CAA (Certificate Authority Authorization) is a DNS record specifying which CAs may issue SSL certificates for a domain. Prevents mis-issuance. Since 2017, CAs are required to check CAA before issuance. Syntax: example.com. 300 IN CAA 0 issue "letsencrypt.org".
Free online tool — DNS lookup tool: instant results, no signup.
CAA (Certificate Authority Authorization) is a DNS record specifying which CAs may issue SSL certificates for a domain. Prevents mis-issuance. Since 2017, CAs are required to check CAA before issuance. Syntax: example.com. 300 IN CAA 0 issue "letsencrypt.org".
Creating and managing CAA records is a straightforward process that involves editing your domain's DNS settings. Below are the steps to set up a CAA record:
letsencrypt.org).For example, to allow only Let's Encrypt to issue certificates for your domain, you would create the following CAA record:
example.com. 300 IN CAA 0 issue "letsencrypt.org"Repeat this process for each CA you wish to authorize. Remember that if you do not set a CAA record, any CA can issue certificates for your domain, potentially leading to security risks.
CAA records consist of three main components: flags, tags, and values. Understanding these components is crucial for effectively managing SSL certificate issuance for your domain.
The flag determines the criticality of the CAA record:
Tags specify the type of authorization you are granting:
For example, if you want to issue a wildcard certificate only through Let's Encrypt, your CAA record would look like this:
example.com. 300 IN CAA 0 issuewild "letsencrypt.org"Understanding these flags and tags allows domain owners to fine-tune their security posture regarding SSL certificate issuance.
When configuring CAA records, misconfigurations can lead to issues in SSL certificate issuance. Here are some common problems and troubleshooting tips:
If you do not have any CAA records set up, any Certificate Authority can issue certificates for your domain. This can expose your domain to potential misuse. Ensure that you have at least one CAA record in place.
Using the wrong flag can lead to unexpected behavior. For instance, setting a flag to '128' without specifying the correct CA may prevent all CAs from issuing certificates. Always verify that your flags align with your intended security policies.
DNS records are sensitive to syntax. Ensure that you use the correct format, including quotation marks around CA names. An example of a correctly formatted CAA record is:
example.com. 300 IN CAA 0 issue "letsencrypt.org"After making changes to your CAA records, it may take some time for those changes to propagate across the internet. Be patient and verify the changes using DNS lookup tools.
You can use command-line tools like dig to check your CAA records:
dig example.com CAABy understanding these common pitfalls and how to troubleshoot them, you can ensure that your CAA records effectively protect your domain's SSL certificate issuance.
DNS (Domain Name System) translates domain names into IP addresses. DNS records are instructions that define where to route traffic, email, and how to verify domainownership.
Query all record types — A, AAAA, MX, NS, TXT, CNAME, SOA — in a single request.
Direct queries to authoritative servers. Results in milliseconds, no caching.
SPF, DKIM, and DMARC analysis to evaluate email protection against spoofing and phishing.
Save check results. Compare DNS records before and after registrar changes.
DNS check after deploy
SPF/DKIM/DMARC audit
DNS config audit
DNS zone control
v=spf1 TXT record.DNS check history, API keys and DNS change monitoring.
Sign up freeIf you work with web infrastructure — yes. See description above.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.