
CAA Record Checker & Generator

Check existing CAA DNS records for any domain, and generate new ones to control which Certificate Authorities can issue certificates.


What Are CAA Records?

CAA (Certificate Authority Authorization) records are DNS records defined in RFC 8659 that specify which Certificate Authorities (CAs) are permitted to issue SSL/TLS certificates for a domain. Before issuing a certificate, CAs are required to check for CAA records and refuse issuance if they are not listed.

For example, if you only use Let's Encrypt, you can add a CAA record with 0 issue "letsencrypt.org" — this tells all other CAs that they must not issue certificates for your domain.

Why Should You Add CAA Records?

  • Prevent unauthorized certificate issuance — without CAA records, any of the hundreds of public CAs can issue a certificate for your domain.
  • Defense against mis-issuance — if an attacker tricks a CA into issuing a fraudulent certificate, CAA records reduce the pool of CAs they can target.
  • Compliance requirement — many security frameworks (SOC 2, PCI DSS) recommend or require CAA records.
  • Incident notification — the iodef tag lets you receive email alerts when a CA denies a certificate request.

How CAA Records Work

CAA records use three tags to control certificate issuance:

  • issue: Authorizes a CA to issue standard (non-wildcard) certificates.
  • issuewild: Authorizes a CA to issue wildcard certificates (e.g., *.example.com).
  • iodef: Specifies a URL or email where CAs should report policy violations.
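The tag rules above are easiest to see in code. The following is an added example (not the checker or generator behind this page) that evaluates a certificate request against a CAA policy the way RFC 8659 describes: it climbs from the requested name toward the root until it finds a CAA RRset, applies issuewild to wildcard names only when an issuewild record exists (otherwise issue applies), treats an empty issuer name (";") as "no CA", and refuses when an unknown tag carries the critical flag. The zone contents, the CA names and the generate_caa helper are constructed for illustration.

```python
"""Evaluate and generate CAA records following RFC 8659 semantics (added example)."""
from __future__ import annotations

from dataclasses import dataclass

CRITICAL = 128  # flag bit: a CA that does not understand the tag must not issue

@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

def parse_caa(text: str) -> CAARecord:
    """Parse presentation format: '<flags> <tag> "<value>"'."""
    flags_str, tag, value = text.strip().split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(int(flags_str), tag.lower(), value)

# Constructed zone data (assumption, not real DNS): name -> CAA records.
ZONE = {
    "example.com": [
        '0 issue "letsencrypt.org"',
        '0 issuewild ";"',                       # no wildcard certificates at all
        '0 iodef "mailto:security@example.com"',
    ],
    "api.example.com": [
        '0 issue "digicert.com; validationmethods=dns-01"',  # parameters after ';'
    ],
}

def relevant_rrset(name: str) -> list[CAARecord]:
    """RFC 8659 section 3: use the CAA RRset at the name, else at its parent, recursively."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONE:
            return [parse_caa(r) for r in ZONE[candidate]]
    return []  # no CAA anywhere in the chain: issuance is unrestricted

def issuer_domain(value: str) -> str:
    """The issuer-domain-name is the part before any ';' parameter list."""
    return value.split(";", 1)[0].strip().lower()

KNOWN_TAGS = ("issue", "issuewild", "iodef")

def may_issue(ca: str, name: str) -> bool:
    """Return True if CA `ca` is authorized to issue a certificate for `name`."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name)
    # Critical flag on a tag we do not understand: must refuse.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild takes over for wildcard names only when present
    restricting = [r for r in rrset if r.tag == tag]
    if not restricting:
        return True  # only iodef / non-critical unknown tags: not restricted
    return any(issuer_domain(r.value) == ca.lower() for r in restricting)

def generate_caa(issue: list[str], issuewild: list[str] | None = None,
                 iodef: str | None = None) -> list[str]:
    """Build CAA records in presentation format.

    issue=[] denies all non-wildcard issuance; issuewild=None means "inherit
    the issue records", while issuewild=[] denies all wildcard issuance.
    """
    lines = [f'0 issue "{ca}"' for ca in issue] or ['0 issue ";"']
    if issuewild is not None:
        lines += [f'0 issuewild "{ca}"' for ca in issuewild] or ['0 issuewild ";"']
    if iodef:
        lines.append(f'0 iodef "{iodef}"')
    return lines

if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.com"),
                     ("digicert.com", "www.example.com"),
                     ("letsencrypt.org", "*.example.com"),
                     ("digicert.com", "*.api.example.com")]:
        print(f"{ca:16} {name:20} -> {'allow' if may_issue(ca, name) else 'deny'}")
    print("\n".join(generate_caa(["letsencrypt.org"], issuewild=[],
                                 iodef="mailto:security@example.com")))
```

Note that www.example.com has no records of its own, so the policy at example.com applies to it, whereas api.example.com has its own RRset and therefore does not inherit the parent's issuewild denial: a wildcard under api.example.com falls back to its issue record.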

Frequently Asked Questions

Do I need CAA records?

While not strictly required, CAA records are strongly recommended. Adding them is a simple, free security measure that takes minutes to configure.

What happens if I don't have CAA records?

If no CAA records are present, any Certificate Authority is allowed to issue certificates for your domain. This is the default behavior per RFC 8659.

Can CAA records break my existing certificates?

No. CAA records only affect future certificate issuance. Existing valid certificates continue to work. However, make sure to include your current CA in the records before your next renewal.