CAA (Certification Authority Authorization) is an entry that defines which certification authorities are allowed to issue SSL certificates for a specific domain or subdomain.
Recording added in the domain settings and its data consists of three parameters, separated by spaces:
flag tag value
flag- An 8-bit number, the most significant bit of which determines how critical the certification authority is about the entry. Possible values:
0- if the certification authority does not support the parameter
tagor cannot recognize him, he is allowed to issue a certificate at his discretion.
128- if the certification authority does not support the parameter
tagor cannot recognize it, it is forbidden to issue a certificate.
tag- possible values:
issue- defines a certification authority that is allowed to issue a certificate.
issuewild- defines a certification authority that is allowed to issue a wildcard certificate.
iodef- defines an email address or URLthat the CA should use for notifications if a request is received to issue a certificate that violates the rules defined by the CAA record.
value- depends on the value
tagand must be in double quotes (
""). If there are several additional parameters, they must be separated by a semicolon (
;). Possible values:
issue, then as
";"if you want to prevent all certification authorities from issuing a certificate.
issuewild, then the possible values for
valuethe same as for
issue, only in this case for a wildcard certificate.
iodef, then as
For convenience, when creating a record, you can use online generators:
What CAA records look like in domain settings: