CAA Record (Certification Authority Authorization)
What is CAA Record (Certification Authority Authorization)?
CAA Record (Certification Authority Authorization)
A DNS record type (RFC 8659) that lets a domain owner restrict which Certificate Authorities are allowed to issue certificates for the domain, blocking accidental or malicious mis-issuance by other CAs.
A CAA record (Certification Authority Authorization, originally RFC 6844 and updated by RFC 8659) is a DNS resource record that lets a domain owner enumerate exactly which CAs may issue certificates for the domain. The record carries three fields: a flag octet (the value 128 is the "issuer critical" flag, which tells a CA to refuse issuance if it does not understand the property tag), a property tag (`issue`, `issuewild`, `iodef`), and a value (for `issue` and `issuewild`, a CA's issuer domain such as `letsencrypt.org` or `digicert.com`; for `iodef`, a `mailto:` or `https:` URL). Since September 2017, the CA/Browser Forum Baseline Requirements have required every publicly trusted CA to look up CAA before issuing and to refuse issuance if the relevant records do not authorise it. The lookup walks up the DNS tree: the CA uses the CAA RRset of the requested name or, if it has none, of the closest ancestor that publishes one, so a record at the zone apex covers every subdomain that does not publish its own, while a subdomain's own record replaces (rather than adds to) the parent's. `issuewild` governs wildcard certificates only; if no `issuewild` record is present, the `issue` records apply to wildcards as well. A name with no CAA records anywhere in its ancestry permits any CA to issue.

A typical hardened deployment looks like `example.com. CAA 0 issue "letsencrypt.org"; example.com. CAA 0 issuewild ";"; example.com. CAA 0 iodef "mailto:security@example.com"`. The first record allows only Let's Encrypt to issue; the second, whose empty issuer authorises nobody, blocks wildcard certificates entirely; the third asks a compliant CA that rejects a request because of this policy to report the attempt to the given address. CAA shrinks the set of CAs an attacker can abuse: a hijacked account at some other CA, or a mistaken domain validation by one, can no longer yield a valid certificate for the name. Its limits matter too. CAA is enforced by the issuing CA at issuance time and is never checked by browsers, so it cannot stop a CA that ignores the Baseline Requirements or has itself been compromised, and an attacker who controls the domain's DNS can simply change the record, which is why the zone should be signed with DNSSEC. It is still one of the simplest single-record web-hygiene wins available, and it pairs naturally with Certificate Transparency monitoring, which catches the mis-issuance CAA cannot prevent.
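The CA-side check that a CAA record asks for, as an added worked example in Python (not code from the page or from any CA): it parses presentation-format CAA records, walks up to the closest ancestor RRset, applies the `issue`/`issuewild` rules and the issuer-critical flag, and reports where a rejected request should be sent. `ZONE`, its names and the helper functions are constructed for illustration; a real CA resolves the RRset over DNS at validation time instead of reading a dictionary.

```python
"""Evaluate a CAA policy as RFC 8659 sections 3 and 4 describe it.

Added worked example, not code from the page or from any CA. ZONE below is
constructed for illustration; a real CA resolves the RRset through DNS
(ideally DNSSEC-validated) rather than reading a dict.
"""
import re
from dataclasses import dataclass

ISSUER_CRITICAL = 128          # flag octet bit 0 (RFC 8659 s.4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data in presentation format: name -> CAA RDATA strings.
ZONE = {
    "example.com": [
        '0 issue "letsencrypt.org"',
        '0 issuewild ";"',                        # empty issuer: no wildcards at all
        '0 iodef "mailto:security@example.com"',
    ],
    "legacy.example.com": ['0 issue "digicert.com"'],  # closest RRset replaces the apex policy
    "strict.example.com": ['128 futureprop "x"'],       # critical flag on an unknown tag
}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


_RDATA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"$')


def parse_caa(rdata: str) -> CAARecord:
    """Parse presentation-format RDATA such as '0 issue "letsencrypt.org"'."""
    m = _RDATA_RE.match(rdata.strip())
    if not m or not 0 <= int(m.group(1)) <= 255:
        raise ValueError(f"malformed CAA RDATA: {rdata!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; accounturi=...' -> 'letsencrypt.org'; ';' or '' -> '' (nobody)."""
    return value.split(";", 1)[0].strip().lower()


def relevant_rrset(zone, fqdn):
    """RFC 8659 s.3: the CAA RRset of the name itself or of its closest ancestor."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, [parse_caa(r) for r in zone[name]]
    return None, []


def may_issue(zone, fqdn, ca_domain):
    """Decide whether CA `ca_domain` may issue for `fqdn`. Returns (allowed, reason)."""
    wildcard = fqdn.startswith("*.")
    name, rrset = relevant_rrset(zone, fqdn[2:] if wildcard else fqdn)
    if not rrset:
        return True, "no CAA RRset at the name or any ancestor: any CA may issue"
    # A critical flag on a property the CA does not understand forbids issuance.
    for rr in rrset:
        if rr.flags & ISSUER_CRITICAL and rr.tag not in KNOWN_TAGS:
            return False, f"unrecognised critical property '{rr.tag}' at {name}"
    issue = [rr for rr in rrset if rr.tag == "issue"]
    issuewild = [rr for rr in rrset if rr.tag == "issuewild"]
    # Wildcard requests are governed by issuewild when any exist, else by issue;
    # issuewild is ignored for non-wildcard requests (s.4.3).
    if wildcard and issuewild:
        governing, tag = issuewild, "issuewild"
    else:
        governing, tag = issue, "issue"
    if not governing:
        return True, f"CAA RRset at {name} has no {tag} property: any CA may issue"
    allowed = {issuer_domain(rr.value) for rr in governing}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is listed in {tag} at {name}"
    return False, f"{ca_domain} is not listed in {tag} at {name}"


def iodef_targets(zone, fqdn):
    """Where a compliant CA should report a request this policy rejected."""
    _, rrset = relevant_rrset(zone, fqdn[2:] if fqdn.startswith("*.") else fqdn)
    return [rr.value for rr in rrset if rr.tag == "iodef"]


if __name__ == "__main__":
    for fqdn, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("legacy.example.com", "letsencrypt.org"),
                     ("app.strict.example.com", "letsencrypt.org"),
                     ("example.org", "letsencrypt.org")]:
        ok, why = may_issue(ZONE, fqdn, ca)
        print(f"{'ALLOW' if ok else 'DENY ':5} {ca:16} -> {fqdn:24} {why}")
    print("report rejections to:", iodef_targets(ZONE, "www.example.com"))
```

Running it shows the three behaviours practitioners most often get wrong: the `issuewild ";"` record denies the wildcard request even though Let's Encrypt is listed in `issue`; `legacy.example.com` lets DigiCert issue and blocks Let's Encrypt because a subdomain's own RRset replaces the apex policy rather than extending it; and `app.strict.example.com` is refused outright because of an unrecognised property carrying the critical flag.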
● Examples
- 01
An organization publishes `CAA 0 issue "letsencrypt.org"` at its zone apex so that no other publicly trusted CA may issue certificates, wildcard or otherwise, for the domain or for any subdomain that does not publish CAA records of its own.
- 02
A CT-monitoring alert fires on a certificate issued for the domain by a CA not listed in its CAA records, indicating either a misconfiguration or a CA non-compliance event.
● Frequently asked questions
What is CAA Record (Certification Authority Authorization)?
A DNS record type (RFC 8659) that lets a domain owner restrict which Certificate Authorities are allowed to issue certificates for the domain, blocking accidental or malicious mis-issuance by other CAs. It belongs to the Network Security category of cybersecurity.
What does CAA Record (Certification Authority Authorization) mean?
A DNS record type (RFC 8659) that lets a domain owner restrict which Certificate Authorities are allowed to issue certificates for the domain, blocking accidental or malicious mis-issuance by other CAs.
How does CAA Record (Certification Authority Authorization) work?
When a CA receives a certificate request it looks up the CAA RRset for the requested name, walking up to the closest ancestor that publishes one. If an `issue` record (or, for a wildcard request, an `issuewild` record) lists the CA's issuer domain, it may proceed; if CAA records exist but do not list it, the CA must refuse and, where an `iodef` record is present, may report the rejected request to that address; if no CAA record exists anywhere in the ancestry, any CA may issue. The check has been mandatory for publicly trusted CAs under the CA/Browser Forum Baseline Requirements since September 2017. Browsers never evaluate CAA, so it prevents mis-issuance by compliant CAs but does not detect issuance by a non-compliant or compromised one, which is why it is paired with Certificate Transparency monitoring.
How do you deploy CAA Record (Certification Authority Authorization) correctly?
Inventory every CA that legitimately issues for the domain, including ACME-based issuance performed by CDNs, load balancers and hosting platforms on your behalf, and publish one `issue` record per CA at the zone apex, adding `issuewild ";"` if no wildcard certificates are needed and an `iodef` contact for rejection reports. Sign the zone with DNSSEC so an attacker who can spoof DNS answers cannot also spoof the policy. Verify the published RRset with a resolver query such as `dig example.com CAA` and with a test issuance from each authorised CA, and re-check whenever a new CA or provider is introduced, because a record that omits a CA silently breaks that CA's renewals. Finally, monitor Certificate Transparency logs for certificates from any CA not in the record, since CAA stops compliant CAs but cannot detect a non-compliant one.
What are other names for CAA Record (Certification Authority Authorization)?
Common alternative names include: Certification Authority Authorization, CAA DNS record.
● Related terms
- network-security№ 174
Certificate Authority (CA)
A trusted entity that issues and signs digital certificates, binding cryptographic public keys to verified identities such as domain names or organisations.
- defense-ops№ 177
Certificate Transparency
An ecosystem of append-only public logs of TLS certificates, defined by RFC 6962 and 9162, that lets anyone audit which certificates exist for any domain.
- network-security№ 981
Public Key Infrastructure (PKI)
The combined system of policies, software, hardware and trusted authorities used to issue, distribute, validate and revoke digital certificates that bind identities to public keys.
- network-security№ 380
DNSSEC
A set of DNS extensions that uses digital signatures to let resolvers verify the authenticity and integrity of DNS records.
- network-security№ 1385
X.509 Certificate
A standard structure for a digital certificate that binds a public key to an identity through a signature from a trusted certificate authority.
- network-security№ 444
Extended Validation Certificate
A TLS certificate issued only after a CA performs a strict, standardised verification of the legal identity, physical existence and authority of the requesting organisation.