CAA (Certification Authority Authorization) is an entry that defines which certification authorities are allowed to issue SSL certificates for a specific domain or subdomain.
The record is added in the domain settings, and its data consists of three parameters separated by spaces:
flag tag value
Parameters:
- flag - an 8-bit number whose most significant bit determines how critical the entry is for the certification authority. Possible values:
  - 0 - if the certification authority does not support the tag parameter or cannot recognize it, it is allowed to issue a certificate at its discretion.
  - 128 - if the certification authority does not support the tag parameter or cannot recognize it, it is forbidden to issue a certificate.
- tag - possible values:
  - issue - defines a certification authority that is allowed to issue a certificate.
  - issuewild - defines a certification authority that is allowed to issue a wildcard certificate.
  - iodef - defines an email address or URL that the CA should use for notifications if a request is received to issue a certificate that violates the rules defined by the CAA record.
- value - depends on the value of tag and must be in double quotes (""). If there are several additional parameters, they must be separated by a semicolon (;). Possible values:
  - If tag is issue, then value is:
    - ";" if you want to prevent all certification authorities from issuing a certificate.
  - If tag is issuewild, the possible values for value are the same as for tag issue, only in this case for a wildcard certificate.
  - If tag is iodef, then value is:
    - "mailto:admin@example.com".
    - "http(s)://URL".
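The flag, tag and value rules above, written as a small checker that decides whether a given CA may issue under a set of CAA records. This is an added example, not part of the original page; it goes beyond the text by applying the RFC 8659 rule that issuewild records, when present, replace issue records for wildcard requests. The CA names ca.example and wild-ca.example, the param=value parameter and the sample record set are constructed placeholders.

```python
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(rdata):
    """Split 'flag tag "value"' into (flag, tag, value); ValueError if malformed."""
    parts = rdata.split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"expected 'flag tag value': {rdata!r}")
    flag_s, tag, raw = parts
    if not flag_s.isdecimal() or not 0 <= int(flag_s) <= 255:
        raise ValueError(f"flag must be an 8-bit number: {flag_s!r}")
    raw = raw.strip()
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        raise ValueError(f"value must be in double quotes: {raw!r}")
    return int(flag_s), tag.lower(), raw[1:-1]

def issuer_domain(value):
    """CA name before the first ';' (additional parameters follow it); '' for ';'."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(rdatas, ca_domain, wildcard=False):
    """Return True if the CA identified by ca_domain may issue under these records."""
    records = [parse_caa(r) for r in rdatas]
    # Flag 128 (most significant bit set): an unrecognized tag forbids issuance.
    if any(flag & 128 and tag not in KNOWN_TAGS for flag, tag, _ in records):
        return False
    issue = [v for _, tag, v in records if tag == "issue"]
    issuewild = [v for _, tag, v in records if tag == "issuewild"]
    # RFC 8659: issuewild, when present, replaces issue for wildcard requests.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # only iodef or non-critical unknown tags: no restriction
    wanted = ca_domain.strip().lower()
    # A value of ";" yields an empty issuer name, which matches no CA.
    return bool(wanted) and any(issuer_domain(v) == wanted for v in relevant)

# Constructed sample record set with placeholder CA names.
SAMPLE = [
    '0 issue "ca.example"',
    '0 issuewild "wild-ca.example; param=value"',
    '0 iodef "mailto:admin@example.com"',
]

if __name__ == "__main__":
    for ca, wild in [("ca.example", False), ("ca.example", True),
                     ("wild-ca.example", True)]:
        print(ca, "wildcard" if wild else "regular", may_issue(SAMPLE, ca, wild))
```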
For convenience, when creating a record, you can use online generators:
What CAA records look like in domain settings: