Frequently Asked Questions

What is a DNS CAA record?

CAA lets a domain owner specify which Certificate Authorities may issue certificates for the domain. It can also set rules for wildcard issuance and provide an incident reporting address.

What do the CAA tags mean?

issue authorizes CAs for non-wildcard certificates, issuewild authorizes CAs for wildcard certificates, and iodef defines where incident reports should be sent.

What does the flags field mean?

Flags are usually 0, 128 marks a critical property which tells CAs to reject issuance if they do not understand the tag.

Do I need CAA to get a certificate?

No, it is optional. Without CAA, CAs use their standard validation. CAA improves control by limiting which CAs can issue for your domain.

Why do I have no CAA records?

Many domains do not publish CAA. Certificate Authorities will then check parent zones or proceed based on their policies.