A CAA record (Certification Authority Authorization) is a relatively new DNS record type that specifies which CAs (Certificate Authorities) are allowed to issue SSL/TLS certificates for a domain. A CA is an organization that is trusted by browsers and operating systems to issue such certificates. Before issuing, a CA must look up the CAA records for the name; if your record lists only CA #1 and a certificate is requested from CA #2, CA #2 must refuse the request. Note that CAA is enforced by the CA at issuance time only: it does not affect certificates that already exist, and it does not stop a rogue CA that ignores the check, so it is a safeguard against mis-issuance rather than a replacement for monitoring Certificate Transparency logs.
Example of a CAA record:
@ 300 CAA 0 issuewild "comodo.com"
The different parts of this CAA record have the following meaning:
- 0: This is the 'flag' of the record. The flag is an 8-bit field, so syntactically any value from 0 to 255 is accepted, but only two values are defined: 0 (no flags) and 128 (the "issuer critical" bit, meaning a CA that does not understand the tag of this record must refuse to issue). In most cases entering a 0 will suffice. See RFC 8659 (which replaces the original RFC 6844) for more information regarding this flag.
- issuewild: This is the 'tag' of the record. This states that wildcard certificates may be provided by the CA that follows. There are 3 different 'tags' that may be used:
- issue: This states explicitly that a 'regular' SSL certificate may be provided by the 'CA' that follows after.
- issuewild: This states explicitly that a 'wildcard' SSL certificate may be provided by the 'CA' that follows after.
- iodef: This tag lets you set an address to which a CA may send a report when it receives a certificate request that your CAA records do not permit. The value is a URL: a 'mailto:' address or an 'https:' endpoint that accepts the incident report format. Reporting is optional for the CA, so do not rely on receiving a report for every refused request.
- "comodo.com": This is the 'CA' that is given permission to issue certificates for your (sub)domain. Common examples are "comodo.com", "symantec.com" and "letsencrypt.org". Use exactly the identifier your CA documents for CAA; a value that does not match the CA's published identifier will cause the CA to refuse issuance. A value of ";" (a lone semicolon) means that no CA at all may issue that kind of certificate, which is useful for domains that should never receive a certificate. When using the 'iodef' tag, use a 'mailto:' reference instead of a CA name. For example: "mailto:firstname.lastname@example.org".
In case you want to allow several CAs to issue certificates, add a separate CAA record for each CA; a single record holds exactly one tag and one value. The same applies to the 'iodef' tag: this always needs its own extra record. Also keep in mind that if you publish only 'issue' records and no 'issuewild' record, the 'issue' records also govern wildcard certificates; an 'issuewild' record, once present, takes over for wildcard requests.
If you want to set a CAA record for a subdomain, replace the @ with the name of the subdomain. A CA looks for CAA records at the requested name first and then walks up towards the parent domain, so a subdomain without its own CAA records inherits the policy of the closest parent that has one, and a subdomain with its own CAA records overrides the parent policy for that name and everything below it. If no CAA records exist anywhere in the chain, any CA may issue. For example:
subdomain 300 CAA 0 issue "letsencrypt.org"
Below some examples of CAA records can be found:
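To make the rules above concrete (flags, the three tags, the ";" value, and the parent-domain lookup for subdomains), here is an added example that is not part of the original article: a small Python model of the decision a CA makes before issuing, following the RFC 8659 semantics described in this article. The zone contents, the hostnames (example.com and its subdomains) and the CA identifiers are constructed sample data, not records of any real domain.

```python
"""Model of the CAA check a CA performs before issuing (RFC 8659 semantics).

Added example, not code from the original article. The ZONE data below is
constructed: example.com and its subdomains are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRITICAL = 128                       # the only defined flag bit: "issuer critical"
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone data: name -> CAA RRset, as the records would appear in DNS.
ZONE: Dict[str, List[CAA]] = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),              # regular certs: Let's Encrypt only
        CAA(0, "issuewild", "comodo.com"),               # wildcard certs: Comodo only
        CAA(0, "iodef", "mailto:firstname.lastname@example.org"),
    ],
    "locked.example.com": [CAA(0, "issue", ";")],        # ";" = no CA may issue
    "strict.example.com": [CAA(CRITICAL, "futuretag", "x")],  # critical tag a CA may not know
}


def find_caa(name: str, zone: Dict[str, List[CAA]] = ZONE) -> Tuple[Optional[str], List[CAA]]:
    """Walk from the requested name towards the root; the first name that has
    a CAA RRset decides the policy (subdomains without records inherit)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return candidate, zone[candidate]
    return None, []


def issuer_of(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org';
    a value of ';' yields '' which matches no CA."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name: str, ca: str, zone: Dict[str, List[CAA]] = ZONE) -> Tuple[bool, str]:
    """Return (allowed, reason) for CA `ca` issuing a certificate for `name`.
    A leading '*.' marks a wildcard request; the lookup starts at the parent."""
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    origin, rrset = find_caa(name, zone)
    if not rrset:
        return True, "no CAA records in the chain: any CA may issue"
    # A record with the critical flag and an unknown tag forbids issuance.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical tag {rr.tag!r} at {origin} is not understood"
    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    # issuewild governs wildcards only when present; otherwise issue applies.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, f"no applicable issue/issuewild records at {origin}"
    allowed = {issuer_of(rr.value) for rr in relevant}
    if ca.lower() in allowed:
        return True, f"{ca} is listed at {origin}"
    return False, f"{ca} is not listed at {origin} (allowed: {sorted(allowed - {''})})"


def iodef_targets(name: str, zone: Dict[str, List[CAA]] = ZONE) -> List[str]:
    """Where a CA may report a refused request for `name`."""
    _, rrset = find_caa(name, zone)
    return [rr.value for rr in rrset if rr.tag.lower() == "iodef"]


if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "comodo.com"),
                     ("*.example.com", "comodo.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("deep.locked.example.com", "letsencrypt.org"),
                     ("strict.example.com", "letsencrypt.org"),
                     ("other.org", "letsencrypt.org")]:
        ok, why = may_issue(host, ca)
        print(f"{host:26} {ca:16} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Two points the example illustrates that are easy to miss when writing the records: "issuewild" on its own does not restrict regular certificates, and a subdomain with no CAA records of its own silently inherits the parent's policy, which is why the "locked" policy above also blocks deeper names.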