
Do I Need a CAA Record? How to Check & Add One

A certificate authority authorization (CAA) record is a DNS resource that boosts security by giving site owners control over which certification authorities (CAs) can issue SSL/TLS certificates for their domains.

Managing these critical domain name system (DNS) records is integral to

  • preventing unauthorized SSL certificate issuances and
  • ensuring that only authorized (and trusted) CAs can provide certificates.

Learn how to create and add a CAA record to your DNS, and how to easily check CAA records’ statuses using CertPanel SSL Monitor.

CAA Record Overview

A CAA resource record (RR) is an optional short series of statements containing crucial information about the domain. For example, it’ll include info about which certificates can be issued for your site (and which CAs are authorized to do so), and where to report security issues.

Each CAA record is typically written on a separate line and contains several key pieces of information in a specific format: CAA <flag> <tag> "<value>".

Here are a few quick examples of what CAA records look like and what their components entail for an example domain: 

Image caption: An example illustration that breaks down the different elements of a standard CAA record. NOTE: You may sometimes see an “IN” inserted between the domain and the CAA record — this stands for “Internet” and specifies the class of DNS record.

Breaking Down the Key CAA Record Components 

Every CAA record must list the domain name that the record applies to (i.e., yourdomain.com) and specify that it’s a CAA record. However, it also must contain three other crucial elements:

  1. Flag: This binary number (0 or 1) indicates whether the record is critical.
    • 0 — Noncritical (this is the default setting)
    • 1 — Critical (i.e., the CA must respect the directive and must not issue certificates for the specified domain if it doesn’t understand the CAA record property).
  2. Property Tag: Specifies the intended purpose (i.e., what a specific CA is authorized to do) or property.
    • issue — Authorizes a specific CA (e.g., Sectigo) to issue non-wildcard certificates.
      • Example: CAA 0 issue "sectigo.com"
    • issuewild — Authorizes the specified CA to issue wildcard certificates.
      • Example: CAA 0 issuewild "sectigo.com"
    • iodef — The incident object description exchange format (IODEF) property specifies where a CA should send policy violation reports.
      • Example: CAA 0 iodef mailto:admin@yourdomain.com
  3. Value: Contains the CA’s domain or the contact details for reporting violations.

Pro Tip: Optionally, you can specify the time-to-live (TTL), which tells resolvers how long (in seconds) they may keep your CAA record cached. Typically, mission-critical records need to propagate changes quickly, so you’ll want to use a shorter TTL (e.g., 300 seconds), whereas non-critical records can use a longer TTL, such as 4 hours (i.e., 14400 seconds).

NOTE: The examples we’re using are written in the standard BIND zone file format (which works for Google Cloud DNS, DNSimple, and some others). However, some other DNS providers’ record editors accept only the three specific components of a CAA record (i.e., a flag, tag, and value).

How to Generate a CAA Record for Your Domain 

If you’re a managed DNS or security services customer, you likely don’t have to worry about creating CAA records yourself. (In many cases, the service provider will handle those tasks for you.) However, if you do host your own DNS, here’s how you can painlessly generate a CAA record for your domain.

For this example, we’ll use TheSSLstore.com’s CAA Record Generator Tool to create a CAA record for our test domain caa.itsatestsite.online and add it to AWS Route 53.

Simply enter your domain name (e.g., caa.itsatestsite.online for our example domain) into your chosen CAA Record Generator tool and click Generate.

The generated CAA output for a standard BIND zone file will look like this:

caa.itsatestsite.online. IN CAA 0 issue "sectigo.com"

How to Add the CAA Record to Your Domain

In this next step, you’ll take the generated CAA record and add it to your domain name system records. If you’re like 99% of our customers, you’ll typically do this using your domain registrar’s DNS servers and its cPanel to create your CAA records.

For this example, we’ll walk you through how to create a CAA record in cPanel and Amazon Web Service’s hosted DNS service (AWS Route 53).

Add the CAA Record in cPanel

After you’ve logged in to your domain’s cPanel: 

  1. Navigate under Tools to the Domains section and select Zone Editor.
  2. Click the Manage button next to the domain for which you’ll create the CAA record.
  3. In the Zone Records section, click the + Add Record dropdown and select Add “CAA” Record.
  4. On this next screen, enter the following details:
    • Valid Zone Name: yourdomain.com (insert your domain here)
    • TTL: 300 for records that must be updated more frequently and 14400 typically for those that don’t
    • Type: CAA
    • Issuer Critical Flag: 0
    • Tag: Specify what a CA can do (i.e., issue standard or wildcard certificates)
    • Value: This is where you’ll enter the CA’s domain name (e.g., sectigo.com or digicert.com)
  5. Hit Save Record to save your changes.

Image caption: A screenshot demonstrating how to set up a CAA record in cPanel.

Add the CAA Record in AWS Route 53 

Once you’ve logged in to the AWS Management Console:

  1. Navigate to Route 53 and select your hosted zone to access your domain’s DNS records.
  2. Click Create Record.
  3. Enter the following details:
    • Record Name: caa
    • Record Type: CAA
    • Value: 0 issue "sectigo.com"
    • TTL: 300 (recommended)
  4. Click Create Record to save the changes.

Ensure Your CAA Record Has Been Added Successfully

Use CertPanel SSL Monitor to verify that the new CAA record has been successfully added. You can do this quickly by looking under the Recommended Features section of your report, as shown below: 

Image caption: A screenshot of where to find the CAA record status in CertPanel SSL Monitor.

How to Check Your Site’s CAA Records + Other SSL/TLS Configurations

Using CertPanel SSL Monitor, you can quickly check whether the CAA record is correctly configured and detect any vulnerabilities. Don’t have CertPanel? Get it now.

Steps to Verify Your CAA Record Using CertPanel SSL Monitor 

Once you’ve logged in to CertPanel:

  1. Enter your domain name under the SSL Monitor section. For this example, we’ll use the test domain caa.itsatestsite.online.

Image caption: A screenshot showing where to enter your domain name when setting up CertPanel SSL Monitor.

  2. Click Scan to review the status of the CAA Record. If any issues are detected, please follow the suggested remediation steps provided by the tool.

Image caption: A screenshot showing in CertPanel that no CAA record(s) exist.

CAA Record Example 

Below is the complete CAA record configuration for caa.itsatestsite.online:

caa.itsatestsite.online. IN CAA 0 issue "sectigo.com"
caa.itsatestsite.online. IN CAA 0 issuewild "sectigo.com"
caa.itsatestsite.online. IN CAA 0 iodef mailto:admin@caa.itsatestsite.online
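To see how a CA actually evaluates the record set above (and the flag/tag/value components explained earlier), here is an added Python example that is not part of the original article or of any CertPanel or TheSSLstore tooling. It parses CAA lines in the zone-file form shown here, or in the bare flag-tag-value form that `dig +short CAA caa.itsatestsite.online` prints, and applies the RFC 8659 issuance rules: an unrecognized critical property forbids issuance, issuewild falls back to issue when absent, and a name with no issue records imposes no restriction at all. It assumes these three records are the complete set for the name (no climbing to parent names) and follows RFC 8659, where the issuer-critical flag is the high bit of the flags octet (decimal 128).

```python
"""Parse CAA records and decide whether a CA may issue, per RFC 8659."""
import re
from dataclasses import dataclass

# Constructed sample: the three zone-file lines from this article.
SAMPLE_ZONE = """
caa.itsatestsite.online. IN CAA 0 issue "sectigo.com"
caa.itsatestsite.online. IN CAA 0 issuewild "sectigo.com"
caa.itsatestsite.online. IN CAA 0 iodef mailto:admin@caa.itsatestsite.online
"""

CRITICAL = 0x80  # RFC 8659: issuer-critical is the high bit of the flags octet (128)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# The last three tokens of either presentation form (full zone line or the
# `dig +short` output) are <flags> <tag> <value>; a quoted value may contain spaces.
_TAIL = re.compile(r'(\d+)\s+(\w+)\s+("[^"]*"|\S+)\s*$')


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL)


def parse_caa(text: str) -> list[CAA]:
    """One record per non-empty line; tags are case-insensitive."""
    records = []
    for line in text.splitlines():
        m = _TAIL.search(line)
        if m:
            records.append(CAA(int(m[1]), m[2].lower(), m[3].strip('"')))
    return records


def issuer_of(value: str) -> str:
    """Issuer domain is the value up to the first ';' (parameters follow it); '' or ';' names no CA."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(records: list[CAA], ca_domain: str, wildcard: bool = False) -> bool:
    """True if ca_domain is allowed to issue a (wildcard) certificate under these records."""
    if any(r.critical and r.tag not in KNOWN_TAGS for r in records):
        return False  # a critical property we do not understand: must not issue
    relevant = [r for r in records if r.tag == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in records if r.tag == "issue"]  # issuewild falls back to issue
    if not relevant:
        return True  # no issue/issuewild records: CAA does not restrict issuance
    return ca_domain.lower() in {issuer_of(r.value) for r in relevant}
```

Note that a record set containing only an iodef line still allows any CA to issue; only issue and issuewild restrict issuance.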

Final Takeaways Regarding CAA Records

CAA records play a crucial role in preventing unauthorized SSL certificate issuance by limiting which CA(s) can issue certificates for a domain. You can set up and manage CAA records for your domain by using a CAA Record Generator tool and then adding the record through cPanel, your domain registrar’s site, or your hosted DNS service (such as AWS Route 53).

Keeping an eye on things with the CertPanel SSL Monitor helps to keep your domain safe and compliant by ensuring everything is properly configured.
