Which CAs may issue certificates for your domain; with IODEF report mail on violation.
What is this, and when do I need it?
What is this?
CAA (Certification Authority Authorization, RFC 8659) is a DNS record that names the
certification authorities allowed to issue TLS certificates for your domain. Publicly trusted CAs
are required by the CA/Browser Forum Baseline Requirements to check CAA before every issuance;
if the record does not list them, they must refuse.
This stops another CA from issuing a valid certificate for your domain by mistake or through
social engineering, which would otherwise enable phishing or man-in-the-middle attacks. Know the
limits: CAA is enforced by the CA at issuance time, not by browsers, so it does not help against
a compromised or non-compliant CA. Pair it with Certificate Transparency log monitoring to catch
what CAA cannot.
When do I need it?
Recommended for every domain with its own website, mail or APIs; a domain without CAA records
permits any CA to issue. Cost: a one-time DNS entry, then passive protection. If you use
Let's Encrypt, 0 issue "letsencrypt.org" is enough.
Bonus: an iodef entry with your security mailbox asks CAs that refuse issuance to notify you
of the attempt, an early warning of possible domain abuse. Sending such reports is optional for
the CA (RFC 8659 § 4.4), so treat it as an extra signal, not a guarantee.
CAA records are published in the domain's DNS zone. Before issuing, the CA looks up the relevant
RRset as RFC 8659 § 3 prescribes: it walks up from the FQDN toward the root and takes the first
node that has CAA records. A subdomain with its own CAA records therefore fully overrides the
apex policy; there is no additive inheritance, so a subdomain that sets its own issue record
must repeat issuewild and iodef if it wants them.
issue authorizes standard (non-wildcard) certificates. issuewild applies to wildcard
certificates and takes precedence for them; if no issuewild record exists, the issue records
govern wildcards as well. To rule out wildcards entirely, add 0 issuewild ";" next to your issue
records; to restrict wildcards to a narrower CA selection, list the allowed CAs in issuewild explicitly.
accounturi (RFC 8657) binds issuance to a specific ACME account URI: even if an attacker passes
a DNS-01 or HTTP-01 validation, they cannot obtain a certificate without control of that account.
validationmethods further restricts the permitted ACME challenge types (typically dns-01 for
DNSSEC-signed domains). Both are parameters appended to an issue or issuewild value after the CA
name, separated by semicolons; Let's Encrypt honours both, for other CAs check their documentation.
At the DNS provider you typically pick record type "CAA" or "TYPE257" in the UI; the zonefile
syntax shown here is BIND-style.
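The lookup and precedence rules described above, as an added Python example that is neither the site's checker nor any CA's implementation. The zone, the lab.example.com subdomain and the account id 12345 are constructed for the example, and the records use the same BIND-style RDATA syntax this page uses. The block also reports issue/issuewild/iodef completeness, the check the inspection tool on this page performs for live domains.

```python
"""Offline CAA policy evaluation: RFC 8659 lookup and issue/issuewild semantics,
plus the RFC 8657 accounturi and validationmethods parameters.
Added example for this page (not the site's checker, not a CA's code); the zone
is constructed in memory, so nothing is fetched from DNS."""
from dataclasses import dataclass

# Constructed zone, written as the BIND-style RDATA you would paste into a zonefile:
#   example.com.      CAA 0 issue "letsencrypt.org; accounturi=<ACCT>; validationmethods=dns-01"
#   example.com.      CAA 0 issuewild ";"
#   example.com.      CAA 0 iodef "mailto:security@example.com"
#   lab.example.com.  CAA 0 issue "digicert.com"
# Account id 12345 and the lab subdomain are placeholders for this example.
ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"
ZONE = {
    "example.com": [
        f'0 issue "letsencrypt.org; accounturi={ACCT}; validationmethods=dns-01"',
        '0 issuewild ";"',
        '0 iodef "mailto:security@example.com"',
    ],
    "lab.example.com": ['0 issue "digicert.com"'],
}

@dataclass
class CAARecord:
    flags: int    # parsed but the critical bit (128) is not enforced in this example
    tag: str
    issuer: str   # issuer-domain-name for issue/issuewild; "" means "no CA at all"
    params: dict  # RFC 8657 parameters (accounturi, validationmethods)

def parse_rdata(rdata):
    """Parse 'flags tag "value"'; issue/issuewild values are 'issuer; k=v; k=v'."""
    flags, tag, value = rdata.split(" ", 2)
    tag, value = tag.lower(), value.strip('"')
    issuer, params = value, {}
    if tag in ("issue", "issuewild"):
        parts = [p.strip() for p in value.split(";")]
        issuer = parts[0].lower()
        for p in parts[1:]:
            if p:
                key, _, val = p.partition("=")
                params[key.strip().lower()] = val.strip()
    return CAARecord(int(flags), tag, issuer, params)

def relevant_rrset(zone, name):
    """RFC 8659 section 3: walk up from the name label by label; the first node
    that has CAA records wins. Returns (node, records), or ("", []) if none."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        node = ".".join(labels)
        if zone.get(node):
            return node, [parse_rdata(r) for r in zone[node]]
        labels.pop(0)
    return "", []

def authorizes(zone, name, ca, wildcard=False, account_uri=None, method=None):
    """May `ca` issue for `name` (or for *.name when wildcard=True)? -> (bool, reason)"""
    node, recs = relevant_rrset(zone, name)
    if not recs:
        return True, "no CAA records found: any CA may issue"
    # issuewild takes precedence for wildcards; if absent, the issue records govern
    # wildcards too. Only the relevant node counts: a parent's issuewild is never merged in.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in recs) else "issue"
    candidates = [r for r in recs if r.tag == tag]
    if not candidates:
        return True, f"{node}: no {tag} property, issuance is not restricted"
    for r in candidates:
        if r.issuer != ca.lower():
            continue  # also rejects the ";" form, whose issuer is ""
        # RFC 8657: every parameter present must be satisfied (other parameters ignored here)
        want_acct = r.params.get("accounturi")
        if want_acct and want_acct != account_uri:
            continue
        want_methods = r.params.get("validationmethods")
        if want_methods and method not in [m.strip() for m in want_methods.split(",")]:
            continue
        return True, f"{node}: {tag} authorizes {ca}"
    return False, f"{node}: no {tag} record authorizes {ca}"

def completeness(zone, name):
    """Which of issue/issuewild/iodef are missing at the node that governs `name`
    (the check the inspection tool on this page describes)."""
    node, recs = relevant_rrset(zone, name)
    return node, sorted({"issue", "issuewild", "iodef"} - {r.tag for r in recs})

if __name__ == "__main__":
    print(authorizes(ZONE, "www.example.com", "letsencrypt.org", account_uri=ACCT, method="dns-01"))
    print(authorizes(ZONE, "www.example.com", "letsencrypt.org", account_uri=ACCT, method="http-01"))
    print(authorizes(ZONE, "example.com", "letsencrypt.org", wildcard=True, account_uri=ACCT, method="dns-01"))
    print(authorizes(ZONE, "lab.example.com", "digicert.com", wildcard=True))
    print(completeness(ZONE, "lab.example.com"))
```

Running the module prints the five decisions: Let's Encrypt is authorized for www.example.com only from the bound account over dns-01, a wildcard at the apex is refused by issuewild ";", and a wildcard for lab.example.com is allowed because lab's own issue record governs and the apex issuewild is not inherited. The completeness report for lab lists issuewild and iodef as missing, which is exactly the gap the override semantics create.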
Inspect existing CAA records
Reads the domain's CAA records and checks completeness (issue/issuewild/iodef).
Server-side check: this inspection does not run in your browser. Our server fetches the DNS record or HTTPS response. We do not log the queried domain or the result. Limit: 12 requests per minute per IPv4 address or IPv6 /64 subnet.
How to add this record at your DNS provider
The record generated above has three parts: the record type (CAA here; most other records on
this site are TXT), the host (empty or @ for the root domain, or a subdomain name) and the value
(flags, tag and the quoted payload, for example 0 issue "letsencrypt.org"). Every DNS provider asks
for these same three fields, only the menu wording differs. Some UIs (Cloudflare among them) split
a CAA value into separate flags, tag and content fields; enter 0, issue and the bare CA name there
instead of the whole string.
Button Add record → pick a type, enter the name (use @ for the
root domain), paste the value.
Save. Propagation typically under 5 minutes.
IONOS (1&1)
Sign in to the IONOS customer center.
Menu Domains & SSL → click the domain → DNS.
Button Add record → pick a type, enter the host, paste the value into
the content field.
Save. Propagation typically 15-60 minutes.
Cloudflare
Sign in to Cloudflare, pick the domain.
Tab DNS → Records.
Button Add record → pick a type, enter the name (use @ for
the root domain), paste the value, leave proxy status on DNS only for TXT/CAA records.
Save. Propagation typically under 2 minutes.
Note: If your DNS provider is not listed, you usually find the right place under headings like
"DNS management", "Zone editor", or "Records". When in doubt, your provider's support helps;
the paths shown here are vendor-specific and can shift slightly with redesigns.