
A Certification Authority Authorization (CAA) record (RFC 8659) lists the Certificate Authorities (CAs) that are authorized to issue certificates for a domain. Publicly trusted CAs are required to check CAA before issuing, so once the record is published, any CA that is not listed must refuse to issue certificates for your domain. The check happens at issuance time only; a CAA record has no effect on certificates that already exist.

Structure of a CAA record

You can create the CAA records in the DNS settings of the domain.

Examples:

Domain         RR-Type   Value
example.com    CAA       0 issue "digicert.com"
example.com    CAA       0 issuewild "digicert.com"
example.com    CAA       0 iodef "mailto:customer@digicert.com"

The entry in the Value column consists of the following subentries:

Flag: An integer from 0 to 255 (one byte). Bit value 128 is the "issuer critical" flag defined in RFC 8659: if it is set on a record whose tag the CA does not understand, the CA must not issue. For the standard tags below, use 0.
Tag: An ASCII string naming the property.

  • issue: Authorizes the CA specified under "Value" to issue certificates for the domain.
  • issuewild: Authorizes the CA specified under "Value" to issue wildcard certificates (*.example.com). If no issuewild record exists, the issue records also govern wildcard issuance.
  • iodef: A URL (mailto: or https:) to which the CA can report certificate requests that violate the CAA policy. Not all CAs send these reports yet.

Value: Value associated with the 'tag'.

Example in BIND syntax:

example.com. 300 IN CAA 0 issue "digicert.com"
example.com. 300 IN CAA 0 issuewild "digicert.com"
example.com. 300 IN CAA 0 iodef "mailto:customer@example.com"

Overview of valid values for the CA

To assign the authorization to DigiCert and their product lines, you can use either of the two DigiCert entries, as both contain all products/brands of DigiCert.

The remaining entries only apply to the respective CA.

  • digicert.com

  • www.digicert.com

  • thawte.com

  • geotrust.com

  • rapidssl.com

  • sectigo.com

  • globalsign.com

Allow several CAs to issue certificates

If several CAs are to be authorized to issue certificates, enter one CAA record per CA for the domain; a CA is authorized as soon as any issue (or issuewild) record names it.

Once a CAA record has been set, no CA that is not listed can issue a certificate for this domain. To authorize another CA, either delete the existing CAA records or add a new record for that CA.
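The following is an added example, not part of this help page or any vendor's code: it parses CAA records written in the BIND syntax shown above and evaluates them the way a CA does under RFC 8659, for both the single-record structure and the "several CAs" case. The zone data is constructed for the example; the lookup climbs from the requested name to its parents until a CAA record set is found (no CAA anywhere means any CA may issue), an issuewild record takes over for wildcard names, an empty issuer such as `issue ";"` forbids every CA, and an unknown tag with the critical flag (128) blocks issuance. Names like `locked.example.com` and the tag `futuretag` are hypothetical.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


class CAARecord(NamedTuple):
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # RFC 8659: bit value 128 of the flags byte is "issuer critical".
        return bool(self.flags & 0x80)


# Constructed zone data for this example (not a real zone).
SAMPLE_ZONE = """
example.com.        300 IN CAA 0 issue "digicert.com"
example.com.        300 IN CAA 0 issue "sectigo.com"
example.com.        300 IN CAA 0 issuewild "digicert.com"
example.com.        300 IN CAA 0 iodef "mailto:customer@example.com"
locked.example.com. 300 IN CAA 0 issue ";"
strict.example.com. 300 IN CAA 128 futuretag "something"
"""

# owner [ttl] [IN] CAA flags tag "value"  (the format dig and BIND use)
CAA_LINE = re.compile(
    r'^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+'
    r'(?P<flags>\d+)\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)


def parse_zone(text: str) -> Dict[str, List[CAARecord]]:
    """Parse BIND-style CAA lines into {owner name: [records]}."""
    zone: Dict[str, List[CAARecord]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # blank lines and comments
            continue
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line}")
        flags = int(m["flags"])
        if not 0 <= flags <= 255:
            raise ValueError(f"flags must be 0-255, got {flags}")
        owner = m["owner"].rstrip(".").lower()
        zone.setdefault(owner, []).append(CAARecord(flags, m["tag"].lower(), m["value"]))
    return zone


def relevant_caa_set(zone: Dict[str, List[CAARecord]], fqdn: str) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 section 3: the relevant set is the first CAA RRset found when
    climbing from the FQDN toward the root. For "*.example.com" the FQDN is
    "example.com". (A real CA queries DNS at each step; here we look up the dict.)"""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        name = ".".join(labels)
        if name in zone:
            return name, zone[name]
        labels = labels[1:]
    return None, []


def issuer_domain(value: str) -> str:
    """'digicert.com; account=123' -> 'digicert.com'; ';' -> '' (no CA allowed)."""
    return value.split(";", 1)[0].strip().rstrip(".").lower()


def may_issue(zone: Dict[str, List[CAARecord]], fqdn: str, ca_domain: str) -> Tuple[bool, str]:
    """Decide whether the CA identified by ca_domain may issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    name, rrset = relevant_caa_set(zone, fqdn)
    if not rrset:
        return True, "no CAA RRset at any level; any CA may issue"
    for r in rrset:
        if r.critical and r.tag not in KNOWN_TAGS:
            return False, f"unknown critical tag {r.tag!r} at {name}; must not issue"
    governing = [r for r in rrset if r.tag == "issue"]
    if wildcard:
        wild = [r for r in rrset if r.tag == "issuewild"]
        if wild:  # issuewild, when present, replaces issue for wildcard names
            governing = wild
    if not governing:
        return True, f"CAA RRset at {name} has no issue/issuewild record; issuance permitted"
    allowed = {issuer_domain(r.value) for r in governing}
    if ca_domain.rstrip(".").lower() in allowed:
        return True, f"{ca_domain} is authorized by CAA at {name}"
    names = sorted(a for a in allowed if a) or ["none"]
    return False, f"{ca_domain} not authorized by CAA at {name}; allowed: {', '.join(names)}"


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for fqdn, ca in [("www.example.com", "digicert.com"), ("example.com", "globalsign.com"),
                     ("*.example.com", "sectigo.com"), ("locked.example.com", "digicert.com"),
                     ("strict.example.com", "digicert.com"), ("example.org", "digicert.com")]:
        ok, why = may_issue(zone, fqdn, ca)
        print(f"{fqdn:22} {ca:15} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The answer section printed by `dig CAA example.com` uses the same owner/TTL/class/type/flags/tag/value layout, so `parse_zone` accepts it directly (comment lines starting with `;` are skipped); that is a quick way to confirm what your zone really publishes before relying on it.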