What is a CAA record?
A CAA record serves as an additional confirmation for the Certification Authority (CA) during the SSL certificate validation process. This record specifies to the CA who is authorized to issue SSL certificates for the domain.
You can find the RFC here:
https://datatracker.ietf.org/doc/html/rfc6844
Examples of CAA records
The standard syntax for SSL certificates purchased via Gandi is as follows (if entered via the editor's "Advanced view"):
@ IN CAA 0 issue "sectigo.com"
@ IN CAA 0 issuewild "sectigo.com"
You can also list several Certification Authorities (CAs) if you obtain certificates for a single domain from more than one CA. For example:
@ IN CAA 0 issue "sectigo.com"
@ IN CAA 0 issue "letsencrypt.org"
CAA record values
If you enter the records via the "Advanced View" mode of our DNS record editor, you'll find an explanation of the various properties below.
- Type: CAA indicates a certification authority authorized to issue SSL certificates for the domain.
- TTL: the number of seconds a resolver may cache the record before fetching it again, so a modified record takes up to this long to be picked up. The default value is 10800.
- Name: The domain (@ for the Apex domain) or subdomain to which the authorization will apply.
- Flags: 0 (standard) or 1 (blocks validation if the tag is unknown to the certification authority).
- Tag: indicates what the value field specifies:
  - issue: the certification authority authorized to issue certificates for this domain.
  - issuewild: the certification authority authorized to issue wildcard certificates for this domain.
  - iodef: URL to which a certification authority can send a report if a request is made without the CAA record authorizing it.
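The following script is an added example, not Gandi's code or part of its editor: it parses CAA lines in the zone-file syntax shown above and applies the processing rules of RFC 6844 (since obsoleted by RFC 8659, which keeps the same rules) to decide whether a given CA may issue for a name. It covers both sections of this page: the `issue` / `issuewild` / `iodef` tags and the flags field, including the RFC's issuer-critical bit (the high bit of the flags octet, written as 128 in decimal zone files), the fallback from `issuewild` to `issue` for wildcard requests, the climb to a parent name when a subdomain has no CAA records, and the `";"` value that authorizes no CA at all. The zone text, the domain `example.com` and the CA names used as input are constructed sample data.

```python
"""Evaluate CAA issuance authorization (RFC 6844 / RFC 8659 rules).

Added example; not Gandi's code. The zone below is constructed sample data.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class CAARecord(NamedTuple):
    flags: int
    tag: str
    value: str


# Tags this evaluator understands; any other tag with the critical bit set blocks issuance.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
# Issuer-critical flag: high bit of the one-octet flags field, i.e. 128 in decimal.
CRITICAL_FLAG = 128

# Zone-file form used on this page, e.g.   @ IN CAA 0 issue "sectigo.com"
CAA_LINE = re.compile(r'^(\S+)\s+IN\s+CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')


def parse_zone(text: str, origin: str) -> Dict[str, List[CAARecord]]:
    """Parse CAA lines into {fqdn: [records]}. '@' is the zone apex; other names are relative."""
    rrsets: Dict[str, List[CAARecord]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        name, flags, tag, value = m.groups()
        if not 0 <= int(flags) <= 255:
            raise ValueError(f"flags must fit one octet: {flags}")
        fqdn = origin if name == "@" else f"{name}.{origin}"
        rrsets.setdefault(fqdn.lower(), []).append(CAARecord(int(flags), tag.lower(), value))
    return rrsets


def relevant_rrset(rrsets: Dict[str, List[CAARecord]], fqdn: str) -> List[CAARecord]:
    """Climb from fqdn toward the root and return the first CAA RRset found."""
    labels = fqdn.lower().rstrip(".").split(".")
    while labels:
        found = rrsets.get(".".join(labels))
        if found:
            return found
        labels.pop(0)
    return []


def issuer_domain(value: str) -> str:
    """'sectigo.com; validationmethods=dns-01' -> 'sectigo.com'; ';' alone -> '' (no CA allowed)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(rrsets: Dict[str, List[CAARecord]], fqdn: str, ca: str,
                 wildcard: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason) for CA `ca` requesting a certificate for `fqdn`."""
    rrset = relevant_rrset(rrsets, fqdn)
    if not rrset:
        return True, "no CAA records on the name or any parent"
    # A critical property the CA does not understand forbids issuance outright.
    for r in rrset:
        if r.flags & CRITICAL_FLAG and r.tag not in KNOWN_TAGS:
            return False, f"critical tag {r.tag!r} is not understood"
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, "no issue/issuewild property restricts this request"
    allowed = {issuer_domain(r.value) for r in applicable}
    if ca.lower() in allowed:
        return True, f"{ca} is listed"
    listed = sorted(d for d in allowed if d) or ["<none>"]
    return False, f"{ca} not in {listed}"


# Constructed sample zone (not a real Gandi zone).
ZONE = """
@ IN CAA 0 issue "sectigo.com"
@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issuewild "sectigo.com"
@ IN CAA 0 iodef "mailto:caa-reports@example.com"
locked IN CAA 0 issue ";"
"""
RRSETS = parse_zone(ZONE, "example.com")

if __name__ == "__main__":
    for name, ca, wild in [("example.com", "letsencrypt.org", False),
                           ("www.example.com", "letsencrypt.org", False),
                           ("example.com", "letsencrypt.org", True),
                           ("locked.example.com", "sectigo.com", False)]:
        ok, why = ca_may_issue(RRSETS, name, ca, wildcard=wild)
        print(f"{'*.' if wild else ''}{name:22} {ca:18} {'ALLOW' if ok else 'DENY ':6} {why}")
```

Running it shows `letsencrypt.org` allowed for `example.com` and (by inheritance) `www.example.com` but denied for `*.example.com`, because only `sectigo.com` appears in `issuewild`; `locked.example.com` denies every CA since its `issue` value is `";"`.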