The purpose of a CAA record is to provide additional confirmation for the Certification Authority (CA) during the validation process of acquiring an SSL certificate. This record allows specifying which certification authorities are authorized to deliver SSL certificates for the domain (see the RFC here).
Example CAA records¶
Below are some examples of CAA records.
The standard syntax for SSL certificates purchased from Gandi will be like the following if you enter it in the text version of our form:
@ IN CAA 0 issue "sectigo.com" @ IN CAA 0 issuewild "sectigo.com"
You can also allow multiple Certification Authorities (CA) to issue certificates for your domain. For example:
@ IN CAA 0 issue "sectigo.com" @ IN CAA 0 issue "letsencrypt.org"
CAA record values¶
If you are entering the records using the “table mode” of our DNS record editor, here is an explanation of the properties:
- Type: CAA is to specify this type of record. It indicates that a CA is authorized to deliver an SSL certificate for the domain.
- TTL: This is the number of seconds before the record is checked to see if it changed. 10800 is the default value.
- Name: Leave this empty (@) for just the domain itself. Add the subdomain here if it is for a subdomain.
- Flags: The default is 0. If you put 1, this blocks the validation if the tag is unknown by the CA.
- Tag: This lets you choose one of the following:
- issue: The CA is authorized to provide a certificate for this domain
- issuewild: the CA can issue wildcard certificates for this domain
- iodef: URL that the CA can use to send an error message, using the Incident Object Description Exchange Format.