
How to setup CAA record

CAA (Certification Authority Authorization) is a new type of DNS record designed to identify the certification authorities that are allowed to issue SSL/TLS certificates for a specific domain name or subdomain.

The largest and most popular certificate authorities agreed that, starting from September 8, 2017, it is mandatory to strictly follow the instructions specified in the CAA records of the domain name or subdomain for which certificate issuance is requested.

Using a CAA record increases the level of security on the Internet and reduces the unauthorized issuance of certificates for third-party domain names.

Here is a detailed instruction that explains the capabilities of the CAA record and the format of its use.

Record Format

The CAA record value consists of three parts, separated by a space:

CAA <flags> <tag> <value>

<flags>

The flags value is an 8-bit number whose high bit tells the certification authority whether the record is critical. The following values are currently valid:

  • 0 - If the tag is not supported or not recognized by the certification authority, the certification authority may still issue a certificate for the domain name or subdomain at its discretion.
  • 128 - If the tag is not supported or not recognized by the certification authority, the certification authority should not issue a certificate for the domain name or subdomain.

<tag>

The tag can take one of the following values:

  • issue - Defines the certification authority that is allowed to issue a certificate for the domain name or subdomain used as the name of the record.
  • issuewild - Defines the certification authority that is allowed to issue a wildcard certificate for the domain name or subdomain used as the name of the record. A wildcard certificate covers the domain name or subdomain itself and all of its direct subdomains.
  • iodef - Defines the email address or URL (complying with RFC 5070) that a certification authority should use for notifications if it receives a certificate request that violates the rules defined by the CAA records for the domain name.

<value>

The value depends on the tag and must be enclosed in double quotation marks (""). Some certificate authorities allow additional parameters in the value; in that case the parameters must be separated from the CA domain name by a semicolon (;).

Example: 0 issue "sectigo.com; account=12345"

  • In case tag = issue - The domain name of the certification authority that is allowed to issue a certificate for the domain name or subdomain used as the name of the record. To prohibit certificate issuance by all certificate authorities for that domain name or subdomain, use a semicolon (;) instead of the domain name of the certificate authority.

    Example: example.tld. CAA 0 issue "sectigo.com"
    Example: example.tld. CAA 0 issue ";"

  • In case tag = issuewild - The same as tag = issue, except that the rule applies to wildcard certificates.

    Example: example.tld. CAA 0 issuewild "sectigo.com"
    Example: example.tld. CAA 0 issuewild ";"

  • In case tag = iodef - An email address ("mailto:abuse@example.com") or URL ("http(s)://URL") that the certification authority should use when it receives an unauthorized request to issue a certificate for the domain name or subdomain used as the name of the record.

    Example: example.tld. CAA 0 iodef "mailto:abuse@example.com"

Features:

  • The CAA records of a domain name or subdomain are inherited by all of its subdomains unless a subdomain publishes its own CAA records.
  • To allow two or more certificate authorities for a single domain name or subdomain, you must publish several CAA records, one per authority.
  • The absence of any CAA record will be interpreted by every certificate authority as permission to issue a certificate.
  • The full CAA record specification is available in RFC 6844.
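The following Python example, added here and not part of the GoGetSSL wiki text, shows how a certification authority evaluates the record format and the inheritance rules described above: it parses the `<flags> <tag> "<value>"` presentation form, walks up the name tree to find the closest CAA record set, applies `issuewild` to wildcard requests and `issue` to everything else, treats the bare `";"` value as "no CA may issue", and refuses to issue when a record with the critical flag (128) carries a tag it does not recognize. The zone dictionary, the sample names and the function names (`parse_caa`, `ca_may_issue`) are constructed for this illustration; a real CA obtains the records over DNS.

```python
"""Evaluate CAA records the way a certification authority does.

Constructed example: the zone is a dict {owner name -> list of CAARecord};
a real CA would fetch the records via DNS (e.g. `dig example.tld caa`).
"""
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # high bit of the 8-bit flags field (decimal 128)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rdata):
    """Parse the presentation form '<flags> <tag> "<value>"' into a CAARecord."""
    flags_str, tag, rest = rdata.strip().split(None, 2)
    flags = int(flags_str)
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in 8 bits")
    rest = rest.strip()
    if len(rest) < 2 or rest[0] != '"' or rest[-1] != '"':
        raise ValueError("value must be enclosed in double quotes")
    return CAARecord(flags, tag.lower(), rest[1:-1])


def parse_issue_value(value):
    """Split 'sectigo.com; account=12345' into (ca_domain, params).

    The bare ';' form yields ca_domain == '', meaning no CA may issue.
    """
    parts = [p.strip() for p in value.split(";")]
    ca_domain = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            params[key.strip()] = val.strip()
    return ca_domain, params


def relevant_records(zone, name):
    """Climb from name toward the root; the closest owner that publishes
    CAA records wins, so subdomains inherit unless they have their own set."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return zone[owner]
    return []


def ca_may_issue(zone, name, ca_domain):
    """Return True if ca_domain is allowed to issue a certificate for name.

    A leading '*.' marks a wildcard request, which is governed by issuewild
    when at least one issuewild record exists and by issue otherwise.
    """
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    records = relevant_records(zone, name)
    if not records:
        return True  # no CAA record anywhere in the tree: any CA may issue
    # A critical record whose tag the CA does not understand forbids issuance.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    candidates = [r for r in records if r.tag == tag]
    if not candidates:
        return True  # e.g. only an iodef record: the set is not restrictive
    return any(parse_issue_value(r.value)[0] == ca_domain.lower() for r in candidates)


# Constructed sample zone (not real DNS data).
ZONE = {
    "example.tld.": [
        parse_caa('0 issue "sectigo.com; account=12345"'),
        parse_caa('0 issuewild ";"'),
        parse_caa('0 iodef "mailto:abuse@example.tld"'),
    ],
    "dev.example.tld.": [parse_caa('0 issue "letsencrypt.org"')],
    "crit.tld.": [parse_caa('128 futuretag "unknown"')],
}

if __name__ == "__main__":
    for req, ca in [("www.example.tld", "sectigo.com"),
                    ("*.example.tld", "sectigo.com"),
                    ("app.dev.example.tld", "sectigo.com")]:
        print(f"{ca} may issue for {req}: {ca_may_issue(ZONE, req, ca)}")
```

Note that `dev.example.tld` replaces rather than merges the parent's records, which is why `sectigo.com` is no longer authorized there, and that the `issuewild ";"` record at the apex blocks every wildcard request under `example.tld` even though `sectigo.com` may issue ordinary certificates.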
How to check?

The most common way to check CAA records is to query DNS directly, for example with dig:

dig example.tld caa
