CAA Record

CAA is a new DNS record type. It specifies which certificate authorities are allowed to issue a certificate for the domain. It is more of a mechanism for certificate authorities to check for erroneously issued certificates.


$ dig caa +short  
0 issue ""  
0 issue ""

The first number has a special meaning for certificate authorities. 0 means that they can issue a certificate. A different number usually means some kind of problem, so a certificate will not be issued.

The next property is issue. It denotes which authority is allowed to issue a certificate. Issuewild has the same meaning, but for wildcard certificates. Iodef sets the email address where the CA should send a notification of issuing a certificate (not all of them support this).
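
The check a certificate authority runs over a domain's CAA records can be sketched in Python; this is an added example, not code from the original page. It assumes records in dig's +short text form, the CA names and the functions parse_caa and ca_may_issue are hypothetical, and it goes slightly beyond the text by handling flag value 128 and the ";" value as defined in RFC 8659.

```python
import re

# One CAA record in dig's presentation format: <flags> <tag> "<value>"
CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(line):
    """Split one record into (flags, tag, value); raise on malformed input."""
    m = CAA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    if flags > 255:
        raise ValueError(f"flags out of range: {flags}")
    return flags, tag, value

def ca_may_issue(records, ca_domain, wildcard=False):
    """Return True if the record set lets ca_domain issue the certificate."""
    parsed = [parse_caa(r) for r in records]
    # Flag bit 128 is "issuer critical": a CA that does not understand
    # the tag of such a record must refuse to issue.
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in parsed):
        return False
    issue = [v for _, t, v in parsed if t == "issue"]
    issuewild = [v for _, t, v in parsed if t == "issuewild"]
    # For wildcard requests, issuewild records (when present) replace issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no restriction published for this request type
    # The CA name is the part before any ";parameters"; an empty name
    # (value ";") authorises nobody.
    allowed = {v.split(";", 1)[0].strip().lower() for v in relevant}
    return ca_domain.lower() in allowed

# Constructed sample record set (not output from a real domain).
SAMPLE = [
    '0 issue "ca-one.example"',
    '0 issuewild "ca-two.example"',
    '0 iodef "mailto:security@example.com"',
]
```

A real CA also walks up the DNS tree to the closest ancestor that publishes CAA records; this sketch evaluates a single record set only.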