How to configure CAA records

Before issuing any certificate, a CA (Certificate Authority) runs a CAA (Certification Authority Authorisation) check on the domain name in the request.
CAA records give an organisation a tool to ensure that only the CA(s) it has chosen are able to issue certificates for its domains.
The rules for CAA records on a domain:
- No CAA record: All CAs can issue
- CAA record for specified CA(s): Only specified CA(s) can issue
Two CAA record commands (property tags) exist:
- issue: Allows issuance of certificates for specified CA(s)
- issuewild: Allows issuance of wildcard certificates for specified CA(s)
Example CAA records for trustzone.com:
- issuewild: globalsign.com
- issue: sectigo.com
- issue: globalsign.com
This would allow both GlobalSign and Sectigo to issue regular SSL/TLS certificates for trustzone.com (and any subdomains), while only allowing GlobalSign to issue wildcard certificates.
Note: if there are no “issuewild” records, wildcard certificates may be issued by any CA that has an “issue” record.
Further, we recommend a TTL value of 3600 and, if your DNS provider asks for it, a “Flag” value of 0.
An example of a CAA record in zone-file syntax, placed at the apex (@) of a domain:
@ IN CAA 0 issue "globalsign.com"
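To make the rules above concrete, here is an added example (not code from the original article) that parses CAA records written in the zone-file syntax shown just above and then models the decision a CA makes: climb from the requested name towards the root until a CAA record set is found, apply "issuewild" for wildcard requests when present and "issue" otherwise, treat ";" as "no CA may issue", and refuse when an unknown tag carries the critical flag (128). The zone text is constructed for this example; the trustzone.com records mirror the article's example, while the "locked" and "odd" names are hypothetical. It runs entirely offline and performs no real DNS query.

```python
"""Added example: parse zone-file CAA records and model the CAA check a CA
performs before issuance (RFC 8659 rules). Not the article's own code."""
import re
from typing import Dict, List, Tuple

# Constructed sample zone. The three apex records match the article's
# example; "locked" and "odd" are hypothetical names added to show edge cases.
ZONE_TEXT = """
; constructed test data, not a real zone
@         IN CAA 0   issuewild "globalsign.com"
@         IN CAA 0   issue     "sectigo.com"
@    3600 IN CAA 0   issue     "globalsign.com"
locked    IN CAA 0   issue     ";"
odd       IN CAA 128 futuretag "x"
odd       IN CAA 0   issue     "sectigo.com"
"""

# owner [ttl] IN CAA flags tag "value"
CAA_LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"\s*$')

Record = Tuple[int, str, str]          # (flags, tag, value)
Zone = Dict[str, List[Record]]         # owner name -> CAA RRset


def load_zone(text: str, origin: str) -> Zone:
    """Build an owner -> RRset map from zone-file lines; "@" and relative
    owners are expanded against origin, trailing-dot owners are absolute."""
    zone: Zone = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        owner, flags, tag, value = m.groups()
        if owner == "@":
            owner = origin
        elif owner.endswith("."):
            owner = owner.rstrip(".")
        else:
            owner = f"{owner}.{origin}"
        zone.setdefault(owner.lower(), []).append((int(flags), tag.lower(), value))
    return zone


def relevant_rrset(name: str, zone: Zone) -> List[Record]:
    """Climb from name towards the root; the first owner that has CAA
    records supplies the relevant RRset. [] means no CAA anywhere."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return zone[owner]
    return []


def issuer_of(value: str) -> str:
    """'sectigo.com; validationmethods=dns-01' -> 'sectigo.com'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(ca: str, requested: str, zone: Zone) -> bool:
    """True if the CA identified by `ca` may issue for `requested`
    (use a leading '*.' for a wildcard name)."""
    is_wild = requested.startswith("*.")
    lookup = requested[2:] if is_wild else requested   # wildcard label is dropped
    rrset = relevant_rrset(lookup, zone)
    if not rrset:
        return True                      # no CAA in the chain: any CA may issue
    # A critical property (flag bit 128) the CA does not understand blocks issuance.
    if any(flags & 128 and tag not in ("issue", "issuewild") for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild takes precedence for wildcard names when present; otherwise
    # the issue records govern wildcards too (the article's note).
    applicable = issuewild if (is_wild and issuewild) else issue
    if not applicable:
        return True                      # RRset places no restriction on this kind of cert
    allowed = {issuer_of(v) for v in applicable} - {""}   # ";" contributes nothing
    return ca.lower() in allowed


if __name__ == "__main__":
    zone = load_zone(ZONE_TEXT, "trustzone.com")
    for ca, name in [("sectigo.com", "www.trustzone.com"),
                     ("sectigo.com", "*.trustzone.com"),
                     ("globalsign.com", "*.trustzone.com"),
                     ("digicert.com", "trustzone.com"),
                     ("sectigo.com", "locked.trustzone.com")]:
        print(f"{ca:15} {name:25} -> {issuance_allowed(ca, name, zone)}")
```

Run it directly to see the decisions for the article's example: Sectigo may issue for www.trustzone.com but not for *.trustzone.com, GlobalSign may issue both, and a CA with no record at all is refused. The climb in relevant_rrset is why a record at the apex also governs subdomains unless a subdomain publishes its own CAA set, as the hypothetical "locked" name does.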
It is perfectly fine to have CAA records for multiple CAs. Do contact us if you have any questions about getting better control over your certificates.