
3.1.5.7. CAA

CAA (Certification Authority Authorization) is a DNS record that defines which certification authorities are allowed to issue SSL certificates for a specific domain or subdomain.

Important points:

  • The record set for a domain or subdomain is inherited by all of its subdomains, unless a subdomain explicitly specifies its own.
  • To authorize multiple CAs for the same domain or subdomain, add multiple CAA records.
  • Certification authorities treat the absence of a CAA record as permission to issue a certificate.
  • The complete specification of the CAA record is given in RFC 6844.

The record is added in the domain settings, and its data consists of three parameters separated by spaces:

flag tag value

Parameters:

  • flag - an 8-bit number whose most significant bit determines how strictly the certification authority must treat the record. Possible values:
    • 0 - if the certification authority does not support the tag or cannot recognize it, it is allowed to issue a certificate at its discretion.
    • 128 - if the certification authority does not support the tag or cannot recognize it, it is forbidden to issue a certificate.
  • tag - possible values:
    • issue - defines a certification authority that is allowed to issue a certificate.
    • issuewild - defines a certification authority that is allowed to issue a wildcard certificate.
    • iodef - defines an email address or URL that the CA should use for notifications if it receives a request to issue a certificate that violates the rules defined by the CAA record.
  • value - depends on the tag and must be enclosed in double quotes (""). If there are several additional parameters, they must be separated by a semicolon (;). Possible values:
    • If the tag is issue, the value is:
      • Either the domain of a certification authority that is allowed to issue a certificate.
      • Or ";" if you want to prevent all certification authorities from issuing a certificate.
    • If the tag is issuewild, the possible values are the same as for the issue tag, but they apply to wildcard certificates.
    • If the tag is iodef, the value is:
      • Either an email address in the format "mailto:admin@example.com".
      • Or a URL in the format "http(s)://URL".
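
The rules above (inheritance, multiple records, the ";" value and flag 128) can be checked against a planned record set before it is published. The following Python sketch is an added example, not part of the original documentation: the zone contents, the CA domains `ca-one.example` and `ca-two.example`, the tag `futuretag` and the function names are constructed for illustration. It also assumes that a wildcard request falls back to the issue records when no issuewild record exists.

```python
import shlex

KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # the tags listed on this page

# Constructed sample zone: name -> CAA record data in "flag tag value" form.
ZONE = {
    "example.com": ['0 issue "ca-one.example"', '0 issue "ca-two.example"',
                    '0 issuewild ";"', '0 iodef "mailto:admin@example.com"'],
    "shop.example.com": ['0 issue ";"'],
    "crit.example.com": ['0 issue "ca-one.example"', '128 futuretag "x"'],
}

def parse_caa(data):
    """Split 'flag tag "value"' into (flag, tag, value)."""
    flag, tag, value = shlex.split(data)  # shlex strips the double quotes
    flag = int(flag)
    if not 0 <= flag <= 255:
        raise ValueError("flag must fit in 8 bits")
    return flag, tag.lower(), value

def relevant_records(zone, name):
    """Climb from name towards the root; the closest name with CAA data wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return [parse_caa(r) for r in records]
    return []

def may_issue(zone, name, ca_domain):
    """Return True if ca_domain may issue for name ('*.' prefix = wildcard)."""
    wildcard = name.startswith("*.")
    records = relevant_records(zone, name[2:] if wildcard else name)
    if not records:
        return True  # no CAA record anywhere: treated as permission
    # Flag 128 on a tag the CA does not recognise forbids issuance.
    if any(flag & 128 and tag not in KNOWN_TAGS for flag, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    relevant = issuewild if wildcard and issuewild else issue
    if not relevant:
        return True  # e.g. only iodef records: issuance is not restricted
    # The CA domain is the part before the first ';'; a bare ";" names no CA.
    allowed = {v.split(";")[0].strip().lower() for v in relevant}
    return ca_domain.lower() in allowed
```

With the sample zone, `www.example.com` inherits the two authorized CAs from `example.com`, while `shop.example.com` and everything beneath it are closed to all CAs by its own `";"` record.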

For convenience, when creating a record, you can use online generators:

What CAA records look like in domain settings: