What are CAA records?
Learn what CAA records contain, how issue and issuewild tags work, and how CAA helps control which certificate authorities can issue for your domain.
What a CAA record is
A CAA (Certification Authority Authorization) record lets a domain owner define which certificate authorities are allowed to issue TLS certificates for the domain.
It acts as a DNS-based policy control that certificate authorities are expected to check before issuing a certificate.
While not mandatory, CAA is widely used as a hardening measure to reduce the risk of unintended or unauthorized certificate issuance.
What a CAA record looks like
A typical CAA record contains a flag, a tag, and a value.
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
This example allows letsencrypt.org to issue standard (non-wildcard) certificates for the domain.
Unlike some other DNS records, the structure is compact but carries important policy meaning.
What the fields mean
- Flags: usually set to 0; the issuer-critical flag (value 128) tells a CA that does not understand the record's tag to refuse issuance rather than ignore the record
- Tag: defines the type of authorization, such as issue, issuewild, or iodef
- Value: specifies the authorized certificate authority or reporting endpoint
Common tags
- issue: authorizes standard certificate issuance
- issuewild: authorizes wildcard certificate issuance
- iodef: defines where certificate-related incident reports should be sent
How CAA is evaluated
When a certificate authority receives a request, it performs a DNS lookup for CAA records on the requested domain.
If no CAA record exists, any trusted CA may proceed with issuance. If a CAA record is present, the CA must check whether it is explicitly authorized.
CAA evaluation also walks up the DNS hierarchy: if no CAA records exist at the exact hostname, the CA checks each parent domain in turn, and the first CAA record set it finds governs issuance.
Why CAA matters
CAA adds a layer of governance to certificate issuance. It allows organisations to define which providers are trusted for their domain.
This is particularly valuable in environments with strict security or compliance requirements, where certificate issuance should be tightly controlled.
It also helps reduce the blast radius of misconfiguration or compromise at a certificate authority.
Common mistakes
- Not updating CAA records after switching certificate providers
- Forgetting to allow wildcard issuance when needed
- Blocking a CA that is still in active use
- Publishing CAA without understanding existing certificate workflows
CAA and certificate troubleshooting
If certificate issuance fails unexpectedly, CAA is a common cause. A CA may refuse to issue if it is not explicitly authorized in the record.
In these cases, checking the current CAA policy and comparing it with the intended certificate provider is essential.
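The evaluation rules above (lookup at the exact name, climb to the nearest parent with a CAA set, issuewild taking precedence over issue for wildcard requests) and the troubleshooting question "would my intended CA be allowed to issue here?" can both be worked through against a small in-memory zone. The following Python is an added example written for this article, not code from any CA or DNS Pro tool; the zone contents, hostnames and the CA names are constructed for illustration, and the CA-side logic follows RFC 8659 as summarised in the text.

```python
"""Worked CAA evaluation against a constructed in-memory zone (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit


class CAARecord(NamedTuple):
    flags: int
    tag: str
    value: str


# Presentation format of the RDATA: <flags> <tag> "<value>"
_RDATA = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')


def parse_caa(rdata: str) -> CAARecord:
    """Parse one CAA RDATA string, e.g. '0 issue "letsencrypt.org"'."""
    m = _RDATA.match(rdata)
    if not m:
        raise ValueError(f"not a CAA rdata string: {rdata!r}")
    flags = int(m.group(1))
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    return CAARecord(flags, m.group(2).lower(), m.group(3))


# Constructed zone data: owner name -> CAA RDATA strings.
# Names absent from the map (e.g. www.example.com.) have no CAA records.
ZONE: Dict[str, List[str]] = {
    "example.com.": ['0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.com"'],
    "locked.example.com.": ['0 issue ";"'],        # empty authorisation: no CA may issue
    "wild.example.com.": ['0 issue "letsencrypt.org"', '0 issuewild "digicert.com"'],
    "strict.example.com.": ['128 futuretag "x"'],  # critical flag on an unknown tag
}


def relevant_record_set(name: str, zone: Dict[str, List[str]]) -> Optional[Tuple[str, List[CAARecord]]]:
    """Return (owner, records) for the CAA set at the name or its nearest parent, else None."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return owner, [parse_caa(r) for r in zone[owner]]
    return None


def issuance_allowed(name: str, ca_domain: str, wildcard: bool,
                     zone: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Decide whether ca_domain may issue for name, with a reason a troubleshooter can read."""
    found = relevant_record_set(name, zone)
    if found is None:
        return True, "no CAA records at the name or any parent; any trusted CA may issue"
    owner, records = found
    # A critical flag on a tag the CA does not understand means it must refuse to issue.
    for r in records:
        if r.flags & CRITICAL and r.tag not in KNOWN_TAGS:
            return False, f"critical unknown tag {r.tag!r} in the CAA set at {owner}"
    # Wildcard requests use issuewild if any is present, otherwise fall back to issue.
    props = [r for r in records if r.tag == "issuewild"] if wildcard else []
    if not props:
        props = [r for r in records if r.tag == "issue"]
    if not props:
        return True, f"CAA set at {owner} carries no issue/issuewild property; issuance is not restricted"
    # The CA domain is the part before any ';' parameters; an empty value authorises nobody.
    allowed = {r.value.split(";")[0].strip().lower() for r in props}
    allowed.discard("")
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is authorised by the CAA set at {owner}"
    return False, f"{ca_domain} is not in {sorted(allowed) or 'an empty authorisation set'} at {owner}"


if __name__ == "__main__":
    for host, ca, wild in [("www.example.com", "letsencrypt.org", False),
                           ("www.example.com", "digicert.com", False),
                           ("locked.example.com", "letsencrypt.org", False),
                           ("wild.example.com", "letsencrypt.org", True),
                           ("strict.example.com", "letsencrypt.org", False)]:
        ok, why = issuance_allowed(host, ca, wild, ZONE)
        print(f"{'ALLOW' if ok else 'DENY ':5} {'*.' if wild else ''}{host} via {ca}: {why}")
```

Running the script shows the cases the article warns about: a hostname with no record of its own inherits the parent's policy, a wildcard request ignores issue entries once any issuewild entry is present, and a switched provider that is not listed is refused with a reason that points at the governing record set.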
