Usage
CAA records are used to define certificate issuance policies for a domain.
Example:
| Type | Name (use @ for root) | Criticality | Tag | Value | TTL |
|---|---|---|---|---|---|
| CAA | @ | 0 | issue | letsencrypt.org | |
| CAA | @ | 0 | issuewild | letsencrypt.org | |
| CAA | @ | 0 | issuemail | digicert.com | |
| CAA | @ | 0 | issuevmc | digicert.com | |
| CAA | @ | 0 | iodef | mailto:security@example.com | |
| CAA | @ | 0 | contactemail | holu@example.com | |
| CAA | @ | 0 | contactphone | tel:+1234567890 | |
Description
When a Certificate Authority (CA) issues a certificate, it checks the domain's CAA records (Certification Authority Authorization record) to verify that the issuance complies with the specified rules. This mechanism helps prevent unauthorized CAs from issuing certificates for your domain.
- The `issue` and `issue*` tags (`issuewild`, `issuemail`, `issuevmc`) specify which CAs are authorized to issue certificates for the domain.
- The `iodef` tag defines a contact method for reporting certificate issuance problems or policy violations. The CA must support this tag. If it doesn't, you won't be notified about violations.
- The `contactemail` and `contactphone` tags specify your contact information.
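The following is an added example, not code from this page or from any DNS provider or CA: a small Python evaluator that applies the CAA semantics described above (RFC 8659) to a constructed zone mirroring the table, so you can check what a compliant CA would conclude before asking it to issue. It walks from the requested name up toward the root to find the relevant CAA RRset, refuses issuance if a record has the critical flag (128) with a tag it does not understand, lets `issuewild` override `issue` for wildcard names, treats an empty issuer name (`;`) as "no CA may issue", and exposes the `iodef` contacts. The zone contents and the `locked`/`strict` subdomains are constructed sample data.

```python
"""Evaluate CAA policy the way a compliant CA does (RFC 8659 semantics).

Added example with a constructed zone; not a real domain's records.
"""
from dataclasses import dataclass

CRITICAL = 0x80  # bit 7 of the flags byte: "issuer critical"

# Tags this evaluator understands. A critical record with any other tag blocks issuance.
UNDERSTOOD_TAGS = {"issue", "issuewild", "issuemail", "issuevmc",
                   "iodef", "contactemail", "contactphone"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(text: str) -> CAARecord:
    """Parse presentation format, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = text.strip().split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def find_rrset(zone: dict, name: str) -> list:
    """Return the CAA RRset of the closest ancestor-or-self that has one (RFC 8659 s3).

    A wildcard label is stripped first: '*.example.com' is looked up as 'example.com'.
    """
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuer_name(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: dict, name: str, ca: str) -> tuple:
    """Decide whether CA `ca` may issue for `name`; returns (allowed, reason)."""
    rrset = find_rrset(zone, name)
    if not rrset:
        return True, "no CAA records found: issuance unrestricted"
    # Any critical record with an unknown tag forbids issuance outright.
    for r in rrset:
        if r.flags & CRITICAL and r.tag not in UNDERSTOOD_TAGS:
            return False, f"critical tag {r.tag!r} not understood"
    # For wildcard names, issuewild records (if any) replace issue records.
    relevant = [r for r in rrset if r.tag == "issuewild"] if name.startswith("*.") else []
    if not relevant:
        relevant = [r for r in rrset if r.tag == "issue"]
    if not relevant:
        return True, "no issue/issuewild records: issuance unrestricted"
    for r in relevant:
        if issuer_name(r.value) == ca.lower():
            return True, f"{ca} authorized by {r.tag} record"
    return False, f"{ca} not listed in {relevant[0].tag} records"


def report_contacts(zone: dict, name: str) -> list:
    """iodef URIs a CA should use to report a policy violation (may be empty)."""
    return [r.value for r in find_rrset(zone, name) if r.tag == "iodef"]


# Constructed sample zone mirroring the table above, plus two test subdomains.
SAMPLE_ZONE = {
    "example.com": [
        parse_caa('0 issue "letsencrypt.org"'),
        parse_caa('0 issuewild "letsencrypt.org"'),
        parse_caa('0 issuemail "digicert.com"'),
        parse_caa('0 iodef "mailto:security@example.com"'),
    ],
    # Empty issuer name: no CA at all may issue for this name.
    "locked.example.com": [parse_caa('0 issue ";"')],
    # Critical flag on a tag CAs do not understand: issuance must be refused.
    "strict.example.com": [parse_caa('128 futuretag "x"')],
}

if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("locked.example.com", "letsencrypt.org"),
                     ("strict.example.com", "letsencrypt.org")]:
        print(f"{host:22} {ca:16} -> {may_issue(SAMPLE_ZONE, host, ca)}")
    print("report to:", report_contacts(SAMPLE_ZONE, "www.example.com"))
```

Note that `digicert.com` is denied for `www.example.com` even though it appears in an `issuemail` record: that tag only authorizes S/MIME issuance, and the `issue` set is what governs TLS certificates. Also note that the evaluator, like a CA, only inspects the records you give it; it does not validate DNSSEC or handle CNAME chains.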