About CAA

There are over a hundred organizations, called certificate authorities, that can issue SSL certificates which vouch for the identity of your domain. If you're like most domain owners, you probably get your certificates from only a handful of certificate authorities. CAA (Certificate Authority Authorization) lets you declare which certificate authorities you actually use, forbidding the others from issuing certificates for your domain.

Here are some reasons for you to use CAA:

  • You want to reduce your risk from insecure certificate authorities. You can use CAA to limit your domain to certificate authorities which you trust not to issue unauthorized certificates.
  • You want to stop your employees from obtaining certificates from unauthorized vendors.

Setting up CAA is easy. Use the handy CAA generator to check off the certificate authorities which you authorize. Then publish the generated DNS records in your domain's DNS. Your domain needs to be hosted with a DNS provider that supports CAA. Fortunately, many major DNS providers now support CAA.

CAA is an IETF standard defined by RFC 6844. Starting September 8, 2017, all public certificate authorities will be required to respect CAA records. Before issuing a certificate for a domain, they must check the domain for CAA records, and refuse to issue if the CAA record set doesn't authorize them. (If there is no CAA record, they are allowed to issue.)

CAA and Sub-domains

The CAA record set for a domain also applies to all sub-domains. If a sub-domain has its own CAA record set, it takes precedence.

For example, before a certificate authority issues a certificate for www.example.com, it will query the following domains for CAA record sets, in this order, and use the first record set it finds:

  1. www.example.com
  2. example.com

CAA and CNAME

If a domain name is a CNAME (also known as an alias) for another domain, then the certificate authority also looks for CAA record sets at the CNAME target, as well as all parent domains of the target. If no CAA record set is found, the certificate authority continues searching parent domains of the original domain name.

For example, if blog.example.com is a CNAME for blog.example.net, then the certificate authority looks for CAA record sets in the following order:

  1. blog.example.net
  2. example.net
  3. example.com
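The sub-domain and CNAME lookup rules above, together with the issue/issuewild check a certificate authority applies to the record set it finds, as an added Python example that is not part of the original page (it models the RFC 6844 behaviour described here; the later RFC 8659 revision no longer climbs the CNAME target's parents). The zone data, domain names and helper names are constructed for illustration; climbing stops before the TLD, and a single level of CNAME aliasing is assumed.

```python
# Added illustration, not the page's code. Constructed zone data, not real DNS.
CONSTRUCTED_ZONE = {
    "example.com":        {"CAA": [(0, "issue", "letsencrypt.org")]},
    "blog.example.com":   {"CNAME": "blog.example.net"},
    "secure.example.com": {"CAA": [(0, "issue", "sectigo.com"), (0, "issuewild", ";"),
                                   (0, "iodef", "mailto:security@example.com")]},
    "example.net": {}, "blog.example.net": {},
}

def parents(name):
    """Yield `name` and each parent, stopping before the TLD (a simplification)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def caa_lookup_order(name, zone):
    """Query order from the rules above: climb from `name` through its parents;
    a name that is a CNAME is replaced by its target and the target's parents
    (one level of aliasing assumed)."""
    order = []
    for candidate in parents(name):
        target = zone.get(candidate, {}).get("CNAME")
        order.extend(parents(target) if target else [candidate])
    return order

def find_caa_set(name, zone):
    """Return (owner, records) of the first non-empty CAA set in lookup order."""
    for candidate in caa_lookup_order(name, zone):
        records = zone.get(candidate, {}).get("CAA")
        if records:
            return candidate, records
    return None, []

def is_authorized(records, ca_domain, wildcard=False):
    """Apply a CAA set of (flags, tag, value) to issuer `ca_domain` (RFC 6844):
    no records, or no issue/issuewild tag, leaves issuance unrestricted;
    issuewild overrides issue for wildcard names; a value of ';' allows nobody."""
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    values = [v for _, t, v in records if t == tag]
    if not values:
        return True
    # "ca.example; accounturi=..." -> the issuer domain is the part before ';'
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed

def may_issue(name, ca_domain, zone):
    """End-to-end check for a request for `name`; a '*.' prefix means wildcard."""
    wildcard = name.startswith("*.")
    _, records = find_caa_set(name[2:] if wildcard else name, zone)
    return is_authorized(records, ca_domain, wildcard)
```

Running `may_issue("blog.example.com", "letsencrypt.org", CONSTRUCTED_ZONE)` walks blog.example.net, example.net and then example.com, exactly the order listed above, and ends at the example.com record set.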

Limitations

A certificate authority that goes rogue or is totally compromised can issue a certificate for your domain regardless of what CAA says. Also, DNS records can be spoofed by a powerful attacker to trick a certificate authority into thinking that it is authorized.

However, in practice CAA would have protected domain owners from many of the recent security vulnerabilities in certificate authorities. Publishing a CAA policy is a very sensible security measure despite its limitations.

For added protection, use a Certificate Transparency monitor such as Cert Spotter to alert you if a certificate is issued that violates your CAA policy.