What is CAA?

CAA is a control to restrict which CAs can issue certificates for a particular domain name for issuing the certificate. By configuring the DNS CAA record, domain owners can specify which Certification Authorities are authorized to issue certificates to that domain name. You can use CAA to reduce your exposure to vulnerabilities in certificate authority validation systems and to enforce certificate procurement policies.

To use CAA, you publish a set of CAA records in your domain's DNS that list the CAs that you authorize to issue certificates. Before issuing a certificate, the CA checks your CAA records and blocks the request if they are not listed.

What is a CAA record?

A Certification Authority Authorization (CAA) record is a standard that lets you specify which certificate authorities (CAs) are allowed to issue certificates for your domain. The purpose of the CAA record is to allow domain owners to authorize which certificate authorities are allowed to issue a certificate for a domain.

Before issuing a certificate, the CA checks your CAA records and blocks the request if they are not listed. If no CAA record is present, any CA is allowed to issue a certificate for the domain.

1. CAA records can set policy for the entire domain, or for specific HostNames.

2. CAA records are also inherited by sub-domains.

3. CAA records can regulate the issuance of single-name certificates, wildcard certificates, or both.