What is a CAA Record?
A CAA (Certification Authority Authorization) record is a DNS record type (RFC 8659) with which a domain owner names the Certificate Authorities (CAs) permitted to issue SSL/TLS certificates for that domain. It is a policy that the CA itself must look up and honour before issuing, so it stops a compliant CA from issuing a certificate nobody authorised, for example after a mistaken domain validation. It does not bind a CA that has been compromised and skips the check; detecting that still requires Certificate Transparency monitoring.
Why CAA Records Matter
Without CAA records, any of the many publicly trusted CAs could issue a certificate for your domain. This creates risk:
- Mis-issuance: CAs occasionally validate domain control incorrectly and issue certificates they should not
- Social engineering: an attacker may trick a CA's validation process or staff into issuing a certificate for your domain
- CA compromise: an attacker inside a CA can issue for any domain; CAA cannot stop a CA that ignores the check, but it does make any certificate from a CA you have not listed unambiguously mis-issued, which turns Certificate Transparency monitoring into something you can act on
CAA records reduce attack surface by restricting which CAs will issue for your domain.
How CAA Works
1. Domain owner publishes CAA records in DNS
2. Certificate requester asks a CA for a certificate
3. CA looks up the CAA records for each name on the certificate, walking up toward the root if the exact name has none
4. CA issues only if a CAA record authorises it (or no CAA records exist anywhere up the tree)
5. Otherwise the CA must refuse the request, and may report it to the iodef address if one is published
Mandatory CA Checking
Since 8 September 2017, the CA/Browser Forum Baseline Requirements (ballot 187) have required every publicly trusted CA to check CAA before issuing. The check must be made at issuance, or no earlier than the record's TTL or 8 hours before it, whichever is greater. One gap to know about: the Baseline Requirements let a CA treat a failed CAA lookup as permission to issue if the failure is outside the CA's own infrastructure, the lookup was retried, and the zone has no DNSSEC validation chain to the root.
CAA Record Format
example.com. IN CAA 0 issue "letsencrypt.org"
Components:
- 0: Flags. Only one bit is defined, the issuer-critical flag (value 128). 0 = non-critical; 128 = critical, meaning a CA that does not understand the tag must not issue
- issue/issuewild/iodef: Property tag (matched case-insensitively)
- "letsencrypt.org": Property value. For issue and issuewild this is the CA's issuer domain name, optionally followed by semicolon-separated parameters the CA defines (RFC 8657 adds accounturi and validationmethods, which Let's Encrypt honours); a value of just ";" authorises no CA at all
Property Tags
| Tag | Purpose | Example |
|---|---|---|
| issue | Authorise a CA for names that are not wildcards | issue "letsencrypt.org" |
| issuewild | Authorise a CA for wildcard names such as *.example.com; if no issuewild record exists, the issue records govern wildcards too, and issuewild records are ignored for non-wildcard names | issuewild "digicert.com" |
| iodef | A mailto: or https: URL to which a CA may report a request it refused because of CAA; reporting is optional for the CA | iodef "mailto:security@example.com" |
CAA Record Examples
Single CA (Let's Encrypt only)
example.com. CAA 0 issue "letsencrypt.org"
Multiple CAs
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 issue "sectigo.com"
Wildcard Restriction
Allow Let's Encrypt for non-wildcard names and only DigiCert for wildcards such as *.example.com (the issuewild record replaces the issue record for wildcard requests):
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild "digicert.com"
Deny All (No Certificates)
Useful for domains that should never have certificates; with no issuewild record present, the ";" applies to wildcard names as well:
example.com. CAA 0 issue ";"
With Reporting
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 iodef "mailto:security@example.com"
Common CA Identifiers
| CA | Identifier |
|---|---|
| Let's Encrypt | letsencrypt.org |
| DigiCert | digicert.com |
| Sectigo (Comodo) | sectigo.com |
| GlobalSign | globalsign.com |
| GoDaddy | godaddy.com |
| Amazon | amazon.com |
| Google Trust Services | pki.goog |
Check your CA's documentation for the exact identifier to use; some CAs accept several (legacy brand domains, or different domains for different products).
Implementing CAA Records
Via DNS Provider
Most DNS providers have CAA record support in their interface.
Via Zone File
; Allow Let's Encrypt and DigiCert
@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issue "digicert.com"
@ IN CAA 0 iodef "mailto:security@example.com"
CAA Inheritance
A CA starts at the exact name on the certificate (the base name, for a wildcard) and walks up one label at a time until it finds a CAA record set; that first set is the only one consulted:
- If example.com has CAA records, they govern every subdomain that publishes none of its own
- A subdomain with its own CAA records replaces the parent's records for that name (the sets are not merged)
- If a name is a CNAME, the CAA lookup follows it, so the alias target's records are consulted before the parent's
- No CAA records anywhere up to the root = any CA can issue
example.com. CAA 0 issue "letsencrypt.org" ; Applies to every name below example.com that has no CAA of its own
api.example.com. CAA 0 issue "digicert.com" ; Overrides the parent for api.example.com and names below it
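An added example, written for this page rather than taken from DomScan or any CA, of the CA-side decision described under How CAA Works, the issue/issuewild/";" rules from the record examples above, and the inheritance rules in this section. It parses a constructed zone-file fragment (sample data, not real DNS) and applies the RFC 8659 lookup and authorisation logic; the function and record names are my own.

```python
"""Added example (not DomScan's or any CA's code): the CA-side CAA decision
from RFC 8659, run over a constructed in-memory zone so the inheritance,
issue/issuewild and ";" rules can be exercised offline."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample zone in presentation form; not real DNS data.
SAMPLE_ZONE = """
example.com.         300 IN CAA 0 issue "letsencrypt.org"        ; non-wildcard names
example.com.         300 IN CAA 0 issuewild "digicert.com"       ; wildcard names only
example.com.         300 IN CAA 0 iodef "mailto:security@example.com"
api.example.com.     300 IN CAA 0 issue "digicert.com"           ; replaces the parent's set
locked.example.com.  300 IN CAA 0 issue ";"                      ; nobody may issue
future.example.com.  300 IN CAA 128 exampletag "x"               ; critical flag on a made-up tag
"""

RR_LINE = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(?P<flags>\d+)\s+'
    r'(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*(?:;.*)?$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & 0x80)  # issuer-critical flag, value 128


def parse_zone(text: str) -> dict[str, list[CAARecord]]:
    """Group CAA lines by owner name (lower-cased, fully qualified)."""
    zone: dict[str, list[CAARecord]] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = RR_LINE.match(raw.strip())
        if not m:
            raise ValueError(f"not a CAA record: {raw!r}")
        rec = CAARecord(int(m["flags"]), m["tag"].lower(), m["value"])
        zone.setdefault(m["name"].lower(), []).append(rec)
    return zone


def relevant_rrset(zone: dict, name: str) -> tuple[str | None, list[CAARecord]]:
    """RFC 8659 section 3: use the CAA set at the name, otherwise climb one label
    at a time toward the root; the first non-empty set found is the only one used."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        owner = ".".join(labels) + "."
        if zone.get(owner):
            return owner, zone[owner]
        labels = labels[1:]
    return None, []


def issuer_domain(value: str) -> str:
    """'digicert.com; accounturi=...' -> 'digicert.com'; ';' -> '' (no issuer)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: dict, name: str, ca: str) -> tuple[bool, str]:
    """Decide whether the CA identified by issuer domain `ca` may issue for
    `name`; a leading '*.' marks a wildcard request."""
    wildcard = name.startswith("*.")
    owner, rrset = relevant_rrset(zone, name[2:] if wildcard else name)
    if not rrset:
        return True, "no CAA records up the tree: any CA may issue"
    unknown = [r.tag for r in rrset if r.critical and r.tag not in KNOWN_TAGS]
    if unknown:
        return False, f"critical tag {unknown[0]!r} at {owner} is not understood"
    if wildcard:
        # RFC 8659 section 4.3: issuewild records, if any, replace issue for wildcards
        relevant = ([r for r in rrset if r.tag == "issuewild"]
                    or [r for r in rrset if r.tag == "issue"])
    else:
        relevant = [r for r in rrset if r.tag == "issue"]  # issuewild is ignored
    if not relevant:
        return True, f"CAA at {owner} does not restrict this request"
    allowed = {issuer_domain(r.value) for r in relevant} - {""}
    if ca.lower() in allowed:
        return True, f"{ca} is authorised by CAA at {owner}"
    return False, f"{ca} is not in {sorted(allowed) or 'an empty issuer set'} at {owner}"


def iodef_targets(zone: dict, name: str) -> list[str]:
    """Where a CA may report a request for `name` that it refused."""
    _, rrset = relevant_rrset(zone, name[2:] if name.startswith("*.") else name)
    return [r.value for r in rrset if r.tag == "iodef"]


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for req, ca in [("www.example.com", "letsencrypt.org"),
                    ("*.example.com", "letsencrypt.org"),
                    ("api.example.com", "letsencrypt.org"),
                    ("*.locked.example.com", "digicert.com"),
                    ("future.example.com", "letsencrypt.org")]:
        ok, why = may_issue(zone, req, ca)
        print(f"{req:24} {ca:16} {'ISSUE ' if ok else 'REFUSE'} {why}")
```

The tree climb in relevant_rrset is why a wildcard request for *.api.example.com is decided by api.example.com's issue record (no issuewild there, so issue governs wildcards too), why *.example.com refuses Let's Encrypt (the parent's issuewild replaces its issue record for wildcards), and why future.example.com refuses everything: a critical flag on a tag the CA does not recognise is a hard stop for a compliant CA.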
Checking CAA Records
Using dig:
dig example.com CAA
; ANSWER SECTION:
example.com. 300 IN CAA 0 issue "letsencrypt.org"
Using DomScan:
curl "https://domscan.net/v1/health?domain=example.com"
# Reports hasCAA in security details
CAA Best Practices
1. Always configure CAA: reduce your attack surface
2. Include all CAs you use: don't forget the CAs behind your CDN, load balancer or cloud provider's managed certificates
3. Set up iodef: CAs are not obliged to send reports, but those that do give you early warning of unauthorised attempts
4. Test before relying on it: after publishing, request a certificate from each CA you use (a CA's staging environment is enough, where it offers one) and query the records for every subdomain that carries its own
5. Keep records updated: add a new CA before requesting certificates from it, and remember a CA may reuse a CAA result for up to 8 hours
6. Sign the zone with DNSSEC: the Baseline Requirements let a CA issue when the CAA lookup fails outside its own infrastructure and the zone has no DNSSEC chain to the root, so on an unsigned zone an attacker who can disrupt or spoof your DNS can get past the check
Common CAA Issues
- Certificate renewal fails: the CA is not in your CAA records; add it before the certificate expires
- CDN certificates fail: the CDN provider's CA is not authorised; check which CA your CDN uses
- Missing subdomain CAA: a child inherits the parent's records; set specific records where needed
CAA is a simple but powerful security control that every domain should implement.