CAA record

Learn what a DNS CAA record is, how it controls which Certificate Authorities can issue SSL/TLS certificates for your domain, examples, lookup methods, and best practices.

What Is a CAA Record in DNS?

TL;DR
A CAA record (Certification Authority Authorization, RFC 8659) specifies which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for your domain.
It adds a security control at issuance time: a CA must check CAA records before issuing a certificate, and if the CA is not listed, it must not issue.
This helps prevent unauthorized or mis-issued certificates. It does not revoke certificates that already exist and does not change how browsers validate them.


How CAA Records Work

Before issuing an SSL/TLS certificate, every publicly trusted CA (Let's Encrypt, DigiCert, Sectigo, etc.) is required by the CA/Browser Forum Baseline Requirements to query CAA records for each name in the certificate, following the lookup procedure in RFC 8659.

  • If no CAA records exist on the name or any of its parent names → Issuance is allowed (any CA can issue).
  • If CAA records exist → The CA uses the closest record set it finds walking from the requested name up toward the root, and only the CAs listed there are permitted.
  • Special value issue ";" → Prohibits all issuance (no CA is authorized).

A CAA record set therefore covers the name it is published on and every subdomain that has no CAA records of its own. Wildcard requests (*.example.com) are governed by the parent name's records, where issuewild takes precedence over issue. A record set may contain multiple entries.

Common Use Cases

  • Prevent certificate mis-issuance: block rogue or compromised CAs
  • Restrict to trusted CAs: e.g. only Let's Encrypt or your enterprise CA
  • Control wildcard certificates: separate rules for *.example.com
  • Incident reporting: an iodef record tells CAs where to report a certificate request that CAA caused them to refuse
  • Security hardening: demonstrable control over certificate issuance for audits (PCI DSS, SOC 2, etc.)

How to Lookup CAA Records

dig example.com CAA
nslookup -type=CAA example.com

If the name itself returns no CAA records, query its parent names too (e.g. the zone apex), because a CA applies the closest CAA set it finds on the path toward the root.

Record Format

NAME          TTL    CLASS  TYPE  FLAGS  TAG     VALUE
example.com.  3600   IN     CAA   0      issue   "letsencrypt.org"
  • FLAGS: Usually 0 (non-critical) or 128 (issuer critical: a CA that does not understand the tag must not issue)
  • TAG: issue (non-wildcard names), issuewild (wildcard names only), iodef (where to report refused requests)
  • VALUE: CA identifier (e.g. letsencrypt.org), optionally followed by CA-specific parameters such as "letsencrypt.org; validationmethods=dns-01" (RFC 8657, supported by Let's Encrypt), or ; to prohibit issuance

Valid Examples

Allow only Let's Encrypt

example.com.  CAA  0  issue  "letsencrypt.org"

Allow multiple CAs

example.com.  CAA  0  issue  "letsencrypt.org"
example.com.  CAA  0  issue  "digicert.com"

Prohibit all issuance (with no issuewild record, this covers wildcard requests as well)

example.com.  CAA  0  issue  ";"

Wildcard-specific rule

example.com.      CAA  0  issue      "letsencrypt.org"
example.com.      CAA  0  issuewild  "digicert.com"

Here only DigiCert may issue *.example.com, while example.com and non-wildcard subdomains without their own CAA records stay with Let's Encrypt. If no issuewild record exists, the issue records govern wildcard requests too.

With incident reporting

example.com.  CAA  0  issue   "letsencrypt.org"
example.com.  CAA  0  iodef   "mailto:[email protected]"
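To make the lookup and evaluation rules from "How CAA Records Work" and the record examples above concrete, here is an added example (not code from this page or from any CA) that evaluates CAA authorization the way an issuer does: it parses records in the presentation form that dig prints, climbs from the requested name toward the root to find the closest CAA set, applies issue and issuewild, treats ";" as a prohibition, and refuses when a record with the critical flag carries a tag it does not understand. The zone data, owner names and the iodef address are constructed for the example; a real check would feed it the answers from DNS lookups.

```python
"""Added example: evaluate CAA authorization as an issuer would (RFC 8659).

The zone below is constructed sample data, not real DNS answers.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 = non-critical, 128 = issuer critical
    tag: str     # issue, issuewild, iodef; other tags are possible but unknown here
    value: str   # property value with the surrounding quotes removed


KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_rdata(rdata: str) -> CAARecord:
    """Parse CAA RDATA such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = rdata.split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(int(flags), tag.lower(), value)


def issuer_domain(value: str) -> str:
    """Issuer domain of an issue/issuewild value, ignoring '; key=value' parameters.
    ';' or '' means no issuer is authorized."""
    return value.split(";", 1)[0].strip().lower()


def relevant_rrset(zone: dict[str, list[str]], name: str) -> tuple[str, list[CAARecord]]:
    """RFC 8659 section 3: the relevant RRset is the CAA RRset of the closest
    name on the path from `name` to the root that has one. A wildcard
    request (*.X) is evaluated against the records of X."""
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        candidate = ".".join(labels)
        records = [parse_rdata(r) for r in zone.get(candidate, [])]
        if records:
            return candidate, records
        labels = labels[1:]
    return "", []


def may_issue(zone: dict[str, list[str]], name: str, issuer: str) -> tuple[bool, str]:
    """Decide whether `issuer` (e.g. 'letsencrypt.org') may issue for `name`."""
    wildcard = name.startswith("*.")
    owner, rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no CAA records on the path to the root"
    # A critical record with a tag the issuer does not understand forbids issuance.
    for rec in rrset:
        if rec.flags & 128 and rec.tag not in KNOWN_TAGS:
            return False, f"critical unknown tag {rec.tag!r} at {owner}"
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild only applies to wildcard names and, when present, replaces issue there.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"CAA at {owner} does not restrict issuance for this name"
    allowed = {issuer_domain(r.value) for r in applicable} - {""}
    if issuer.lower() in allowed:
        return True, f"{issuer} is listed at {owner}"
    return False, f"{issuer} is not among {sorted(allowed) or 'no issuers'} at {owner}"


def iodef_contacts(zone: dict[str, list[str]], name: str) -> list[str]:
    """Where a refused request for `name` should be reported (iodef URLs)."""
    _, rrset = relevant_rrset(zone, name)
    return [r.value for r in rrset if r.tag == "iodef"]


# Constructed sample zone (hypothetical names and contact address), keyed by owner name.
SAMPLE_ZONE = {
    "example.com": [
        '0 issue "letsencrypt.org"',
        '0 issuewild "digicert.com"',
        '0 iodef "mailto:caa-reports@example.com"',
    ],
    "locked.example.com": ['0 issue ";"'],
    "strict.example.com": ['128 futuretag "something"'],
}

if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "digicert.com"),
                     ("locked.example.com", "letsencrypt.org"),
                     ("strict.example.com", "letsencrypt.org")]:
        ok, why = may_issue(SAMPLE_ZONE, host, ca)
        print(f"{host:22} {ca:16} {'ALLOW' if ok else 'DENY':5} {why}")
```

Running the block shows the cases the examples above describe: www.example.com inherits the apex issue record (DigiCert is refused there because issuewild does not apply to non-wildcard names), *.example.com is governed by issuewild, locked.example.com refuses everyone, and strict.example.com refuses everyone because its only record is critical and unknown.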

CAA vs Other Record Types

Feature                     CAA                    TXT                    A/AAAA
Primary purpose             CA authorization       Generic text / SPF     IP address mapping
Security impact             High (cert issuance)   Medium (validation)    None
Controls certificates       Yes                    No                     No
Multiple records allowed    Yes                    Yes                    Yes
Required by CAs to check    Yes                    Sometimes              No

→ See also: TXT Record, A Record

Frequently Asked Questions

Do I really need CAA records?
Not required, but strongly recommended as a security best practice. They prevent mis-issuance by unauthorized CAs.
What happens if I have no CAA records?
Any valid CA can issue certificates (after their normal validation). CAA adds explicit control.
Can I allow multiple CAs?
Yes, just add one CAA record per CA under the `issue` tag.
How do I block all certificate issuance?
Use `CAA 0 issue ";"` with no issuewild record. This tells every CA to refuse issuance for the name and for any subdomain that has no CAA records of its own.
Does CAA prevent all fraud?
No. CAA is checked only at issuance time and depends on the CA honoring it and on the integrity of your DNS answers (DNSSEC helps here), so it does not catch a CA that ignores it or a certificate issued before the record existed. Combine it with Certificate Transparency monitoring to detect certificates that are issued anyway.
