What Is a DNS CAA Record and How to Use It to Enhance SSL Certificate Security
What Is a DNS CAA Record and Why Should You Care?
Every time you visit an HTTPS website, your browser trusts the SSL/TLS certificate presented by that site. That trust is anchored in a chain that ultimately leads to a Certificate Authority (CA) — an organization like Let’s Encrypt, DigiCert, or Sectigo. But here’s the catch: any CA can theoretically issue a certificate for your domain, as long as they validate that you control it. If a CA is compromised or makes a mistake, someone else could obtain a valid certificate for your domain and impersonate your site.
Enter the DNS CAA (Certification Authority Authorization) record. Introduced in RFC 6844 (since superseded by RFC 8659), a CAA record is a DNS resource record that lets you explicitly declare which certificate authorities are permitted to issue certificates for your domain (and its subdomains). Any compliant CA must check this record before issuing a certificate. If the record forbids the CA (or if no allowed CAs match), the CA must refuse the request.
Think of it as a whitelist for SSL issuance. Without CAA, every CA that follows the standard industry validation process could issue for your domain. With CAA, you take control.
How a CAA Record Works
A CAA record has three components:
- Flags – A single octet (usually 0 for non-critical, 128 for critical). Most implementations use 0.
- Tag – One of three types:
  - issue – Authorizes a specific CA to issue certificates for the domain.
  - issuewild – Authorizes a CA to issue wildcard certificates (*.example.com).
  - iodef – Specifies a URL or email where CAs should send reports about certificate requests that your CAA policy rejects (useful for monitoring).
- Value – The domain name of the allowed CA (e.g., letsencrypt.org) or an email/URI for iodef.
For example, a record like example.com. CAA 0 issue "letsencrypt.org" tells the world: “Only Let’s Encrypt may issue certificates for example.com.” You can add multiple issue records to allow several CAs.
Real-World Example: Securing a Multi‑Subdomain Setup
Imagine you run acmecorp.com with subdomains like shop.acmecorp.com, blog.acmecorp.com, and cdn.acmecorp.com.
- You currently use DigiCert for main certificates and Let’s Encrypt for your dev subdomains.
- A malicious actor tries to get a certificate from a lesser-known CA (or a CA with relaxed validation) for shop.acmecorp.com by proving email ownership of a disposable address.
- Without CAA, that rogue CA could issue the certificate. With CAA, they check the record: “Only DigiCert and Let’s Encrypt are allowed” → request denied.
To implement this, you’d add two CAA records at the apex (acmecorp.com):
acmecorp.com. CAA 0 issue "digicert.com"
acmecorp.com. CAA 0 issue "letsencrypt.org"
Additionally, you might add an iodef record to receive notifications:
acmecorp.com. CAA 0 iodef "mailto:[email protected]"
How to Add a CAA Record
Adding a CAA record is done through your DNS management panel (e.g., your domain registrar, hosting provider, or DNS hosting service). The exact steps vary, but the general process is:
- Log in to your DNS provider.
- Navigate to the DNS record editor for your domain.
- Add a new record of type CAA (if not listed, check if your provider supports it – most modern ones do).
- Fill in:
  - Flags: 0
  - Tag: issue (or issuewild / iodef)
  - Value: The CA’s domain (e.g., letsencrypt.org)
- Save and wait for DNS propagation (may take minutes to hours).
Pro tip: Start by adding the CAA record for your own CA after you have an existing certificate in place. If you accidentally block your own CA, you might not be able to renew. Test with a low TTL first.
Checking Your CAA Records
You can verify your CAA records using any DNS lookup tool. On Whose.Domains, our DNS Analyzer lets you query all record types, including CAA. Simply enter your domain, switch to the “CAA” section, and see whether your records are properly configured.
You can also use command-line tools like dig:
dig example.com CAA +short
Example output:
0 issue "letsencrypt.org"
0 iodef "mailto:[email protected]"
Common Pitfalls and Best Practices
- Don’t forget subdomains. A CA looks for a CAA record at the requested name first and, finding none, walks up to the parent names, so records at the apex effectively apply to every subdomain unless a subdomain publishes its own CAA set. If you want strict control, set records at the apex and optionally override for specific subdomains.
- Include backup CAs. If you only allow one CA and that CA has an outage, you can’t get a new certificate until it recovers. List at least two trusted CAs.
- Use iodef for monitoring. Setting an iodef record tells CAs where to report certificate requests they refused because of your CAA policy. This helps detect malicious attempts early, although reporting is optional for CAs, so treat iodef as a complement to Certificate Transparency monitoring rather than a replacement for it.
- Check with your SSL provider. Some CAs (like Let’s Encrypt) have their own tools to verify that a domain has correct CAA records before they’ll issue. Use their “CAA check” pre-issuance tools.
- Watch for wildcard-specific rules. The issuewild tag only applies to wildcard certificates. If you only set issuewild and not issue, a CA could still issue a non‑wildcard certificate for your domain. Usually you want both.
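The following Python script is an added example, not code from this article or from Whose.Domains. It ties together the record structure from “How a CAA Record Works”, the acmecorp.com scenario, and the pitfalls above by evaluating CAA records the way RFC 8659 (the successor to RFC 6844) describes: parse the text form that dig prints, climb from the requested name toward the root to find the governing record set, then apply the issue / issuewild rules. The zone data, the mailto address, and the helper names (parse_caa, relevant_rrset, may_issue, audit) are all constructed for illustration.

```python
"""Evaluate CAA records as RFC 8659 describes (added example, not the page's code).

The zone below is constructed for illustration; record lines use the text form
that `dig ... CAA +short` prints: <flags> <tag> "<value>". All function names
(parse_caa, relevant_rrset, may_issue, audit) are hypothetical helpers.
"""
import re
from dataclasses import dataclass

# Constructed sample zone, keyed by owner name (no trailing dot).
ZONE = {
    "acmecorp.com": [
        '0 issue "digicert.com"',
        '0 issue "letsencrypt.org"',
        '0 iodef "mailto:security@acmecorp.example"',   # constructed address
    ],
    # A subdomain that publishes ONLY issuewild: this is the pitfall from the
    # text, because non-wildcard issuance under it becomes unrestricted.
    "dev.acmecorp.com": ['0 issuewild "letsencrypt.org"'],
    # An empty issuer name (";") authorises nobody: a deliberate lockdown.
    "legacy.acmecorp.com": ['0 issue ";"'],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
_LINE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & 128)   # bit 7 is "issuer critical"


def parse_caa(line: str) -> CAARecord:
    """Parse one presentation-format CAA line into a record."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not a CAA presentation line: {line!r}")
    flags = int(m.group(1))
    if not 0 <= flags <= 255:
        raise ValueError(f"flags must fit in one octet: {flags}")
    return CAARecord(flags, m.group(2).lower(), m.group(3))


def relevant_rrset(name: str, zone=ZONE) -> list:
    """RFC 8659 tree climbing: the first CAA RRset found walking from `name`
    towards the root governs `name`; an empty list means no CAA applies."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return [parse_caa(line) for line in zone[owner]]
    return []


def issuer_domain(value: str) -> str:
    """'ca.example; validationmethods=dns-01' -> 'ca.example'; ';' -> '' (nobody)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, fqdn: str, zone=ZONE):
    """Decide whether CA `ca` may issue for `fqdn`; a leading '*.' marks a
    wildcard request. Returns (allowed, reason)."""
    wildcard = fqdn.startswith("*.")
    # For a wildcard the wildcard label is dropped and the lookup starts at the parent.
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, zone)
    for rec in rrset:
        if rec.critical and rec.tag not in KNOWN_TAGS:
            return False, f"unrecognised critical property {rec.tag!r}"
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild governs wildcard requests only when present; otherwise issue applies.
    relevant, prop = (issuewild, "issuewild") if wildcard and issuewild else (issue, "issue")
    if not relevant:
        return True, f"no {prop} property in effect, issuance unrestricted"
    allowed = {issuer_domain(r.value) for r in relevant}
    if ca.lower() in allowed:
        return True, f"{ca} is listed in {prop}"
    return False, f"{ca} is not in the {prop} set {sorted(allowed)}"


def audit(name: str, zone=ZONE) -> list:
    """Report the pitfalls from the list above for the RRset governing `name`."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return ["no CAA record in effect: any CA may issue"]
    findings = []
    tags = {r.tag for r in rrset}
    issuers = {issuer_domain(r.value) for r in rrset if r.tag == "issue"} - {""}
    if "issuewild" in tags and "issue" not in tags:
        findings.append("issuewild without issue: non-wildcard issuance is unrestricted")
    if len(issuers) == 1:
        findings.append("only one CA authorised: no fallback if it is unavailable")
    if "iodef" not in tags:
        findings.append("no iodef: rejected requests will not be reported to you")
    return findings


if __name__ == "__main__":
    for ca, name in [("digicert.com", "shop.acmecorp.com"),
                     ("other-ca.test", "shop.acmecorp.com"),
                     ("other-ca.test", "app.dev.acmecorp.com"),
                     ("digicert.com", "*.dev.acmecorp.com"),
                     ("digicert.com", "legacy.acmecorp.com")]:
        print(f"{ca:14} {name:22} -> {may_issue(ca, name)}")
    for name in ZONE:
        print(name, audit(name) or ["ok"])
```

Running it shows the inheritance and wildcard rules in action: shop.acmecorp.com has no record of its own, so the apex set governs it and only DigiCert or Let’s Encrypt pass; app.dev.acmecorp.com is governed by the issuewild-only set at dev.acmecorp.com, so any CA may issue a non-wildcard certificate there, which is exactly what audit() flags. To check a live domain you would feed the lines from dig example.com CAA +short into parse_caa instead of the constructed zone.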
Enforcement and Compliance
Since September 2017, the CA/Browser Forum Baseline Requirements have made CAA checking mandatory for publicly trusted CAs. Any CA that issues a certificate for a domain whose CAA record forbids it has mis-issued: the certificate can be revoked and the CA held accountable. However, the system is not foolproof: a CA might fail to check due to a bug, or an attacker might compromise a CA. Still, CAA significantly raises the bar.
For extra assurance, combine CAA records with other security measures: use SSL Checker to validate certificate chains, enable Certificate Transparency (CT) logging, and monitor your DNS regularly.
Actionable Advice for Domain Owners
- Audit your current setup. Use the DNS Analyzer to check if you already have any CAA records.
- Define your CA whitelist. List the CAs you currently use (e.g., Let’s Encrypt, DigiCert, Sectigo) and any you plan to use.
- Add records for the apex domain and any subdomains that need separate rules. Start with a simple issue record for each CA.
- Set an iodef record to receive reports. Use an email address that’s monitored by your security team.
- Test renewal immediately. After adding CAA, try to renew a certificate from your allowed CA to ensure it works. If it fails, double-check the record syntax.
- Review periodically. If you switch CAs or add new services, update your CAA records accordingly.
Conclusion
A DNS CAA record is a simple but powerful tool to prevent unauthorized SSL certificate issuance for your domains. By explicitly listing which certificate authorities you trust, you close a significant attack vector. With just a few minutes of DNS configuration and the help of tools like Whose.Domains’ DNS Analyzer, you can dramatically improve your website’s security posture. Start implementing CAA today — your visitors (and your future self) will thank you.
Have questions about your CAA records? Drop a comment or use the DNS Analyzer to diagnose any issues.