificates (CDNs, cloud platforms)

2. Include All Necessary CAs

Create CAA records that include every CA you actually use:

# Example: Using Cloudflare, AWS, and Let's Encrypt
example.com.    CAA    0    issue    "digicert.com"
example.com.    CAA    0    issue    "letsencrypt.org"
example.com.    CAA    0    issue    "pki.goog"
example.com.    CAA    0    issue    "amazon.com"

3. Set Up Reporting

Always include an iodef record for monitoring:

example.com.    CAA    0    iodef    "mailto:[email protected]"

4. Enable DNSSEC

CAA without DNSSEC provides limited security:

  • Enable DNSSEC at your registrar
  • Verify DNSSEC is working: dig example.com DS +short

5. Document Your Configuration

Maintain documentation of:

  • Which CAs are authorized and why
  • Which services depend on which CAs
  • Renewal schedules and procedures
  • Contacts for certificate issues

6. Plan for Certificate Renewals

  • Add CAA records well before certificates expire
  • Allow time for DNS propagation
  • Test certificate issuance before critical renewals

7. Consider Wildcard Restrictions

If you don't need wildcard certificates:

example.com.    CAA    0    issue       "letsencrypt.org"
example.com.    CAA    0    issuewild   ";"

8. Use the CAA Generator Tool

SSLMate offers a helpful CAA record generator:

Frequently Asked Questions

What happens if I don't have any CAA records?

If your domain has no CAA records, any Certificate Authority can issue certificates for your domain (assuming they pass domain validation). CAA records are optional but recommended for enhanced security.

Do CAA records affect existing certificates?

No. CAA records only affect future certificate issuance. Existing valid certificates continue to work regardless of CAA records. However, renewals are new issuance events and will be subject to CAA checks.

Can CAA records prevent certificate renewals?

Yes. If you add restrictive CAA records after obtaining a certificate, and the CA isn't in your CAA records, renewal will fail. Always verify your CAA records include all CAs you use before certificate renewal time.

How long do CAA records take to propagate?

CAA records propagate like any other DNS record, typically within minutes to a few hours. CAs cache DNS responses, so allow up to 8 hours after changes before expecting them to take effect.

Do I need CAA records for subdomains?

Not necessarily. CAA records at the root domain apply to all subdomains unless a subdomain has its own CAA record. You only need subdomain-specific CAA records if you want different authorization for specific subdomains.

Will CAA records break my website if misconfigured?

CAA records don't affect website functionality directly. However, misconfigured CAA records can prevent certificate issuance or renewal, which could eventually cause HTTPS to stop working when certificates expire.

Are CAA records required for SSL certificates?

CAA records are not required to obtain SSL certificates. However, CAs are required to check for CAA records and respect them if they exist. Having CAA records is a security best practice.

What's the difference between issue and issuewild?

The issue tag authorizes non-wildcard certificates (and wildcard if no issuewild exists). The issuewild tag specifically controls wildcard certificate issuance and takes precedence over issue for wildcards.

Key Takeaways

  • CAA records specify authorized CAs: They tell Certificate Authorities which ones can issue certificates for your domain, providing an additional security layer.

  • Mandatory checking since 2017: All public CAs must check CAA records before issuing certificates, though having CAA records is optional for domain owners.

  • Three tag types: Use issue for standard certificates, issuewild for wildcard certificates, and iodef for violation reporting.

  • Inheritance applies to subdomains: CAA records at the root domain apply to all subdomains unless overridden with subdomain-specific records.

  • DNSSEC enhances CAA security: Without DNSSEC, CAA records can be spoofed, reducing their effectiveness.

  • Plan before implementing: Audit your certificate landscape and include all necessary CAs before adding restrictive CAA records.

Next Steps

Immediate Actions

  1. Audit your certificates: List all SSL certificates for your domain and their issuing CAs
  2. Check existing CAA records: Run dig yourdomain.com CAA +short
  3. Use the CAA generator: Visit sslmate.com/caa to create records

Tools to Use

  • DomainDetails.com: Look up any domain's current CAA records
  • SSLMate CAA Generator: Generate properly formatted CAA records
  • crt.sh: Monitor Certificate Transparency logs for your domain

Research Sources