In this article, we explain how to set a CAA record within the DNS settings of your domain name.
A CAA record is a DNS record that allows you to state which Certificate Authorities (CAs) are allowed to issue an SSL certificate for a (sub)domain. Well-known Certificate Authorities include Sectigo (formerly known as Comodo) and Let's Encrypt.
If you set a CAA record for the root domain, the CAA record will also apply to all subdomains below, unless you set a separate CAA record for a specific subdomain.
In the CAA record, you also specify which type of SSL certificates the CA may issue. This can either be a Wildcard SSL certificate or an SSL certificate for the root domain or a subdomain.
If there is no CAA record present in your DNS settings, every CA will be allowed to issue an SSL certificate for the domain name. If there are one or more CAA records in your DNS settings, then only the CAs in these CAA records may issue an SSL certificate for the domain name.
Note that every CA needs to be defined in a separate record: you cannot combine multiple CAs into a single record.
Where do I add a CAA record?
You can add all your DNS records easily and free of charge via your control panel. Go to 'Domain' and select the domain in the left column for which you want to set the CAA record (don't check the box).
Now scroll to 'Advanced Domain Settings', followed by 'DNS'. If you do not see this yet, first click the switch behind 'TransIP settings' so the TransIP settings are switched off. The DNS records of your domain name will become visible, after which you can change them at will.
How do I set a CAA record?
A CAA record consists of a flag, a tag, and a value. The tag and value together form the property. A flag is used to indicate how important or 'critical' a property is and is characterized by a 0 or a 128.
The image above shows an example of a complete CAA record.
Name
You set a CAA record by starting with the name. Here you specify for which part of the domain the DNS record should work. A CAA record can be set for both the root domain and for subdomains.
- If you want to set a CAA record for the root domain, enter an @ in the 'Name' field.
- If you want to set a CAA record for a subdomain, only enter the subdomain in the 'Name' field.
- Our DNS software will automatically add the root domain name in the background.
Below is an example of a CAA record for the subdomain example.domainname.com.
TTL
The 'TTL' of a DNS record determines how long the record can remain in the cache. We recommend keeping the TTL low, for example at 1 or 5 minutes.
Type
Because we're setting a CAA record, we choose 'CAA' under 'Type'.
Value
In the value of the CAA record, you first set the flag, followed by the tag and the value. In the example below, you can see the flag (0), the tag (issue) and the value ("letsencrypt.org").
We will now give a short explanation of the different elements a CAA record consists of.
Flags
For the flag you can enter a number between 0 and 255. For now, only the numbers 0 and 128 are actively supported by CAA records, where 0 is non-critical and 128 is critical.
A critical flag (128) is only required if a custom tag is used. Because the tags 'issue', 'issuewild' and 'iodef' are the only tags currently used, it suffices to specify a 0 as a flag.
Tags & Values
As mentioned, the tags 'issue', 'issuewild' and 'iodef' are currently supported by CAA records.
The issue tag
With the issue tag, you can indicate which CA has permission to issue an SSL certificate for the domain. You do this by entering issue as the 'Tag' and adding the CA in quotation marks as the 'Value'.
In the example below, we give Let's Encrypt permission to issue certificates for the root domain (and in doing so also the subdomains).
Using a CAA record, you can also indicate that no Certificate Authority has permission to issue SSL certificates for the domain. You do this by entering issue as the 'Tag' and a semicolon in quotation marks as the 'Value'.
The issuewild tag
By using the issuewild tag, you give a CA permission to issue a Wildcard SSL certificate for the domain. This type of SSL certificate applies to all subdomains under your primary domain. You do this by entering issuewild as the 'Tag' and adding the CA in quotation marks as the 'Value'.
In the example below, we grant the Certificate Authority Sectigo permission to issue Wildcard SSL certificates for the primary domain.
Just like with the issue tag, you can also deny a CA permission to issue Wildcard SSL certificates on behalf of the domain name. You do this by entering issuewild as the 'Tag' and a semi-colon in quotation marks as the 'Value'.
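The rules described so far (subdomains inherit the root's CAA records, no record means any CA may issue, issue and issuewild are evaluated separately, and ";" denies everyone) can be checked with a small evaluator. This is an added example, not TransIP's code; it follows the lookup order of RFC 8659, and the zone contents and the CA identifier sectigo.com are constructed sample values.

```python
# Constructed sample zone (not from the article): name -> [(flag, tag, value)].
ZONE = {
    "domainname.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "sectigo.com"),
        (0, "iodef", "mailto:email@address.com"),
    ],
    "shop.domainname.com": [(0, "issue", ";")],  # no CA may issue here
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(zone, name):
    """Climb from `name` toward the root; the first name with CAA records wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def may_issue(zone, fqdn, ca):
    """True if `ca` may issue for `fqdn`; '*.name' is a wildcard request."""
    wildcard = fqdn.startswith("*.")
    records = relevant_caa(zone, fqdn[2:] if wildcard else fqdn)
    # A critical (128) record with a tag we do not understand blocks issuance.
    if any(flag & 128 and tag.lower() not in KNOWN_TAGS
           for flag, tag, _ in records):
        return False
    by_tag = {"issue": [], "issuewild": []}
    for _, tag, value in records:
        if tag.lower() in by_tag:
            # Keep only the CA domain; parameters after ';' are ignored here.
            by_tag[tag.lower()].append(value.split(";")[0].strip().lower())
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    use_wild = wildcard and by_tag["issuewild"]
    allowed = by_tag["issuewild"] if use_wild else by_tag["issue"]
    if not allowed:
        return True  # no CAA, or nothing that restricts this kind of request
    return ca.lower() in allowed  # ";" becomes "", which matches no CA


if __name__ == "__main__":
    for name in ("www.domainname.com", "*.domainname.com", "shop.domainname.com"):
        for ca in ("letsencrypt.org", "sectigo.com"):
            print(f"{name:24} {ca:16} {may_issue(ZONE, name, ca)}")
```

Because issuewild takes precedence for wildcard requests, the sample zone lets only sectigo.com issue `*.domainname.com`, even though letsencrypt.org is listed under issue.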
The iodef tag
The third tag that you can use for CAA records is the iodef tag. This tag allows you to add an email address to a CAA record. A CA will then send a notification to this email address when an SSL certificate is requested from a CA that is not mentioned in the record. You do this by entering iodef as the 'Tag' and mailto:email@address.com in quotation marks as the 'Value'.
Below is an example of a CAA record that uses the iodef tag.
- Not every CA supports every 'Tag' and 'Value', so make sure to check with your CA which you can use.
- Every 'Tag' needs to have its own CAA record. You cannot add multiple tags to the same record.
In this article we explained how to configure CAA records in your control panel. For a general explanation about DNS records and entering them, see the article 'DNS and nameservers'.
For more information about the use of CAA records, we advise you to read the RFC about this.