CAA records: who can issue certificates
A small DNS change with a delayed, expensive failure mode. Never publish a CAA without checking what currently issues.
CAA records are uncommon enough that many techs go their first year without touching one, then meet them during a security audit or a Cloudflare onboarding. The reason CAA matters for helpdesk work is the failure mode: a wrong CAA causes cert renewals to fail silently a few weeks or months later, after the tech who made the change has forgotten about it. The site goes offline when the cert expires.
CAA is a record where small change, big delayed impact is the norm.
What CAA does
A CAA (Certification Authority Authorization) record at a domain tells certificate authorities whether they’re allowed to issue certificates for that domain. Before issuing, a CA queries CAA. If a CAA exists and doesn’t authorise the CA, the issuance fails.
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issuewild "letsencrypt.org"
example.com. IN CAA 0 iodef "mailto:security@example.com"
The value has three components:
- Flag (
0or128). Mostly0.128means “critical”: CAs that don’t understand a tag must refuse issuance. - Tag (
issue,issuewild, oriodef).issuepermits regular certs;issuewildpermits wildcards;iodefis an email/URL the CA reports violations to. - Value. The CA’s identifier or the iodef URL.
The default and the failure mode
How to check what currently issues
Before publishing CAA, find out what’s currently issuing. Two paths:
- Look at the live certificate. Open the site in a browser; the cert’s issuer field names the CA. For multi-host setups (CDNs, load balancers), check each public endpoint.
- Query Certificate Transparency logs. Every cert issued for a domain is logged in public CT logs. Services like
crt.shlet you search a domain and see every cert issued in the last few years, including from CAs you didn’t know were involved (sub-CAs, vendor-managed certs, hosting-provider auto-issuance).
CT search reveals surprises. A hosting provider’s certificate-management subsystem issues from a CA the client never knew was in their stack; a subdomain delegates somewhere that issues from a different CA. Before publishing CAA, account for all of them.
What this is NOT
- “CAA controls which CA the client can buy from.” No. CAA controls which CA is technically permitted to issue. The client can buy from anyone; the issuance fails at the technical step if CAA doesn’t allow it.
- “No CAA means any cert is automatically issued, so the domain is insecure.” No. Any CA can issue doesn’t mean any cert is automatic. Each CA still does its own validation (domain control, ownership). CAA is an additional gate, not the primary one.
- “Adding CAA is always safer.” Adding the wrong CAA is actively dangerous because it silently breaks future renewals. Adding the right CAA is a small improvement. The risk cuts both ways.
Decision walkthrough
If you’re not sure what currently issues, don’t add CAA. The default (no CAA) is safe; an incomplete CAA is not. Monitor renewals for 60–90 days after publishing to catch any missed CA.