A CAA (Certification Authority Authorization) record is a DNS entry that lists the certificate authorities permitted to issue SSL/TLS certificates for a domain. It is defined in RFC 8659. Public CAs are required to check CAA at issuance time; if no CAA record exists, any compliant CA may issue a certificate for your name.
Why it matters
CAA reduces the blast radius of a compromised or rogue CA. Without it, an attacker who tricks any trusted authority can mint a valid certificate for your domain and intercept traffic — even with HSTS enabled. Setting CAA pins issuance to the CAs you actually use, and the optional iodef tag gives you an alert channel when something attempts an out-of-policy issuance.
How to set it
- Add a record per allowed issuer, for example `0 issue "letsencrypt.org"` and `0 issue "digicert.com"`.
- Use `issuewild` separately to control wildcard certificate issuance, for example `0 issuewild ";"` to disallow them entirely.
- Set `0 iodef "mailto:security@example.com"` to receive incident reports of blocked issuance attempts.
- Apply CAA at the apex (`example.com`); subdomains inherit unless they have their own record.
- Combine with DNSSEC so resolvers can trust the CAA response itself.
- After issuing a certificate, verify configuration via the CA's preflight tools or `dig CAA example.com`.
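To see how a CA evaluates the records above (inheritance from the apex, `issuewild` taking precedence over `issue` for wildcard names, an empty issuer in `";"` denying everyone, and the critical flag), here is an added example, not from the original page, that implements the RFC 8659 check over a constructed in-memory zone instead of live DNS; the `ZONE` data and the choice to start a wildcard lookup at the parent label are this example's assumptions.

```python
# Added example (not from the original page): a minimal RFC 8659 CAA
# issuance check run over a constructed in-memory "zone" instead of live DNS.

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # RFC 8659 issuer-critical flag bit

# Constructed sample data: name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com; validationmethods=dns-01"),
        (0, "issuewild", ";"),  # empty issuer: no wildcard certs at all
        (0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [(0, "issue", "sectigo.com")],   # overrides the apex
    "audit.example.net": [(0, "iodef", "mailto:security@example.net")],
    "locked.example.org": [(CRITICAL, "futuretag", "x")],  # unknown critical tag
}

def relevant_rrset(zone, name):
    """Climb toward the root and return the first non-empty CAA RRset (RFC 8659 s3)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None

def issuer_of(value):
    """The issuer domain is the text before the first ';'; parameters follow it."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(zone, fqdn, ca_domain):
    """True if ca_domain may issue for fqdn (a leading '*.' marks a wildcard request)."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn  # assumption: wildcard lookup starts at the parent label
    rrset = relevant_rrset(zone, name)
    if rrset is None:
        return True  # no CAA anywhere up the tree: any compliant CA may issue
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False  # unknown property marked critical: must not issue
    tags = ("issuewild",) if wildcard else ("issue",)
    props = [v for _, t, v in rrset if t in tags]
    if wildcard and not props:
        props = [v for _, t, v in rrset if t == "issue"]  # no issuewild: issue governs wildcards
    if not props:
        return True  # RRset carries no restricting property (e.g. iodef only)
    return ca_domain.lower() in {issuer_of(v) for v in props}
```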