Certification Authority Authorization (CAA) records allow a domain owner to declare which certificate authorities (CAs) are allowed to issue certificates for that domain. A CAA record can also specify where a CA should send a report when it receives a certificate request that the domain's CAA policy does not authorize.
A CAA record consists of the following fields:
- Host - The hostname for the record, entered either as a simple, one-part name or as a Fully Qualified Domain Name (FQDN), with or without a trailing dot. Examples:
  - hostname
  - hostname.example.biz
  - hostname.example.biz.
  - example.biz
  - example.biz.
- Flags - An integer between 0 and 255. Only the high bit (value 128, the "issuer critical" flag) currently has a defined meaning: when it is set, a CA that does not understand the property tag must not issue a certificate. Use 0 unless you need that behaviour.
- Property Tag - Select one of the following options from the dropdown menu.
  - Issue - Authorizes the CA identified in the property value to issue certificates for the domain in which the property is published. A CA whose domain name is not listed in any issue property must not issue for that domain.
  - Issuewild - Authorizes the CA identified in the property value to issue wildcard certificates for the domain in which the property is published. Issuewild properties are ignored when the requested name is not a wildcard. When a wildcard certificate is requested and the record set contains at least one issuewild property, the issue properties are ignored and only the issuewild properties decide authorization; iodef properties still apply. If no issuewild property is present, the issue properties govern wildcard requests as well.
  - Iodef - Specifies a URL to which a CA may report certificate requests that are inconsistent with its Certification Practices or Certificate Policy, or that a Certificate Evaluator may use to report possible policy violations. Accepted URL schemes are mailto and http/https.
- Property Value - Entered as free text. For issue and issuewild this is the CA's domain name (for example ca.example.net), optionally followed by a semicolon and CA-specific parameters such as an account identifier; a value of ";" alone means that no CA is authorized. For iodef it is the report URL.
- TTL - The time, in seconds, that resolvers may cache the record.
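To make the field semantics concrete, the following Python script is an added example (not part of this page or of any DNS provider's software) that models how a CA evaluates CAA records for a requested name: it parses zone-file style CAA lines, climbs the DNS tree to find the relevant record set as RFC 8659 describes, applies the issue/issuewild precedence for wildcard names, refuses to issue on an unrecognised property that carries the critical flag, and extracts the iodef report URLs. The zone contents, the CA names (ca-one.example, ca-two.example) and the host names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

CRITICAL = 0x80            # "issuer critical" flag bit (value 128)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Matches zone-file CAA lines such as:  example.biz. 3600 IN CAA 0 issue "ca.example"
CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(?P<flags>\d+)\s+'
    r'(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"$'
)

# Constructed sample zone (not real records).
SAMPLE_ZONE = """
; only ca-one may issue; wildcards are forbidden outright; reports go to the security mailbox
example.biz.         3600 IN CAA 0   issue     "ca-one.example"
example.biz.         3600 IN CAA 0   issuewild ";"
example.biz.         3600 IN CAA 0   iodef     "mailto:security@example.biz"
; a subdomain delegated to a different CA, with a CA-specific parameter
shop.example.biz.    3600 IN CAA 0   issue     "ca-two.example; account=12345"
; a property tag no current CA understands, marked critical
legacy.example.biz.  3600 IN CAA 128 futuretag "opaque"
"""


def parse_zone(text: str) -> Dict[str, List[CAARecord]]:
    """Parse CAA lines into a map of lower-cased owner name -> RRset."""
    zone: Dict[str, List[CAARecord]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        flags = int(m["flags"])
        if not 0 <= flags <= 255:
            raise ValueError(f"flags out of range in {line!r}")
        name = m["name"].lower().rstrip(".")
        zone.setdefault(name, []).append(CAARecord(flags, m["tag"].lower(), m["value"]))
    return zone


def relevant_rrset(zone: Dict[str, List[CAARecord]], name: str) -> List[CAARecord]:
    """RFC 8659 section 3: climb one label at a time until a CAA RRset is found.
    The wildcard label "*" is climbed like any other label."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_domain(value: str) -> str:
    """The issuer domain name is the text before the first ';' (parameters follow it)."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def issuance_allowed(zone: Dict[str, List[CAARecord]], name: str, ca: str) -> Tuple[bool, str]:
    """Decide whether CA `ca` may issue a certificate for `name`."""
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no CAA RRset found up the tree: CAA imposes no restriction"
    # An unrecognised property with the critical flag set blocks issuance.
    for r in rrset:
        if r.tag not in KNOWN_TAGS and r.flags & CRITICAL:
            return False, f"unrecognised critical property {r.tag!r}"
    is_wild = name.startswith("*.")
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    issue = [r for r in rrset if r.tag == "issue"]
    # Wildcard request: issuewild takes precedence when present, else issue applies.
    # Non-wildcard request: issuewild is ignored.
    applicable = issuewild if (is_wild and issuewild) else issue
    if not applicable:
        return True, "RRset has no applicable issue/issuewild property: not restricted"
    permitted = {issuer_domain(r.value) for r in applicable} - {""}   # ";" alone permits nobody
    if ca.lower().rstrip(".") in permitted:
        return True, f"{ca} is authorized by {'issuewild' if applicable is issuewild else 'issue'}"
    return False, f"{ca} not in permitted set {sorted(permitted)}"


def iodef_targets(zone: Dict[str, List[CAARecord]], name: str) -> List[str]:
    """Report URLs for `name`, keeping only the mailto/http/https schemes."""
    return [r.value for r in relevant_rrset(zone, name)
            if r.tag == "iodef" and r.value.split(":", 1)[0].lower() in ("mailto", "http", "https")]


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for host, ca in [("www.example.biz", "ca-one.example"), ("*.example.biz", "ca-one.example"),
                     ("*.shop.example.biz", "ca-two.example"), ("legacy.example.biz", "ca-one.example")]:
        ok, why = issuance_allowed(zone, host, ca)
        print(f"{host:22} {ca:16} {'ALLOW' if ok else 'DENY ':5} {why}")
    print("report to:", iodef_targets(zone, "www.example.biz"))
```

Two behaviours worth noticing when running it: `*.example.biz` is denied even though ca-one holds an issue property, because the `issuewild ";"` record takes precedence for wildcard requests, while `*.shop.example.biz` is allowed because shop.example.biz has no issuewild property and its issue property therefore governs wildcards too.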