What are CAA records?
Learn what CAA records do, how they restrict certificate issuance, and why they are useful for certificate governance.
Introduction
CAA stands for Certification Authority Authorization. A CAA record lets a domain owner say which certificate authorities are allowed to issue certificates for the domain.
This is a useful control for reducing the risk of unintended certificate issuance.
Common CAA tags
- issue authorizes standard certificate issuance
- issuewild authorizes wildcard certificate issuance
- iodef provides a contact or reporting destination for policy violations
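The following added example (not part of the original page) shows how a CA evaluates these tags under the RFC 8659 rules. It goes beyond the tag list above to cover the lookup up the DNS tree, the precedence of issuewild for wildcard names, and the critical flag. The zone contents, CA identifiers, the account parameter and all function names are constructed for illustration.

```python
# Added example. Zone contents and CA identifiers are constructed.
# Each CAA record is (flags, tag, value).
ZONE = {
    "example.com": [
        (0, "issue", "ca-one.example"),
        (0, "issuewild", "ca-two.example; account=12345"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "internal.example.com": [(0, "issue", ";")],  # ";" = no CA may issue
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(zone, name):
    """Climb from name toward the root; return the first non-empty CAA RRset."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":  # a wildcard request is looked up at its parent name
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def issuer_of(value):
    """Issuer domain from a value such as 'ca-two.example; account=12345'."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(zone, name, ca_domain):
    """True if the CAA policy found for name lets ca_domain issue."""
    rrset = relevant_rrset(zone, name)
    # A critical (flag bit 128) property the CA does not understand blocks issuance.
    if any(f & 128 and t.lower() not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issue = [issuer_of(v) for _, t, v in rrset if t.lower() == "issue"]
    wild = [issuer_of(v) for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild replaces issue for wildcard names and is ignored for all others.
    allowed = wild if name.startswith("*.") and wild else issue
    if not allowed:  # no restricting property: CAA imposes no limit
        return True
    return ca_domain.lower() in allowed  # an empty issuer (";") matches no CA name

if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca-one.example"),
                     ("*.example.com", "ca-one.example"),
                     ("db.internal.example.com", "ca-one.example")]:
        print(name, ca, may_issue(ZONE, name, ca))
```

The iodef record never affects the decision; it only tells the CA where to report a request that violates the policy.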
Why CAA matters
CAA records add a policy layer around certificate issuance. They are not mandatory, but they are a useful hardening control.
They are especially useful for organizations that want clearer control over which CAs can issue for their domains.