What Are CAA Records?

The CAA (Certification Authority Authorization) record is a type of DNS record that tells Certification Authorities (CAs) which of them are allowed to issue SSL/TLS certificates for your domain. Before issuing a certificate, a CA must look up the CAA records for the requested name and must refuse to issue if those records do not authorize it; the CA/Browser Forum Baseline Requirements make this check mandatory for publicly trusted CAs. CAA is therefore an issuance control enforced by the CA, not something a browser checks when it connects to your site. The record type is defined in RFC 8659 (which replaces RFC 6844).

Can I have an example of a CAA record?

Below are some examples of CAA records in zone-file (text) format. You can see what your domain currently publishes with: dig example.com CAA

Certificates purchased from Gandi are issued by Sectigo, so the records will follow this pattern when entered in text mode:

@ IN CAA 0 issue "sectigo.com"
@ IN CAA 0 issuewild "sectigo.com"

You can also allow multiple Certification Authorities (CAs) to issue certificates for your domain, one record per CA. Once any CAA record exists for a name, every CA not listed will refuse to issue for it, so list every CA you use (for example Let's Encrypt for an automated subdomain) alongside Sectigo:

@ IN CAA 0 issue "sectigo.com"
@ IN CAA 0 issue "letsencrypt.org"

What do the CAA record values mean?

If you are entering the records using the “table mode” of our DNS record editor, here is an explanation of the properties:

  • Type: CAA. This record type states which CAs are authorized to issue certificates for the name it is attached to.

  • TTL: The number of seconds that resolvers may cache the record before querying it again. 10800 (3 hours) is the default value. A CA checks CAA at issuance time, so a change only takes effect once cached copies have expired.

  • Name: Leave this empty (@) for the domain itself, or enter the subdomain label for a subdomain. A CA looks for CAA records on the exact name requested, then on each parent name in turn, and applies the first set it finds. A record at @ therefore covers every subdomain that has no CAA records of its own, and a subdomain's own records replace (rather than add to) the parent's.

  • Flags: The default is 0. The value 128 sets the "issuer critical" bit: a CA that does not understand the tag of a critical record must refuse to issue rather than ignore it. Other flag bits are reserved and are ignored by CAs.

  • Tag: This lets you choose one of the following:

    • issue: The named CA is authorized to issue certificates for this name. The value is the CA's issuer domain name as published by the CA (for example sectigo.com or letsencrypt.org), not its display name. A value of ";" authorizes no CA at all, which forbids issuance. If no issuewild record is present, issue records also govern wildcard certificates.

    • issuewild: The named CA is authorized to issue wildcard certificates (*.example.com) for this name. When at least one issuewild record is present, it takes precedence over issue records for wildcard requests.

    • iodef: A URL (mailto: or https:) to which the CA can report certificate requests that violated your policy, using the Incident Object Description Exchange Format (RFC 7970). Not every CA sends these reports.
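The lookup and evaluation rules above (climbing to the first name that has CAA records, issue vs. issuewild precedence, the ";" denial value and the critical flag) are easier to reason about in code. The following is an added example, not Gandi's code or a CA's implementation, and it works offline against a constructed zone table: the names, records and CA identifiers in ZONE are made up for the example, and CNAME/DNAME handling and DNSSEC are deliberately out of scope.

```python
"""Offline evaluation of CAA policy following RFC 8659 (illustrative only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


ISSUER_CRITICAL = 128          # bit 0 of the flags octet (RFC 8659 section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample data (assumption: these names and records are invented
# for the example): owner name -> CAA RRset, as a CA would see it in DNS.
ZONE = {
    "example.com": [
        CAA(0, "issue", "sectigo.com"),
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", "sectigo.com"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    # ";" authorizes no CA: nothing may be issued under dev.example.com
    "dev.example.com": [CAA(0, "issue", ";")],
    # a critical record with a tag the CA does not understand forbids issuance
    "legacy.example.com": [CAA(ISSUER_CRITICAL, "futuretag", "x")],
}


def parse_caa(text):
    """Parse the zone-file text form `flags tag "value"` into a CAA record."""
    flags, tag, value = text.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


def relevant_caa_set(name, zone=ZONE):
    """RFC 8659 section 3: walk from the FQDN up to the root and return the
    owner name and records of the first CAA RRset found (or None, [])."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = zone.get(candidate)
        if records:
            return candidate, records
    return None, []


def issuer_domain(value):
    """Issuer domain name from an issue/issuewild value, dropping any
    ';'-separated parameters (e.g. 'letsencrypt.org; validationmethods=dns-01')."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca, fqdn, zone=ZONE):
    """Return (allowed, reason) for CA `ca` issuing a certificate for `fqdn`.
    A leading '*.' marks a wildcard request."""
    wildcard = fqdn.startswith("*.")
    lookup_name = fqdn[2:] if wildcard else fqdn
    owner, records = relevant_caa_set(lookup_name, zone)
    if not records:
        return True, "no CAA records anywhere in the tree: any CA may issue"
    # Critical flag on an unknown tag: the CA must not issue.
    for r in records:
        if r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS:
            return False, f"critical unknown tag {r.tag!r} at {owner}"
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue
    # records apply to wildcard and non-wildcard requests alike.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True, f"no applicable issue records at {owner}: no restriction"
    allowed = {issuer_domain(r.value) for r in governing}
    if ca.lower() in allowed:
        return True, f"{ca} authorized by CAA at {owner}"
    return False, f"{ca} not among {sorted(a for a in allowed if a)} at {owner}"


if __name__ == "__main__":
    for ca, name in [("sectigo.com", "www.example.com"),
                     ("letsencrypt.org", "*.example.com"),
                     ("letsencrypt.org", "api.dev.example.com"),
                     ("sectigo.com", "legacy.example.com")]:
        print(ca, name, may_issue(ca, name))
```

Note how the second case comes out: Let's Encrypt is listed in an issue record, but the issuewild record names only Sectigo, so a wildcard request from Let's Encrypt is refused. That is the common surprise when adding a second CA; add a matching issuewild record if that CA should also issue wildcards.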