CAA Record (Certification Authority Authorization)
Why You Should Care About CAA Records
CAA records add a layer of defense against unauthorized certificate issuance. A CAA record is a DNS record in which the domain owner lists the certificate authorities permitted to issue certificates for that domain. Without one, any of the hundreds of publicly trusted CAs can issue a certificate for your domain as soon as someone passes its domain validation. With CAA records published, every publicly trusted CA is required (by the CA/Browser Forum Baseline Requirements, following RFC 8659) to look them up before issuing and to refuse when it is not listed, which shrinks the set of CAs that can be tricked, or can bug their way, into issuing for you.
This matters because CA misissuance incidents have occurred repeatedly. By setting CAA records, you limit the exposure to the CAs you actually use. If you only use Let's Encrypt, a CAA record authorizing only letsencrypt.org means every other CA that follows the rules will reject a request for your domain, even if an attacker has defeated that CA's domain validation. The caveat is that CAA is checked by the CA at issuance time and never by browsers, so it does not stop a CA whose signing keys are fully compromised or that simply ignores the record; monitoring Certificate Transparency logs is what catches those cases.
CAA records also support the "iodef" tag, which gives a mailto: or https: URL where a CA can report requests it rejected under your policy. The RFC leaves acting on it optional for CAs, so treat such reports as extra visibility into attacks or misconfigurations rather than a guarantee. Setting up CAA records is a quick, free security improvement that every domain should implement.
Checking Your Setup
A DNS health checker shows the CAA records that apply to your host and validates that they authorize the CA that issued your current certificate. Two details matter when reading the result. First, CAs use the record set on the exact name or, if it has none, the closest parent that has one, so a record on example.com covers every subdomain until a subdomain publishes its own set, which then takes precedence for that subtree. Second, if no CAA records exist anywhere up the tree, any CA may issue for your domain. You can see the same data yourself by querying the CAA record type with dig. Add CAA records authorizing only the CA(s) you use, and an issuewild record if wildcard issuance should be restricted separately.
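The rules described above (closest-ancestor lookup, issue versus issuewild, the critical flag, and the iodef tag) are small enough to run offline. The following Python is an added example, not code from the original page or from any DNS checker product; it evaluates a constructed in-memory zone with RFC 8659 semantics and ends with a check_setup function that mirrors the health check described in this section. All names, records and CA identifiers in it are made-up fixtures.

```python
"""Added example, not code from the original page: an offline evaluator of the
CAA issuance rules the page describes (RFC 8659 semantics), run against a
constructed in-memory zone.  Every name, record and CA identifier below is a
made-up fixture, not real DNS data."""

from dataclasses import dataclass

CRITICAL = 128                      # issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 or 128
    tag: str     # issue / issuewild / iodef / anything a CA might not understand
    value: str   # CA identifier (optionally "; param=value"), ";" alone, or a URL


# Constructed zone: CAA record sets keyed by owner name.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),                      # no CA may issue wildcards
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [
        CAARecord(0, "issue", "digicert.com; validationmethods=dns-01"),
    ],
    "strict.example.com": [
        CAARecord(CRITICAL, "futuretag", "x"),               # critical tag CAs don't know
    ],
}


def relevant_rrset(zone, name):
    """Closest non-empty CAA set on the name or one of its ancestors (RFC 8659 sec. 3)."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        owner = ".".join(labels)
        if zone.get(owner):
            return owner, zone[owner]
        labels = labels[1:]
    return None, []


def issuer_of(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone, name, ca):
    """Decide whether CA `ca` may issue for `name` ('*.x' requests a wildcard).
    Returns (allowed, reason)."""
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]                       # the wildcard label itself carries no CAA
    owner, rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no CAA record set found: any CA may issue"
    for r in rrset:                           # unknown critical property => refuse
        if r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag {r.tag!r} at {owner}"
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"                     # issuewild governs wildcards when present
    allowed = {issuer_of(r.value) for r in rrset if r.tag.lower() == tag}
    if not allowed:
        return True, f"no {tag} property at {owner}: issuance unrestricted"
    if ca.lower() in allowed:
        return True, f"{ca} listed in {tag} at {owner}"
    return False, f"{ca} not listed in {tag} at {owner} (allowed: {sorted(allowed)})"


def iodef_urls(zone, name):
    """Where a CA could report a request rejected by the relevant record set."""
    _, rrset = relevant_rrset(zone, name[2:] if name.startswith("*.") else name)
    return [r.value for r in rrset if r.tag.lower() == "iodef"]


def check_setup(zone, host, current_ca):
    """Mirror of the health check described above: does CAA authorize the CA that
    issued the current certificate, and is wildcard issuance locked down?"""
    owner, rrset = relevant_rrset(zone, host)
    ok, why = may_issue(zone, host, current_ca)
    wild_ok, _ = may_issue(zone, "*." + host, current_ca)
    return {
        "caa_present": bool(rrset),
        "caa_owner": owner,
        "current_ca_authorized": ok,
        "wildcard_allowed_for_current_ca": wild_ok,
        "iodef": iodef_urls(zone, host),
        "detail": why,
    }


if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("legacy.example.com", "digicert.com"),
                     ("app.strict.example.com", "letsencrypt.org"),
                     ("other.invalid", "anyca.example")]:
        print(f"{host:24} {ca:16} -> {may_issue(ZONE, host, ca)}")
    print(check_setup(ZONE, "www.example.com", "letsencrypt.org"))
```

Note what the fixtures exercise: www.example.com inherits example.com's records, legacy.example.com overrides them for its own subtree, the issuewild ";" entry denies wildcards to everyone (including the CA named in issue), a wildcard under a name without issuewild falls back to issue, and the critical unknown tag on strict.example.com blocks all issuance below it. To run it against real DNS you would replace ZONE with the answers from a CAA query.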
Settings Overview
| Parameter | Value |
|---|---|
| Record Type | CAA |
| Flag | 0 (non-critical) or 128 (critical: a CA that does not understand the tag must not issue) |
| Tag: issue | Authorize a CA (by its published CAA identifier, e.g. letsencrypt.org) to issue non-wildcard certificates; a value of ";" forbids all CAs |
| Tag: issuewild | Authorize a CA to issue wildcard certificates; when absent, the issue records govern wildcards too |
| Tag: iodef | mailto: or https: URL where a CA may report requests it rejected under this policy |
| Example | 0 issue "letsencrypt.org" |
| Example (no wildcards from any CA) | 0 issuewild ";" |