Manage Certificate Authority Authorization (CAA) DNS Record

This article explains Certificate Authority Authorization (CAA) records and how they can be managed at Rackspace.

What is a CAA record?

Certificate Authority Authorization (CAA) records allow domain owners to specify which Certificate Authorities (CAs) are allowed to issue SSL certificates for a domain. If no CAA record is present, any CA is allowed to issue certificates for the domain.

CAA records can set a policy for the entire domain or for specific subdomains. If no CAA record is specified for a particular subdomain, the policy is inherited from the parent domain.

For example, a CAA record set for example.com also applies to subdomain.example.com unless there is also a CAA record set for subdomain.example.com.

CAA record format

CAA records have four parts:

  1. FQDN: The domain or subdomain on which the policy is being set.
  2. Flag: An integer. Almost always “0”.
  3. Tag: A string indicating the type of CAA record. Common tags are:
      - issue: The CA is allowed to issue SSL certificates.
      - issuewild: The CA is allowed to issue wildcard SSL certificates.
      - iodef: Specifies a URL (for example, a mailto: address) to which the CA can report attempts to obtain certificates that violate the policy. This is optional.
  4. Value: The CA allowed to issue certificates. The special character “;” indicates that certificates may not be issued for the FQDN.

CAA record examples

Allow Let’s Encrypt to issue certificates for example.com:

example.com. CAA 0 issue "letsencrypt.org"

Allow both Let’s Encrypt and Sectigo to issue certificates for example.com, but only Sectigo is allowed to issue wildcard certificates:

example.com. CAA 0 issue "letsencrypt.org"

example.com. CAA 0 issuewild "sectigo.com"

Allow Let’s Encrypt to issue certificates for example.com. Also allow Sectigo to issue certificates, but only for ssl.example.com, and report requests that violate that policy to [email protected]. Certificates may not be issued for no-ssl.example.com:

example.com. CAA 0 issue "letsencrypt.org"

ssl.example.com. CAA 0 issue "sectigo.com"

ssl.example.com. CAA 0 iodef "mailto:[email protected]"

no-ssl.example.com. CAA 0 issue ";"
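To show how the inheritance rule and the third example above combine, here is an added example (not Rackspace's code) that evaluates CAA policy with RFC 8659 semantics over a constructed in-memory zone; the iodef mailbox and the zone dictionary are assumptions, and a real CA would resolve the records over DNS instead.

```python
# Added example (not Rackspace's code): evaluates CAA policy with RFC 8659
# semantics against a constructed in-memory zone built from the article's
# third example. A real CA resolves the CAA records over DNS instead.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed record sets keyed by FQDN: list of (flag, tag, value).
# The iodef mailbox is a constructed placeholder, not a real address.
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    "ssl.example.com": [(0, "issue", "sectigo.com"),
                        (0, "iodef", "mailto:caa-reports@example.com")],
    "no-ssl.example.com": [(0, "issue", ";")],
}

def relevant_caa_set(name, zone=ZONE):
    """Climb from `name` toward the root: the closest ancestor (or the name
    itself) holding CAA records supplies the policy. This is why a record on
    example.com covers subdomain.example.com until that name gets its own."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        fqdn = ".".join(labels)
        if fqdn in zone:
            return fqdn, zone[fqdn]
        labels = labels[1:]
    return None, []

def issuer_of(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'.
    A bare ';' yields an empty issuer, i.e. nobody may issue."""
    return value.split(";", 1)[0].strip().rstrip(".").lower()

def ca_may_issue(ca, name, wildcard=False, zone=ZONE):
    """True if the CA with issuer domain `ca` may issue for `name`
    (a wildcard certificate when `wildcard` is True)."""
    _, records = relevant_caa_set(name, zone)
    if not records:
        return True  # no CAA anywhere in the chain: any CA may issue
    # Flag 128 marks a record critical: an unknown critical tag forbids issuance.
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # Wildcard requests use issuewild when present, else fall back to issue;
    # non-wildcard requests consult issue only.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # nothing restricts this kind of request
    return ca.rstrip(".").lower() in {issuer_of(v) for v in applicable}
```

Passing a different `zone` lets you check the second example too: with `issue "letsencrypt.org"` and `issuewild "sectigo.com"` on example.com, only Sectigo may issue wildcard certificates and only Let's Encrypt may issue non-wildcard ones.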

How can a CAA record be managed for domains hosted with Rackspace?

Please contact your support team for assistance with CAA records. For new CAA records, please include the following:

  1. Fully Qualified Domain Name (FQDN)
  2. Flag
  3. Tag
  4. Value
  5. Time-To-Live (TTL), optional; the default is 300 seconds

Some Useful Links

For assistance contacting support: https://docs.rackspace.com/docs/contact-support
For official documentation regarding CAA records: https://datatracker.ietf.org/doc/html/rfc8659
For a comprehensive explanation and further examples of CAA records: https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization