Documentation
System StatusPortal Login

Manage Certificate Authority Authorization (CAA) DNS Record

Suggest Edits

This article explains Certificate Authority Authorization (CAA) records and how they can be managed at Rackspace.

What is a CAA record?

Certificate Authority Authorization (CAA) records allow domain owners to specify which Certificate Authorities (CAs) are allowed to issue SSL certificates for a domain. If no CAA record is present, any CA is allowed to issue certificates for the domain.

CAA records can set a policy for the entire domain or for specific subdomains. If no CAA record is specified for a particular subdomain, the policy is inherited from the parent domain.

For example, a CAA record set for example.com also applies to subdomain.example.com unless there is also a CAA record set for subdomain.example.com.

CAA record format

CAA records have four parts:

  1. FQDN: The domain or subdomain on which the policy is being set.
  2. Flag: An integer. Almost always “0”.
  3. Tag: A string indicating the type of CAA record. Common tags are:
      - issue: The CA is allowed to issue SSL certificates.
      - issuewild: The CA is allowed to issue wildcard SSL certificates.
      - iodef: Specifies an URI or URL where the CA can report attempts to obtain certificates that violate the policy. This is optional.
  1. Value: The CA allowed to issue certificates. The special character “;” indicates that certificates may not be issued for the FQDN.

CAA record examples

Allow Let’s Encrypt to issue certificates for example.com:

example.com. CAA 0 issue "letsencrypt.org”

Allow both Let’s Encrypt and Sectigo to issue certificates for example.com, but only Sectigo is allowed to issue wildcard certificates:

example.com. CAA 0 issue "letsencrypt.org"

example.com. CAA 0 issuewild "sectigo.com"

Allow Let’s Encrypt to issue certificates for example.com. Also allow Sectigo to issue certificates, but only for ssl.example.com, and report requests that violate that policy to [email protected]. Certificates may not be issued for no-ssl.example.com:

example.com. CAA 0 issue “letsencrypt.org”

ssl.example.com. CAA 0 issue “sectigo.com"

ssl.example.com. CAA 0 iodef “mailto:[email protected]

no-ssl.example.com. CAA 0 issue “;”

How can a CAA record be managed for domains hosted with Rackspace?

Please contact your support team for assistance with CAA records. For new CAA records, please include the following:

  1. Fully Qualified Domain Name (FQDN)
  2. Flag
  3. Tag
  4. Value
  5. Time-To-Live (TTL), default is 300 seconds <optional>

Some Useful Links

For assistance contacting support: https://docs.rackspace.com/docs/contact-support
For official documentation regarding CAA records: https://datatracker.ietf.org/doc/html/rfc8659
https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization offers a comprehensive explanation and examples of CAA records.

Updated 15 days ago