CAA: access control for certificates
CAA records (Certification Authority Authorization, RFC 8659, which replaced RFC 6844) let a domain owner state in DNS which Certificate Authorities (CAs) may issue TLS certificates for that domain. Since September 2017 the CA/Browser Forum Baseline Requirements have required every publicly trusted CA to look up CAA before issuing; if the relevant record does not name that CA, issuance must be refused. This blocks mis-issuance that would otherwise slip through a validation weakness at a CA you never use. Note what the check is, though: the issuing CA itself looks up and honors the record. Browsers do not evaluate CAA, so it cannot stop or invalidate a certificate that a negligent or compromised CA issues anyway; Certificate Transparency logs remain the way to detect such a certificate after the fact.
Without CAA records, any CA in the world can issue a certificate for your domain. With on the order of 150 publicly trusted CAs and hundreds of intermediates, the attack surface is enormous: defeating the domain validation of a single CA is enough to obtain a fraudulent certificate. CAA records cut that surface down to the CAs you list: authorize only Let's Encrypt, and every other CA that honors CAA must refuse to issue for you, whatever an attacker manages to prove to it. Two limits apply. A CA that ignores CAA (itself a policy violation) is not stopped by the record, and an attacker who controls your DNS can simply rewrite the record, which is one more reason to sign the zone with DNSSEC.
Configuring CAA records
A CAA record has three fields, a flags byte, a tag and a value, and is written in a zone file as, for example, example.com. IN CAA 0 issue "letsencrypt.org". Three tags are defined: issue authorizes a CA to issue ordinary certificates, issuewild authorizes wildcard certificates (*.domain.com), and iodef gives a mailto: or https: URL to which a CA can report requests it refused because of your policy. The value of issue and issuewild is the issuer domain name the CA publishes for this purpose (letsencrypt.org for Let's Encrypt, digicert.com for DigiCert), or ";" to forbid issuance entirely. Wildcards follow the issue policy as long as no issuewild record exists; as soon as one issuewild is present, issue records are ignored for wildcard requests, so an explicit issuewild is how you allow a single CA for wildcards only, or forbid wildcards altogether with issuewild ";". Setting the flags byte to 128 marks a record as critical: a CA that does not understand that record's tag must then refuse to issue rather than skip it.
Verification and maintenance
Use our CAA Record Lookup to verify your domain's CAA records and ensure the authorized CAs match the ones you actually use. Before changing CAs (for example from Let's Encrypt to DigiCert), add the new CA to the CAA records ahead of time, otherwise the new CA will refuse to issue; CAs query CAA at issuance time and may work from a cached answer, so allow for the record's TTL before you expect the change to take effect, and remove the old CA only after the migration is complete. Also check SSL Check to confirm that the current certificate was issued by an authorized CA.
CAA lookups climb the DNS tree: a CA asked to issue for www.example.com first looks for CAA records at www.example.com, then at example.com, then at com, and applies the first record set it finds. Subdomains without their own CAA records therefore inherit the parent's policy, while a subdomain that has any CAA record replaces the parent's policy entirely; the sets are not merged, so a parent's iodef does not apply beneath a subdomain that carries only its own issue record. This hierarchy is useful: you can authorize Let's Encrypt for the main domain and DigiCert for a specific subdomain that requires an EV certificate. Verify the inheritance chain with DNS Lookup by querying CAA at each label level from the hostname up to the registered domain.
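The following Python program is an added example, not code from this page or from its lookup tools. It applies the tag rules from the Configuring section and the inheritance rules above to a small constructed zone: it climbs the tree to find the relevant record set, honors the critical flag, lets issuewild override issue for wildcard names, and reads the iodef target a CA would report to. The ZONE table standing in for real DNS resolution (no CNAME following, no DNSSEC), its contents, and the issuer domain strings are assumptions made for the demonstration.

```python
# Added example: a small RFC 8659 CAA policy evaluator. Not the page's own tool.
# The ZONE table below is constructed for the demo and stands in for DNS
# resolution; the issuer domain names are the strings CAs publish for CAA.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KNOWN_TAGS = ("issue", "issuewild", "iodef")

# Constructed zone: owner name -> CAA rdata in presentation format "flags tag value".
ZONE: Dict[str, List[str]] = {
    "example.com.": [
        '0 issue "letsencrypt.org"',
        '0 iodef "mailto:security@example.com"',
    ],
    "ev.example.com.": ['0 issue "digicert.com"'],          # replaces the parent set
    "wild.example.com.": ['0 issue "letsencrypt.org"',
                          '0 issuewild ";"'],                # no wildcards at all
    "locked.example.com.": ['0 issue ";"'],                  # no issuance at all
    "strict.example.com.": ['128 nosuchtag "x"',             # critical, unknown tag
                            '0 issue "letsencrypt.org"'],
}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & 0x80)   # bit 7 of the flags byte = issuer critical


def parse(rdata: str) -> CAA:
    """Parse 'flags tag "value"' into a CAA record."""
    flags, tag, value = rdata.split(" ", 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


def relevant_rrset(fqdn: str, zone: Dict[str, List[str]]) -> Optional[Tuple[str, List[CAA]]]:
    """RFC 8659 section 3: climb from the FQDN toward the root; the first CAA
    RRset found is the whole policy (a subdomain's set replaces the parent's)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in zone:
            return owner, [parse(r) for r in zone[owner]]
    return None


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, name: str, zone: Dict[str, List[str]]) -> bool:
    """Decide whether issuer domain `ca` may issue for `name`
    (write '*.example.com.' for a wildcard request)."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name   # the wildcard's relevant set is its parent's
    found = relevant_rrset(fqdn, zone)
    if found is None:
        return True                      # no CAA anywhere in the chain: unrestricted
    _, rrset = found
    if any(r.critical and r.tag not in KNOWN_TAGS for r in rrset):
        return False                     # critical tag the CA does not understand
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"                # issuewild present: issue ignored for wildcards
    applicable = [r for r in rrset if r.tag == tag]
    if not applicable:
        return True                      # e.g. a set that carries only iodef
    return any(issuer_domain(r.value) == ca.lower() for r in applicable)


def report_targets(name: str, zone: Dict[str, List[str]]) -> List[str]:
    """iodef URLs (mailto: or https:) a CA would use to report a refusal."""
    found = relevant_rrset(name[2:] if name.startswith("*.") else name, zone)
    return [] if found is None else [r.value for r in found[1] if r.tag == "iodef"]


if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.com."),
                     ("digicert.com", "www.example.com."),
                     ("letsencrypt.org", "*.example.com."),
                     ("letsencrypt.org", "*.wild.example.com."),
                     ("letsencrypt.org", "ev.example.com."),
                     ("letsencrypt.org", "strict.example.com.")]:
        verdict = "allowed" if may_issue(ca, name, ZONE) else "refused"
        print(f"{ca:16} {name:24} {verdict}")
    print("iodef for www.example.com.:", report_targets("www.example.com.", ZONE))
    print("iodef for ev.example.com.:", report_targets("ev.example.com.", ZONE))
```

Two cases are worth noticing in the output: the wildcard request for wild.example.com is refused although the same CA may issue an ordinary certificate there, because the issuewild record takes over for wildcards; and ev.example.com has no report target at all, because its own record set replaced the parent's, iodef included.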
The iodef tag is often overlooked but useful: it tells a CA where to report a request it refused because of your CAA policy. Such a report can indicate a fraudulent issuance attempt (an attacker trying to obtain a certificate for your domain) or an operational issue (your own team trying to use an unauthorized CA), and in both cases it lets you act quickly. Two caveats: the value must be a mailto: address or an https: endpoint that accepts the report, and RFC 8659 only says CAs MAY send these reports, so many do not. Treat iodef as a bonus signal and keep monitoring Certificate Transparency logs for certificates you did not request.