
CAA Record

CAA is a new DNS record type. It specifies which certificate authorities are allowed to issue a certificate for the domain. It is primarily a mechanism that lets certificate authorities check for, and avoid, erroneously issued certificates.

Structure

$ dig google.com caa +short  
0 issue "pki.goog"  
0 issue "symantec.com"

The first number has a special meaning for certificate authorities. 0 means that they can issue a certificate. A different number usually means some kind of problem, so a certificate will not be issued.

The next property is issue. It denotes which authority is allowed to issue a certificate. Issuewild has the same meaning, but for wildcard certificates. Iodef sets the email address to which the CA should send a notification about issuing a certificate (not all CAs support this).
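The following is an added example (not from the original page) showing how a CA-side pre-issuance check would evaluate a CAA record set: it parses `dig ... caa +short` style lines, applies issue versus issuewild, treats a non-zero first field with an unrecognised property as "do not issue", and collects iodef contacts. The SAMPLE record set is constructed for the example, not a live lookup.

```python
from dataclasses import dataclass


@dataclass
class CAA:
    flags: int   # first field of the record; 0 is the normal value
    tag: str     # property name: issue, issuewild, iodef
    value: str   # property value, quotes removed


def parse_caa(dig_output: str) -> list[CAA]:
    """Parse lines in the form shown on this page, e.g. 0 issue "pki.goog"."""
    records = []
    for line in dig_output.strip().splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"malformed CAA line: {line!r}")
        flags, tag, value = parts
        records.append(CAA(int(flags), tag.lower(), value.strip().strip('"')))
    return records


KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def may_issue(records: list[CAA], ca: str, wildcard: bool = False) -> bool:
    """True if the CA identified by `ca` may issue for the name owning `records`."""
    # A non-zero first field combined with a property we do not understand
    # is treated as a problem: refuse rather than guess.
    if any(r.flags != 0 and r.tag not in KNOWN_TAGS for r in records):
        return False
    if not records:
        return True  # no CAA records at all: no restriction
    # Wildcard requests are governed by issuewild when present, else by issue.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True  # records exist, but none restrict this kind of issuance
    # A value of ";" names no CA, so it forbids every CA.
    return any(r.value.split(";")[0].strip().lower() == ca.lower() for r in relevant)


def iodef_contacts(records: list[CAA]) -> list[str]:
    """Addresses where a CA should report issuance (or a refused request)."""
    return [r.value for r in records if r.tag == "iodef"]


# Constructed sample in the layout of the dig output above.
SAMPLE = '0 issue "pki.goog"\n0 issue "symantec.com"\n0 iodef "mailto:security@example.com"'
```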