
A Certification Authority Authorization (CAA) Record specifies the Certificate Authority (CA) that is authorized to issue a certificate for a particular domain. This means that no other CA can issue certificates for your domain.

Structure of a CAA Record

You can create the CAA records in the DNS settings of the domain.


Domain        RR-Type   Value
example.com   CAA       0 issue ""
example.com   CAA       0 issuewild ""
example.com   CAA       0 iodef ""

The entry in the Value column consists of the following subentries:

Flag: A value between 0 and 255, used to represent the critical flag according to the RFC.
Tag: An ASCII string representing the property.

  • issue: Authorizes the CA specified under "Value" to issue certificates.
  • issuewild: Allows wildcard certificates.
  • iodef: Mail address to which the CA sends notifications about certificate issuance. Currently not supported by all CAs.

Value: Value associated with the 'tag'.

Example in BIND syntax:

300 IN CAA 0 issue ""
300 IN CAA 0 issuewild ""
300 IN CAA 0 iodef ""

Overview of valid Values for the CA

To grant permission to DigiCert and its brands, you may use any of the following entries, each containing all DigiCert products/brands.







Allow several CAs to issue Certificates

If several CAs are to be authorized to issue certificates, several CAA records can be entered per domain.

Once a CAA record has been set, no other CA can issue a certificate for this domain. You must either delete the corresponding CAA record or create a new record for the other CA.
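
The record structure and the multi-CA case described above can be checked before a zone change goes live. The following Python sketch is an added example, not part of the original page: it parses CAA lines in BIND syntax into flag, tag and value, then evaluates whether a given CA may issue. The CA identifiers (ca-one.example, ca-two.example) and the zone lines are constructed placeholders, and the evaluation goes slightly beyond the text by following the RFC 8659 rules for issuewild precedence, the critical bit and the empty ";" value.

```python
import shlex

# Constructed sample zone lines; the CA identifiers are placeholders.
SAMPLE_ZONE = '''
example.com. 300 IN CAA 0 issue "ca-one.example"
example.com. 300 IN CAA 0 issue "ca-two.example"
example.com. 300 IN CAA 0 issuewild "ca-two.example"
example.com. 300 IN CAA 0 iodef "mailto:security@example.com"
'''

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(zone_text):
    """Return a list of (flag, tag, value) for every CAA line in zone_text."""
    records = []
    for line in zone_text.splitlines():
        fields = shlex.split(line)  # handles the quoted value
        if "CAA" not in fields:
            continue
        flag, tag, value = fields[fields.index("CAA") + 1:][:3]
        flag = int(flag)
        if not 0 <= flag <= 255:
            raise ValueError(f"flag out of range in: {line!r}")
        records.append((flag, tag.lower(), value))
    return records


def ca_may_issue(records, ca_id, wildcard=False):
    """Evaluate the CAA record set of one domain for the CA ca_id."""
    # Critical bit (128) on a tag the CA does not understand blocks issuance.
    if any(flag & 128 and tag not in KNOWN_TAGS for flag, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # For wildcard names, issuewild replaces issue when it is present.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # e.g. only iodef records: issuance is not restricted
    # The CA identifier precedes optional ";"-separated parameters;
    # a bare ";" yields an empty identifier, which matches no CA.
    allowed = {v.split(";")[0].strip().lower() for v in relevant}
    return ca_id.lower() in allowed


if __name__ == "__main__":
    recs = parse_caa(SAMPLE_ZONE)
    for ca in ("ca-one.example", "ca-two.example", "ca-three.example"):
        print(ca, ca_may_issue(recs, ca), ca_may_issue(recs, ca, wildcard=True))
```

Running it against the sample shows that ca-one.example may issue ordinary certificates but not wildcard certificates, because the issuewild record names only ca-two.example.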