What is a CAA Record?
Also known as: Certification Authority Authorization
A CAA (Certification Authority Authorization) DNS record lets domain owners specify which certificate authorities are permitted to issue SSL/TLS certificates for their domain.
A CAA record is a DNS resource record defined in RFC 6844 that allows a domain owner to declare which certificate authorities (CAs) are authorized to issue certificates for that domain. It is a security mechanism designed to reduce the risk of mis-issuance by rogue or compromised CAs that the owner has not authorized. The record consists of three parts: a flags byte, a tag ("issue", "issuewild", or "iodef"), and a value holding either a CA's domain name or a reporting URI.
When a CA receives a certificate request for a domain, it must check the DNS for CAA records. If a CAA record exists and the requesting CA is not listed, the CA must refuse to issue the certificate. The "issue" tag applies to all certificates, while "issuewild" specifically controls wildcard certificates. The "iodef" tag gives CAs a way to report issuance policy violations to the domain owner. CAA records can be stacked: multiple records can list different authorized CAs, and a record with an empty value (written in zone-file form as 0 issue ";") signals that no CA is authorized.
CAA records sit in the DNS zone alongside other security-oriented records like DNSSEC and DANE. They are a policy layer, not a cryptographic one. Since September 2017, the CA/Browser Forum Baseline Requirements have mandated that all CAs check CAA records before issuing publicly trusted certificates. This makes CAA a mandatory part of the public PKI ecosystem. However, CAA does not prevent issuance by an authorized CA that is itself compromised; it only restricts which CAs may be used.
Key facts
- Defined in RFC 6844, updated by RFC 8659.
- Uses three tags: issue, issuewild, and iodef.
- Mandatory check for all publicly trusted CAs since September 2017.
- A CAA record with an empty value denies all CAs.
- Does not prevent a listed CA from being compromised and mis-issuing.
How it works in practice
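To make the lookup and decision concrete, here is an added example (not code from the original page): a small Python evaluator that parses CAA records, climbs from the requested name toward the root until it finds a CAA RRset as RFC 8659 describes, and applies the issue/issuewild rules, including the empty-value deny and the critical flag on an unknown tag. The zone data, owner names and helper names are constructed for illustration; no real DNS queries are made.

```python
import re

# Constructed sample zone for this example (owner name -> CAA records in
# zone-file form "<flags> <tag> \"<value>\""). No real DNS lookups are made.
SAMPLE_ZONE = {
    "example.com.": [
        '0 issue "letsencrypt.org"',
        '0 issuewild ";"',                          # no wildcard certs from anyone
        '0 iodef "mailto:security@example.com"',
    ],
    "deny.example.com.": ['0 issue ";"'],           # empty value: deny every CA
    "strict.example.com.": ['128 futuretag "x"'],  # critical flag on an unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CAA_RE = re.compile(r'^(\d+)\s+(\w+)\s+"([^"]*)"$')

def parse_caa(text):
    """Return (flags, tag, value) from one zone-file-style CAA record."""
    m = CAA_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {text!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def find_relevant_rrset(name, zone):
    """Climb toward the root; the first owner name holding CAA records wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone:
            return [parse_caa(r) for r in zone[candidate]]
    return []

def ca_allowed(ca_domain, name, zone):
    """Decide whether ca_domain may issue for name (a leading '*.' marks a wildcard)."""
    wildcard = name.startswith("*.")
    rrset = find_relevant_rrset(name[2:] if wildcard else name, zone)
    if not rrset:
        return True  # no CAA policy anywhere up the tree: issuance is unrestricted
    # Critical bit (128) set on a tag the CA does not understand forbids issuance.
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    for tag in (["issuewild", "issue"] if wildcard else ["issue"]):
        values = [v for _, t, v in rrset if t == tag]
        if values:
            # value is "<ca-domain>[; parameters]"; a bare ";" authorises nobody
            allowed = {v.split(";")[0].strip().lower() for v in values} - {""}
            return ca_domain.lower() in allowed
    return True  # only iodef records present: no issuance restriction
```

Run it against your own zone export to confirm that a name with no CAA records of its own inherits the parent's policy as intended, and that any empty-value record really denies the CAs you expect it to.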
More in DNS
A Record
A DNS resource record that maps a hostname to a 32-bit IPv4 address. It is the most fundamental record type for translating domain names to numeric addresses on the Internet.
AAAA Record
A DNS resource record that maps a hostname to a 128-bit IPv6 address, analogous to the A record for IPv4.
Authoritative DNS
An authoritative DNS server holds the definitive resource records for a specific domain and responds to queries with the final answer for that zone, not a cached copy.
CNAME Record
A DNS record that maps an alias hostname to the true or canonical hostname, allowing multiple names to resolve to the same IP address without duplicating A or AAAA records.
DNS
The Domain Name System (DNS) is a hierarchical, distributed naming system that translates human-readable domain names (like example.com) into IP addresses and other resource records used by internet protocols.
DNS Anycast
DNS Anycast uses one IP address served from multiple geographically distributed nameservers; queries are routed to the nearest or healthiest node, improving resilience and reducing latency.
DNS Caching
DNS caching stores resolved domain name query results for the specified TTL duration to avoid repeated queries to upstream authoritative servers.
DNS Hijacking
DNS hijacking is an attack or misconfiguration that returns forged DNS responses, causing users to connect to attacker-controlled hosts instead of the intended server.
DNSSEC
DNSSEC (DNS Security Extensions) adds cryptographic digital signatures to DNS records, enabling resolvers to verify that responses have not been tampered with or spoofed.
DoH
DNS over HTTPS (DoH) encrypts DNS queries and responses inside HTTPS traffic, preventing on-path observers from seeing or tampering with DNS lookups.