HostPedia

CAA Record

DNS
Definition

CAA Record is a DNS record type that lets a domain owner specify which certificate authorities (CAs) are allowed to issue TLS/SSL certificates for that domain. By publishing CAA rules, you reduce the risk of unauthorized certificate issuance and improve control over HTTPS security. It supports directives for permitted issuers, wildcard coverage, and reporting of policy violations.

How It Works

A CAA (Certification Authority Authorization) record is published in DNS for a domain (and optionally its subdomains) to declare certificate issuance policy. When a CA receives a request to issue a certificate for example.com, it is expected to query DNS for CAA records and check whether it is authorized. If the policy does not permit that CA, the CA should refuse to issue the certificate. This adds a DNS-based control layer on top of normal domain validation methods.

CAA records use tags such as "issue" (authorize a CA for standard certificates), "issuewild" (authorize a CA for wildcard certificates), and "iodef" (where to send violation reports). Records are usually set at the apex (example.com) and apply to subdomains unless a subdomain publishes its own CAA records: the CA uses the closest CAA record set it finds while walking up from the requested name toward the apex. Because CAA is checked at certificate issuance time, changes depend on DNS propagation and caching, so plan updates before renewals or provider migrations.

Why It Matters for Web Hosting

CAA records affect whether your hosting control panel, CDN, or certificate automation can successfully issue or renew HTTPS certificates. If you switch hosts, move to a different certificate manager, or enable automated SSL, an existing CAA policy can block issuance and cause renewals to fail, which surfaces as certificate warnings in browsers once the old certificate expires. When comparing hosting plans, confirm which CA is used for the included SSL certificate and ensure your CAA policy allows it, especially for wildcard certificates.
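The lookup and authorization rules described in "How It Works", together with the pre-migration check recommended just above, are illustrated by the following added example. It is not code from the original page or from any CA; it is a pure-Python model of the RFC 8659 rules (climb from the requested name toward the apex, take the first CAA record set found, apply issue/issuewild, honour the critical flag) run against a constructed in-memory zone rather than live DNS. The zone contents, CA identifiers, and all function names are assumptions made for the example.

```python
# Added example (not from the original page): model of CAA authorization
# per RFC 8659, evaluated against a constructed in-memory zone.
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int  # 128 = "issuer critical"; an unknown critical tag forbids issuance
    tag: str    # "issue", "issuewild" or "iodef"
    value: str  # e.g. "letsencrypt.org", ";" (no CA at all), "mailto:..."


# Constructed zone (assumed data). The apex carries the policy; the
# "api" subdomain overrides it with a record set that forbids all issuance.
ZONE = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", "digicert.com"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "api.example.com": [
        CAA(0, "issue", ";"),  # nobody may issue for api.example.com
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(zone, fqdn):
    """Walk from the requested name toward the root and return the first CAA
    record set found (a leading "*." is stripped first). An empty list means
    no ancestor publishes CAA, so issuance is unrestricted."""
    name = fqdn.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return []


def issuer_domain(value):
    """issue/issuewild values look like '<issuer-domain>[; param=value ...]'.
    Return the issuer-domain part; '' means 'no issuer is authorized'."""
    return value.split(";", 1)[0].strip().lower()


def ca_authorized(zone, fqdn, ca_domain):
    """Decide whether the CA identified by ca_domain may issue for fqdn."""
    wildcard = fqdn.strip().startswith("*.")
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True  # no CAA policy anywhere up the tree
    # A critical record with a tag the CA does not understand blocks issuance.
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # Wildcard requests use issuewild when present and ignore issue;
    # otherwise issue applies. Non-wildcard requests ignore issuewild.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # only iodef (or nothing restrictive) present
    return ca_domain.lower() in {issuer_domain(r.value) for r in applicable}


def violation_contacts(zone, fqdn):
    """Where a CA should report a request the policy rejected (iodef values)."""
    return [r.value for r in relevant_rrset(zone, fqdn) if r.tag == "iodef"]


def migration_check(zone, hostnames, new_ca_domain):
    """Pre-migration check: which hostnames would the new provider's CA be
    unable to issue for under the current CAA policy?"""
    return [h for h in hostnames if not ca_authorized(zone, h, new_ca_domain)]


if __name__ == "__main__":
    hosts = ["www.example.com", "*.example.com", "api.example.com"]
    for ca in ("letsencrypt.org", "digicert.com"):
        print(ca, "blocked for:", migration_check(ZONE, hosts, ca))
    print("report violations to:", violation_contacts(ZONE, "www.example.com"))
```

Running the script shows why a host or CDN switch can break renewals without any change to domain validation: the new provider's CA is simply not in the relevant record set, and wildcard names are judged against issuewild alone once that tag exists. The model skips CNAME/DNAME following and DNSSEC, which a real CA also performs.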

Common Use Cases

  • Restricting certificate issuance to a chosen CA for tighter security governance
  • Preventing accidental issuance by a new platform after DNS or hosting changes
  • Allowing one CA for standard certificates and a different one for wildcard certificates
  • Supporting automated certificate issuance (ACME) while limiting which CA can be used
  • Adding an incident reporting endpoint via iodef to monitor policy violations

CAA Record vs TXT Record

CAA is purpose-built to control which certificate authorities may issue certificates, while TXT is a generic record type often used to prove domain control (for example, ACME challenges, SPF, or other verification strings). A CA may require TXT records during validation, but CAA can still block issuance even if validation succeeds. In practice, TXT helps prove you control the domain; CAA defines who is allowed to issue certificates for it.