What is a CAA record?

ClouDNS
2 min read · Sep 23, 2020

The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain. CAA records can set policy for the entire domain or for specific hostnames. They are also inherited by subdomains, so a CAA record set on domain.com will also apply to any subdomain, such as subdomain.domain.com (unless overridden). CAA records can control the issuance of single-name certificates, wildcard certificates, or both.

Why do you need a CAA record?

CAA records allow you to determine which certification authorities may issue certificates for your domain and subdomains. For that reason, it is always a good idea to control this via proper CAA record(s).

How to create a DNS CAA record?

Log in to your ClouDNS account, open your DNS zone management page, and click on Add new record. For Type choose CAA and fill in the fields as follows:

Flag

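All records have the default issuer critical flag value of 0, which means they are not critical. Flag 128 marks a record as critical: a CA that does not understand the property tag of a critical record must not issue a certificate for the domain.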

Type

Type allows you to choose how you want certificates to be issued by the CA. Each CAA record can contain only one tag-value pair.

issue: Explicitly authorizes a single certificate authority to issue a certificate (any type) for the hostname.

issuewild: Authorizes a certificate authority to issue certificates that specify a wildcard domain. Please note: for wildcard certificate requests, issuewild properties take precedence over issue properties when specified.

iodef: (Incident Object Description Exchange Format) Specifies how to report certificate issuance requests, or issued certificates, for the corresponding domain that violate the security policy of the issuer or the domain name holder.

Value

Specify the domain name of the CA provider to which the CAA record applies.
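How the flag, tag and value fields combine with subdomain inheritance when a CA checks a name, as an added Python example (not ClouDNS code) that follows the evaluation rules of RFC 8659. It works on an in-memory record set rather than live DNS; the CA domains ca-one.example and ca-two.example and all records are constructed for illustration.

```python
# Constructed sample zone data: owner name -> list of (flag, tag, value).
# ca-one.example and ca-two.example are placeholder CA domains.
ZONE = {
    "domain.com": [
        (0, "issue", "ca-one.example"),
        (0, "issuewild", "ca-two.example"),
        (0, "iodef", "mailto:security@domain.com"),
    ],
    "shop.domain.com": [(0, "issue", "ca-two.example")],  # overrides the parent
    "locked.domain.com": [(0, "issue", ";")],             # no CA may issue
    "new.domain.com": [(128, "futuretag", "x"), (0, "issue", "ca-one.example")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(hostname, zone):
    """Climb from hostname toward the root; the first name with CAA records wins."""
    labels = hostname.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]  # a wildcard name is checked at its parent
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def ca_may_issue(hostname, ca_domain, zone=ZONE):
    """Return True if ca_domain is authorized to issue for hostname."""
    records = relevant_rrset(hostname, zone)
    if not records:
        return True  # no CAA policy anywhere on the path: any CA may issue
    # Critical flag (128) on a tag this CA does not understand: refuse.
    if any(flag & 128 and tag.lower() not in KNOWN_TAGS for flag, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t.lower() == "issue"]
    issuewild = [v for _, t, v in records if t.lower() == "issuewild"]
    # For wildcard names, issuewild records replace issue records when present.
    allowed = issuewild if hostname.startswith("*.") and issuewild else issue
    if not allowed:
        return True  # only iodef or similar records: issuers are not restricted
    return any(v.split(";")[0].strip().lower() == ca_domain.lower() for v in allowed)
```
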

How to start managing CAA records for your domain name?

  1. Open a free trial account from here — free forever
  2. Verify your e-mail address
  3. Log in to your control panel
  4. Create a new Master DNS from the [add new] button — read more here
  5. Add the CAA record(s) you need as described in this article

Support of CAA records

ClouDNS provides full support for CAA records for all our DNS services. Just write to our technical support if you need any assistance with your CAA record configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.

FAQ

Question: What should my CAA record look like if I purchase an SSL certificate from ClouDNS?

Answer: The Certificate Authority we work with is Sectigo. Sectigo recognizes the following domain names in issue and issuewild property tags as permitting them to issue:

Originally published at https://www.cloudns.net.
