CAA Records
Certification Authority Authorization (CAA) records allow domain owners to declare which certificate authorities are permitted to issue a certificate for a domain. The record also provides a way to specify notification rules for the case where someone requests a certificate from a certificate authority that is not authorized.
A CAA record consists of the following fields:
- Host - The hostname for the record, entered either as a simple, one-part name or as a Fully Qualified Domain Name (FQDN) with or without a trailing dot. Examples:
  - hostname
  - hostname.example.biz
  - hostname.example.biz.
  - example.biz
  - example.biz.
- Flags - Entered as an integer value between 0 and 255.
- Property Tag - Select one of the following options from the dropdown menu.
  - issue - Authorizes the holder of the domain name given in the property value (a certificate authority) to issue certificates for the domain in which the property is published.
  - issuewild - Authorizes the holder of the domain name given in the property value to issue wildcard certificates for the domain in which the property is published. issuewild properties are ignored during processing if the domain is not a wildcard domain. If the domain has a wildcard RRset specified, all other properties are ignored during processing.
  - issuemail - Authorizes the domain name holder to restrict the issuance of certificates that certify email addresses.
  - issuevmc - Authorizes the domain name holder to issue mark certificates for the domain.
  - iodef - Specifies a URL to which an issuer may report certificate issuance requests that are inconsistent with the issuer's Certification Practices or Certificate Policy, or that a Certificate Evaluator may use to report possible policy violations. Accepted URL schemes are mailto and http/https.
- Property Value - Entered as free text.
- TTL - The Time to Live (TTL) for the record. You can provide this value either as an integer or as an annotated value (1h = 1 hour). This field is not required and is set to the default value if left empty.
If the property tag issuevmc is configured with the property value digicert.com, it authorizes digicert.com to issue Mark Certificates. These certificates contain information about the FQDN and the holder of the issuer domain name.
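The following is an added example, not code from this page or from the DNS product it documents: it parses zone-file style CAA records into the flags, tag and value fields described above and then applies the RFC 8659 issuance check for a given certificate authority. The sample RRset for example.biz is constructed; the critical flag (bit value 128), the precedence of issuewild over issue for wildcard requests and the ";" value meaning "no CA may issue" are taken from RFC 8659, not from this page.

```python
import re

# Constructed sample RRset for example.biz (not from the original page).
ZONE = """\
example.biz. 3600 IN CAA 0 issue "digicert.com"
example.biz. 3600 IN CAA 0 issuewild ";"
example.biz. 3600 IN CAA 0 issuevmc "digicert.com"
example.biz. 3600 IN CAA 0 iodef "mailto:security@example.biz"
"""

CAA_RE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "issuemail", "issuevmc", "iodef"}

def parse_caa(zone_text):
    """Parse zone-file style CAA lines into (flags, tag, value) tuples."""
    records = []
    for line in zone_text.splitlines():
        m = CAA_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        flags, tag, value = int(m.group(3)), m.group(4).lower(), m.group(5)
        if not 0 <= flags <= 255:
            raise ValueError("flags must be between 0 and 255")
        if tag == "iodef" and value.split(":")[0] not in ("mailto", "http", "https"):
            raise ValueError("iodef URL must use mailto, http or https")
        records.append((flags, tag, value))
    return records

def issuance_allowed(records, ca, wildcard=False):
    """Decide whether CA `ca` may issue for the name that owns `records`.

    Follows RFC 8659: a record whose critical bit (flag 128) is set but
    whose tag the CA does not understand forbids issuance; for wildcard
    requests issuewild records replace issue records when present; a
    value of ";" (no CA domain) forbids issuance by anyone.
    """
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    relevant = [value for _, t, value in records if t == tag]
    if not relevant:  # no applicable property: issuance is not restricted
        return True
    # value is "<ca-domain>[; parameters]" or ";" alone
    allowed = {v.split(";")[0].strip().lower() for v in relevant}
    return ca.lower() in allowed
```

With the sample RRset, digicert.com may issue ordinary certificates for example.biz, but the issuewild ";" record blocks every CA from issuing a wildcard certificate.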