What is a CAA record and why do I need it?

A CAA (Certification Authority Authorization) record is a DNS record that specifies which Certificate Authorities are authorized to issue SSL certificates for your domain. You need CAA records to prevent unauthorized CAs from issuing fraudulent certificates, protecting your domain from certificate-based attacks and enhancing your overall security posture.

How do CAA records prevent SSL certificate fraud?

CAA records work by instructing Certificate Authorities to check DNS before issuing certificates. When a CA receives a certificate request for your domain, it verifies the CAA records to ensure it's authorized to issue certificates. If the CA isn't listed in your CAA records, the certificate issuance is blocked, preventing unauthorized certificates from being issued.

What's the difference between 'issue' and 'issuewild' tags?

The 'issue' tag controls which CAs can issue standard SSL certificates for your domain (example.com), while the 'issuewild' tag specifically controls which CAs can issue wildcard certificates (*.example.com). You can authorize different CAs for each tag type to maintain granular control over certificate issuance.

Do all Certificate Authorities respect CAA records?

Most major Certificate Authorities respect CAA records as they are required by the CA/Browser Forum baseline requirements. However, it's recommended to verify with your specific CAs that they check CAA records before issuing certificates. Some older or less reputable CAs may not enforce CAA checking.

How long does it take for CAA records to take effect?

CAA records typically take effect within a few minutes to a few hours, depending on your DNS provider's propagation time and the TTL (Time To Live) value set on your records. Most DNS changes propagate globally within 24 hours, but CAs may cache DNS lookups, so allow some time for full implementation across all Certificate Authorities.

CAA Record Generator

Tên miền

Chọn Certificate Authority được phép cấp SSL

Cho phép cấp SSL wildcard (*.domain.com)

Email nhận báo cáo vi phạm (iodef) — tùy chọn

How to Use CAA Record Generator

When to Use CAA Record Generator

🔒Need an SSL certificate?

Protect your website with BKNS SSL — from 199,000đ/year, free installation

Buy SSL

CAA Record Generator

How to Use CAA Record Generator

When to Use CAA Record Generator

Technical Information About CAA Records

Frequently Asked Questions