CAA DNS Records: Control Who Can Issue Certificates for Your Domain
CAA DNS records specify which CAs can issue TLS certificates for your domain. Prevent unauthorized certificate issuance and strengthen PKI.

Any publicly trusted Certificate Authority (CA) can issue a TLS certificate for any domain by default, as long as the requester passes the CA's domain validation. This means that if an attacker compromises, or defeats the validation checks of, even one of the hundreds of public CAs, they can obtain a certificate for your domain that every browser will accept. CAA (Certificate Authority Authorization) DNS records address this by stating explicitly which CAs are authorized to issue certificates for your domain.
How CAA Records Work
CAA is a DNS record type (RFC 8659, which replaced RFC 6844) that publicly trusted CAs are required by the CA/Browser Forum Baseline Requirements to check before issuing a certificate. The CA looks up CAA for the requested name, and if none exist there, for its parent names. If a CAA record set exists and the requesting CA is not listed in it, the CA must refuse to issue the certificate.
CAA Record Format
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issuewild "letsencrypt.org"
example.com. IN CAA 0 iodef "mailto:security@example.com"
CAA Record Properties
- Flags: normally 0. Setting bit 128 (the "issuer critical" flag) tells a CA that it must not issue if it does not understand that property tag; a CA that understands the tag processes it as usual.
- issue: authorizes the named CA to issue certificates for the domain. It also covers wildcard certificates unless an issuewild record is present.
- issuewild: authorizes the named CA to issue wildcard certificates. If any issuewild record exists, wildcard requests are judged by the issuewild records alone and the issue records are ignored; issuewild records are ignored for non-wildcard names.
- iodef: tells CAs where to report a request that violated your policy, either a mailto: address or an http(s) URL that accepts IODEF reports. Sending these reports is optional for CAs.
Why You Need CAA Records
- Prevent unauthorized certificates: a CA that is not listed must refuse issuance even when an attacker has found a way to pass its domain validation
- Reduce attack surface: limit the CAs whose compromise or mis-issuance could affect you to only those you actually use
- Compliance: frameworks such as SOC 2 and PCI DSS do not name CAA explicitly, but assessors and scanners increasingly expect it as evidence of PKI hygiene
- Incident detection: the iodef property tells CAs where to report a request that violated your policy, so CAs that implement reporting will notify you of attempted issuance
- Certificate Transparency complement: CT logs let you detect mis-issued certificates after the fact; CAA prevents issuance by unlisted CAs in the first place
Setting Up CAA Records
Step 1: Identify Your CAs
Determine which Certificate Authorities currently issue certificates for your domain, including its subdomains (crt.sh accepts % as a wildcard in the query, and adding output=json returns machine-readable results). Any CA you leave out of your CAA records will be unable to renew the certificates it has issued:
# Check Certificate Transparency logs
# Use crt.sh to see all certificates issued for your domain
# Visit: https://crt.sh/?q=example.com
Step 2: Create CAA Records
If you use Let's Encrypt only:
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild "letsencrypt.org"
example.com. CAA 0 iodef "mailto:security@example.com"
If you use multiple CAs:
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 issue "sectigo.com"
example.com. CAA 0 issuewild "letsencrypt.org"
example.com. CAA 0 iodef "mailto:security@example.com"
To block all certificate issuance (rarely needed):
example.com. CAA 0 issue ";"
Step 3: Add Records at Your DNS Provider
Most DNS providers support CAA records through their web interface:
- Cloudflare: DNS > Add Record > Type: CAA
- AWS Route 53: Create Record > CAA type
- Google Cloud DNS: Add Record Set > CAA
Step 4: Verify Your CAA Records
# Using dig
dig CAA example.com
# Expected output:
# example.com. 3600 IN CAA 0 issue "letsencrypt.org"
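Beyond reading dig output by eye, the following is an added Python script (standard library only; written for this article, it is not SecScanner's or dig's code) that sends a raw CAA query to a recursive resolver, decodes the wire format from RFC 8659 section 4.1 (one flags octet, one tag-length octet, the tag, then the value), and reports any issuer that is not on your allow list. The resolver address 1.1.1.1 and the allow list in the usage block are assumptions; SAMPLE_RESPONSE is a constructed answer for example.com used for offline testing, not a captured packet.

```python
"""Fetch and audit CAA records using only the Python standard library."""
import random
import socket
import struct
import sys

CAA_TYPE = 257   # RR type code for CAA (RFC 8659)
CLASS_IN = 1


def build_query(domain, txid):
    """Build a recursion-desired DNS query for <domain> CAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in domain.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", CAA_TYPE, CLASS_IN)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two octets, ends the name
            return off + 2
        off += 1 + length


def parse_caa_answers(msg):
    """Decode every CAA RR in the answer section as (flags, tag, value)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    if flags & 0x0200:
        raise ValueError("answer truncated; retry over TCP")
    if flags & 0x000F:
        raise ValueError(f"DNS error, RCODE={flags & 0x000F}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != CAA_TYPE:                # e.g. a CNAME in the chain
            continue
        caa_flags, tag_len = rdata[0], rdata[1]
        tag = rdata[2:2 + tag_len].decode("ascii").lower()
        value = rdata[2 + tag_len:].decode("utf-8")
        records.append((caa_flags, tag, value))
    return records


def query_caa(domain, resolver="1.1.1.1", timeout=3.0):
    """Live lookup over UDP; resolver address is an assumption, change as needed."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain, txid), (resolver, 53))
        msg, _ = sock.recvfrom(4096)
    if struct.unpack_from("!H", msg, 0)[0] != txid:
        raise ValueError("transaction ID mismatch")
    return parse_caa_answers(msg)


def issuers(records):
    """Issuer domains named by issue/issuewild; the 'no CA' value ';' is returned as ';'."""
    return {value.split(";", 1)[0].strip().lower() or ";"
            for _, tag, value in records if tag in ("issue", "issuewild")}


def unexpected_issuers(records, allowed):
    """Issuer domains present in the records that are not on your allow list."""
    allowed = {a.lower() for a in allowed}
    return {i for i in issuers(records) if i != ";" and i not in allowed}


def _sample_response():
    """Constructed wire-format answer for example.com (not captured from the network)."""
    question = b"\x07example\x03com\x00" + struct.pack("!HH", CAA_TYPE, CLASS_IN)

    def rr(flags, tag, value):
        rdata = bytes([flags, len(tag)]) + tag + value
        return b"\xc0\x0c" + struct.pack("!HHIH", CAA_TYPE, CLASS_IN, 3600, len(rdata)) + rdata

    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    return (header + question
            + rr(0, b"issue", b"letsencrypt.org")
            + rr(0, b"iodef", b"mailto:security@example.com"))


SAMPLE_RESPONSE = _sample_response()

if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    recs = query_caa(domain)
    for f, t, v in recs:
        print(f'{domain}. CAA {f} {t} "{v}"')
    drift = unexpected_issuers(recs, {"letsencrypt.org"})   # assumed allow list
    sys.exit(1 if drift or not recs else 0)
```

Run it from a scheduled job with your real allow list and treat a nonzero exit (an unexpected issuer, or no CAA records at all) as a configuration drift alert. The script raises on a truncated answer rather than silently auditing a partial record set.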
CAA and Subdomains
CAA records follow the DNS hierarchy. When a name has no CAA records, the CA walks up toward the root and uses the closest ancestor that has any; only that one record set counts, and records from different levels are never merged. This means:
- A CAA record on example.com applies to all subdomains by default
- A subdomain with its own CAA records overrides the parent's records completely, so it must list every CA it needs
- You can set different CAs for different subdomains if needed
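To make the property semantics and the parent walk concrete, here is an added Python model of how a CA evaluates CAA under RFC 8659. It is example code written for this article, not code from any CA or from SecScanner. The ZONE table is constructed sample data and the names in it (shop, locked, legacy) are hypothetical; it strips the leading "*." from a wildcard request before the lookup, a simplification that matches common CA practice, and it parses but does not enforce RFC 8657-style parameters after a semicolon such as validationmethods.

```python
"""Offline model of a CA's CAA decision (RFC 8659 sections 3 and 4)."""
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # tags this model "understands"


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self):
        return bool(self.flags & 0x80)       # issuer critical flag


def parse_caa(text):
    """Parse presentation format: <flags> <tag> "<value>"."""
    flags, tag, value = text.split(maxsplit=2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone data (not real DNS): owner name -> CAA records in presentation format
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"', '0 issue "digicert.com"',
                    '0 issuewild "letsencrypt.org"',
                    '0 iodef "mailto:security@example.com"'],
    "shop.example.com": ['0 issue "sectigo.com"'],          # overrides the parent entirely
    "locked.example.com": ['0 issue ";"'],                  # no CA may issue
    "legacy.example.com": ['128 futuretag "x"', '0 issue "digicert.com"'],
}


def relevant_rrset(zone, name):
    """Closest name, walking toward the root, that has CAA records (RFC 8659 section 3)."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        candidate = ".".join(labels)
        if candidate in zone:
            return [parse_caa(r) for r in zone[candidate]]
        labels.pop(0)
    return []


def issuer_domain(value):
    """issuer-domain-name before any ';' parameters; '' means 'no CA may issue'."""
    return value.split(";", 1)[0].strip().lower()


def parameters(value):
    """Key=value parameters after the issuer domain, e.g. validationmethods=dns-01."""
    params = {}
    for item in value.split(";")[1:]:
        if "=" in item:
            key, val = item.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return params


def may_issue(zone, requested_name, ca_domain):
    """Return True if ca_domain is permitted to issue for requested_name."""
    wildcard = requested_name.startswith("*.")
    lookup = requested_name[2:] if wildcard else requested_name   # simplification: strip "*."
    rrset = relevant_rrset(zone, lookup)
    # A critical flag on a tag the CA does not understand forbids issuance outright.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    # Wildcard requests use issuewild when any issuewild exists; otherwise issue governs.
    # issuewild is ignored for non-wildcard names.
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        selector = "issuewild"
    else:
        selector = "issue"
    applicable = [r for r in rrset if r.tag == selector]
    if not applicable:
        return True    # no restriction expressed for this kind of name
    return any(issuer_domain(r.value) == ca_domain.lower() for r in applicable)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "digicert.com"), ("*.example.com", "digicert.com"),
                     ("shop.example.com", "letsencrypt.org"), ("legacy.example.com", "digicert.com")]:
        print(f"{ca:16} -> {name:22} {'allowed' if may_issue(ZONE, name, ca) else 'REFUSED'}")
```

Note the two cases that surprise people: shop.example.com refuses letsencrypt.org because its own record set replaces the parent's rather than adding to it, and legacy.example.com refuses everyone because an unknown tag carries the critical flag.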
Common CAA Configuration Patterns
Basic: Single CA
Most sites use a single CA, and one CA is the simplest and most secure configuration. List it in issuewild as well as issue: issue alone already covers wildcard certificates when no issuewild record exists, but the explicit record keeps the wildcard policy from silently widening when you add a second issue record later:
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild "letsencrypt.org"
Separate Wildcard Policy
Allow standard certificates from multiple CAs but restrict wildcards to one. Setting the issuewild value to ";" instead forbids wildcard certificates entirely while leaving the issue records in effect:
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 issuewild "letsencrypt.org"
CAA Limitations
- Not enforced by browsers: CAA is checked by CAs at issuance time, not by browsers when connecting. A mis-issued certificate still validates, which is why Certificate Transparency monitoring is still needed.
- Issuance-time only: records you add today do not affect certificates that were issued before; those stay valid until they expire or are revoked.
- DNS compromise: an attacker who can change your DNS records, or your registrar or DNS provider account, can change or remove CAA records too. DNSSEC protects against spoofed and tampered responses on the wire, not against a compromised administrator account.
- CA compliance: public CAs are required to check CAA, but a buggy or rogue CA might not. A CA you have authorized can itself be compromised; CAA narrows which CAs matter, it does not eliminate CA risk.
CAA Records Checklist
- Audit which CAs currently issue certificates for your domain
- Create CAA records listing only the CAs you use
- Add issuewild records to control wildcard certificate issuance
- Set up iodef for violation notifications
- Verify records with dig or DNS lookup tools
- Enable DNSSEC to protect CAA records from tampering
- Run a SecScanner scan to verify CAA record configuration
CAA records are a simple but effective defense layer for your TLS infrastructure. Combined with Certificate Transparency monitoring, they provide both proactive prevention and reactive detection of unauthorized certificate issuance.