How to configure CAA records

Before issuing a certificate, a CA (Certificate Authority) runs a CAA (Certification Authority Authorisation) check on the domain; the CA/Browser Forum Baseline Requirements require every publicly trusted CA to do this at issuance time.
CAA records let an organisation state which CA(s) are allowed to issue certificates for its domains. A CA that finds it is not listed must refuse the request, which limits the damage a compromised account at another CA, or a mistaken order by a colleague, can do.
The rules for CAA records on a domain:
- No CAA record on the domain or on any of its parent domains: all CAs can issue
- CAA record for specified CA(s): only the specified CA(s) can issue
- CAA "issue" record with an empty value (written as ";"): no CA can issue
The CA looks up the exact name first and then climbs to the parent domains until it finds a CAA record set, so a record on trustzone.com also covers www.trustzone.com unless that name publishes CAA records of its own.
Two CAA record tags (called "properties" in RFC 8659) control issuance:
- issue: allows issuance of certificates for the specified CA(s)
- issuewild: allows issuance of wildcard certificates for the specified CA(s)
A third tag, iodef, does not restrict issuance; it gives CAs a mailto: or https: address to which they can report requests that failed the CAA check.
Example CAA records for trustzone.com:
- issuewild: globalsign.com
- issue: sectigo.com
- issue: globalsign.com
This would allow both GlobalSign and Sectigo to issue regular SSL/TLS certificates for trustzone.com (and any subdomain that has no CAA records of its own), while only allowing GlobalSign to issue wildcard certificates such as *.trustzone.com. The value must be exactly the identifier the CA publishes for CAA purposes; a CA compares it against its own documented domain and will not issue on a near match.
Note: if there are no "issuewild" records, wildcard certificates may be issued by any CA with an "issue" record. As soon as at least one "issuewild" record exists, the "issue" records are ignored for wildcard requests.
Further, we recommend a TTL of 3600 seconds and, if your DNS provider asks for it, a "Flag" value of 0. The flag value 128 marks a record as critical, meaning a CA that does not understand the tag must refuse to issue; with the standard tags above this is not needed.
An example of a CAA record, in zone-file syntax, created on the domain itself (the @ stands for the zone apex):
@ IN CAA 0 issue "globalsign.com"
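The rules and the trustzone.com example above can be checked offline with the following script. It is an added example, not code from this page or from any CA: it parses zone-file CAA lines and applies the RFC 8659 decision rules (climb to the parent, issuewild overrides issue for wildcards, an empty issuer forbids everyone, an unknown critical tag forbids everyone). The zone fragment is constructed for the example; the names locked.trustzone.com and odd.trustzone.com and the tag futuretag are hypothetical.

```python
"""Evaluate CAA issuance rules (RFC 8659) against zone-file CAA lines."""
import re

# Constructed zone fragment (example data, not the article's DNS). It writes
# the article's trustzone.com example as zone-file records and adds two
# hypothetical names: a sub-zone that forbids all issuance ("issue ;") and
# one carrying a critical flag (128) on a tag no CA understands.
ZONE = """
trustzone.com.          3600 IN CAA 0 issuewild "globalsign.com"
trustzone.com.          3600 IN CAA 0 issue "sectigo.com"
trustzone.com.          3600 IN CAA 0 issue "globalsign.com"
locked.trustzone.com.   3600 IN CAA 0 issue ";"
odd.trustzone.com.      3600 IN CAA 128 futuretag "x"
"""

# owner [ttl] IN CAA flags tag "value"
CAA_LINE = re.compile(
    r'^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(?P<flags>\d+)\s+(?P<tag>\S+)\s+"(?P<value>[^"]*)"$'
)

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def parse_zone(text):
    """Map owner name -> list of (flags, tag, value) from zone-file CAA lines."""
    records = {}
    for line in text.strip().splitlines():
        m = CAA_LINE.match(line.strip())
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        owner = m["owner"].rstrip(".").lower()
        records.setdefault(owner, []).append((int(m["flags"]), m["tag"].lower(), m["value"]))
    return records


def relevant_rrset(records, name):
    """RFC 8659 s3: the CAA RRset of the name itself, else of the closest parent."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = records.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)  # climb one level: www.trustzone.com -> trustzone.com -> com
    return []


def issuer_domain(value):
    """'globalsign.com; policy=x' -> 'globalsign.com'; ';' or '' -> '' (nobody)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(records, ca_domain, requested_name):
    """True if ca_domain may issue a certificate for requested_name."""
    wildcard = requested_name.startswith("*.")
    # The wildcard label carries no records of its own in this example, so the
    # search starts at the name it covers; which tag applies is decided below.
    lookup = requested_name[2:] if wildcard else requested_name
    rrset = relevant_rrset(records, lookup)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue
    # A critical property (flag bit 128) the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tags = {tag for _, tag, _ in rrset}
    if wildcard and "issuewild" in tags:
        governing = "issuewild"  # issuewild present: issue records are ignored
    elif "issue" in tags:
        governing = "issue"  # also governs wildcards when no issuewild exists
    else:
        return True  # only iodef (or issuewild for a non-wildcard): no restriction
    return any(issuer_domain(v) == ca_domain.lower()
               for _, tag, v in rrset if tag == governing)


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    for ca, name in [("sectigo.com", "www.trustzone.com"),
                     ("sectigo.com", "*.trustzone.com"),
                     ("globalsign.com", "*.trustzone.com"),
                     ("digicert.com", "trustzone.com"),
                     ("globalsign.com", "locked.trustzone.com"),
                     ("globalsign.com", "odd.trustzone.com")]:
        print(f"{ca:15} {name:25} -> {'may issue' if may_issue(recs, ca, name) else 'REFUSE'}")
```

Run it against a copy of your own zone to see which CA would be allowed to issue which certificate before you publish; the real-world confirmation is a CAA query against the live DNS (for example dig trustzone.com CAA +short), because the CA checks what resolvers return, not what sits in your provider's editor.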
It is perfectly fine to have CAA records for multiple CAs. After publishing, verify what a CA will see with a CAA query against the live DNS (for example dig trustzone.com CAA +short), and do the same for any subdomain that has its own CAA records. Do contact us if you have any questions about getting better control over your certificates.

