In this article, we explain how to set a CAA record within the DNS settings of your domain name.
A CAA (Certification Authority Authorization) record is a DNS record type, defined in RFC 6844 and revised in RFC 8659, that indicates which Certificate Authorities (CAs) may issue a TLS/SSL certificate for the relevant (sub)domain. Well-known Certificate Authorities include Comodo (now Sectigo) and Let's Encrypt.
Before issuing, a CA looks up CAA records starting at the exact name requested and walks up towards the root until it finds the first name that has CAA records. A CAA record on the root domain therefore applies to every subdomain below it, unless you set a separate CAA record for a specific subdomain (in which case that record, not the root's, governs the subdomain and everything below it).
In the CAA record, you specify which CA may issue which type of certificate: ordinary certificates for the primary domain or a subdomain, or Wildcard certificates.
If there is no CAA record anywhere in the chain from the requested name up to the root, any CA is allowed to issue a certificate for the domain. If there are one or more CAA records, only the CAs named in them may issue a certificate. Since September 2017 the CA/Browser Forum Baseline Requirements have obliged publicly trusted CAs to check CAA before issuing, so a missing or misconfigured CAA record is a real gap in your control over who can obtain certificates for your domain.
Where do I add a CAA record?
You can add all your DNS records easily and free of charge via your control panel. Go to the 'Domain & Hosting' tab and click the domain in the left column for which you want to set the CAA record.
Now scroll to 'Advanced Domain Settings', followed by 'DNS'. If you do not see this yet, first click the switch behind 'TransIP settings'. This will show an overview of your DNS records.
How do I set a CAA record?
A CAA record consists of a flag, a tag, and a value. The tag and value together form the property. The flag is a single byte that indicates whether the property is 'critical'; in the text form of a record it is written as a number, where 0 means non-critical and 128 (the top bit set) means critical. Written out, a complete CAA record looks like this:
@ CAA 0 issue "letsencrypt.org"
Here, @ stands for the primary domain for which the CAA record is set, and the type shows that it is a CAA record.
In the value of the CAA record, you can see the flag (0), the tag (issue) and the value ("letsencrypt.org") in that order. The value is the issuer domain name that the CA publishes for CAA purposes, not the CA's brand name.
To set a CAA record for a subdomain, you only enter the subdomain as the name. Our DNS software automatically adds your domain name in the background.
For example, to set a CAA record for the subdomain example.domainname.com, you enter 'example' as the name.
As a flag, you can enter a number between 0 and 255. Only the top bit is defined: 0 is non-critical and 128 is critical; the other bits are reserved and should be left at zero.
The critical flag (128) tells a CA that it must not issue a certificate if it does not understand the tag in that record. It is only needed for tags beyond the standard ones. Because the current setup of CAA records uses only the existing tags 'issue', 'issuewild' and 'iodef', which every CA that checks CAA understands, it suffices to specify 0 as the flag.
As mentioned, the tags 'issue', 'issuewild' and 'iodef' are the tags currently supported by CAA records.
The issue tag
The issue tag indicates which CA has permission to issue a certificate for the domain. In the example below, we give Let's Encrypt permission to issue certificates for the root domain (and, through inheritance, for all subdomains without a CAA record of their own):
@ CAA 0 issue "letsencrypt.org"
If you use several CAs, add one issue record per CA; a CA that is not listed will refuse to issue. Using a CAA record, you can also indicate that no Certificate Authority at all has permission to issue certificates for the domain. You do this by giving the CAA record a semicolon as the value:
@ CAA 0 issue ";"
The issuewild tag
By using the issuewild tag, you give a CA permission to issue a Wildcard certificate for the domain. A Wildcard certificate (for *.domainname.com) covers every name one label below your primary domain, regardless of whether some of those subdomains also have certificates of their own. Note that issuewild only governs Wildcard certificates, and only if it is present: if a domain has issue records but no issuewild record, the issue records apply to Wildcard requests as well. Conversely, if an issuewild record is present, a CA listed only under issue may not issue a Wildcard certificate.
In the example below, we grant Comodo permission to issue Wildcard certificates for the primary domain. As with the issue tag, the value must be the issuer domain name that Comodo (Sectigo) publishes for CAA, not the brand name.
Just like with the issue tag, for issuewild you can also deny all CAs permission to issue Wildcard certificates for the domain with the aid of a semicolon (issuewild ";"). Ordinary certificates are then still governed by your issue records, so this is a common way to allow normal certificates while forbidding Wildcards.
The iodef tag
The third tag that you can use for CAA records is the iodef tag. Its value is a URL, either a 'mailto:' address or an 'https:' endpoint, to which a CA can send an IODEF report when it receives a certificate request that violates your CAA policy (for example, a request to a CA that is not listed in your issue records). Support for sending these reports is optional for CAs, so treat iodef as a useful signal, not as a guarantee that you will be notified.
Below is an example of a CAA record that uses the iodef tag with a mailto: address:
@ CAA 0 iodef "mailto:security@domainname.com"
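The following script is an added example and not part of the original article or of TransIP's software. It implements the CAA evaluation a CA has to perform before issuing, as described in the sections above on inheritance, the critical flag, and the issue, issuewild and iodef tags: walk from the requested name up towards the root to find the relevant CAA record set, refuse if a critical property has an unknown tag, let issuewild take precedence over issue for Wildcard requests (falling back to issue when no issuewild exists), and treat ";" as "no CA". The zone data is constructed for the example; the issuer domain "comodoca.com" is assumed here to stand for Comodo and should be checked against the CA's own documentation before you rely on it.

```python
"""Evaluate a CAA policy the way a CA must before issuing (RFC 8659)."""
from dataclasses import dataclass

CRITICAL = 128          # bit 0 of the flags octet; written as 128 in zone-file form
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def parse_rdata(rdata: str) -> CAA:
    """Parse presentation-format RDATA such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = rdata.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone (not real DNS data): a root policy plus two subdomain policies.
# "comodoca.com" is an assumed issuer-domain-name standing in for Comodo.
ZONE = {
    "domainname.com": [
        parse_rdata('0 issue "letsencrypt.org"'),
        parse_rdata('0 issuewild "comodoca.com"'),
        parse_rdata('0 iodef "mailto:security@domainname.com"'),
    ],
    "example.domainname.com": [parse_rdata('0 issue ";"')],       # nobody may issue here
    "legacy.domainname.com": [parse_rdata('128 futuretag "x"')],  # critical, unknown tag
}


def relevant_rrset(zone, fqdn):
    """RFC 8659 section 3: walk from the FQDN toward the root; the first CAA RRset found wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def issuer_domain(value: str) -> str:
    """The issuer domain is the text before the first ';'; empty means 'no CA at all'."""
    return value.split(";", 1)[0].strip().lower()


def permitted(zone, fqdn, ca_domain):
    """Return (allowed, reason) for ca_domain issuing a certificate for fqdn ('*.x' = Wildcard)."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn   # a Wildcard lookup starts at the parent name
    src, rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no CAA RRset found; CAA does not restrict issuance"
    # A critical property the CA does not understand forbids issuance outright.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag not in KNOWN_TAGS:
            return False, f"critical unknown tag {rr.tag!r} at {src}"
    issue = [rr for rr in rrset if rr.tag == "issue"]
    issuewild = [rr for rr in rrset if rr.tag == "issuewild"]
    # issuewild governs Wildcards only when present; otherwise issue applies to both.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True, f"CAA at {src} has no issue/issuewild property; not restricted"
    if any(issuer_domain(rr.value) == ca_domain.lower() for rr in governing):
        return True, f"{ca_domain} is listed at {src}"
    return False, f"{ca_domain} is not listed at {src}"


def iodef_targets(zone, fqdn):
    """Where a CA should report a request that violates the policy."""
    _, rrset = relevant_rrset(zone, fqdn)
    return [rr.value for rr in rrset if rr.tag == "iodef"]


if __name__ == "__main__":
    for fqdn, ca in [("www.domainname.com", "letsencrypt.org"),
                     ("*.domainname.com", "letsencrypt.org"),
                     ("*.domainname.com", "comodoca.com"),
                     ("deep.example.domainname.com", "letsencrypt.org"),
                     ("*.example.domainname.com", "comodoca.com"),
                     ("legacy.domainname.com", "letsencrypt.org"),
                     ("other.org", "letsencrypt.org")]:
        ok, why = permitted(ZONE, fqdn, ca)
        print(f"{fqdn:30} {ca:16} {'ALLOW' if ok else 'DENY':5} {why}")
    print("reports go to:", iodef_targets(ZONE, "www.domainname.com"))
```

Two results are worth noticing when you run it: a Wildcard request for *.domainname.com by Let's Encrypt is denied even though Let's Encrypt is in the issue record, because the issuewild record takes precedence for Wildcards; and a Wildcard request under example.domainname.com is denied by that subdomain's issue ";" record, because no issuewild exists there and issue then applies to Wildcards too.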
In this article, we have given examples of the most common uses of the CAA record. For more information about the use of CAA records, we advise you to read RFC 8659, which defines them.
Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.