I want to add a CAA record for my domain name

A CAA record is a relatively new DNS record that specifies which CAs (Certificate Authorities) are allowed to issue SSL certificates for a domain. A CA is an organization that is certified to issue SSL certificates. If your record lists CA #1 but an SSL certificate is requested at CA #2, this request will be denied.

Example of a CAA record


The different sections of this CAA record have the following meaning:

  • 0: This is the 'flag' of the record. At this time only 0 and 128 are valid values (although you can enter anything between 0 and 254), but in most cases entering a 0 will suffice for the record. See the RFC for more information regarding this 'flag'.
  • issuewild: This is the 'tag' of the record. This states that wildcard certificates may be provided by the CA that follows. There are 3 different 'tags' that may be used:
    - issue: This states explicitly that a 'regular' SSL certificate may be provided by the 'CA' that follows.
    - issuewild: This states explicitly that a 'wildcard' SSL certificate may be provided by the 'CA' that follows.
    - iodef: This tag lets you set a mail address to which a 'CA' will send a report when a certificate is requested at a CA that is not listed (in another CAA record).
  • "comodo.com": This is the 'CA' which is given permission to issue certificates for your (sub)domain. Common examples are "comodo.com", "symantec.com" & "letsencrypt.org". When using the 'iodef' tag, use a 'mailto' reference. For example: "mailto:caa-misuse@yourdomainname.com".

If you want to allow several CAs to issue certificates, you can add several separate CAA records. The same applies if you want to use the 'iodef' tag; this always needs to be done via an extra record.

If you want to set a CAA-record for a subdomain, you need to replace the @ with the name of the subdomain. For example:
subdomain	300	CAA	0 issue "letsencrypt.org"

Some more examples of CAA records can be found here: More examples for CAA records
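
To check what a set of CAA records actually permits before publishing it, the added example below (not part of the original article) parses records in the layout shown above and answers whether a given CA may issue a regular or a wildcard certificate. It goes beyond the article by applying the RFC 8659 rules that 'issuewild' replaces 'issue' for wildcard requests and that flag 128 on an unknown tag blocks issuance. The names SAMPLE_ZONE, parse_caa and may_issue are assumptions, the sample records are constructed, and only the exact name is checked (a real CA also looks at parent domains).

```python
import shlex

# Constructed sample records in the article's "name TTL CAA flag tag value" layout.
SAMPLE_ZONE = '''
@          300 CAA 0 issue "letsencrypt.org"
@          300 CAA 0 issuewild "comodo.com"
@          300 CAA 0 iodef "mailto:caa-misuse@yourdomainname.com"
subdomain  300 CAA 0 issue "letsencrypt.org"
'''

def parse_caa(zone_text):
    """Return {name: [(flag, tag, value), ...]} for every CAA line."""
    records = {}
    for line in zone_text.splitlines():
        fields = shlex.split(line)  # also strips the quotes around the value
        if len(fields) != 6 or fields[2].upper() != "CAA":
            continue
        name, _ttl, _type, flag, tag, value = fields
        records.setdefault(name, []).append((int(flag), tag.lower(), value))
    return records

def may_issue(records, name, ca, wildcard=False):
    """Decide whether `ca` may issue for `name` (exact name only, no parent lookup)."""
    rrset = records.get(name, [])
    known = {"issue", "issuewild", "iodef"}
    # Flag 128 (critical) on a tag the CA does not understand blocks issuance.
    if any(flag & 128 and tag not in known for flag, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # For wildcard requests, issuewild records (if any) replace the issue records.
    relevant = issuewild if wildcard and issuewild else issue
    if not relevant:
        return True  # nothing restricts this kind of request
    # Ignore parameters after ';'. A bare ";" value authorises no CA at all.
    allowed = {v.split(";")[0].strip().lower() for v in relevant}
    return ca.lower() in allowed

if __name__ == "__main__":
    recs = parse_caa(SAMPLE_ZONE)
    for ca in ("letsencrypt.org", "comodo.com"):
        for wild in (False, True):
            print(ca, "wildcard" if wild else "regular", may_issue(recs, "@", ca, wild))
```

With the sample records, "comodo.com" is accepted only for wildcard certificates on @, because the 'issuewild' record takes over from the 'issue' record for that kind of request.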
